Revise ADR-004 to a service-role standard: every service is its own self-contained role with a required file set including SECURITY.md, uniform deploy mechanics, and a deferred shared-engine option (with revisit trigger) recorded in the ADR. Add the per-service security record: - docs/security/service-security-template.md — canonical SECURITY.md template (exposure, checklist status, service-specific hardening, residual risks) - roles/<service>/SECURITY.md is where each service records how it meets the bar; /security-review aggregates roles/*/SECURITY.md and cross-checks against config - service-checklist.md noted as the generic bar the record answers Wire-up: new-role runbook step writes SECURITY.md from the template; ADR-002 governance bullet points at it; CLAUDE.md role conventions require it and mandate one-role-per-service; STATUS records the convention as defined-not-yet-applied. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
105 lines
4.4 KiB
Markdown
105 lines
4.4 KiB
Markdown
# ADR-004 — Docker and Compose service model
|
||
|
||
## Context
|
||
|
||
All services run as Docker containers managed via Docker Compose. This document
|
||
defines how services are structured, deployed, and maintained.
|
||
|
||
## Core principles
|
||
|
||
- **No hand-edited files on hosts**: all Compose files are rendered by Ansible
|
||
from Jinja2 templates. If a file exists on a host, it was put there by Ansible.
|
||
- **Compose per service**: each service (or tightly coupled service group) gets
|
||
its own Compose file and directory under a standard path.
|
||
- **Variables drive differences**: the same template renders differently per host
|
||
via `group_vars` and `host_vars`. No host-specific templates.
|
||
|
||
## Directory layout on hosts
|
||
|
||
```
|
||
/opt/services/
|
||
├── servicename/
|
||
│ ├── docker-compose.yml # rendered by Ansible, never edited manually
|
||
│ ├── .env # rendered by Ansible from vault variables
|
||
│ └── data/ # persistent volumes (bind mounts)
|
||
│ └── ...
|
||
```
|
||
|
||
All services live under `/opt/services/`. The path is defined in
|
||
`group_vars/all/vars.yml` as `services__base_dir`.
|
||
|
||
## Service-role standard
|
||
|
||
**Every service has its own self-contained role** — one service, one role. Shared
|
||
roles serving multiple services are no longer used (see "Why not a shared engine"
|
||
below). Each service role contains a standard set of files:
|
||
|
||
| File | Purpose |
|
||
|---|---|
|
||
| `tasks/main.yml` | The standard deploy mechanics (below) |
|
||
| `templates/docker-compose.yml.j2` | The Compose definition |
|
||
| `templates/env.j2` | `.env` rendered from vault variables |
|
||
| `defaults/main.yml` | Tuneables, `rolename__` namespace |
|
||
| `README.md` | Purpose, variables, usage (role convention) |
|
||
| `SECURITY.md` | Per-service security record — see ADR-002 and `docs/security/service-security-template.md` |
|
||
| `meta/main.yml`, `molecule/default/` | Metadata + Debian 13 test scenario |
|
||
|
||
### Standard deploy mechanics
|
||
|
||
Every service role's `tasks/main.yml` follows the same sequence, so all roles are
|
||
uniform and predictable:
|
||
|
||
1. Create `/opt/services/<service>/` directory
|
||
2. Render `docker-compose.yml` from `templates/docker-compose.yml.j2`
|
||
3. Render `.env` from `templates/env.j2` (secrets from vault variables)
|
||
4. Run `docker compose up -d --remove-orphans` via `ansible.builtin.command`
|
||
5. Optionally run `docker compose pull` before up (controlled by a variable)
|
||
|
||
### Why not a shared engine
|
||
|
||
A shared `compose_service` engine role — service roles delegating the mechanics to
|
||
one place — is **intentionally not built**. Duplicating the ~5 standard tasks per
|
||
role is accepted in favour of legible, self-contained roles a reader can understand
|
||
without indirection, and AI authorship makes the duplication cheap to generate
|
||
uniformly from this standard.
|
||
|
||
**Revisit trigger:** extract a shared engine role if maintaining the duplicated
|
||
mechanics across service roles becomes painful — a pattern change that means editing
|
||
many roles, or drift between them that this standard alone isn't preventing.
|
||
|
||
## Docker daemon configuration
|
||
|
||
Managed by the `docker_host` role. Key settings:
|
||
|
||
- `"log-driver": "json-file"` with size limits (prevents disk exhaustion)
|
||
- `"iptables": false` — firewall managed entirely by nftables (see ADR-002)
|
||
- TCP socket disabled — Unix socket only (`/var/run/docker.sock`)
|
||
- User namespace remapping: evaluated per use case, not enabled by default
|
||
|
||
## Networking
|
||
|
||
- Each service Compose file defines its own named network(s)
|
||
- Services that need to communicate are placed on a shared named network
|
||
defined in a dedicated `docker-compose.networks.yml` (if cross-service
|
||
networking is needed on a host)
|
||
- External port publishing is explicit and matches nftables rules
|
||
|
||
## Image management
|
||
|
||
- Images are always pinned to a specific digest or tag in templates
|
||
- `latest` is never used in production Compose files
|
||
- Image updates are a deliberate operation: update the tag variable, run deploy
|
||
|
||
## Persistent data
|
||
|
||
- Bind mounts preferred over named volumes for data that must be backed up
|
||
- All bind mount paths are under `/opt/services/<name>/data/`
|
||
- Backup strategy is defined separately (not in scope of this repo)
|
||
|
||
## Decision
|
||
|
||
Docker Compose was chosen over Kubernetes/Swarm because:
|
||
- Appropriate complexity level for 2–5 hosts with independent service sets
|
||
- Compose files are human-readable and easily auditable
|
||
- No distributed state to manage
|
||
- Straightforward to back up and restore
|