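---
# Docker engine install (ADR-004).
#
# Daemon hardening (daemon.json — userns-remap, live-restore, log limits, ...) is
# deliberately NOT configured here; it is deferred until the cluster exists. Until then
# the engine runs with upstream defaults, so anyone who can reach the docker socket
# (members of the `docker` group) is root-equivalent on the host.
#
# The apt repository and signing key that serve these packages are not set up in this
# file (presumably in the role's tasks); this list installs whatever that repository
# provides, so make sure the key is pinned and the repo is the upstream one.
docker_host__packages:
  - docker-ce
  - docker-ce-cli
  - containerd.io
  - docker-compose-plugin

# Container-forward nftables drop-in (FRICTION 2026-06-17 #1 / ADR-025).
#
# Why: base's `inet filter` forward chain is `policy drop`. dockerd's own rules live in
# separate nft tables (typically `ip filter` / `ip nat` via iptables-nft), and nftables
# only forwards a packet if EVERY base chain hooked at that point accepts it — a drop
# in base's chain wins even though Docker's FORWARD chain accepts. On reboot the
# default-deny ruleset loads before dockerd, so published-port DNAT and
# inter-container forwarding are killed. This drop-in (loaded through base's
# /etc/nftables.d/*.nft include) appends the accepts so a rebooted Docker host keeps
# forwarding. Only meaningful where base__firewall_apply is true.
#
# Review notes (the drop-in template itself is not in this file — confirm there):
#   - Keep the accepts scoped to Docker's bridge interfaces / established+related
#     traffic rather than a blanket `accept`: dockerd enables net.ipv4.ip_forward by
#     default, so an unconditional forward accept turns the host into a router between
#     all of its interfaces.
#   - Ports published with `-p` are reached via forward (DNAT), not input, so base's
#     input chain does NOT restrict them. Bind to loopback (`-p 127.0.0.1:port:port`)
#     or filter in DOCKER-USER for anything that must not be reachable from the network.
docker_host__forward_dropin: true

# Directory that base's include picks up. Follows base's own setting when base is in
# play so the two cannot drift apart; falls back to the historical literal when
# base__firewall_dropin_dir is undefined (docker_host applied without base).
docker_host__nftables_dropin_dir: "{{ base__firewall_dropin_dir | default('/etc/nftables.d') }}"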