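---
# Install and configure the Docker daemon on a RHEL-family host:
# package, storage setup, daemon.json, TLS material for the API listener,
# systemd drop-ins, firewall exposure and service state.
#
# Module arguments are written as block YAML (not `key=value` strings),
# booleans as true/false and file modes as quoted strings so no YAML parser
# reinterprets them (0644 is octal 420 unquoted under YAML 1.1).
#
# Variables expected from the caller or the included vars file:
#   docker_pkg, docker_service, docker_storage_setup, docker_listen_port,
#   docker_allow_outside, docker_allow_unprivileged (optional, defaults to false).

- name: load configuration variables
  include_vars: '{{ docker_pkg }}.yml'

- name: ensure docker is installed
  package:
    name: '{{ docker_pkg }}'
    state: present

# Membership of the docker group is root-equivalent on the host (any member
# can start a privileged container), so the group is only created when the
# operator explicitly opts in; an unset variable keeps it off.
- name: ensure docker group exists
  group:
    name: docker
    system: true
    state: present
  when: docker_allow_unprivileged | d(false) | bool

- name: ensure docker storage is configured
  template:
    src: docker-storage-setup.j2
    dest: '/etc/sysconfig/{{ docker_storage_setup }}'
    mode: '0644'
  notify: reset docker storage

# No mode is set here, so the file keeps an existing mode or gets one from
# the umask; set one explicitly if the sysconfig template ever carries secrets.
- name: ensure docker is configured
  template:
    src: '{{ docker_service }}.sysconfig.j2'
    dest: '/etc/sysconfig/{{ docker_service }}'
  notify: restart docker

# Persisted in its own sysctl.d fragment; the module reloads sysctl from that
# file by default, so the setting is live after this task.
- name: ensure ip forwarding is enabled
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_file: /etc/sysctl.d/70-ip_forward.conf

- name: ensure docker daemon is configured
  template:
    src: daemon.json.j2
    dest: /etc/docker/daemon.json
    mode: '0644'
  notify: restart docker

# TLS material is looked up per host under files/certs/docker/<hostname>/.
# with_fileglob silently skips the task when the file is absent on the
# controller; the assert further down refuses to expose the API in that case.
- name: ensure docker server certificate is installed
  copy:
    src: '{{ item }}'
    dest: /etc/pki/tls/certs/docker.cer
    mode: '0644'
  with_fileglob:
    - 'certs/docker/{{ inventory_hostname }}/docker.cer'

# no_log keeps the PEM key out of task output and --diff listings.
- name: ensure docker server private key is installed
  copy:
    src: '{{ item }}'
    dest: /etc/pki/tls/private/docker.key
    mode: '0400'
  with_fileglob:
    - 'certs/docker/{{ inventory_hostname }}/docker.key'
  no_log: true

- name: ensure docker client ca certificate is installed
  copy:
    src: '{{ item }}'
    dest: /etc/pki/tls/certs/docker-ca.crt
    mode: '0644'
  with_fileglob:
    - 'certs/docker/{{ inventory_hostname }}/docker-ca.crt'

# `creates` makes this idempotent: the script only runs while key.json is absent.
- name: ensure docker trust key file exists
  script: generate-docker-key.sh
  args:
    creates: /etc/docker/key.json

- name: ensure docker systemd unit extension directory exists
  file:
    path: '/etc/systemd/system/{{ docker_service }}.service.d'
    mode: '0755'
    state: directory

# NOTE(review): the ProtectSystem= hardening drop-in is still disabled here;
# the daemon runs without systemd filesystem protection until it is re-enabled.
#- name: ensure system protection is configured for the docker daemon
#  copy:
#    src: protect-system.systemd.conf
#    dest: '/etc/systemd/system/{{ docker_service }}.service.d/protect-system.conf'
#    mode: '0644'
#  notify:
#    - reload systemd
#    - restart docker

# The drop-in is world-readable; if the proxy URL in http-proxy.conf.j2 ever
# embeds credentials, tighten this to 0600 (systemd reads drop-ins as root).
- name: ensure docker daemon is configured to use http proxy
  template:
    src: http-proxy.conf.j2
    dest: '/etc/systemd/system/{{ docker_service }}.service.d/http-proxy.conf'
    mode: '0644'
  notify:
    - reload systemd
    - restart docker

# An exposed Docker API is root on the host for anyone who can reach it, so
# fail closed when no client CA exists for this host on the controller
# (the copy task above would otherwise just skip and leave the port open).
# Assumes daemon.json.j2 turns on tlsverify against docker-ca.crt — confirm.
- name: ensure a client ca certificate is shipped before exposing the docker api
  assert:
    that:
      - "lookup('fileglob', 'certs/docker/' ~ inventory_hostname ~ '/docker-ca.crt') | length > 0"
    fail_msg: >-
      docker_allow_outside is set but no client CA certificate was found for
      {{ inventory_hostname }}; refusing to open {{ docker_listen_port }}/tcp
      for an API that cannot verify its clients.
  when: docker_allow_outside | bool

# Runtime change applied immediately; the handler persists it.
- name: ensure firewall is configured for docker
  firewalld:
    port: '{{ docker_listen_port }}/tcp'
    state: '{{ "enabled" if docker_allow_outside else "disabled" }}'
    permanent: false
    immediate: true
  notify: save firewalld configuration

- name: ensure docker starts at boot
  service:
    name: '{{ docker_service }}'
    enabled: true

# Run pending restart/reload handlers now so the final state check below
# observes the daemon with the configuration written above.
- meta: flush_handlers

- name: ensure docker is running
  service:
    name: '{{ docker_service }}'
    state: started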