boma/tests/integration/verify.yml
sjat b1aa0f49d9 fix(integration): verify probes :80 without following redirects
Accept caddy's 308 on :80 as proof the DNAT+forward path is alive; don't follow into https (tls internal has no cert for a bare-IP request). This load-bearing end-to-end check is what caught the br-+/br-* nftables-wildcard bug that the string-presence assert missed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 16:57:47 +02:00


---
# Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
# reboot. The load-bearing check probes the VM's published :80 FROM the controller
# (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
- name: Verify the rebooted host
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Docker daemon is active
      ansible.builtin.assert:
        that: "ansible_facts.services['docker.service'].state == 'running'"
        fail_msg: "docker.service is not running"

    - name: Forward chain permits container traffic (drop-in loaded)
      ansible.builtin.command: nft list chain inet filter forward
      register: _fwd
      changed_when: false

    - name: Assert container forwarding is allowed (not pure drop)
      ansible.builtin.assert:
        that: "'accept' in _fwd.stdout"
        fail_msg: >-
          forward chain is pure drop — container forwarding will die on reboot
          (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.

    - name: Published port answers from the controller (DNAT + forward alive)
      delegate_to: localhost
      become: false
      ansible.builtin.uri:
        # Probe :80 (plain HTTP) — any answer proves the published-port DNAT + forward path
        # is alive. Don't follow caddy's HTTP->HTTPS redirect (its `tls internal` has no
        # cert for a bare-IP HTTPS request); the 308 itself proves the path works.
        url: "http://{{ ansible_host }}/"
        follow_redirects: none
        status_code: [200, 301, 308, 404, 502, 503]
        timeout: 10
      register: _probe
      retries: 5
      delay: 6
      until: _probe is succeeded
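The same probe outside Ansible, as an added example that is not part of the boma repository: a Python check that GETs :80 without following redirects, treats caddy's 308 (or any status in the playbook's list) as proof the DNAT + forward path is alive, and reports "nothing answered" as the failure mode. The 308 server is a constructed stand-in for caddy so the check can be exercised on loopback; `probe_published_port` and the demo helpers are assumed names.

```python
import socket
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Any of these on plain :80 proves the published-port DNAT + forward path is alive;
# caddy's 308 to https is the expected answer, and "no answer at all" is the failure.
ALIVE_STATUSES = {200, 301, 308, 404, 502, 503}

def probe_published_port(host, port=80, timeout=10):
    """GET / over plain HTTP without following redirects; returns ('alive', status),
    ('unexpected', status) or ('dead', error) when nothing answered (DNAT/forward broken)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")  # http.client never follows redirects on its own
        resp = conn.getresponse()
        resp.read()
        return ("alive" if resp.status in ALIVE_STATUSES else "unexpected", resp.status)
    except OSError as exc:  # timeouts and refused connections are both OSError subclasses
        return ("dead", type(exc).__name__)
    finally:
        conn.close()

class _CaddyLikeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for caddy on :80: answers every GET with a 308 to https."""
    def do_GET(self):
        self.send_response(308)
        self.send_header("Location", "https://%s/" % self.headers.get("Host", "localhost"))
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo server quiet
        pass

def run_local_demo():
    """Start the stand-in on an ephemeral loopback port, probe it, return the verdict."""
    server = HTTPServer(("127.0.0.1", 0), _CaddyLikeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_published_port("127.0.0.1", server.server_address[1], timeout=5)
    finally:
        server.shutdown()
        server.server_close()

def run_dead_demo():
    """Probe a loopback port nobody listens on: the 'nothing answers' failure mode."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return probe_published_port("127.0.0.1", port, timeout=2)
```

Against a real host, `probe_published_port("<vm-ip>")` returns `('alive', 308)` when the forward path works and `('dead', 'TimeoutError')` when the forward-drop has killed DNAT.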