Switch tests to use Molecule.

.gitignore

@@ -1,2 +1,3 @@
 *.retry
-tests/test.sh
+*/__pycache__
+*.pyc

.travis.yml

@@ -1,32 +1,31 @@
 ---
+language: python
 services: docker
 
 env:
-  - distro: centos7
-  - distro: centos6
-  # - distro: ubuntu1804
-  - distro: ubuntu1604
-  # - distro: debian9
-  - distro: debian8
-  - distro: fedora27
+  global:
+    - ROLE_NAME: security
+  matrix:
+    - MOLECULE_DISTRO: centos7
+      MOLECULE_DOCKER_COMMAND: /usr/lib/systemd/systemd
+    - MOLECULE_DISTRO: centos6
+    - MOLECULE_DISTRO: fedora27
+    - MOLECULE_DISTRO: ubuntu1604
+    - MOLECULE_DISTRO: debian8
 
-script:
-  # Configure test script so we can run extra tests after playbook is run.
-  - export container_id=$(date +%s)
-  - export cleanup=false
+install:
+  # Install test dependencies.
+  - pip install molecule docker
 
-  # Download test shim.
-  - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/
-  - chmod +x ${PWD}/tests/test.sh
+before_script:
+  # Use actual Ansible Galaxy role name for the project directory.
+  - cd ../
+  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
+  - cd geerlingguy.$ROLE_NAME
 
+script:
   # Run tests.
-  - ${PWD}/tests/test.sh
-
-  # Make sure fail2ban process is running.
-  - >
-    sudo docker exec ${container_id} ps -ax | grep -q 'fail2ban'
-    && (echo 'fail2ban is on: pass' && exit 0)
-    || (echo 'fail2ban is on: fail' && exit 1)
+  - molecule test
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

meta/main.yml

@@ -10,16 +10,16 @@ galaxy_info:
   platforms:
     - name: EL
       versions:
-      - all
+        - all
     - name: Fedora
       versions:
-      - all
+        - all
     - name: Debian
       versions:
-      - all
+        - all
     - name: Ubuntu
       versions:
-      - all
+        - all
   galaxy_tags:
     - system
     - security

molecule/default/molecule.yml

@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+  options:
+    config-file: molecule/default/yaml-lint.yml
+platforms:
+  - name: instance
+    image: geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible
+    command: ${MOLECULE_DOCKER_COMMAND:-"sleep infinity"}
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

tests/test.yml → molecule/default/playbook.yml

@@ -1,38 +1,41 @@
-- hosts: all
+---
+- name: Converge
+  hosts: all
+  become: true
 
   pre_tasks:
     - name: Update apt cache.
-      package: update_cache=yes cache_valid_time=600
+      package: update_cache=true cache_valid_time=600
       when: ansible_os_family == 'Debian'
 
     - name: Ensure build dependencies are installed (RedHat).
-      package: 'name="{{ item }}" state=present'
-      with_items:
-        - openssh-server
-        - openssh-clients
+      package:
+        name:
+          - openssh-server
+          - openssh-clients
+        state: present
       when: ansible_os_family == 'RedHat'
 
     - name: Ensure build dependencies are installed (Fedora).
-      package: 'name="{{ item }}" state=present'
-      with_items:
-        - procps
+      package: name=procps state=present
       when: ansible_distribution == 'Fedora'
 
     - name: Ensure build dependencies are installed (Debian).
-      package: 'name="{{ item }}" state=present'
-      with_items:
-        - openssh-server
-        - openssh-client
+      package:
+        name:
+          - openssh-server
+          - openssh-client
+        state: present
       when: ansible_os_family == 'Debian'
 
     - name: Ensure auth.log file is present.
       copy:
         dest: /var/log/auth.log
         content: ""
-        force: no
+        force: false
       when: >
         (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04') or
         (ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie')
 
   roles:
-    - role_under_test
+    - role: geerlingguy.security

molecule/default/tests/test_default.py

@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_hosts_file(host):
+    f = host.file('/etc/hosts')
+
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'

molecule/default/yaml-lint.yml

@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 120
+    level: warning

vars/Debian.yml

@@ -1,3 +1,3 @@
 ---
 security_ssh_config_path: /etc/ssh/sshd_config
-security_sshd_name: ssh
+security_sshd_name: ssh