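---
# Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
# reboot. The load-bearing check probes the VM's published :80 FROM the controller
# (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
#
# Ordering matters: the nft and docker checks run on the rebooted host with root
# (play-level become), the final probe runs unprivileged on the controller.
- name: Verify the rebooted host
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    # Check presence first: indexing a missing 'docker.service' key would raise a
    # templating error instead of the readable fail_msg. assert stops at the first
    # failing expression, so the state check never runs on an absent unit.
    - name: Docker daemon is active
      ansible.builtin.assert:
        that:
          - "'docker.service' in ansible_facts.services"
          - "ansible_facts.services['docker.service'].state == 'running'"
        fail_msg: "docker.service is absent or not running"

    # Read-only inspection of the live ruleset (needs root, inherited from the play).
    - name: Forward chain permits container traffic (drop-in loaded)
      ansible.builtin.command: nft list chain inet filter forward
      register: _fwd
      changed_when: false

    # NOTE(review): a substring match on 'accept' is a weak oracle — any accept rule
    # in the chain (e.g. a stateful established/related rule, if base ships one)
    # satisfies it without proving container traffic is forwarded. Matching the text
    # of the rule the docker_host drop-in installs would be stronger — TODO confirm
    # what that drop-in adds before tightening this.
    - name: Assert container forwarding is allowed (not pure drop)
      ansible.builtin.assert:
        that: "'accept' in _fwd.stdout"
        fail_msg: >-
          forward chain is pure drop — container forwarding will die on reboot
          (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.

    # Runs on the controller, unprivileged: an HTTP GET needs no root, and the point
    # is to traverse DNAT + forward from outside the host rather than via loopback.
    - name: Published port answers from the controller (DNAT + forward alive)
      delegate_to: localhost
      become: false
      ansible.builtin.uri:
        # Probe :80 (plain HTTP) — any answer proves the published-port DNAT + forward path
        # is alive. Don't follow caddy's HTTP->HTTPS redirect (its `tls internal` has no
        # cert for a bare-IP HTTPS request); the 308 itself proves the path works.
        # Fall back to the inventory name when no explicit ansible_host is set, so the
        # probe still targets the rebooted host rather than failing on an undefined var.
        url: "http://{{ ansible_host | default(inventory_hostname) }}/"
        follow_redirects: none
        # 4xx/5xx are accepted on purpose: this verifies the network path, not the app.
        status_code: [200, 301, 308, 404, 502, 503]
        timeout: 10
      register: _probe
      # Up to 5 x (10s timeout + 6s delay) gives Docker time to finish bringing
      # containers up after the reboot before the check is declared failed.
      retries: 5
      delay: 6
      until: _probe is succeeded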