---
- name: Install prerequisites
  # Tooling the later tasks rely on: CA bundle for the HTTPS key download, curl/gnupg
  # for working with the signing key. Cache is refreshed first so a stale index on a
  # fresh host does not make the install fail.
  ansible.builtin.apt:
    name:
      - ca-certificates
      - curl
      - gnupg
    state: present
    update_cache: true
  tags: [packages]

- name: Ensure /etc/apt/keyrings exists
  # Destination directory for the Docker signing key that the next task downloads;
  # 0755 keeps it readable by apt while only the owner can add or replace keys.
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  tags: [packages]

- name: Add Docker's APT GPG key
  # The key is fetched over HTTPS (get_url validates the TLS certificate by default)
  # and stored ASCII-armored where the repository's signed-by= option points.
  # NOTE(review): the download is not pinned. Adding
  #   checksum: "sha256:<PLACEHOLDER - sha256 of download.docker.com/linux/debian/gpg>"
  # would make the task fail on a changed or tampered key instead of installing it;
  # the value has to be taken from an out-of-band copy of the key, not from this page.
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
  tags: [packages]

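- name: Add the Docker APT repository
  # The repo line is a folded scalar: the four lines below become one space-joined
  # "deb [...] URL release stable" string. The key is pinned with signed-by= to the file
  # written by the previous task, so no global apt trust is granted.
  # The URL is hard-coded to linux/debian, so this presumably targets Debian only;
  # Ubuntu hosts would need linux/ubuntu — confirm the role's supported platforms.
  ansible.builtin.apt_repository:
    repo: >-
      deb [arch={{ _docker_host_deb_arch }}
      signed-by=/etc/apt/keyrings/docker.asc]
      https://download.docker.com/linux/debian
      {{ ansible_distribution_release }} stable
    filename: docker
    state: present
  vars:
    # Docker's repository is keyed by the dpkg architecture name, which differs from
    # uname -m for several platforms (x86_64 -> amd64, aarch64 -> arm64, armv7l -> armhf,
    # ppc64le -> ppc64el). The original only translated x86_64, so an aarch64 host would
    # have requested a non-existent "aarch64" repo. Unknown values pass through unchanged.
    _docker_host_deb_arch: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64', 'armv7l': 'armhf', 'ppc64le': 'ppc64el'}.get(ansible_architecture, ansible_architecture) }}"
  tags: [packages]
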
- name: Install Docker engine + compose plugin
  # docker_host__packages is defined outside this file (presumably in the role's
  # defaults — verify). The cache is refreshed so the repository added above is
  # visible to apt on this run.
  ansible.builtin.apt:
    name: "{{ docker_host__packages }}"
    state: present
    update_cache: true
  tags: [packages]

- name: Ensure the nftables drop-in dir exists (for the container-forward rules)
  # Parent directory for the drop-in installed by the next task; both tasks are gated
  # on the same docker_host__forward_dropin switch so neither runs half-way.
  ansible.builtin.file:
    path: "{{ docker_host__nftables_dropin_dir }}"
    state: directory
    mode: "0755"
  when: docker_host__forward_dropin | bool
  tags: [firewall]

- name: Install the container-forward nftables drop-in (reboot-safe Docker forwarding)
  # Renders the forward rules into the drop-in directory created by the previous task.
  # NOTE(review): the rendered file is written without a syntax check; `validate: nft -c -f %s`
  # would reject a bad render before it can break nftables.service on the next boot. Confirm
  # first that the drop-in checks cleanly on its own (it may reference tables defined elsewhere).
  ansible.builtin.template:
    src: 10-docker-forward.nft.j2
    dest: "{{ docker_host__nftables_dropin_dir }}/10-docker-forward.nft"
    mode: "0644"
  when: docker_host__forward_dropin | bool
  # Not reloaded here: a running host already forwards via Docker's runtime rules, so the
  # drop-in only needs to protect the NEXT boot (loaded by nftables.service). Reloading nft
  # now would flush Docker's NAT (FRICTION 2026-06-17 #4); the boot loads it cleanly.
  tags: [firewall]