diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
index c87d14e..f56e7c3 100644
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@@ -1,11 +1,46 @@
 ---
 - name: Verify
   hosts: all
-  gather_facts: true
-
+  become: true
+  gather_facts: false
   tasks:
-    - name: Add verification tasks here
+    - name: Read the rendered ruleset
+      ansible.builtin.slurp:
+        src: /etc/nftables.conf
+      register: ruleset
+
+    - name: Decode it
+      ansible.builtin.set_fact:
+        nft: "{{ ruleset.content | b64decode }}"
+
+    - name: Assert default-deny input policy and management plane
       ansible.builtin.assert:
-        that: true
-        msg: "Replace this with real assertions"
-      tags: [verify]
+        that:
+          - "'type filter hook input priority 0; policy drop;' in nft"
+          - "'ct state established,related accept' in nft"
+          - "'iifname \"wt0\" tcp dport 22 accept' in nft"
+        fail_msg: "input chain is missing default-deny or the management plane"
+
+    - name: Assert the lan->reverse_proxy:443 ingress rule (zone source)
+      ansible.builtin.assert:
+        that:
+          - "'10.30.0.0/24' in nft"
+          - "'tcp dport 443 accept' in nft"
+        fail_msg: "missing lan->443 rule for reverse_proxy"
+
+    - name: Assert the srv->photoprism:2342 ingress rule (zone source)
+      ansible.builtin.assert:
+        that:
+          - "'10.20.0.0/24' in nft"
+          - "'tcp dport 2342 accept' in nft"
+        fail_msg: "missing srv->2342 rule for photoprism"
+
+    - name: Assert the docker_host extension hook is present
+      ansible.builtin.assert:
+        that:
+          - "'include \"/etc/nftables.d/*.nft\"' in nft"
+        fail_msg: "missing drop-in include hook"
+
+    - name: Syntax-check the rendered ruleset (no apply)
+      ansible.builtin.command: nft -c -f /etc/nftables.conf
+      changed_when: false
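Review bot: The two "zone source" assertions do not actually verify that the source restriction is attached to the port rule: `'10.30.0.0/24' in nft` and `'tcp dport 443 accept' in nft` are independent substring checks over the whole ruleset, so a rendering that accepts 443 from any source and merely mentions 10.30.0.0/24 elsewhere (for example in a different chain) still passes, and the same applies to the 10.20.0.0/24 / 2342 pair. Since the task names explicitly claim the source is checked, each pair should be collapsed into one assertion on the complete rule as the template renders it, e.g. `- "'ip saddr 10.30.0.0/24 tcp dport 443 accept' in nft"` and `- "'ip saddr 10.20.0.0/24 tcp dport 2342 accept' in nft"` — the exact token order is inferred from the other assertions here, so copy it from the rendered output (or from the template) rather than from this note. It would also be worth moving the `nft -c -f` syntax check ahead of the substring assertions, so that a ruleset the kernel would reject fails with the parser's message instead of a misleading "missing rule" failure.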