
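---
# Installs Docker Engine from Docker's apt repository (mirroring the steps in
# the official install docs) and standardises two directories:
#   /opt/docker  - root:docker, setgid, default ACL g:docker:rwx
#   /srv/docker  - owned by a dedicated non-login data user/group with a fixed
#                  UID/GID, so bind-mounted data keeps stable ownership.
#
# NOTE(review): membership in the `docker` group is effectively root on the
# host (the daemon runs as root and will bind-mount anything it is asked to),
# so anything made writable to that group below is root-equivalent territory.
# Keep that group small; this play does not add anyone to it.
- name: Install Docker using official Docker documentation steps and set up /opt/docker and /srv/docker
  hosts: docker
  become: true
  gather_facts: true
  vars:
    docker_keyring_path: /etc/apt/keyrings/docker.asc
    docker_repo_list_path: /etc/apt/sources.list.d/docker.list
    # Primary-key fingerprint of Docker's apt signing key, as published in the
    # Docker install docs; confirm against the docs before changing it. The
    # play fails closed if the downloaded key does not carry this fingerprint.
    docker_gpg_fingerprint: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
    docker_acl_path: /opt/docker
    srv_docker_path: /srv/docker
    docker_data_user: dockeruser
    docker_data_group: dockerdata
    docker_data_uid: 2011
    docker_data_gid: 2011
  tasks:
    # --- Prereqs ---
    - name: Ensure required packages are installed
      ansible.builtin.apt:
        name:
          - ca-certificates
          - curl
          - gnupg  # provides gpg, used below to verify the downloaded repo key
          - acl    # required for setfacl / the ansible.posix.acl module
        state: present
        update_cache: true

    - name: Ensure keyring directory exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Download Docker's official GPG key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: "{{ docker_keyring_path }}"
        owner: root
        group: root
        mode: "0644"

    # Supply-chain check: TLS only proves we talked to download.docker.com.
    # Pinning the key fingerprint means a swapped or poisoned key file cannot
    # become a trusted apt signer. The check also runs against a key that was
    # already on disk (get_url does not re-download an existing file).
    - name: Read fingerprint of the downloaded Docker key
      ansible.builtin.command:
        argv:
          - gpg
          - --with-colons
          - --with-fingerprint
          - --show-keys
          - "{{ docker_keyring_path }}"
      register: docker_key_info
      changed_when: false

    - name: Fail if the Docker key does not match the expected fingerprint
      ansible.builtin.fail:
        msg: >-
          {{ docker_keyring_path }} does not contain key
          {{ docker_gpg_fingerprint }}; refusing to trust it for apt.
      # In --check mode the gpg command above is skipped, so there is nothing
      # to compare; only enforce when we actually read the key.
      when: docker_key_info is not skipped and docker_gpg_fingerprint not in docker_key_info.stdout

    - name: Get native architecture (dpkg --print-architecture)
      ansible.builtin.command: dpkg --print-architecture
      register: dpkg_arch_result
      changed_when: false
      # Read-only; run it in --check mode too so the repo task below can
      # render instead of failing on an undefined stdout.
      check_mode: false

    # ansible_distribution_release comes from the distro facts and does not
    # need lsb_release installed, unlike ansible_lsb.codename, which is empty
    # (and breaks this template) on minimal images.
    - name: Add Docker repository to Apt sources
      ansible.builtin.copy:
        dest: "{{ docker_repo_list_path }}"
        owner: root
        group: root
        mode: "0644"
        content: |
          deb [arch={{ dpkg_arch_result.stdout }} signed-by={{ docker_keyring_path }}] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
      notify: Update apt cache

    - name: Flush handlers to update apt cache before install
      ansible.builtin.meta: flush_handlers

    # --- Docker Install ---
    # NOTE(review): no version pin here; `state: present` installs whatever the
    # repo currently serves on first run and leaves an existing install alone.
    - name: Install Docker packages
      ansible.builtin.apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-buildx-plugin
          - docker-compose-plugin
        state: present
        update_cache: false

    - name: Ensure docker group exists
      ansible.builtin.group:
        name: docker
        state: present

    - name: Ensure Docker service is enabled and running
      ansible.builtin.systemd:
        name: docker
        enabled: true
        state: started

    # --- ACL & Folder Standardization ---
    # One task with the setgid bit included. Setting mode 0775 and then 2775
    # in two separate tasks flips the bit off and on again, so every run
    # reports "changed".
    - name: Ensure Docker base folder exists with root:docker ownership and setgid
      ansible.builtin.file:
        path: "{{ docker_acl_path }}"
        state: directory
        owner: root
        group: docker
        mode: "2775"

    # ansible.posix.acl is idempotent on its own, which replaces the
    # getfacl-then-grep guard and matches how /srv/docker is handled below.
    - name: Set default ACL for docker group on Docker base folder
      ansible.posix.acl:
        path: "{{ docker_acl_path }}"
        entity: docker
        etype: group
        permissions: rwx
        default: true
        state: present

    # --- Dedicated Docker Data User/Group and /srv/docker Setup ---
    - name: Create docker data group with fixed GID
      ansible.builtin.group:
        name: "{{ docker_data_group }}"
        gid: "{{ docker_data_gid }}"
        state: present
        system: true

    # No shell, no home: this account only exists to own data under /srv/docker.
    - name: Create docker data user with fixed UID and GID
      ansible.builtin.user:
        name: "{{ docker_data_user }}"
        uid: "{{ docker_data_uid }}"
        group: "{{ docker_data_group }}"
        shell: /usr/sbin/nologin
        create_home: false
        system: true
        state: present

    # Same single-task pattern as /opt/docker: 2770 sets setgid in one step.
    - name: Ensure /srv/docker exists with data-user ownership and setgid
      ansible.builtin.file:
        path: "{{ srv_docker_path }}"
        state: directory
        owner: "{{ docker_data_user }}"
        group: "{{ docker_data_group }}"
        mode: "2770"

    - name: Set default ACL for dockerdata group on /srv/docker
      ansible.posix.acl:
        path: "{{ srv_docker_path }}"
        entity: "{{ docker_data_group }}"
        etype: group
        permissions: rwx
        default: true
        state: present

  handlers:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true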