Merge branch 'VTimofeenko-gentoo_molecule'

This commit is contained in:
Jeremy Gardais 2021-08-25 15:28:15 +02:00
commit 97440461df
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
6 changed files with 162 additions and 1 deletions


@ -0,0 +1,5 @@
FROM gentoo/stage3:systemd
ENV container=docker
VOLUME ["/sys/fs/cgroup"]
CMD ["/sbin/init"]
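Review bot: It is not clear from the page that this Dockerfile is consumed: the molecule.yml added in the same commit sets `image: gentoo/stage3:systemd` and `command: /sbin/init` on the platform entry itself and shows no `dockerfile:` key, so the docker driver may build from its own default template and the `ENV`, `VOLUME` and `CMD` here would never apply. If it is meant to be the scenario image, point the platform at it (`dockerfile: <path-to-this-file>`) or add a leading comment stating where it is used. The base tag `gentoo/stage3:systemd` is a moving target; pinning it with a digest (`FROM gentoo/stage3:systemd@sha256:<digest-placeholder>`) would keep test runs reproducible.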


@ -0,0 +1,9 @@
---
- name: Converge
hosts: all
gather_facts: yes
roles:
- role: ipr-cnrs.nftables
nft_debug: true
# can't remove iptables on an instance with docker
nft_old_pkg_manage: false
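Review bot: `gather_facts: yes` on the Converge play uses a YAML 1.1 truthy spelling while the Verify play added in the same commit writes `gather_facts: false`; yamllint's truthy rule flags the former, so `gather_facts: true` keeps the two plays consistent. The inline comment on `nft_old_pkg_manage` explains that override well, but the reason `nft_debug: true` is needed for this scenario is not stated and a short comment above it would help the next reader.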


@ -0,0 +1,21 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: Gentoo
image: gentoo/stage3:systemd
command: /sbin/init
privileged: true
volumes:
- /srv/gentoo-molecule/gentoo-repo:/var/db/repos/gentoo
- /srv/gentoo-molecule/binpkgs:/var/cache/binpkgs
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /run
- /tmp
provisioner:
name: ansible
verifier:
name: ansible
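Review bot: The Gentoo platform runs `privileged: true` and bind-mounts two host directories read-write (`/srv/gentoo-molecule/gentoo-repo` and `/srv/gentoo-molecule/binpkgs`) that nothing in the scenario creates or documents, so a run on a fresh host fails on a missing path and, once the paths exist, the privileged container can write to the host beyond what the test needs. Because prepare.yml in this commit enables `--usepkg`, anything written to the binpkgs mount by one run is installed by later runs, so the cache directory should be stated as trusted and dedicated, e.g. a comment above `volumes:` such as `# host cache dirs must exist and be used only by this scenario; binpkgs written here are reused by later runs`. `privileged: true` is presumably required for the systemd init the platform starts, and a one-line comment giving that reason would document it. `gentoo/stage3:systemd` is a moving tag, so a digest pin would make runs reproducible.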


@ -0,0 +1,34 @@
# Taken from https://github.com/VTimofeenko/portage-overlay-cfg on commit d8914035e236c4f3819985098dd1ae36551bfc52
# If bugs are found check that repository
# Since Gentoo builds from source, to save time on molecule tests, we should reuse artifacts as much as possible
# This playbook performs the initial setup of a Gentoo container
# It configures portage to try to use prebuilt packages if available and to save the built packages.
---
- name: Run preparation playbook
hosts: Gentoo
tasks:
- name: Enable buildpkg feature
lineinfile:
line: "FEATURES='buildpkg'"
dest: /etc/portage/make.conf
state: present
- name: Enable trying to install from binpkgs by default
lineinfile:
line: "EMERGE_DEFAULT_OPTS='--usepkg'"
dest: /etc/portage/make.conf
state: present
- name: Synchronize gentoo repository if needed
block:
- name: Check if there is anything in the repo
find:
paths: '/var/db/repos/gentoo/'
register: find_files_in_repo
- name: Synchronize the repo if needed
command: "emaint sync -a"
when: find_files_in_repo.matched == 0
- name: Install equery, needed for package check
# Command, because equery does not exist yet
command: emerge --changed-use --oneshot app-portage/gentoolkit
changed_when: false
# The rest of the original file is specific to that role and not needed here
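Review bot: Both `lineinfile` tasks on `/etc/portage/make.conf` append a line without a `regexp`, so if the image's make.conf already defines `FEATURES` or `EMERGE_DEFAULT_OPTS` the file ends up with two definitions and the later one takes precedence, silently replacing rather than extending the existing value; adding `regexp: "^FEATURES="` and `regexp: "^EMERGE_DEFAULT_OPTS="` makes each task manage a single definition idempotently (it would still overwrite pre-existing flags, which deserves a comment). The `find` in the sync block has no `recurse`, so it only inspects the top level of `/var/db/repos/gentoo/`; that is enough for an empty-directory check, but a comment saying so would stop someone adding recursion and slowing every run. The `emerge` of gentoolkit carries `changed_when: false`, which hides a real install on first run; a `creates:` guard on the equery binary would report the change honestly while keeping later runs idempotent.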


@ -0,0 +1,92 @@
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: check for nftables.d
stat:
path: /etc/nftables.d
register: p
- name: check nftables.d
assert:
that:
- p.stat.exists and p.stat.isdir
- name: check for nftables.conf
stat:
path: /etc/nftables.conf
register: p
- name: check nftables.conf
assert:
that:
- p.stat.exists
- name: check for filter-input.nft
stat:
path: /etc/nftables.d/filter-input.nft
register: p
- name: check filter-input.nft
assert:
that:
- p.stat.exists
- name: list rules
command: nft list ruleset
register: nft
- name: debug rules
debug: var=nft
- name: check rules
assert:
that:
# The whole line is:
# type filter hook input priority 0; policy drop;
# However on CentOS will return "priority 0", while Debian will
# show "priority filter"
- '"type filter hook input" in nft.stdout'
- '"type filter hook output" in nft.stdout'
- name: check for fail2ban systemd custom dir
stat:
path: /etc/systemd/system/fail2ban.service.d
register: f2b_systemd_dir
- name: check fail2ban systemd custom dir
assert:
that:
- f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
- name: check for fail2ban systemd override
stat:
path: /etc/systemd/system/fail2ban.service.d/override.conf
register: f2b_systemd_override
- name: check fail2ban systemd override
assert:
that:
- f2b_systemd_override.stat.exists
- name: service status - active
command: systemctl is-active nftables.service
register: status
- name: check service status
assert:
that:
- 'status.stdout == "active"'
- name: service status - enabled
command: systemctl is-enabled nftables.service
register: status
- name: check service status
assert:
that:
- 'status.stdout == "enabled"'
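Review bot: The `check rules` assertion only proves that input and output filter chains exist; the comment above it says the expected line ends in `policy drop`, which is the property that matters for the role, yet it is never asserted, so a ruleset with `policy accept` passes verification. Adding `- '"policy drop" in nft.stdout'` (or a stricter per-chain match if the distro differences noted in the comment allow it) would pin the default-deny behaviour. A point of style: `debug: var=nft` uses the key=value argument form while every other task in the play uses block YAML, so `debug:` with `var: nft` on the next line keeps the file consistent, and the three results all registered as `p` would read better with distinct names.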


@ -59,7 +59,7 @@
package:
name: '{{ nft_pkg_list | list }}'
state: '{{ nft_pkg_state }}'
update_cache: true
# update_cache: true
register: pkg_install_result
until: pkg_install_result is success
when: nft_enabled|bool
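Review bot: Commenting out `update_cache: true` instead of removing or conditioning it leaves no record of why, and it changes behaviour for every other platform: on apt- and yum-based hosts the first `package` call on a fresh image now runs without a cache refresh and can fail to resolve `nft_pkg_list`. If the reason is that the portage backend used by the new Gentoo scenario rejects the option (the generic `package` action forwards its extra arguments to the backend module), make it conditional rather than dropping it, e.g. `update_cache: "{{ omit if ansible_pkg_mgr == 'portage' else true }}"`, and delete the commented-out line. The task this hunk belongs to starts before the hunk.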