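---
# Installs Docker CE from Docker's apt repository (following the official
# documentation steps) and standardises two shared directories:
#   /opt/docker  - group "docker", setgid, default ACL so the group keeps rwx
#   /srv/docker  - owned by a dedicated fixed-UID/GID data user and group
- name: Install Docker using official Docker documentation steps and set up /opt/docker and /srv/docker
  hosts: docker
  become: true
  # Facts are required: the repository line uses ansible_distribution_release.
  gather_facts: true
  vars:
    docker_keyring_path: /etc/apt/keyrings/docker.asc
    docker_repo_list_path: /etc/apt/sources.list.d/docker.list
    docker_acl_path: /opt/docker
    srv_docker_path: /srv/docker
    docker_data_user: dockeruser
    docker_data_group: dockerdata
    # Fixed IDs so data under /srv/docker keeps consistent ownership across hosts.
    docker_data_uid: 2011
    docker_data_gid: 2011

  tasks:
    # --- Prereqs ---
    - name: Ensure required packages are installed
      apt:
        name:
          - ca-certificates
          - curl
          - acl  # Provides setfacl/getfacl, required by the ansible.posix.acl tasks below
        state: present
        update_cache: true

    - name: Ensure keyring directory exists
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"

    # NOTE(review): the key is fetched over HTTPS but no checksum is pinned, so
    # trust rests on TLS to download.docker.com. Once the expected digest is
    # known, add `checksum: "sha256:<expected-key-digest>"` to get_url.
    - name: Download Docker's official GPG key
      get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: "{{ docker_keyring_path }}"
        mode: "0644"
      register: docker_key_download

    - name: Get native architecture (dpkg --print-architecture)
      command: dpkg --print-architecture
      register: dpkg_arch_result
      changed_when: false

    # ansible_distribution_release comes from /etc/os-release and is always
    # populated on Ubuntu; ansible_lsb.codename is undefined when the
    # lsb-release package is not installed, which would abort the play here.
    - name: Add Docker repository to Apt sources
      copy:
        dest: "{{ docker_repo_list_path }}"
        content: |
          deb [arch={{ dpkg_arch_result.stdout }} signed-by={{ docker_keyring_path }}] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
        mode: "0644"
      notify: Update apt cache

    - name: Flush handlers to update apt cache before install
      meta: flush_handlers

    # --- Docker Install ---
    - name: Install Docker packages
      apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-buildx-plugin
          - docker-compose-plugin
        state: present
        # The cache was already refreshed by the flushed handler above.
        update_cache: false

    # Membership of this group is equivalent to root on the host; keep it limited.
    - name: Ensure docker group exists
      group:
        name: docker
        state: present

    - name: Ensure Docker service is enabled and running
      systemd:
        name: docker
        enabled: true
        state: started

    # --- ACL & Folder Standardization ---
    # The mode is set once, including setgid (2775). Setting "0775" in one task
    # and "2775" in a following task would clear and re-add the setgid bit on
    # every run, reporting two changes each time and never converging.
    - name: Ensure Docker base folder exists with group docker, setgid and mode 2775
      file:
        path: "{{ docker_acl_path }}"
        state: directory
        owner: root
        group: docker
        mode: "2775"

    # ansible.posix.acl is idempotent by itself, so no getfacl pre-check or
    # hand-rolled setfacl command is needed; this also matches the /srv/docker
    # task below.
    - name: Set default ACL for docker group on Docker base folder
      ansible.posix.acl:
        path: "{{ docker_acl_path }}"
        entity: docker
        etype: group
        permissions: rwx
        default: true
        state: present

    # --- Dedicated Docker Data User/Group and /srv/docker Setup ---
    - name: Create docker data group with fixed GID
      group:
        name: "{{ docker_data_group }}"
        gid: "{{ docker_data_gid }}"
        state: present
        system: true

    - name: Create docker data user with fixed UID and GID
      user:
        name: "{{ docker_data_user }}"
        uid: "{{ docker_data_uid }}"
        group: "{{ docker_data_group }}"
        # No interactive login: this account exists only to own container data.
        shell: /usr/sbin/nologin
        create_home: false
        system: true
        state: present

    # As above: setgid is applied in the same task as the base mode (2770) so
    # repeated runs do not flip the bit back and forth.
    - name: Ensure /srv/docker exists with data user/group ownership, setgid and mode 2770
      file:
        path: "{{ srv_docker_path }}"
        state: directory
        owner: "{{ docker_data_user }}"
        group: "{{ docker_data_group }}"
        mode: "2770"

    - name: Set default ACL for dockerdata group on /srv/docker
      ansible.posix.acl:
        path: "{{ srv_docker_path }}"
        entity: "{{ docker_data_group }}"
        etype: group
        permissions: rwx
        default: true
        state: present

  handlers:
    - name: Update apt cache
      apt:
        update_cache: true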