boma/roles/docker_host/tasks/main.yml
sjat 172ae37953 feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding)
base's inet-filter forward chain is policy-drop; on a Docker host that kills published-port DNAT + inter-container forwarding ON REBOOT (nftables loads default-deny before dockerd). This drop-in (loaded via base's /etc/nftables.d/*.nft include at boot) appends the container-bridge accepts so a rebooted Docker host keeps forwarding. Resolves FRICTION 2026-06-17 #1 and the GREEN half of ADR-025's acceptance test. NB nftables wildcard is br-*, not the iptables br-+.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 16:57:47 +02:00

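As an added illustration of the mechanism the commit message describes (not the project's 10-docker-forward.nft.j2 template, which this page does not show), here is one way such a drop-in can look. It assumes base's table is `inet filter` with a chain named `forward` that is declared `policy drop` in base's own file, that nftables.service includes `/etc/nftables.d/*.nft` after that declaration, and that Docker's per-network bridges are named `br-<id>`; the `ct status dnat` restriction on inbound flows is this example's own choice, not something the page states.

```nft
# /etc/nftables.d/10-docker-forward.nft  (added example, not the project's template)
# Pulled in by base's /etc/nftables.d/*.nft include at boot, so these rules are
# appended to the already-declared policy-drop forward chain before dockerd starts.
# Assumption: base's table is "inet filter" and its forward chain is "forward".
table inet filter {
	chain forward {
		# Replies and related flows for connections accepted by the rules below.
		ct state established,related accept

		# Traffic leaving a container: the default bridge and per-network br-<id> bridges.
		# nftables glob syntax is a trailing "*" inside the quoted name; the iptables
		# form "br-+" would be matched literally and never hit a real bridge.
		iifname "docker0" accept
		iifname "br-*" accept

		# New inbound connections that Docker's nat table already DNAT'd to a published
		# port. Limiting this to DNAT'd flows (example's choice) keeps unpublished
		# container ports under the chain's drop policy.
		oifname "docker0" ct status dnat accept
		oifname "br-*" ct status dnat accept
	}
}
```

Two things worth knowing when reading this: a table/chain block in an included file adds rules to an existing chain rather than replacing it, which is what "appends the container-bridge accepts" relies on; and accepting here only stops base's chain from dropping the packet, since Docker's own forward rules (DOCKER-USER, isolation between bridges) live in a separate hook that is still evaluated.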

---
- name: Install prerequisites
  ansible.builtin.apt:
    name: [ca-certificates, curl, gnupg]
    state: present
    update_cache: true
  tags: [packages]

- name: Ensure /etc/apt/keyrings exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  tags: [packages]

- name: Add Docker's APT GPG key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
  tags: [packages]

- name: Add the Docker APT repository
  ansible.builtin.apt_repository:
    repo: >-
      deb [arch={{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}
      signed-by=/etc/apt/keyrings/docker.asc]
      https://download.docker.com/linux/debian
      {{ ansible_distribution_release }} stable
    filename: docker
    state: present
  tags: [packages]

- name: Install Docker engine + compose plugin
  ansible.builtin.apt:
    name: "{{ docker_host__packages }}"
    state: present
    update_cache: true
  tags: [packages]

- name: Ensure the nftables drop-in dir exists (for the container-forward rules)
  ansible.builtin.file:
    path: "{{ docker_host__nftables_dropin_dir }}"
    state: directory
    mode: "0755"
  when: docker_host__forward_dropin | bool
  tags: [firewall]

- name: Install the container-forward nftables drop-in (reboot-safe Docker forwarding)
  ansible.builtin.template:
    src: 10-docker-forward.nft.j2
    dest: "{{ docker_host__nftables_dropin_dir }}/10-docker-forward.nft"
    mode: "0644"
  when: docker_host__forward_dropin | bool
  # Not reloaded here: a running host already forwards via Docker's runtime rules, so the
  # drop-in only needs to protect the NEXT boot (loaded by nftables.service). Reloading nft
  # now would flush Docker's NAT (FRICTION 2026-06-17 #4); the boot loads it cleanly.
  tags: [firewall]
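Because the drop-in is deliberately not reloaded at deploy time, the only thing that proves it works is the chain that is actually loaded after a reboot. The following is an added check script, not the ADR-025 acceptance test the commit message refers to (the page does not show that test). It assumes base's table is `inet filter` with chain `forward`, and the two sample chain listings are constructed to look like `nft list chain` output, not captured from a host.

```shell
#!/bin/sh
# Added example: verify that the loaded forward chain carries the container-bridge
# accepts. Not the project's acceptance test. Assumes table "inet filter", chain "forward".

# Reads `nft list chain inet filter forward` output on stdin.
# Returns 0 when the chain is policy drop and has both bridge accepts written in
# nftables glob syntax; returns 1 otherwise, including when the iptables-style "br-+"
# wildcard was used (nftables matches that literally, so no compose bridge is covered).
forward_chain_ok() {
    chain="$(cat)"
    printf '%s\n' "$chain" | grep -q 'policy drop' || return 1
    printf '%s\n' "$chain" | grep -qF 'iifname "docker0" accept' || return 1
    printf '%s\n' "$chain" | grep -qF 'iifname "br-*" accept' || return 1
    if printf '%s\n' "$chain" | grep -qF 'br-+'; then
        return 1
    fi
    return 0
}

# Constructed sample of a correctly loaded chain (not captured from a real host).
SAMPLE_OK='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "docker0" accept
        iifname "br-*" accept
        oifname "docker0" ct status dnat accept
        oifname "br-*" ct status dnat accept
    }
}'

# Constructed sample of the mistake the commit message warns about: the drop-in was
# written with the iptables wildcard, so compose bridges fall through to the drop policy.
SAMPLE_BAD='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "docker0" accept
        iifname "br-+" accept
    }
}'

case "${1:-}" in
    --live)
        # On a host (root needed):  nft list chain inet filter forward | sh check.sh --live
        if forward_chain_ok; then
            echo "forward chain: container-bridge accepts present"
        else
            echo "forward chain: container-bridge accepts MISSING; a reboot would break Docker forwarding" >&2
            exit 1
        fi
        ;;
    *)
        # Self-check against the constructed samples.
        printf '%s\n' "$SAMPLE_OK" | forward_chain_ok && echo "self-check: correct chain passes"
        printf '%s\n' "$SAMPLE_BAD" | forward_chain_ok || echo "self-check: br-+ chain is rejected"
        ;;
esac
```

Running it with no arguments exercises the two samples; `--live` reads the real chain from stdin. The `br-+` check exists because that mistake still loads without error, so only an explicit assertion catches it.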