# docker_host

Installs the Docker CE engine and the Compose plugin on every host in the `docker_hosts` group. Provides the container runtime that per-service roles (one service = one role, ADR-004) deploy their Compose stacks onto.

## Scope

This role covers the **engine install only**. The following are deferred to Phase 2 (when the Proxmox cluster and `base` host firewall exist):

- Daemon hardening (`iptables: false`, log driver, `live-restore`, userns remapping).
- Rendering container forward/NAT rules into `/etc/nftables.d/*.nft` (the `base` role hook for container firewall integration, ADR-020).

## Variables

| Variable | Default | Description |
|---|---|---|
| `docker_host__packages` | `[docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]` | APT packages installed from the Docker CE repository |

All variables use the `docker_host__` double-underscore namespace (CLAUDE.md convention).

## Example

```yaml
- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]
```

## Tags

All tasks carry the `packages` concern tag (APT package install, ADR-019).

## Related

- ADR-004 (`docs/decisions/004-docker-model.md`) — Docker & Compose model.
- ADR-020 (`docs/decisions/020-firewall.md`) — daemon hardening + `nftables.d` integration (deferred to Phase 2).
- ADR-011 (`docs/decisions/011-update-management.md`) — version pinning policy (future: pin Docker CE version explicitly).