playbooks/site.yml imports the docker_host role, but it didn't exist, so ansible-lint's syntax-check failed on a clean checkout — breaking CLAUDE.md's "main must always work" / "Never skip lint" (top open finding O1 from the 2026-06-11 review). Scaffold docker_host as a proper placeholder via the prescribed mechanism (make new-role): filled meta/main.yml + README, an honest no-task tasks/main.yml documenting planned scope (Docker engine + Compose, daemon hardening, nftables.d container rules per ADR-004/020), and the standard molecule scenario. This preserves site.yml's full-standard-state intent rather than dropping the play. Update STATUS.md (docker_host moves from "Not in git" to "scaffolded, no tasks") and the role/playbook READMEs to match. make lint: 0 failures, 0 warnings; check-tags OK. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
13 lines
786 B
YAML
---
# docker_host — Docker engine + Compose runtime for hosts in the docker_hosts group.
#
# SCAFFOLDED, NOT YET IMPLEMENTED. This role is referenced by playbooks/site.yml so the
# full standard state is expressed end-to-end, but it has no tasks yet — applying it is a
# no-op. See STATUS.md ("Scaffolded but empty") and ADR-004 (Docker & Compose model).
#
# Planned scope (ADR-002/004/020):
# - install Docker engine + compose plugin (version-pinned, per ADR-011)
# - daemon hardening: iptables:false (host nftables owns the firewall, ADR-020),
#   log-driver, live-restore, userns where practical
# - render container forward/NAT rules into /etc/nftables.d/*.nft (the base-role hook)
# - deploy per-service Compose stacks from the service roles (one service = one role)
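The daemon-hardening bullets above (iptables:false, a log driver with rotation, live-restore, user namespaces) describe a target state that the role does not yet enforce. The script below is an added example, not code from this repository or from the docker_host role: it audits a Docker daemon.json against that baseline so a reviewer can see which settings a host is still missing. The sample daemon.json strings are constructed for the example, and the expected values (for instance json-file with max-size, userns-remap set to "default") are this example's assumptions rather than settings the role prescribes.

```python
"""Audit a Docker daemon.json against the docker_host hardening baseline.

Added example, not part of the repository. The four checks mirror the
planned-scope bullets in roles/docker_host/tasks/main.yml; the exact values
expected are assumptions made here, not project policy.
"""
import json

# Constructed sample: what a daemon.json meeting the baseline could look like.
HARDENED_DAEMON_JSON = """
{
  "iptables": false,
  "log-driver": "json-file",
  "log-opts": {"max-size": "10m", "max-file": "3"},
  "live-restore": true,
  "userns-remap": "default"
}
"""

# Constructed sample: an empty file, i.e. Docker's built-in defaults
# (iptables on, json-file logging without rotation, no live-restore, no userns).
DEFAULT_DAEMON_JSON = "{}"


def audit_daemon_json(text: str) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met.

    Defaults used below (iptables=true, log-driver=json-file, live-restore=false,
    no userns-remap) are Docker's documented defaults when the key is absent.
    """
    cfg = json.loads(text)
    findings: list[str] = []

    # ADR-020 intent: host nftables owns the firewall, so dockerd must not
    # program its own iptables chains. Docker's default is true.
    if cfg.get("iptables", True):
        findings.append("iptables: dockerd manages its own firewall rules "
                        "(expected false, host nftables owns the firewall)")

    # Unbounded container logs fill the disk; json-file needs explicit
    # rotation via log-opts.max-size, the local driver rotates by default.
    driver = cfg.get("log-driver", "json-file")
    log_opts = cfg.get("log-opts", {})
    if driver == "json-file" and "max-size" not in log_opts:
        findings.append("log-driver: json-file without log-opts.max-size "
                        "(container logs grow without bound)")

    # live-restore keeps containers running across dockerd restarts/upgrades.
    if not cfg.get("live-restore", False):
        findings.append("live-restore: not enabled (containers stop when dockerd restarts)")

    # User-namespace remapping so root inside a container is unprivileged on the host.
    if not cfg.get("userns-remap"):
        findings.append("userns-remap: not set (container root maps to host root)")

    return findings


def main() -> None:
    for label, text in (("hardened", HARDENED_DAEMON_JSON), ("defaults", DEFAULT_DAEMON_JSON)):
        findings = audit_daemon_json(text)
        print(f"{label}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

One caveat the scaffold's third bullet already implies: once `iptables` is false, dockerd stops creating the NAT and FORWARD rules that make published ports reachable and give containers outbound masquerading, so a host is only correctly configured when the matching rules are rendered into /etc/nftables.d/ alongside this setting.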