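---
# Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
# reboot. The load-bearing check probes the VM's published :443 FROM the controller
# (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
#
# Checks, in order:
#   1. docker.service is known to systemd and running.
#   2. The inet/filter forward chain contains an accept rule (ruleset-level hint).
#   3. An HTTPS request from the controller to the host gets any HTTP answer
#      (the end-to-end proof; 1 and 2 only narrow down a failure).
- name: Verify the rebooted host
  hosts: all
  become: true
  # Only service facts are needed; skip the full setup run.
  gather_facts: false
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Docker daemon is active
      ansible.builtin.assert:
        that:
          # Guard first: if the unit is absent, the lookup below would raise an
          # undefined-variable error instead of reporting fail_msg.
          - "'docker.service' in ansible_facts.services"
          - "ansible_facts.services['docker.service'].state == 'running'"
        fail_msg: "docker.service is not running"

    - name: Forward chain permits container traffic (drop-in loaded)
      ansible.builtin.command: nft list chain inet filter forward
      register: _fwd
      # Read-only listing; never report a change.
      changed_when: false

    - name: Assert container forwarding is allowed (not pure drop)
      ansible.builtin.assert:
        # NOTE(review): this is a substring match, so any rule containing
        # "accept" satisfies it (for example an established/related rule, if the
        # base chain has one). It shows the chain is not *only* drop; it does not
        # show that the container-forward drop-in itself is loaded. Consider
        # matching text specific to that drop-in. The HTTPS probe below is the
        # check that actually proves forwarding works.
        that: "'accept' in _fwd.stdout"
        fail_msg: >-
          forward chain is pure drop — container forwarding will die on reboot
          (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.

    - name: Published HTTPS port answers from the controller (DNAT + forward alive)
      # Run on the controller so the request crosses the host's DNAT and forward
      # path from outside; no privilege escalation is needed there.
      delegate_to: localhost
      become: false
      ansible.builtin.uri:
        url: "https://{{ ansible_host }}/"
        # Certificate validation is off, so this proves only that something
        # answers TLS on :443 at that address, not that it is the intended
        # service. Acceptable here because nothing from the response is used;
        # do not extend this task to consume the response while this stays false.
        validate_certs: false
        # Any of these HTTP statuses counts as "reachable"; a timeout or refused
        # connection is what fails the task. Presumably 502/503 are accepted so
        # that a proxy with no healthy backend still passes — confirm.
        status_code: [200, 308, 404, 502, 503]
        timeout: 10
      register: _probe
      # Up to 5 attempts, 6 s apart, to let published services come up after
      # the reboot.
      retries: 5
      delay: 6
      until: _probe is succeeded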