Docker: Add Debian support

roles/docker/defaults/main.yml

@@ -0,0 +1,8 @@
+docker_apt_release_channel: stable
+docker_repo_url: https://download.docker.com/linux
+docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+docker_apt_repository: "deb [arch={{ docker_apt_arch }} signed-by=/etc/apt/trusted.gpg.d/docker.asc] {{ docker_repo_url }}/debian {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
+docker_apt_ignore_key_error: true
+docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
+docker_apt_gpg_key_checksum: "sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570"
+docker_apt_filename: "docker"

roles/docker/tasks/main.yml

@@ -1,16 +1,9 @@
 ---
-- name: Add Docker GPG key.
-  ansible.builtin.rpm_key:
-    key: "https://download.docker.com/linux/centos/gpg"
-    state: present
+- include_tasks: setup-rocky.yml
+  when: ansible_os_family == 'RedHat'
 
-- name: Add Docker repository.
-  ansible.builtin.get_url:
-    url: https://download.docker.com/linux/centos/docker-ce.repo
-    dest: '/etc/yum.repos.d/docker-ce.repo'
-    owner: root
-    group: root
-    mode: "0644"
+- include_tasks: setup-debian.yml
+  when: ansible_os_family == 'Debian'
 
 - name: Install docker
   ansible.builtin.package:
@@ -87,6 +80,13 @@
   ansible.builtin.systemd:
     service: iptables
     enabled: false
+  when: ansible_os_family == 'RedHat'
+
+- name: Disable the netfilter-persistent service
+  ansible.builtin.systemd:
+    service: netfilter-persistent
+    enabled: false
+  when: ansible_os_family == 'Debian'
 
 - name: Place the new systemd service file
   ansible.builtin.copy:

roles/docker/tasks/setup-debian.yml

@@ -0,0 +1,29 @@
+---
+- name: Ensure old versions of Docker are not installed.
+  ansible.builtin.package:
+    name:
+      - docker
+      - docker-engine
+    state: absent
+
+- name: Ensure dependencies are installed.
+  ansible.builtin.apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+    state: present
+
+- name: Add Docker apt key.
+  ansible.builtin.get_url:
+    url: "{{ docker_apt_gpg_key }}"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: '0644'
+    force: false
+    checksum: "{{ docker_apt_gpg_key_checksum | default(omit) }}"
+
+- name: Add Docker repository.
+  ansible.builtin.apt_repository:
+    repo: "{{ docker_apt_repository }}"
+    state: present
+    filename: "{{ docker_apt_filename }}"
+    update_cache: true

roles/docker/tasks/setup-rocky.yml

@@ -0,0 +1,12 @@
+- name: Add Docker GPG key.
+  ansible.builtin.rpm_key:
+    key: "https://download.docker.com/linux/centos/gpg"
+    state: present
+
+- name: Add Docker repository.
+  ansible.builtin.get_url:
+    url: https://download.docker.com/linux/centos/docker-ce.repo
+    dest: '/etc/yum.repos.d/docker-ce.repo'
+    owner: root
+    group: root
+    mode: "0644"

roles/docker/templates/ip4tables.sh.j2

@@ -78,6 +78,10 @@ done
 # Add your non docker rules here 
 
 /sbin/iptables -t filter -A INPUT -p icmp -j ACCEPT 
+# We open port 25 on docker hosts to allow containers to send emails to the docker host itself
+{% if 'docker' in group_names %}
+/sbin/iptables -t filter -A INPUT -p tcp -d {{ ansible_docker0.ipv4.address }} -m multiport --dports 25 -j ACCEPT
+{% endif %}
 
 {% if iptables_incoming is defined %}
 {% for service in iptables_incoming %}