boma/roles/docker_host/README.md
sjat 456c27d12b feat(docker_host): install Docker engine + compose plugin
Implements the docker_host role tasks: prerequisites, /etc/apt/keyrings
directory (ordered before the GPG key write), Docker APT key + repo, and
docker-ce/cli/containerd.io/compose-plugin install. Daemon hardening and
nftables.d integration remain deferred to Phase 2 (cluster + base firewall).
Updates defaults, README, and molecule verify to assert docker --version.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 17:28:51 +02:00


# docker_host
Installs the Docker CE engine and the Compose plugin on every host in the
`docker_hosts` group. Provides the container runtime that per-service roles
(one service = one role, ADR-004) deploy their Compose stacks onto.
## Scope
This role covers the **engine install only**. The following are deferred to Phase 2
(when the Proxmox cluster and `base` host firewall exist):
- Daemon hardening (`iptables: false`, log driver, `live-restore`, userns remapping).
- Rendering container forward/NAT rules into `/etc/nftables.d/*.nft` (the `base` role
hook for container firewall integration, ADR-020).
## Variables
| Variable | Default | Description |
|---|---|---|
| `docker_host__packages` | `[docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]` | APT packages installed from the Docker CE repository |
All variables use the `docker_host__` double-underscore namespace (CLAUDE.md convention).
## Example

```yaml
- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]
```
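A tasks file that carries out the install sequence described in the commit (keyrings directory first, then the signing key, the repository, and the packages), added here as an illustration rather than the role's actual `tasks/main.yml`; it assumes a Debian-family host, the `docker_host__packages` default from the table above, and a keyring path of `/etc/apt/keyrings/docker.asc` chosen for this example. Every task carries the `packages` tag the Tags section calls for.

```yaml
# Illustrative tasks (not the role's own); assumes Debian/Ubuntu and the README defaults.
- name: Install prerequisites for fetching the signing key over HTTPS
  ansible.builtin.apt:
    name: [ca-certificates, curl, gnupg]
    state: present
    update_cache: true
  tags: [packages]

- name: Ensure /etc/apt/keyrings exists (must precede the key write)
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags: [packages]

- name: Fetch the Docker APT signing key into a root-owned keyring file
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"
  tags: [packages]

# signed-by scopes trust in this key to the Docker repo alone (no global apt-key trust).
- name: Add the Docker CE repository, bound to the keyring via signed-by
  ansible.builtin.apt_repository:
    repo: >-
      deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}
      signed-by=/etc/apt/keyrings/docker.asc]
      https://download.docker.com/linux/{{ ansible_distribution | lower }}
      {{ ansible_distribution_release }} stable
    filename: docker
    state: present
  tags: [packages]

- name: Install the engine, CLI, containerd and the Compose plugin
  ansible.builtin.apt:
    name: "{{ docker_host__packages }}"
    state: present
    update_cache: true
  tags: [packages]

- name: Confirm the engine is present (the same check molecule verify makes)
  ansible.builtin.command: docker --version
  changed_when: false
  tags: [packages]
```

Binding the repository to its own keyring with `signed-by` means a compromise of that key cannot be used to sign packages for any other configured APT source, which is the reason to prefer it over the deprecated global `apt-key` trust store.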
## Tags
All tasks carry the `packages` concern tag (APT package install, ADR-019).
## Related
- ADR-004 (`docs/decisions/004-docker-model.md`) — Docker & Compose model.
- ADR-020 (`docs/decisions/020-firewall.md`) — daemon hardening + `nftables.d`
integration (deferred to Phase 2).
- ADR-011 (`docs/decisions/011-update-management.md`) — version pinning policy
(future: pin Docker CE version explicitly).