---
# docker_host: install Docker CE from Docker's Debian APT channel and lay down an
# nftables fragment that keeps container forwarding working across reboots.
# Two tag groups: `packages` (apt work) and `firewall` (nftables drop-in, gated
# by docker_host__forward_dropin).

- name: Install prerequisites
  tags: [packages]
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      - ca-certificates
      - curl
      - gnupg

- name: Ensure /etc/apt/keyrings exists
  tags: [packages]
  ansible.builtin.file:
    path: /etc/apt/keyrings
    mode: "0755"
    state: directory

# NOTE(review): the key is fetched with no `checksum:` pin, so its integrity rests
# on TLS to download.docker.com alone (assuming get_url's default certificate
# validation is in effect). Pinning the sha256 of the published key would make a
# swapped key fail the run instead of silently becoming the trust root for every
# later `apt install` from this repo. get_url also does not re-download once dest
# exists unless `force` is set, so a rotated upstream key is presumably not picked
# up by re-running this task — confirm that is the intended behaviour.
- name: Add Docker's APT GPG key
  tags: [packages]
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

# `signed-by` scopes the key above to this one repository, so it cannot vouch for
# packages from any other source. The URL is Docker's Debian channel while the
# suite comes from ansible_distribution_release; a non-Debian release name would
# yield a suite that may not exist there — confirm the role's platform guard.
- name: Add the Docker APT repository
  tags: [packages]
  ansible.builtin.apt_repository:
    filename: docker
    state: present
    repo: >-
      deb
      [arch={{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}
      signed-by=/etc/apt/keyrings/docker.asc]
      https://download.docker.com/linux/debian
      {{ ansible_distribution_release }}
      stable

- name: Install Docker engine + compose plugin
  tags: [packages]
  ansible.builtin.apt:
    update_cache: true
    state: present
    name: "{{ docker_host__packages }}"

# --- nftables drop-in (only when docker_host__forward_dropin is true) ----------

- name: Ensure the nftables drop-in dir exists (for the container-forward rules)
  tags: [firewall]
  when: docker_host__forward_dropin | bool
  ansible.builtin.file:
    path: "{{ docker_host__nftables_dropin_dir }}"
    mode: "0755"
    state: directory

# Deliberately no notify/handler: the fragment is only meant to be loaded by
# nftables.service on the NEXT boot. On a running host Docker's own runtime rules
# already forward traffic, and reloading nft here would flush Docker's NAT
# (FRICTION 2026-06-17 #4). Consequence to keep in mind: until that reboot the
# drop-in is on disk but not active, and presumably any other nftables reload
# before then has the same NAT-flush effect — worth confirming.
- name: Install the container-forward nftables drop-in (reboot-safe Docker forwarding)
  tags: [firewall]
  when: docker_host__forward_dropin | bool
  ansible.builtin.template:
    src: 10-docker-forward.nft.j2
    dest: "{{ docker_host__nftables_dropin_dir }}/10-docker-forward.nft"
    mode: "0644"