From 99a26d7de23bbfc757957c08e47606c3690df4cb Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Thu, 25 Jun 2026 00:54:53 -0400
Subject: test(archsetup): scaffold Testinfra post-install validation (P1)

Stand up the Testinfra/pytest harness alongside the existing shell sweep so the two can be compared for parity before pytest takes over.

Adds scripts/testing/tests/ (conftest with failure attribution markers, a report hook, and a target_user fixture, plus three parity checks: user, ufw, dotfiles) and scripts/testing/lib/testinfra.sh, which injects a throwaway SSH key into the VM and runs pytest over SSH. The sweep is advisory here (RUN_TESTINFRA toggle, non-fatal) and does not yet affect pass/fail. Pulls python-pytest and python-pytest-testinfra into make deps.

Verified on the host: py_compile clean, pytest --collect-only green, bash -n and shellcheck clean. The sweep running against a real VM is verified by the next make test run.
---
 scripts/testing/tests/test_services.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 scripts/testing/tests/test_services.py

(limited to 'scripts/testing/tests/test_services.py')

diff --git a/scripts/testing/tests/test_services.py b/scripts/testing/tests/test_services.py
new file mode 100644
index 0000000..dc89e74
--- /dev/null
+++ b/scripts/testing/tests/test_services.py
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: essential services archsetup enables.
+
+Parity port of validate_firewall from validation.sh (more to follow in P2).
+"""
+
+import pytest
+
+
+@pytest.mark.smoke
+@pytest.mark.attribution("archsetup")
+def test_ufw_firewall_enabled(host):
+    assert host.service("ufw").is_enabled
-- 
cgit v1.2.3