boma/roles/docker_host/README.md


# docker_host
Installs the Docker CE engine and the Compose plugin on every host in the
`docker_hosts` group. Provides the container runtime that per-service roles
(one service = one role, ADR-004) deploy their Compose stacks onto.
## Scope
This role covers the **engine install only**. The following are deferred to Phase 2
(when the Proxmox cluster and `base` host firewall exist):
- Daemon hardening (`iptables: false`, log driver, `live-restore`, userns remapping).
- Rendering container forward/NAT rules into `/etc/nftables.d/*.nft` (the `base` role
hook for container firewall integration, ADR-020).
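Since the daemon hardening above is deferred, a host may run with a stock `dockerd` for a while. The following is an added example, not part of this role or repository: a small audit that parses an existing `/etc/docker/daemon.json` and reports which of the four Phase 2 items it lacks. The key names (`iptables`, `log-driver`, `live-restore`, `userns-remap`) are Docker's documented daemon.json keys; the two sample configs are constructed.

```python
import json

# Phase 2 daemon hardening items from the Scope section, expressed as checks
# against the keys Docker's daemon.json uses.
# Each entry: (item name, check over the parsed config returning True if present).
HARDENING_CHECKS = [
    ("iptables: false", lambda c: c.get("iptables") is False),
    ("explicit log driver", lambda c: bool(c.get("log-driver"))),
    ("live-restore", lambda c: c.get("live-restore") is True),
    ("userns remapping", lambda c: bool(c.get("userns-remap"))),
]


def audit_daemon_config(raw: str) -> list[str]:
    """Parse daemon.json text and return the hardening items it is missing.

    An empty list means every Phase 2 item is present. Invalid JSON or a
    non-object top level is reported as a single finding rather than raising,
    so a corrupt file is treated as "not hardened" instead of crashing the audit.
    """
    try:
        config = json.loads(raw) if raw.strip() else {}
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc.msg}"]
    if not isinstance(config, dict):
        return ["daemon.json top level must be an object"]
    return [name for name, check in HARDENING_CHECKS if not check(config)]


# Constructed sample inputs (not captured from a real host).
DEFAULT_CONFIG = "{}"  # a stock install: dockerd runs with every default
HARDENED_CONFIG = """
{
  "iptables": false,
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m", "max-file": "3" },
  "userns-remap": "default"
}
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        missing = audit_daemon_config(text)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Point it at a real file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; an absent file is equivalent to the `{}` case.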
## Variables
| Variable | Default | Description |
|---|---|---|
| `docker_host__packages` | `[docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]` | APT packages installed from the Docker CE repository |
All variables use the `docker_host__` double-underscore namespace (CLAUDE.md convention).
## Example
```yaml
- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]
```
## Tags
All tasks carry the `packages` concern tag (APT package install, ADR-019).
## Related
- ADR-004 (`docs/decisions/004-docker-model.md`) — Docker & Compose model.
- ADR-020 (`docs/decisions/020-firewall.md`) — daemon hardening + `nftables.d`
integration (deferred to Phase 2).
- ADR-011 (`docs/decisions/011-update-management.md`) — version pinning policy
(future: pin Docker CE version explicitly).