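---
# Tasks that install and configure the docker daemon on a host.

# Variables specific to the selected docker package (docker_pkg) live in a
# file named after it, so the rest of this file can stay package-agnostic.
- name: load configuration variables
  include_vars: '{{ docker_pkg }}.yml'
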
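# state: present leaves an already-installed package at whatever version it
# has; it does not pull upgrades.
- name: ensure docker is installed
  package:
    name: '{{ docker_pkg }}'
    state: present
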
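# The docker socket is conventionally group-owned by 'docker', which makes
# membership of this group root-equivalent on the host. The group is therefore
# only created when unprivileged access has been explicitly enabled.
- name: ensure docker group exists
  group:
    name: docker
    system: true
    state: present
  when: docker_allow_unprivileged | default(false) | bool
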
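# Storage setup for the daemon; the target filename comes from the per-package
# variables loaded above.
- name: ensure docker storage is configured
  template:
    src: docker-storage-setup.j2
    dest: '/etc/sysconfig/{{ docker_storage_setup }}'
    mode: '0644'
  notify: reset docker storage
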
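# Service sysconfig file. The mode is set explicitly, like the other rendered
# files in this play, so the result does not depend on the remote umask.
- name: ensure docker is configured
  template:
    src: '{{ docker_service }}.sysconfig.j2'
    dest: '/etc/sysconfig/{{ docker_service }}'
    mode: '0644'
  notify: restart docker
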
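# Containers need the host to forward packets between interfaces. This is a
# host-wide setting: once enabled, FORWARD-chain firewall rules decide what
# traffic is routed through the host, so keep them in mind when changing it.
- name: ensure ip forwarding is enabled
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_file: /etc/sysctl.d/70-ip_forward.conf
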
# Render the daemon configuration and restart the daemon when it changed.
- name: ensure docker daemon is configured
  template:
    src: "daemon.json.j2"
    dest: "/etc/docker/daemon.json"
    mode: "0644"
  notify: restart docker

# Per-host server certificate. with_fileglob yields no items when the file is
# not present on the controller, so the task is skipped rather than failing.
- name: ensure docker server certificate is installed
  copy:
    src: "{{ item }}"
    dest: "/etc/pki/tls/certs/docker.cer"
    mode: "0644"
  with_fileglob: "certs/docker/{{ inventory_hostname }}/docker.cer"

# Per-host server private key; mode 0400 keeps it readable only by its owner.
# Skipped when no key exists for this host on the controller.
- name: ensure docker server private key is installed
  copy:
    src: "{{ item }}"
    dest: "/etc/pki/tls/private/docker.key"
    mode: "0400"
  with_fileglob: "certs/docker/{{ inventory_hostname }}/docker.key"

# CA used to verify client certificates. Skipped when no CA file exists for
# this host on the controller.
- name: ensure docker client ca certificate is installed
  copy:
    src: "{{ item }}"
    dest: "/etc/pki/tls/certs/docker-ca.crt"
    mode: "0644"
  with_fileglob: "certs/docker/{{ inventory_hostname }}/docker-ca.crt"

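# Generate the daemon's key file once; creates: makes the script a no-op on
# later runs so the existing key is never overwritten.
- name: ensure docker trust key file exists
  script:
    cmd: generate-docker-key.sh
    creates: /etc/docker/key.json
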
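# Drop-in directory for overriding the packaged systemd unit.
- name: ensure docker systemd unit extension directory exists
  file:
    path: '/etc/systemd/system/{{ docker_service }}.service.d'
    mode: '0755'
    state: directory
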
#- name: ensure system protection is configured for the docker daemon
#  copy:
#    src=protect-system.systemd.conf
#    dest=/etc/systemd/system/{{ docker_service }}.service.d/protect-system.conf
#    mode=0644
#  notify:
#    - reload systemd
#    - restart docker

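# Systemd drop-in holding the daemon's proxy settings. The rendered file is
# world-readable (0644); if the template ever carries proxy credentials the
# mode needs tightening. systemd must be reloaded before the daemon restarts
# for the drop-in to take effect, hence the handler order.
- name: ensure docker daemon is configured to use http proxy
  template:
    src: http-proxy.conf.j2
    dest: '/etc/systemd/system/{{ docker_service }}.service.d/http-proxy.conf'
    mode: '0644'
  notify:
    - reload systemd
    - restart docker
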
# Open or close the daemon's listening port depending on docker_allow_outside.
# permanent: false only touches the running firewall; the notified handler is
# presumably what persists the change.
- name: ensure firewall is configured for docker
  firewalld:
    port: "{{ docker_listen_port }}/tcp"
    state: "{{ 'enabled' if docker_allow_outside else 'disabled' }}"
    permanent: false
    immediate: true
  notify: save firewalld configuration

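# Enable the unit only; starting it is handled below, after handlers have run.
- name: ensure docker starts at boot
  service:
    name: '{{ docker_service }}'
    enabled: true
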
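# Run any handlers notified above (reload systemd, restart docker, ...) now,
# so the daemon comes up with the new configuration before we assert that it
# is running.
- meta: flush_handlers

- name: ensure docker is running
  service:
    name: '{{ docker_service }}'
    state: started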