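---
# Package-install and cache-dir tasks are skipped (converge runs `firewall` tag only;
# KVM/libvirt packages cannot be fetched in the Docker container). This scenario
# verifies the nftables drop-in renders correctly.
- name: Verify
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Read the libvirt bridge nftables drop-in
      ansible.builtin.slurp:
        src: /etc/nftables.d/10-libvirt-boma.nft
      register: _dropin

    # Decode once so every assertion inspects the same text and the
    # failure message can quote what was actually rendered.
    - name: Decode the drop-in contents
      ansible.builtin.set_fact:
        _dropin_text: "{{ _dropin.content | b64decode }}"

    # Two independent substring checks would also pass for a file that
    # references virbr-boma in a drop rule and accepts something unrelated,
    # so require the bridge name and the accept verdict on the same line.
    # Assumes the rendered rule keeps match and verdict on one line, as
    # nft rule syntax normally does (verdict last) — confirm against the
    # template if the format changes.
    - name: Assert drop-in contains virbr-boma accept rule
      ansible.builtin.assert:
        that:
          - "'virbr-boma' in _dropin_text"
          - "_dropin_text is search('virbr-boma.*accept')"
        fail_msg: "No 'virbr-boma ... accept' rule found in drop-in: {{ _dropin_text }}"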