14 changed files with 19 additions and 256 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,4 +0,0 @@
 skip_list:
  - command-instead-of-module
  - no-changed-when
  - role-name
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -1,23 +1,20 @@
 ---
-name: ipr-cnrs.nftables.molecule
+name: Molecule
 on:
  push:
-    branches: [master]
+    branches: [main]
  pull_request:
-    branches: [master]
+    branches: [main]
  workflow_dispatch:
 jobs:
-  test:
+  build:
-    runs-on:  ubuntu-latest
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
-      - name: checkout
+      - name: Ansible Molecule
-        uses: actions/checkout@v2
+        uses: MonolithProjects/action-molecule@v1.4.3
        with:
          path: "${{ github.repository }}"
      - name: molecule
        uses: robertdebock/molecule-action@2.6.17
--- a/meta/main.yml
+++ b/meta/main.yml
@ -4,8 +4,6 @@ dependencies: []
 galaxy_info:
  author: "Jérémy Gardais"
  namespace: ipr-cnrs
  role_name: nftables
  description: "Manage Nftables rules and packages"
  license: WTFPL
  company: IPR
--- a/molecule/archlinux/Dockerfile.j2
+++ b/molecule/archlinux/Dockerfile.j2
@ -1,7 +0,0 @@
 FROM archlinux:latest
 ENV container=docker
 RUN pacman -Sy --noconfirm python
 VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
 CMD ["/usr/sbin/init"]
--- a/molecule/archlinux/converge.yml
+++ b/molecule/archlinux/converge.yml
@ -1,9 +0,0 @@
 ---
 - name: Converge
  hosts: all
  gather_facts: yes
  roles:
    - role: ipr-cnrs.nftables
      nft_debug: true
      # can't remove iptables on an instance with docker
      nft_old_pkg_manage: false
--- a/molecule/archlinux/molecule.yml
+++ b/molecule/archlinux/molecule.yml
@ -1,19 +0,0 @@
 ---
 dependency:
  name: galaxy
 driver:
  name: docker
 platforms:
  - name: archlinux
    image: archlinux:latest
    command: /usr/sbin/init
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /tmp
 provisioner:
  name: ansible
 verifier:
  name: ansible
--- a/molecule/archlinux/verify.yml
+++ b/molecule/archlinux/verify.yml
@ -1,72 +0,0 @@
 ---
 # This is an example playbook to execute Ansible tests.
 - name: Verify
  hosts: all
  gather_facts: false
  tasks:
  - name: check for nftables.d
    stat:
      path: /etc/nftables.d
    register: p
  - name: check nftables.d
    assert:
      that:
        - p.stat.exists and p.stat.isdir
  - name: check for nftables.conf
    stat:
      path: /etc/nftables.conf
    register: p
  - name: check nftables.conf
    assert:
      that:
        - p.stat.exists
  - name: check for nftables.conf
    stat:
      path: /etc/nftables.d/filter-input.nft
    register: p
  - name: check filter-input.nft
    assert:
      that:
        - p.stat.exists
  - name: list rules
    command: nft list ruleset
    register: nft
  - name: debug rules
    debug: var=nft
  - name: check rules
    assert:
      that:
        # The whole line is:
        # type filter hook input priority 0; policy drop;
        # However on CentOS will return "priority 0", while Debian will
        # show "priority filter"
        - '"type filter hook input" in nft.stdout'
        - '"type filter hook output" in nft.stdout'
  - name: service status - active
    command: systemctl is-active nftables.service
    register: status
  - name: check service status
    assert:
      that:
        - 'status.stdout == "active"'
  - name: service status - enabled
    command: systemctl is-enabled nftables.service
    register: status
  - name: check service status
    assert:
      that:
        - 'status.stdout == "enabled"'
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -1,9 +1,7 @@
 ---
 - name: Converge
  hosts: all
  gather_facts: yes
  roles:
    - role: ipr-cnrs.nftables
-      nft_debug: true
+
-      # can't remove iptables on an instance with docker
+
      nft_old_pkg_manage: false
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -1,54 +1,11 @@
 ---
 dependency:
  name: galaxy
 lint: |
  set -e
  yamllint .
  ansible-lint
 driver:
  name: docker
 platforms:
-
+  - name: instance
-  - name: systemd-ubuntu-latest
+    image: ubuntu:latest
    image: jrei/systemd-ubuntu:latest
    command: /usr/sbin/init
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /tmp
  - name: systemd-centos-latest
    image: centos/systemd:latest
    command: /usr/sbin/init
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /tmp
  - name: systemd-debian-latest
    image: jrei/systemd-debian:latest
    command: /sbin/init
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /tmp
  - name: systemd-fedora-latest
    image: jrei/systemd-fedora:latest
    command: /usr/sbin/init
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /tmp
 provisioner:
  name: ansible
 verifier:
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -5,68 +5,6 @@
  hosts: all
  gather_facts: false
  tasks:
-
+  - name: Example assertion
  - name: check for nftables.d
    stat:
      path: /etc/nftables.d
    register: p
  - name: check nftables.d
    assert:
-      that:
+      that: true
        - p.stat.exists and p.stat.isdir
  - name: check for nftables.conf
    stat:
      path: /etc/nftables.conf
    register: p
  - name: check nftables.conf
    assert:
      that:
        - p.stat.exists
  - name: check for nftables.conf
    stat:
      path: /etc/nftables.d/filter-input.nft
    register: p
  - name: check filter-input.nft
    assert:
      that:
        - p.stat.exists
  - name: list rules
    command: nft list ruleset
    register: nft
  - name: debug rules
    debug: var=nft
  - name: check rules
    assert:
      that:
        # The whole line is:
        # type filter hook input priority 0; policy drop;
        # However on CentOS will return "priority 0", while Debian will
        # show "priority filter"
        - '"type filter hook input" in nft.stdout'
        - '"type filter hook output" in nft.stdout'
  - name: service status - active
    command: systemctl is-active nftables.service
    register: status
  - name: check service status
    assert:
      that:
        - 'status.stdout == "active"'
  - name: service status - enabled
    command: systemctl is-enabled nftables.service
    register: status
  - name: check service status
    assert:
      that:
        - 'status.stdout == "enabled"'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -13,8 +13,7 @@
  loop_control:
    loop_var: groupname
- name: Debug nftables_group_rules
+- debug: var=nftables_group_rules
  debug: var=nftables_group_rules
  when: nft_debug
 - name: Import nftables-variables if nft_merged_groups is set
@ -37,12 +36,7 @@
  loop_control:
    loop_var: varfile
- name: Debug nft_combined_rules
+- debug: var=nft_combined_rules
  debug: var=nft_combined_rules
  when: nft_debug
 - name: Debug ansible_os_family
  debug: var=ansible_os_family
  when: nft_debug
 - name: Load specific OS vars for nftables
@ -59,7 +53,6 @@
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
    update_cache: true
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled|bool
@ -185,4 +178,5 @@
  register: nftables__register_systemd_service
  when: (nft_enabled|bool and
         nft_service_manage|bool)
-  notify: ['Restart nftables service']
+  notify: ['Restart nftables service']
--- a/vars/alpine.yml
+++ b/vars/alpine.yml
@ -1,4 +0,0 @@
 ---
 # vars file for Alpine
 nft_pkg_list:
  - nftables
--- a/vars/archlinux.yml
+++ b/vars/archlinux.yml
@ -1,4 +0,0 @@
 ---
 # vars file for Archlinux-based distros
 nft_pkg_list:
  - nftables
--- a/vars/centos.yml
+++ b/vars/centos.yml