Update git.ipr domain

This commit adds molecule tests for Gentoo.

Since the tests run inside docker and on systemd system, the host system
also needs to run systemd.

The tests create volumes in /srv/ so that artifacts that take a long
time to build and synchronize are reused between test runs.

This specific commit also fixes the error in ipr-cnrs/nftables#24

.ansible-lint

@@ -0,0 +1,4 @@
+skip_list:
+  - command-instead-of-module
+  - no-changed-when
+  - role-name

.github/workflows/main.yml

@@ -0,0 +1,23 @@
+---
+name: ipr-cnrs.nftables.molecule
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on:  ubuntu-latest
+    steps:
+
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          path: "${{ github.repository }}"
+
+      - name: molecule
+        uses: robertdebock/molecule-action@2.6.17

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

CHANGELOG.md

@@ -1,14 +1,27 @@
-## v1.X.Y
+## v2.0.1
+
+### Added
+* Molecule tests for Gentoo (many thanks to @VTimofeenko ! − PR #25).
+
+### Fixed
+* Separate repositories update from installation task (fix #24).
+
+## v2.0.0
 
 ### Added
 * New examples usecases (mostly for playbooks) in README.md.
 * New rules (disable by default) can be define in *forward* chain (thanks to
   @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
+* Gentoo-specific variables (thanks to @VTimofeenko − PR #22).
+* Ability to specify nft binary path through **nft__bin_location** (thanks to @VTimofeenko − PR #22).
 * Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
+* Molecule tests (on Archlinux, Ubuntu, CentOS, Debian and Fedora) (many thanks to @kravietz ! − PR #23).
+* Support for Debian Bullseye (everything should now works fine).
 
 ### Removed
-* Remove everything related to **in_udp_accept** (see conversation in PR #13).
+* Remove everything related to **in_udp_accept** (see conversation in
+  [Github PR #13](https://github.com/ipr-cnrs/nftables/pull/13)).
   Cause it was empty by default and the role currently doesn't manage it very
   well. Take a look to new examples in README.md to find your preferred solution
   (re-adding it, new simple/multi-ports filter rule,…).
@@ -16,8 +29,8 @@
 ### Fixed
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
-* Ensure to disable nftables systemd unit from old target.
+* Ensure to disable nftables systemd unit from old target (PR #20).
-* Move systemd "Protect" options for nftables to specific override.conf file.
+* Move systemd "Protect" options for nftables to specific override.conf file (PR #20).
 
 ## v1.7.0
 

README.md

@@ -89,6 +89,7 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.
 
 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
+* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]
 
 ### Rules Dictionaries
 
@@ -599,7 +600,7 @@ Jérémy Gardais
 * [IPR][ipr website] (Institut de Physique de Rennes)
 
 [gogs to github hook]: https://stackoverflow.com/a/21998477
-[nftables source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables
+[nftables source]: https://git.ipr.univ-rennes.fr/cellinfo/ansible.nftables
 [nftables github]: https://github.com/ipr-cnrs/nftables
 [wtfpl website]: http://www.wtfpl.net/about/
 [ipr website]: https://ipr.univ-rennes1.fr/

defaults/main.yml

@@ -609,3 +609,13 @@ nft_backup_conf: True
                                                                    # ]]]
                                                                    # ]]]
                                                                    # ]]]
+# OS specific variables defaults [[[
+# ----------------------------------
+
+# .. envvar:: nft__bin_location [[[
+#
+# Specify Nftables executable location.
+#
+nft__bin_location: '/usr/sbin/nft'
+                                                                   # ]]]
+                                                                   # ]]]

meta/main.yml

@@ -4,15 +4,31 @@ dependencies: []
 
 galaxy_info:
   author: "Jérémy Gardais"
+  namespace: ipr-cnrs
+  role_name: nftables
   description: "Manage Nftables rules and packages"
   license: WTFPL
   company: IPR
-  issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables/issues
+  issue_tracker_url: https://git.ipr.univ-rennes.fr/cellinfo/ansible.nftables/issues
-  min_ansible_version: 2.5
+  min_ansible_version: '2.5'
   platforms:
   - name: Debian
     versions:
+    - bullseye
+    - buster
     - stretch
+  - name: Archlinux
+    versions:
+    - all
+  - name: Fedora
+    versions:
+    - all
+  - name: Gentoo
+    versions:
+    - all
+  - name: Ubuntu
+    versions:
+    - focal
   galaxy_tags:
     - system
     - nftables

molecule/archlinux/Dockerfile.j2

@@ -0,0 +1,7 @@
+FROM archlinux:latest
+ENV container=docker
+
+RUN pacman -Sy --noconfirm python
+
+VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+CMD ["/usr/sbin/init"]

molecule/archlinux/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/archlinux/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: archlinux
+    image: archlinux:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/archlinux/verify.yml

@@ -0,0 +1,92 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for filter-input.nft
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: check for fail2ban systemd custom dir
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d
+    register: f2b_systemd_dir
+
+  - name: check fail2ban systemd custom dir
+    assert:
+      that:
+        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
+
+  - name: check for fail2ban systemd override
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d/override.conf
+    register: f2b_systemd_override
+
+  - name: check fail2ban systemd override
+    assert:
+      that:
+        - f2b_systemd_override.stat.exists
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

molecule/default/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/default/molecule.yml

@@ -0,0 +1,55 @@
+---
+dependency:
+  name: galaxy
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+driver:
+  name: docker
+platforms:
+
+  - name: systemd-ubuntu-latest
+    image: jrei/systemd-ubuntu:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-centos-latest
+    image: centos/systemd:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-debian-latest
+    image: jrei/systemd-debian:latest
+    command: /sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-fedora-latest
+    image: jrei/systemd-fedora:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/default/verify.yml

@@ -0,0 +1,92 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for filter-input.nft
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: check for fail2ban systemd custom dir
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d
+    register: f2b_systemd_dir
+
+  - name: check fail2ban systemd custom dir
+    assert:
+      that:
+        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
+
+  - name: check for fail2ban systemd override
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d/override.conf
+    register: f2b_systemd_override
+
+  - name: check fail2ban systemd override
+    assert:
+      that:
+        - f2b_systemd_override.stat.exists
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

molecule/gentoo/Dockerfile.j2

@@ -0,0 +1,5 @@
+FROM gentoo/stage3:systemd
+ENV container=docker
+
+VOLUME ["/sys/fs/cgroup"]
+CMD ["/sbin/init"]

molecule/gentoo/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/gentoo/molecule.yml

@@ -0,0 +1,21 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: Gentoo
+    image: gentoo/stage3:systemd
+    command: /sbin/init
+    privileged: true
+    volumes:
+      - /srv/gentoo-molecule/gentoo-repo:/var/db/repos/gentoo
+      - /srv/gentoo-molecule/binpkgs:/var/cache/binpkgs
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/gentoo/prepare.yml

@@ -0,0 +1,34 @@
+# Taken from https://github.com/VTimofeenko/portage-overlay-cfg on commit d8914035e236c4f3819985098dd1ae36551bfc52
+# If bugs are found – check that repository
+# Since Gentoo builds from source, to save time on molecule tests, we should reuse artifacts as much as possible
+# This playbook performs the initial setup of a Gentoo container
+# It configures portage to try to use prebuilt packages if available and to save the built packages.
+---
+- name: Run preparation playbook
+  hosts: Gentoo
+  tasks:
+    - name: Enable buildpkg feature
+      lineinfile:
+        line: "FEATURES='buildpkg'"
+        dest: /etc/portage/make.conf
+        state: present
+    - name: Enable trying to install from binpkgs by default
+      lineinfile:
+        line: "EMERGE_DEFAULT_OPTS='--usepkg'"
+        dest: /etc/portage/make.conf
+        state: present
+    - name: Synchronize gentoo repository if needed
+      block:
+        - name: Check if there is anything in the repo
+          find:
+            paths: '/var/db/repos/gentoo/'
+          register: find_files_in_repo
+        - name: Synchronize the repo if needed
+          command: "emaint sync -a"
+          when: find_files_in_repo.matched == 0
+
+    - name: Install equery, needed for package check
+      # Command, because equery does not exist yet
+      command: emerge --changed-use --oneshot app-portage/gentoolkit
+      changed_when: false
+# The rest of the original file is specific to that role and not needed here

molecule/gentoo/verify.yml

@@ -0,0 +1,92 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for filter-input.nft
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: check for fail2ban systemd custom dir
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d
+    register: f2b_systemd_dir
+
+  - name: check fail2ban systemd custom dir
+    assert:
+      that:
+        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
+
+  - name: check for fail2ban systemd override
+    stat:
+      path: /etc/systemd/system/fail2ban.service.d/override.conf
+    register: f2b_systemd_override
+
+  - name: check fail2ban systemd override
+    assert:
+      that:
+        - f2b_systemd_override.stat.exists
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

tasks/main.yml

@@ -13,7 +13,8 @@
   loop_control:
     loop_var: groupname
 
-- debug: var=nftables_group_rules
+- name: Debug nftables_group_rules
+  debug: var=nftables_group_rules
   when: nft_debug
 
 - name: Import nftables-variables if nft_merged_groups is set
@@ -36,7 +37,12 @@
   loop_control:
     loop_var: varfile
 
-- debug: var=nft_combined_rules
+- name: Debug nft_combined_rules
+  debug: var=nft_combined_rules
+  when: nft_debug
+
+- name: Debug ansible_os_family
+  debug: var=ansible_os_family
   when: nft_debug
 
 - name: Load specific OS vars for nftables
@@ -49,6 +55,12 @@
     loop_var: osname
 
 # Manage packages [[[1
+- name: Update repositories
+  package:
+    update_cache: true
+  when: (nft_enabled|bool and
+         ansible_os_family not in [ 'Gentoo' ])
+
 - name: Ensure Nftables packages are in their desired state
   package:
     name: '{{ nft_pkg_list | list }}'
@@ -194,7 +206,7 @@
   file:
     path: "{{ nft__service_override_path | dirname }}"
     state: directory
-    recurse: yes
+    mode: '0755'
   when:
     - nft_enabled|bool
     - nft_service_manage|bool
@@ -219,7 +231,7 @@
   file:
     path: "{{ nft__fail2ban_service_unit_path | dirname }}"
     state: directory
-    recurse: yes
+    mode: '0755'
   when:
     - nft_enabled|bool
     - nft_service_manage|bool

templates/etc/nftables.conf.j2

@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!/usr/sbin/nft -f
+#!{{ nft__bin_location }} -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}

templates/lib/systemd/system/nftables.service.j2

@@ -13,9 +13,9 @@ RemainAfterExit=yes
 StandardInput=null
 ProtectSystem=full
 ProtectHome=true
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecStop=/usr/sbin/nft flush ruleset
+ExecStop={{ nft__bin_location }} flush ruleset
 
 [Install]
 WantedBy=sysinit.target

vars/alpine.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Alpine
+nft_pkg_list:
+  - nftables

vars/archlinux.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Archlinux-based distros
+nft_pkg_list:
+  - nftables

vars/gentoo.yml

@@ -0,0 +1,5 @@
+---
+# vars file for Gentoo
+nft_pkg_list:
+  - net-firewall/nftables
+nft__bin_location: "/sbin/nft"