linux-system-roles · richm · Mar 19, 2026 · Mar 19, 2026
diff --git a/tests/tasks/bind_slot_with_passphrase.yml b/tests/tasks/bind_slot_with_passphrase.yml
@@ -17,10 +17,9 @@
       register: nbde_client_device_checksum_before
 
     - name: Perform binding with nbde_client role
-      include_role:
-        name: linux-system-roles.nbde_client
-        public: true
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
+        __sr_public: true
         nbde_client_bindings:
           - device: "{{ nbde_client_selected_device }}"
             slot: "{{ nbde_client_test_slot }}"

diff --git a/tests/tasks/run_role_with_clear_facts.yml b/tests/tasks/run_role_with_clear_facts.yml
@@ -0,0 +1,37 @@
+---
+# Task file: clear_facts, run linux-system-roles.nbde_client.
+# Include this with include_tasks or import_tasks
+# Input:
+# - __sr_tasks_from: tasks_from to run - same as tasks_from in include_role
+# - __sr_public: export private vars from role - same as public in include_role
+# - __sr_failed_when: set to false to ignore role errors - same as failed_when in include_role
+- name: Clear facts
+  meta: clear_facts
+
+# note that you can use failed_when with import_role but not with include_role
+# so this simulates the __sr_failed_when false case
+# Q: Why do we need a separate task to run the role normally?  Why not just
+# run the role in the block and rethrow the error in the rescue block?
+# A: Because you cannot rethrow the error in exactly the same way as the role does.
+# It might be possible to exactly reconstruct ansible_failed_result but it's not worth the effort.
+- name: Run the role with __sr_failed_when false
+  when:
+    - __sr_failed_when is defined
+    - not __sr_failed_when
+  block:
+    - name: Run the role
+      include_role:
+        name: linux-system-roles.nbde_client
+        tasks_from: "{{ __sr_tasks_from | default('main') }}"
+        public: "{{ __sr_public | default(false) }}"
+  rescue:
+    - name: Ignore the failure when __sr_failed_when is false
+      debug:
+        msg: Ignoring failure when __sr_failed_when is false
+
+- name: Run the role normally
+  include_role:
+    name: linux-system-roles.nbde_client
+    tasks_from: "{{ __sr_tasks_from | default('main') }}"
+    public: "{{ __sr_public | default(false) }}"
+  when: __sr_failed_when | d(true)
diff --git a/tests/tasks/verify_idempotency.yml b/tests/tasks/verify_idempotency.yml
@@ -1,7 +1,6 @@
 ---
 - name: Use nbde_client role - idempotency check
-  include_role:
-    name: linux-system-roles.nbde_client
+  include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify idempotency of clevis operations
   assert:

diff --git a/tests/tests_bind_high_availability.yml b/tests/tests_bind_high_availability.yml
@@ -16,8 +16,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_default.yml b/tests/tests_default.yml
@@ -1,8 +1,8 @@
 ---
 - name: Ensure that the role runs with default parameters
   hosts: all
-  gather_facts: false
-  roles:
-    - linux-system-roles.nbde_client
+  tasks:
+    - name: Run nbde_client role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 # vim:set ts=2 sw=2 et:
diff --git a/tests/tests_default_vars.yml b/tests/tests_default_vars.yml
@@ -5,8 +5,10 @@
     - name: Run test
       block:
         - name: Import role
-          import_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
+          vars:
+            __sr_public: true
+
         - name: Assert that the role declares all parameters in defaults
           assert:
             that:

diff --git a/tests/tests_error_handling.yml b/tests/tests_error_handling.yml
@@ -16,8 +16,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
       rescue:
         - name: Extract the result
           set_fact:

diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml
@@ -1,7 +1,6 @@
 ---
 - name: Test role include variable override
   hosts: all
-  gather_facts: true
   tasks:
     - name: Create var file in caller that can override the one in called role
       delegate_to: localhost

diff --git a/tests/tests_key_rotation.yml b/tests/tests_key_rotation.yml
@@ -15,8 +15,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml
@@ -34,8 +33,7 @@
           include_tasks: tasks/rotate_keys.yml
 
         - name: Use nbde_client role - idempotency check - change expected
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Assert change happened after key rotation
           assert:

diff --git a/tests/tests_passphrase_temporary.yml b/tests/tests_passphrase_temporary.yml
@@ -19,8 +19,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_passphrase_temporary_keyfile.yml b/tests/tests_passphrase_temporary_keyfile.yml
@@ -19,8 +19,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_simple_bind.yml b/tests/tests_simple_bind.yml
@@ -15,9 +15,9 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
-            public: true
+          include_tasks: tasks/run_role_with_clear_facts.yml
+          vars:
+            __sr_public: true
 
         - name: Check ansible_managed, fingerprint in generated files
           include_tasks: tasks/check_header.yml

diff --git a/tests/tests_simple_bind_keyfile.yml b/tests/tests_simple_bind_keyfile.yml
@@ -15,8 +15,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_simple_bind_unbind.yml b/tests/tests_simple_bind_unbind.yml
@@ -18,8 +18,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_simple_bind_unbind_keyfile.yml b/tests/tests_simple_bind_unbind_keyfile.yml
@@ -18,8 +18,7 @@
     - name: Run the test
       block:
         - name: Use nbde_client role
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Attempt to unlock device
           include_tasks: tasks/verify_unlock_device.yml

diff --git a/tests/tests_use_existing_binding.yml b/tests/tests_use_existing_binding.yml
@@ -8,8 +8,7 @@
           include_tasks: tasks/setup_test.yml
 
         - name: Add binding to slot 1
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             nbde_client_bindings:
               - device: "{{ nbde_client_test_device }}"
@@ -19,8 +18,7 @@
                   - http://localhost
 
         - name: Add binding to slot 2 without providing encryption_password
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             nbde_client_bindings:
               - device: "{{ nbde_client_test_device }}"
@@ -29,8 +27,7 @@
                   - http://localhost
 
         - name: Remove binding from slot 1
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             nbde_client_bindings:
               - device: "{{ nbde_client_test_device }}"
@@ -86,8 +83,7 @@
             state: absent
 
         - name: Add binding to slot 2 without providing encryption_password
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             nbde_client_bindings:
               - device: "{{ nbde_client_test_device }}"
@@ -96,8 +92,7 @@
                   - http://localhost
 
         - name: Remove binding from slot 1
-          include_role:
-            name: linux-system-roles.nbde_client
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             nbde_client_bindings:
               - device: "{{ nbde_client_test_device }}"