diff --git a/roles/base/molecule/default/converge.yml b/roles/base/molecule/default/converge.yml
index 66c9ebe..59a1284 100644
--- a/roles/base/molecule/default/converge.yml
+++ b/roles/base/molecule/default/converge.yml
@@ -6,6 +6,11 @@
 vars:
 base__firewall_apply: false
 base__firewall_control_addr: 10.10.0.99 # test control-node LAN address
+ # Exercise the mesh concern's include path with the live actions gated off, so it
+ # runs hermetically (no coordinator/key needed) and must be a clean no-op.
+ base__mesh_enabled: true
+ base__mesh_manage: false
+ base__mesh_setup_key: "dummy-molecule-key"
 firewall_zones:
 lan: 10.30.0.0/24
 srv: 10.20.0.0/24
diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
index 1b1fa30..d1e0551 100644
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@@ -57,3 +57,16 @@
 - name: Fail2ban sshd jail configured
 ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
 changed_when: false
+
+ # mesh concern: enabled but manage=false must be a clean no-op (no install/enrol)
+ - name: Check whether netbird got installed
+ ansible.builtin.command: which netbird
+ register: _nb
+ changed_when: false
+ failed_when: false
+ - name: Assert mesh manage=false installed nothing
+ ansible.builtin.assert:
+ that:
+ - _nb.rc != 0
+ fail_msg: "netbird must not be installed when base__mesh_manage is false"
+ success_msg: "mesh concern is a clean no-op under manage=false"
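Review bot: In the converge.yml hunk, the added comment says the run needs "no coordinator/key", yet the next lines set `base__mesh_setup_key: "dummy-molecule-key"`, so a reader cannot tell whether the role requires the variable even when `base__mesh_manage` is false. If the value only exists to satisfy a variable check in the role (not visible in this hunk), say so on that line, for example `# placeholder, never a real setup key; only satisfies the role's variable check while manage=false`. That also makes it clear to secret scanners and later editors that a real enrolment key must never be pasted here. The `vars:` mapping continues outside the hunk.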
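Review bot: In the verify.yml hunk, the check `ansible.builtin.command: which netbird` combined with `failed_when: false` can pass without checking anything: if `which` is missing from the test image, the task still ends with a non-zero `rc`, and `_nb.rc != 0` then reports success. The check also depends on the `PATH` of the verify session, so a binary installed outside it would go unnoticed. Consider a probe that does not rely on an optional package, such as `ansible.builtin.shell: command -v netbird`, and pin the expected "not found" code with `- _nb.rc == 1` so that a probe that could not run fails the assert. The comment promises "no install/enrol", but only the binary's presence is tested; either narrow the comment or add a check for the package or service state.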