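---
# Docker engine install (ADR-004). Cluster-specific daemon hardening is deferred to when
# the cluster exists.
# NOTE(review): the apt source that provides these packages is not configured in this
# file — confirm it is pinned to a signed-by keyring rather than a global trusted key.
docker_host__packages:
  - docker-ce
  - docker-ce-cli
  - containerd.io
  - docker-compose-plugin

# Container-forward nftables drop-in (FRICTION 2026-06-17 #1 / ADR-025). base's inet-filter
# forward chain is `policy drop`; on a Docker host that kills published-port DNAT + inter-
# container forwarding ON REBOOT (nftables loads default-deny before dockerd). This drop-in
# (loaded via base's /etc/nftables.d/*.nft include) appends the accepts so a rebooted Docker
# host keeps forwarding. Only meaningful where base__firewall_apply is true.
#
# Security note: the drop-in widens a default-deny forward chain, and it is re-applied on
# every boot. The accept rules themselves live in the drop-in template, not here.
# NOTE(review): confirm those accepts are scoped to Docker's bridge interfaces (and the
# published ports they need) rather than a blanket forward accept, otherwise the host
# becomes a transit path for anything that can reach it.
docker_host__forward_dropin: true

# Directory base's nftables include picks the drop-in up from. It must be the same path
# base writes and includes (base__firewall_dropin_dir). Resolving it from that variable
# keeps the two in step instead of relying on a hand-maintained copy; default() keeps the
# previous literal value on hosts where the base role (and thus its variable) is not loaded.
docker_host__nftables_dropin_dir: "{{ base__firewall_dropin_dir | default('/etc/nftables.d') }}"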