# docker_host

Docker engine + Compose runtime applied to every host in the `docker_hosts` group.
Provides the container platform that the per-service roles (one service = one role,
ADR-004) deploy their Compose stacks onto.

> **Status: scaffolded, not yet implemented.** This role has no tasks yet — applying it
> is a no-op. It is wired into `playbooks/site.yml` so the full standard state is
> expressed end-to-end, and so `make lint` covers it. See `STATUS.md`.

## Planned scope

- Install Docker engine + the Compose plugin, version-pinned (ADR-011).
- Daemon hardening: `iptables: false` (the host `base` firewall owns nftables, ADR-020),
  log driver, `live-restore`, user-namespace remapping where practical (ADR-002).
- Render container forward/NAT rules into `/etc/nftables.d/*.nft` — the include hook
  the `base` role's ruleset exposes (see `roles/base/README.md`).
- Provide the runtime the service roles deploy their Compose files onto.

## Variables

None yet. Placeholders will use the `docker_host__*` namespace (CLAUDE.md convention).

## Example

```yaml
- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]
```

See ADR-004 (`docs/decisions/004-docker-model.md`) for the Docker & Compose model.
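
One way to check a rendered `daemon.json` against the daemon hardening listed under "Planned scope". This is an added example, not code from this role or repository. The function name `audit_daemon_json` and the sample values (`journald`, `default`) are assumptions; the keys are Docker's own `daemon.json` keys.

```python
import json

# Constructed sample (not the project's file): the settings the README plans.
HARDENED = """{
  "iptables": false,
  "live-restore": true,
  "log-driver": "journald",
  "userns-remap": "default"
}"""


def audit_daemon_json(text):
    """Return (level, key, message) findings for the contents of a daemon.json."""
    try:
        cfg = json.loads(text.strip() or "{}")
    except json.JSONDecodeError as exc:
        return [("fail", "<file>", f"not valid JSON: {exc.msg}")]
    if not isinstance(cfg, dict):
        return [("fail", "<file>", "top level must be a JSON object")]

    findings = []
    # Docker manages iptables rules itself unless this is the boolean false;
    # a quoted "false" is a string and does not count.
    if cfg.get("iptables", True) is not False:
        findings.append(("fail", "iptables",
                         "must be boolean false; the host firewall owns the ruleset"))
    # live-restore is off by default and has to be enabled explicitly.
    if cfg.get("live-restore", False) is not True:
        findings.append(("fail", "live-restore", "must be boolean true"))
    driver = cfg.get("log-driver")
    if not isinstance(driver, str) or not driver:
        findings.append(("fail", "log-driver", "set the log driver explicitly"))
    # The README says "where practical", so absence is a warning, not a failure.
    if not cfg.get("userns-remap"):
        findings.append(("warn", "userns-remap",
                         "not set; confirm remapping is impractical on this host"))
    return findings


if __name__ == "__main__":
    for sample in ("{}", HARDENED):
        print(audit_daemon_json(sample) or "ok")
```
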