(profile::core::firewall) include ipset

As `ipset` won't be used unless profile::core::firewall is included, it
makes sense to include `ipset` from the profile instead of forcing roles
to directly include it.

hieradata/role/perfsonar.yaml

@@ -1,6 +1,5 @@
 ---
 classes:
-  - "ipset"
   - "ntp"
   - "profile::core::common"
   - "profile::core::debugutils"

site/profile/manifests/core/firewall.pp

@@ -12,6 +12,7 @@
   Boolean $purge_firewall = false,
 ) {
   include firewall
+  include ipset
 
   if $purge_firewall {
     resources { 'firewall': purge => true }

spec/classes/core/firewall_spec.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'profile::core::firewall' do
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) { facts }
+
+      it { is_expected.to compile.with_all_deps }
+      it { is_expected.to contain_class('firewall') }
+      it { is_expected.to contain_class('ipset') }
+      it { is_expected.to have_resources_resource_count(0) }
+      it { is_expected.to have_firewall_resource_count(0) }
+
+      context 'with purge_firewall param' do
+        let(:params) { { purge_firewall: true } }
+
+        it { is_expected.to contain_resources('firewall').with_purge(true) }
+      end
+
+      context 'with firewall param' do
+        let(:params) do
+          {
+            firewall: {
+              '001 accept all icmp' => {
+                'proto' => 'icmp',
+                'action' => 'accept',
+              },
+            },
+          }
+        end
+
+        it do
+          is_expected.to contain_firewall('001 accept all icmp').with(
+            'proto' => 'icmp',
+            'action' => 'accept',
+          )
+        end
+      end
+    end
+  end
+end