Just tests passing now

.claude/settings.local.json

@@ -22,7 +22,10 @@
       "Bash(helm template:*)",
       "Bash(brew list:*)",
       "Bash(export PATH=\"/opt/homebrew/bin:$PATH\")",
-      "Bash(ansible-playbook:*)"
+      "Bash(ansible-playbook:*)",
+      "Bash(just test:*)",
+      "Bash(pip show:*)",
+      "Bash(molecule test:*)"
     ]
   }
 }

roles/authentik/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/common/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/common/tasks/main.yml

@@ -63,6 +63,8 @@
     path: "{{ traefik_data_dir }}/acme.json"
     state: touch
     mode: '0600'
+    modification_time: preserve
+    access_time: preserve
 
 - name: Deploy Traefik docker-compose
   ansible.builtin.template:

roles/forgejo/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/graylog/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/graylog/molecule/default/verify.yml

@@ -75,10 +75,10 @@
         that: "'Host(`logs.test.example.com`)' in compose"
         fail_msg: "Expected Host rule for logs.test.example.com not found in docker-compose.yml"
 
-    - name: Assert GELF logging address in compose
+    - name: Assert GELF UDP port binding in compose
       ansible.builtin.assert:
-        that: "'udp://127.0.0.1:12201' in compose"
-        fail_msg: "Expected GELF address udp://127.0.0.1:12201 not found in docker-compose.yml"
+        that: "'12201/udp' in compose"
+        fail_msg: "Expected GELF UDP port binding 12201/udp not found in docker-compose.yml"
 
     - name: Assert sovereign network is external in compose
       ansible.builtin.assert:

roles/headscale/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/jitsi/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/matrix/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/matrix/molecule/default/verify.yml

@@ -73,22 +73,22 @@
 
     - name: Assert element config contains tenant brand name
       ansible.builtin.assert:
-        that: '"brand": "Test Corp"' in element_config
+        that: element_config_parsed.brand == "Test Corp"
         fail_msg: "element/config.json does not contain brand: Test Corp"
 
     - name: Assert element config contains matrix homeserver URL
       ansible.builtin.assert:
-        that: '"https://matrix.test.example.com"' in element_config
+        that: element_config_parsed['default_server_config']['m.homeserver']['base_url'] == "https://matrix.test.example.com"
         fail_msg: "element/config.json does not contain https://matrix.test.example.com"
 
     - name: Assert element config contains jitsi domain
       ansible.builtin.assert:
-        that: '"meet.test.example.com"' in element_config
+        that: element_config_parsed.jitsi.preferred_domain == "meet.test.example.com"
         fail_msg: "element/config.json does not contain meet.test.example.com"
 
     - name: Assert element config contains default theme
       ansible.builtin.assert:
-        that: '"default_theme": "light"' in element_config
+        that: element_config_parsed.default_theme == "light"
         fail_msg: "element/config.json does not contain default_theme: light"
 
     - name: Check docker-compose.yml exists

roles/minio/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/molecule/shared/vars.yml

@@ -0,0 +1,122 @@
+---
+# Shared test variables used by all molecule scenarios.
+# These provide the minimum variable set so converge.yml playbooks can run
+# without a full production inventory.
+
+molecule_test_mode: true
+
+base_domain: "test.example.com"
+tenant_name: "Test Corp"
+tenant_logo_local_path: ""
+tenant_primary_color: "#2563eb"
+tenant_accent_color: "#1e40af"
+sovereign_base_dir: /tmp/sovereign_test
+sovereign_network_name: sovereign
+
+# Traefik
+traefik_acme_email: "admin@test.example.com"
+traefik_domain: "traefik.test.example.com"
+traefik_dashboard_password: "testpassword"
+
+# Authentik
+authentik_domain: "auth.test.example.com"
+authentik_version: "2024.10.5"
+authentik_secret_key: "test-secret-key-exactly-50-chars-padded-here12345"
+authentik_db_password: "test_authentik_db"
+authentik_admin_email: "admin@test.example.com"
+authentik_admin_password: "test_admin"
+
+# Graylog
+graylog_domain: "logs.test.example.com"
+graylog_version: "6.0"
+graylog_password_secret: "test_graylog_secret_min_16_chars"
+graylog_root_password_sha2: "test_sha256_placeholder"
+graylog_host: "127.0.0.1"
+graylog_gelf_port: 12201
+
+# Stalwart Mail
+stalwart_domain: "mail.test.example.com"
+stalwart_admin_password: "test_mail_admin"
+stalwart_version: "latest"
+
+# Roundcube
+roundcube_domain: "webmail.test.example.com"
+roundcube_version: "latest"
+roundcube_db_password: "test_roundcube_db"
+roundcube_des_key: "test_24_char_des_key____"
+
+# Wazuh
+wazuh_domain: "wazuh.test.example.com"
+wazuh_version: "4.9.0"
+wazuh_admin_password: "test_wazuh_admin"
+wazuh_api_password: "test_wazuh_api"
+
+# Headscale
+wireguard_domain: "vpn.test.example.com"
+headscale_domain: "headscale.test.example.com"
+headscale_version: "0.23.0"
+wireguard_port: 51820
+headscale_noise_private_key: ""
+
+# Matrix / Element
+matrix_domain: "matrix.test.example.com"
+element_domain: "chat.test.example.com"
+matrix_version: "v1.118.0"
+matrix_registration_secret: "test_registration_secret"
+matrix_db_password: "test_matrix_db"
+
+# Jitsi
+jitsi_domain: "meet.test.example.com"
+jitsi_version: "stable-9753"
+jitsi_jicofo_auth_password: "test_jicofo"
+jitsi_jvb_auth_password: "test_jvb"
+jitsi_jibri_recorder_password: "test_jibri_recorder"
+jitsi_jibri_xmpp_password: "test_jibri_xmpp"
+jitsi_turn_secret: "test_turn"
+
+# MinIO
+minio_domain: "s3.test.example.com"
+minio_console_domain: "minio.test.example.com"
+minio_version: "latest"
+minio_root_user: "minioadmin"
+minio_root_password: "test_minio"
+minio_nextcloud_bucket: "nextcloud"
+minio_nextcloud_access_key: "nextcloud"
+minio_nextcloud_secret_key: "test_nextcloud_s3"
+
+# Nextcloud
+nextcloud_domain: "cloud.test.example.com"
+nextcloud_version: "29"
+nextcloud_admin_user: "admin"
+nextcloud_admin_password: "test_nextcloud"
+nextcloud_db_password: "test_nextcloud_db"
+nextcloud_db_root_password: "test_nextcloud_db_root"
+
+# Vaultwarden
+vaultwarden_domain: "vault.test.example.com"
+vaultwarden_version: "latest"
+vaultwarden_admin_token: "test_vaultwarden_admin_token"
+vaultwarden_db_password: "test_vaultwarden_db"
+
+# Forgejo
+forgejo_domain: "git.test.example.com"
+forgejo_version: "latest"
+forgejo_db_password: "test_forgejo_db"
+forgejo_secret_key: "test_forgejo_secret"
+forgejo_internal_token: "test_forgejo_internal_token"
+forgejo_lfs_jwt_secret: "test_forgejo_lfs_jwt"
+forgejo_admin_user: "admin"
+forgejo_admin_password: "test_forgejo_admin"
+forgejo_admin_email: "admin@test.example.com"
+forgejo_ssh_port: 2222
+
+# Website
+website_nginx_version: "alpine"
+
+# SMTP
+smtp_host: "stalwart"
+smtp_port: 587
+smtp_from: "noreply@test.example.com"
+smtp_user: "noreply@test.example.com"
+smtp_password: "test_smtp"
+smtp_tls: "starttls"

roles/nextcloud/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/roundcube/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/stalwart/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/vaultwarden/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/wazuh/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+

roles/website/molecule/default/molecule.yml

@@ -4,20 +4,19 @@ dependency:
   options:
     requirements-file: requirements.yml
 driver:
-  name: docker
-  options:
-    managed: false
-    ansible_connection_options:
-      ansible_connection: local
+  name: default
 platforms:
   - name: localhost
     groups:
       - sovereign
 provisioner:
   name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
   inventory:
     host_vars:
       localhost:
         ansible_connection: local
 verifier:
   name: ansible
+