diff --git a/ansible/main.yml b/ansible/main.yml
index 719e46d1..e1a11245 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -22,6 +22,8 @@
 tags: "packages"
 - role: "firewall"
 tags: "firewall"
+ - role: "docker"
+ tags: "docker"
 - role: "databases"
 tags: "databases"
 - role: "backups"
diff --git a/ansible/roles/docker/tasks/docker-apt-repo.yml b/ansible/roles/docker/tasks/docker-apt-repo.yml
new file mode 100644
index 00000000..2739e317
--- /dev/null
+++ b/ansible/roles/docker/tasks/docker-apt-repo.yml
@@ -0,0 +1,23 @@
+---
+# Based on the offical docker documentation on https://docs.docker.com/engine/install/ubuntu/
+
+- name: "Ensure dependencies are installed"
+ ansible.builtin.apt:
+ name:
+ - "ca-certificates"
+ - "curl"
+ state: "present"
+
+- name: "Add Docker apt key"
+ ansible.builtin.apt_key:
+ url: "https://download.docker.com/linux/ubuntu/gpg"
+ id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
+ state: "present"
+ # NOTE: this differs from the official documentation, as it does not install the keyring to /etc/apt/keyrings
+
+- name: "Add Docker repository"
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
+ state: "present"
+ update_cache: true
+ # NOTE: this differs from the official documentation, as it does not echo the string to /etc/apt/ as 'docker.list'
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
new file mode 100644
index 00000000..7671177f
--- /dev/null
+++ b/ansible/roles/docker/tasks/main.yml
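Review bot: The `signed-by=/etc/apt/keyrings/docker.asc` path in the `repo:` string of the "Add Docker repository" task names a file that no task in this role creates — the key is imported through `apt_key` instead, which, as the task's own NOTE says, does not write to `/etc/apt/keyrings` — and because `signed-by` restricts trust for that source to the listed keyring, apt will not use the `apt_key`-imported key and `update_cache: true` will fail on an unverifiable Release signature. Fetch the key to the path the repo line already names and drop the `apt_key` task (the underlying `apt-key` tool is deprecated on current Debian/Ubuntu); to keep the fingerprint pinning that the `id:` field provided, verify the downloaded file's fingerprint in a follow-up task, or pin the file with `get_url`'s `checksum:` option. Note also that the key URL hard-codes `ubuntu` while the repo line is parameterized on `{{ ansible_distribution | lower }}`; the two should agree.
```yaml
- name: "Ensure apt keyrings directory exists"
  ansible.builtin.file:
    path: "/etc/apt/keyrings"
    state: "directory"
    mode: "0755"

- name: "Add Docker apt key"
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/ubuntu/gpg"
    dest: "/etc/apt/keyrings/docker.asc"
    mode: "0644"

# … unchanged: "Add Docker repository" task …
```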
@@ -0,0 +1,39 @@
+---
+# FIXME docker exposed ports bypass ufw firefwall, which we use.
+# See https://docs.docker.com/network/packet-filtering-firewalls/#docker-and-ufw
+
+- name: "Install Docker"
+ block:
+
+ - name: "Add Docker apt repository"
+ ansible.builtin.include_tasks: "docker-apt-repo.yml"
+
+ - name: "Install Docker packages"
+ ansible.builtin.package:
+ name:
+ - "docker-ce={{ docker_engine_version }}"
+ - "docker-ce-cli={{ docker_engine_version }}"
+ - "containerd.io"
+ - "docker-buildx-plugin"
+ state: "present"
+
+ - name: "Ensure Docker is started and enabled at boot"
+ ansible.builtin.service:
+ name: "docker"
+ state: "started"
+ enabled: true
+
+- name: "Install Docker Compose"
+ ansible.builtin.package:
+ name: "docker-compose-plugin"
+ state: "present"
+
+- name: "Ensure admin users are added to the docker group"
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ groups: "docker"
+ append: true
+ with_items: "{{ users }}"
+ when: "item.admin"
+ loop_control:
+ label: "Adding '{{ item.name }}' to the docker group"
diff --git a/ansible/roles/docker/vars/main.yml b/ansible/roles/docker/vars/main.yml
new file mode 100644
index 00000000..6a74acf4
--- /dev/null
+++ b/ansible/roles/docker/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# Possible docker engine versions can be obtained through the following
+# command: apt-cache madison docker-ce | awk '{ print $3 }'
+docker_engine_version: "5:27.0.3-1~ubuntu.20.04~focal"
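Review bot: Membership in the `docker` group gives control of the Docker socket, which is equivalent to root on the host, and the last task grants it to every `users` entry with `admin` set without saying so; add a comment above it such as `# docker group membership is root-equivalent (access to the Docker socket); only grant it to users who already hold sudo`. The task also assumes every `users` entry carries an `admin` key — an entry without it makes `when: "item.admin"` fail on an undefined attribute — so `when: "item.admin | default(false)"` states the intent and tolerates the missing key. `with_items:` is the legacy loop form; `loop: "{{ users }}"` is the current idiom and behaves the same here. In the "Install Docker packages" task the generic `package` module is given apt-specific `name=version` pins while docker-apt-repo.yml uses `ansible.builtin.apt`; using `apt` here as well keeps the role consistent and makes the pinning syntax unambiguous.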
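Review bot: `docker_engine_version` lives in `vars/main.yml`, where role vars take precedence over inventory, group_vars and play vars, so a consumer of the role cannot override the pin without editing the role; the conventional place for a tunable like this is `defaults/main.yml`. The value also hard-codes `~ubuntu.20.04~focal` while the repository line in docker-apt-repo.yml is parameterized on `{{ ansible_distribution_release }}`, so on any other release the pinned package will not exist in the configured repo; either document the assumption above the variable, e.g. `# Pinned for Ubuntu 20.04 (focal) only; update together with the target release`, or build the suffix from `ansible_distribution_version` and `ansible_distribution_release`. Pinning through `name=version` also does not hold the package, so a later `apt upgrade` can move it off the pinned version; `ansible.builtin.dpkg_selections` with `selection: hold` on `docker-ce` and `docker-ce-cli` would make the pin stick.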