Add separate scenario for Archlinux with custom Dockerfile

molecule/archlinux/Dockerfile.j2

@@ -0,0 +1,7 @@
+FROM archlinux:latest
+ENV container=docker
+
+RUN pacman -Sy --noconfirm python
+
+VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+CMD ["/usr/sbin/init"]

molecule/archlinux/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/archlinux/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: archlinux
+    image: archlinux:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/archlinux/verify.yml

@@ -0,0 +1,72 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

molecule/default/molecule.yml

@@ -43,15 +43,6 @@ platforms:
   #   volumes:
   #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
 
-  # - name: archlinux
-  #   image: archlinux:latest
-  #   command: /usr/sbin/init
-  #   privileged: true
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   tmpfs:
-  #     - /run
-  #     - /tmp
 
 provisioner:
   name: ansible