ansible.nftables/molecule/default/verify.yml

---
# This is an example playbook to execute Ansible tests.

- name: Verify
  hosts: all
  gather_facts: false
  tasks:

  - name: check for nftables.d
    stat:
      path: /etc/nftables.d
    register: p

  - name: check nftables.d
    assert:
      that:
        - p.stat.exists and p.stat.isdir

  - name: check for nftables.conf
    stat:
      path: /etc/nftables.conf
    register: p

  - name: check nftables.conf
    assert:
      that:
        - p.stat.exists

  - name: check for filter-input.nft
    stat:
      path: /etc/nftables.d/filter-input.nft
    register: p

  - name: check filter-input.nft
    assert:
      that:
        - p.stat.exists

  - name: list rules
    command: nft list ruleset
    register: nft

  - name: debug rules
    debug: var=nft

  - name: check rules
    assert:
      that:
        # The whole line is:
        # type filter hook input priority 0; policy drop;
        # However on CentOS will return "priority 0", while Debian will
        # show "priority filter"
        - '"type filter hook input" in nft.stdout'
        - '"type filter hook output" in nft.stdout'

  - name: check for fail2ban systemd custom dir
    stat:
      path: /etc/systemd/system/fail2ban.service.d
    register: f2b_systemd_dir

  - name: check fail2ban systemd custom dir
    assert:
      that:
        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir

  - name: check for fail2ban systemd override
    stat:
      path: /etc/systemd/system/fail2ban.service.d/override.conf
    register: f2b_systemd_override

  - name: check fail2ban systemd override
    assert:
      that:
        - f2b_systemd_override.stat.exists

  - name: service status - active
    command: systemctl is-active nftables.service
    register: status

  - name: check service status
    assert:
      that:
        - 'status.stdout == "active"'

  - name: service status - enabled
    command: systemctl is-enabled nftables.service
    register: status

  - name: check service status
    assert:
      that:
        - 'status.stdout == "enabled"'
Add Molecule test scenario 2021-08-06 11:28:16 +02:00			`---`
			`# This is an example playbook to execute Ansible tests.`

			`- name: Verify`
			`hosts: all`
			`gather_facts: false`
			`tasks:`
Use jrei/systemd-ubuntu 2021-08-08 20:43:58 +02:00
Test for key files generated by the role 2021-08-08 22:48:02 +02:00			`- name: check for nftables.d`
			`stat:`
			`path: /etc/nftables.d`
Fix variable name 2021-08-08 23:14:21 +02:00			`register: p`
Test for key files generated by the role 2021-08-08 22:48:02 +02:00
			`- name: check nftables.d`
			`assert:`
			`that:`
			`- p.stat.exists and p.stat.isdir`

			`- name: check for nftables.conf`
			`stat:`
			`path: /etc/nftables.conf`
Fix variable name 2021-08-08 23:14:21 +02:00			`register: p`
Test for key files generated by the role 2021-08-08 22:48:02 +02:00
			`- name: check nftables.conf`
			`assert:`
			`that:`
			`- p.stat.exists`

Add Molecule tests for systemd unit 2021-08-19 13:56:26 +02:00			`- name: check for filter-input.nft`
Test for key files generated by the role 2021-08-08 22:48:02 +02:00			`stat:`
			`path: /etc/nftables.d/filter-input.nft`
Fix variable name 2021-08-08 23:14:21 +02:00			`register: p`
Test for key files generated by the role 2021-08-08 22:48:02 +02:00
			`- name: check filter-input.nft`
			`assert:`
			`that:`
			`- p.stat.exists`

Add some actual verification tasks 2021-08-08 20:09:08 +02:00			`- name: list rules`
			`command: nft list ruleset`
			`register: nft`

Debug rules prior to verification 2021-08-08 22:27:18 +02:00			`- name: debug rules`
			`debug: var=nft`

Add some actual verification tasks 2021-08-08 20:09:08 +02:00			`- name: check rules`
			`assert:`
			`that:`
Adjust test to differences between CentOS and Debian 2021-08-08 22:40:13 +02:00			`# The whole line is:`
			`# type filter hook input priority 0; policy drop;`
			`# However on CentOS will return "priority 0", while Debian will`
			`# show "priority filter"`
			`- '"type filter hook input" in nft.stdout'`
			`- '"type filter hook output" in nft.stdout'`
Add some actual verification tasks 2021-08-08 20:09:08 +02:00
Add Molecule tests for systemd unit 2021-08-19 13:56:26 +02:00			`- name: check for fail2ban systemd custom dir`
			`stat:`
			`path: /etc/systemd/system/fail2ban.service.d`
			`register: f2b_systemd_dir`

			`- name: check fail2ban systemd custom dir`
			`assert:`
			`that:`
			`- f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir`

			`- name: check for fail2ban systemd override`
			`stat:`
			`path: /etc/systemd/system/fail2ban.service.d/override.conf`
			`register: f2b_systemd_override`

			`- name: check fail2ban systemd override`
			`assert:`
			`that:`
			`- f2b_systemd_override.stat.exists`

Add some actual verification tasks 2021-08-08 20:09:08 +02:00			`- name: service status - active`
			`command: systemctl is-active nftables.service`
			`register: status`

			`- name: check service status`
			`assert:`
			`that:`
			`- 'status.stdout == "active"'`

			`- name: service status - enabled`
			`command: systemctl is-enabled nftables.service`
			`register: status`

			`- name: check service status`
Add Molecule test scenario 2021-08-06 11:28:16 +02:00			`assert:`
Add some actual verification tasks 2021-08-08 20:09:08 +02:00			`that:`
			`- 'status.stdout == "enabled"'`