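---
# Installs Docker CE from Docker's apt repository on Ubuntu hosts whose
# `services` variable contains 'docker', adds `keeper_user` to the docker
# group and, when `docker_api_enabled` is true, makes dockerd listen on
# tcp://docker_api_host:docker_api_port in addition to the unix socket.
#
# Variables read: services, keeper_user, docker_api_enabled (default false),
# docker_api_host and docker_api_port (required only when the API is enabled).
- name: Deploy Docker
  hosts: ubuntu
  become: true

  tasks:
    - name: Check if host has docker service
      ansible.builtin.set_fact:
        has_docker_service: "{{ 'docker' in services }}"

    # end_host stops the play for this host only; other hosts continue.
    - name: Skip hosts without docker service
      ansible.builtin.meta: end_host
      when: not has_docker_service | bool

    # The signing key is downloaded from the signed_by URL at run time, so
    # trust in the repository rests on that HTTPS connection.
    - name: Add Docker repository
      ansible.builtin.deb822_repository:
        name: docker
        types: [deb]
        uris: https://download.docker.com/linux/ubuntu
        suites: ["{{ ansible_distribution_release }}"]
        components: [stable]
        signed_by: https://download.docker.com/linux/ubuntu/gpg
        state: present

    # state: latest upgrades docker-ce on every run; switch to a pinned
    # version if hosts must stay reproducible between runs.
    - name: Update apt and install docker-ce
      ansible.builtin.apt:
        name: docker-ce
        state: latest
        update_cache: true

    - name: Enable and start docker service
      ansible.builtin.systemd:
        name: docker
        enabled: true
        state: started

    # Membership in the docker group gives control of the daemon through the
    # unix socket, which is effectively root on the host. Only use an account
    # that is already trusted at that level.
    - name: Add keeper_user to docker group
      ansible.builtin.user:
        name: "{{ keeper_user }}"
        groups: docker
        append: true

    # The explicit bool cast keeps string values such as "false" passed with
    # -e from being treated as truthy in the conditions below.
    - name: Check if Docker API should be enabled
      ansible.builtin.set_fact:
        enable_docker_api: "{{ docker_api_enabled | default(false) | bool }}"

    # Fail with a clear message before daemon.json is rendered rather than
    # on an undefined variable or an out-of-range port.
    - name: Validate Docker API bind settings
      ansible.builtin.assert:
        that:
          - docker_api_host is defined
          - docker_api_host | string | length > 0
          - docker_api_port is defined
          - docker_api_port | int > 0
          - docker_api_port | int < 65536
        fail_msg: >-
          docker_api_host and docker_api_port (1-65535) must be set when
          docker_api_enabled is true.
      when: enable_docker_api | bool

    # SECURITY: this tcp:// listener carries no TLS and no authentication.
    # Anyone who can reach docker_api_host:docker_api_port controls the
    # daemon, which is root-equivalent on the host. Bind it to loopback or a
    # management-only interface and firewall the port, or add dockerd's TLS
    # client-certificate verification (tlsverify) before exposing it further.
    # NOTE: nothing in this play removes daemon.json or override.conf when
    # the API is disabled again; clean them up separately.
    - name: Configure Docker daemon for API exposure
      ansible.builtin.copy:
        content: |
          {
            "hosts": ["unix:///var/run/docker.sock", "tcp://{{ docker_api_host }}:{{ docker_api_port }}"],
            "log-driver": "json-file",
            "log-opts": {
              "max-size": "10m",
              "max-file": "3"
            }
          }
        dest: /etc/docker/daemon.json
        owner: root
        group: root
        mode: '0644'
      when: enable_docker_api | bool
      notify: restart docker

    - name: Create systemd override directory
      ansible.builtin.file:
        path: /etc/systemd/system/docker.service.d
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Create AppArmor workaround for Incus nested Docker
      ansible.builtin.copy:
        content: |
          [Service]
          Environment=container="setmeandforgetme"
        dest: /etc/systemd/system/docker.service.d/apparmor-workaround.conf
        owner: root
        group: root
        mode: '0644'
      notify: restart docker

    # The empty ExecStart= clears the packaged command line so that the
    # listeners come only from the "hosts" list in daemon.json.
    - name: Create systemd override for Docker API
      ansible.builtin.copy:
        content: |
          [Service]
          ExecStart=
          ExecStart=/usr/bin/dockerd
        dest: /etc/systemd/system/docker.service.d/override.conf
        owner: root
        group: root
        mode: '0644'
      when: enable_docker_api | bool
      notify: restart docker

  handlers:
    # daemon_reload picks up the drop-in files before the restart.
    - name: restart docker
      ansible.builtin.systemd:
        name: docker
        state: restarted
        daemon_reload: true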