Merge remote-tracking branch 'github/add_molecule'

.ansible-lint

@@ -0,0 +1,4 @@
+skip_list:
+  - command-instead-of-module
+  - no-changed-when
+  - role-name

.github/workflows/main.yml

@@ -1,20 +1,23 @@
 ---
-name: Molecule
+name: ipr-cnrs.nftables.molecule
 
 on:
   push:
-    branches: [main]
+    branches: [master]
   pull_request:
-    branches: [main]
+    branches: [master]
 
   workflow_dispatch:
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
-
+  test:
+    runs-on:  ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
 
-      - name: Ansible Molecule
-        uses: MonolithProjects/action-molecule@v1.4.3
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          path: "${{ github.repository }}"
+
+      - name: molecule
+        uses: robertdebock/molecule-action@2.6.17

meta/main.yml

@@ -4,6 +4,8 @@ dependencies: []
 
 galaxy_info:
   author: "Jérémy Gardais"
+  namespace: ipr-cnrs
+  role_name: nftables
   description: "Manage Nftables rules and packages"
   license: WTFPL
   company: IPR

molecule/archlinux/Dockerfile.j2

@@ -0,0 +1,7 @@
+FROM archlinux:latest
+ENV container=docker
+
+RUN pacman -Sy --noconfirm python
+
+VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+CMD ["/usr/sbin/init"]

molecule/archlinux/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/archlinux/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: archlinux
+    image: archlinux:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/archlinux/verify.yml

@@ -0,0 +1,72 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

molecule/default/converge.yml

@@ -1,7 +1,9 @@
 ---
 - name: Converge
   hosts: all
+  gather_facts: yes
   roles:
     - role: ipr-cnrs.nftables
-
-
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/default/molecule.yml

@@ -1,11 +1,54 @@
 ---
 dependency:
   name: galaxy
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
 driver:
   name: docker
 platforms:
-  - name: instance
-    image: ubuntu:latest
+
+  - name: systemd-ubuntu-latest
+    image: jrei/systemd-ubuntu:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-centos-latest
+    image: centos/systemd:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-debian-latest
+    image: jrei/systemd-debian:latest
+    command: /sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-fedora-latest
+    image: jrei/systemd-fedora:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
 provisioner:
   name: ansible
 verifier:

molecule/default/verify.yml

@@ -5,6 +5,68 @@
   hosts: all
   gather_facts: false
   tasks:
-  - name: Example assertion
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
     assert:
-      that: true
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

tasks/main.yml

@@ -13,7 +13,8 @@
   loop_control:
     loop_var: groupname
 
-- debug: var=nftables_group_rules
+- name: Debug nftables_group_rules
+  debug: var=nftables_group_rules
   when: nft_debug
 
 - name: Import nftables-variables if nft_merged_groups is set
@@ -36,7 +37,12 @@
   loop_control:
     loop_var: varfile
 
-- debug: var=nft_combined_rules
+- name: Debug nft_combined_rules
+  debug: var=nft_combined_rules
+  when: nft_debug
+
+- name: Debug ansible_os_family
+  debug: var=ansible_os_family
   when: nft_debug
 
 - name: Load specific OS vars for nftables
@@ -53,6 +59,7 @@
   package:
     name: '{{ nft_pkg_list | list }}'
     state: '{{ nft_pkg_state }}'
+    update_cache: true
   register: pkg_install_result
   until: pkg_install_result is success
   when: nft_enabled|bool
@@ -178,5 +185,4 @@
   register: nftables__register_systemd_service
   when: (nft_enabled|bool and
          nft_service_manage|bool)
-  notify: ['Restart nftables service']
-
+  notify: ['Restart nftables service']

vars/alpine.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Alpine
+nft_pkg_list:
+  - nftables

vars/archlinux.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Archlinux-based distros
+nft_pkg_list:
+  - nftables