Implements the docker_host role tasks: prerequisites, /etc/apt/keyrings directory (ordered before the GPG key write), Docker APT key + repo, and docker-ce/cli/containerd.io/compose-plugin install. Daemon hardening and nftables.d integration remain deferred to Phase 2 (cluster + base firewall). Updates defaults, README, and molecule verify to assert docker --version. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1.4 KiB
# docker_host
Installs the Docker CE engine and the Compose plugin on every host in the
docker_hosts group. Provides the container runtime that per-service roles
(one service = one role, ADR-004) deploy their Compose stacks onto.
## Scope
This role covers the engine install only. The following are deferred to Phase 2
(when the Proxmox cluster and base host firewall exist):
- Daemon hardening (`iptables: false`, log driver, `live-restore`, userns remapping).
- Rendering container forward/NAT rules into `/etc/nftables.d/*.nft` (the `base` role hook for container firewall integration, ADR-020).
## Variables

| Variable | Default | Description |
|---|---|---|
| `docker_host__packages` | `[docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]` | APT packages installed from the Docker CE repository |

All variables use the `docker_host__` double-underscore namespace (CLAUDE.md convention).
## Example

```yaml
- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]
```
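What the install path summarised in the commit message (keyrings directory created before the key is written, repository trusted only through that keyring, then the `docker_host__packages` list installed and `docker --version` checked) looks like as an Ansible tasks file. This is an added illustration, not the role's own `tasks/main.yml`; it assumes a Debian-family host, Docker's `download.docker.com` repository, and a hypothetical helper fact `docker_host__deb_arch`.

```yaml
# Added illustration of the docker_host install path; not the role's own
# tasks/main.yml. Assumes a Debian-family host and Docker's download.docker.com
# repository; docker_host__deb_arch is a hypothetical helper fact.
- name: Map kernel architecture to the Debian package architecture
  ansible.builtin.set_fact:
    docker_host__deb_arch: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}"

- name: Install prerequisites for fetching a signed APT source
  ansible.builtin.apt:
    name: [ca-certificates, curl, gnupg]
    state: present
    update_cache: true

- name: Create /etc/apt/keyrings (must exist before the key is written)
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Write Docker's ASCII-armored APT signing key into the keyring dir
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"

- name: Add the Docker CE repo, trusted only via the signed-by keyring
  ansible.builtin.apt_repository:
    repo: >-
      deb [arch={{ docker_host__deb_arch }} signed-by=/etc/apt/keyrings/docker.asc]
      https://download.docker.com/linux/{{ ansible_distribution | lower }}
      {{ ansible_distribution_release }} stable
    filename: docker
    state: present

- name: Install the engine, CLI, containerd and the Compose plugin
  ansible.builtin.apt:
    name: "{{ docker_host__packages }}"
    state: present
    update_cache: true

- name: Confirm the engine is on PATH (the same check molecule verify asserts)
  ansible.builtin.command: docker --version
  changed_when: false
```

Scoping trust with `signed-by=` keeps the Docker key from validating any other APT source on the host, which is why the keyring directory has to exist before the key file is written.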
## Tags

All tasks carry the `packages` concern tag (APT package install, ADR-019).
## Related

- ADR-004 (`docs/decisions/004-docker-model.md`) — Docker & Compose model.
- ADR-020 (`docs/decisions/020-firewall.md`) — daemon hardening + `nftables.d` integration (deferred to Phase 2).
- ADR-011 (`docs/decisions/011-update-management.md`) — version pinning policy (future: pin Docker CE version explicitly).