boma/roles/integration_test/molecule/default/converge.yml

---
# KVM/libvirt APT packages cannot be installed in the Docker Molecule container
# (no internet; KVM unusable in a container). This converge exercises only the
# nftables drop-in rendering via tasks_from, which IS meaningful in a container.
# The full role (packages/libvirt) is exercised by make test-integration.
#
# Coverage split:
#   Docker Molecule (this file): nftables drop-in rendering only.
#   make test-integration (ADR-025, real KVM): libvirt/KVM package install, cache
#     dir creation, and end-to-end VM lifecycle — the role's substrate tasks.
# The Docker scenario intentionally covers only the firewall drop-in; substrate
# coverage lives in the real-KVM integration harness, not here.
- name: Converge
  hosts: all
  become: true
  gather_facts: true
  tasks:
    - name: Include integration_test firewall tasks
      ansible.builtin.include_role:
        name: integration_test
        tasks_from: firewall.yml
feat(integration_test): KVM/libvirt substrate role on the control node 2026-06-18 12:03:44 +02:00			`---`
feat(integration_test): Ansible-manage virbr-boma nftables input allow Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-19 22:29:45 +02:00			`# KVM/libvirt APT packages cannot be installed in the Docker Molecule container`
			`# (no internet; KVM unusable in a container). This converge exercises only the`
			`# nftables drop-in rendering via tasks_from, which IS meaningful in a container.`
			`# The full role (packages/libvirt) is exercised by make test-integration.`
fix(integration): real wait_for_ip arp-fallback test + document substrate coverage gap Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-19 22:41:11 +02:00			`#`
			`# Coverage split:`
			`# Docker Molecule (this file): nftables drop-in rendering only.`
			`# make test-integration (ADR-025, real KVM): libvirt/KVM package install, cache`
			`# dir creation, and end-to-end VM lifecycle — the role's substrate tasks.`
			`# The Docker scenario intentionally covers only the firewall drop-in; substrate`
			`# coverage lives in the real-KVM integration harness, not here.`
feat(integration_test): KVM/libvirt substrate role on the control node 2026-06-18 12:03:44 +02:00			`- name: Converge`
			`hosts: all`
			`become: true`
			`gather_facts: true`
feat(integration_test): Ansible-manage virbr-boma nftables input allow Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-19 22:29:45 +02:00			`tasks:`
			`- name: Include integration_test firewall tasks`
			`ansible.builtin.include_role:`
			`name: integration_test`
			`tasks_from: firewall.yml`