test(base): molecule coverage for the mesh concern (manage-off no-op)

Converge enables mesh with base__mesh_manage:false (+ dummy key) so the include path runs hermetically; verify asserts netbird is not installed — proving the concern is a clean no-op when the live actions are gated off. Existing firewall/ ssh/fail2ban assertions unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 16:11:02 +02:00 · 2026-06-17 16:11:02 +02:00 · 9b3f8f826f
commit 9b3f8f826f
parent 44c4978b5f
2 changed files with 18 additions and 0 deletions
--- a/roles/base/molecule/default/converge.yml
+++ b/roles/base/molecule/default/converge.yml
@ -6,6 +6,11 @@
  vars:
    base__firewall_apply: false
    base__firewall_control_addr: 10.10.0.99   # test control-node LAN address
+    # Exercise the mesh concern's include path with the live actions gated off, so it
+    # runs hermetically (no coordinator/key needed) and must be a clean no-op.
+    base__mesh_enabled: true
+    base__mesh_manage: false
+    base__mesh_setup_key: "dummy-molecule-key"
    firewall_zones:
      lan: 10.30.0.0/24
      srv: 10.20.0.0/24
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@ -57,3 +57,16 @@
    - name: Fail2ban sshd jail configured
      ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
      changed_when: false
+
+    # mesh concern: enabled but manage=false must be a clean no-op (no install/enrol)
+    - name: Check whether netbird got installed
+      ansible.builtin.command: which netbird
+      register: _nb
+      changed_when: false
+      failed_when: false
+    - name: Assert mesh manage=false installed nothing
+      ansible.builtin.assert:
+        that:
+          - _nb.rc != 0
+        fail_msg: "netbird must not be installed when base__mesh_manage is false"
+        success_msg: "mesh concern is a clean no-op under manage=false"