fix(base): iifname for load-time safety; zone-source molecule fixture

nft -c rejects iif "wt0" when the interface is absent (container, or any host before NetBird); iifname matches by name and is robust to wt0 coming/going. Drop the ansible_host fixture override (the docker connection uses it as the container name) — molecule covers zone resolution, pytest covers service->IP.
2026-06-06 19:02:50 +02:00 · 2026-06-06 19:02:50 +02:00 · bca74458fb
commit bca74458fb
parent eeab5ed8de
3 changed files with 3 additions and 4 deletions
--- a/roles/base/molecule/default/converge.yml
+++ b/roles/base/molecule/default/converge.yml
@ -17,6 +17,6 @@
      photoprism:
        host: instance
        ingress:
-          - { from: reverse_proxy, port: 2342, proto: tcp }
+          - { from: srv, port: 2342, proto: tcp }
  roles:
    - role: base
--- a/roles/base/molecule/default/molecule.yml
+++ b/roles/base/molecule/default/molecule.yml
@ -26,7 +26,6 @@ provisioner:
    host_vars:
      instance:
        ansible_user: root
-        ansible_host: 10.20.0.50

 verifier:
  name: ansible
--- a/roles/base/templates/nftables.conf.j2
+++ b/roles/base/templates/nftables.conf.j2
@ -5,10 +5,10 @@ flush ruleset
 table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
-    iif "lo" accept
+    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
-    iif "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
+    iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept
 {% for r in base__firewall_resolved %}