From b7f4ba65024cd641113f1f4f7e5c66b1228283ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C5=BD=C3=A1=C4=8Dek?= Date: Sat, 16 May 2026 15:51:14 +0200 Subject: [PATCH] Add dockhand role to initial_install Tagged never,dockhand_install so it only runs when explicitly requested. Installs docker.io + docker-compose-v2, templates a compose file for fnsys/dockhand:latest at /docker/dockhand, and wires a oneshot systemd unit that brings the stack up. Co-Authored-By: Claude Opus 4.7 (1M context) --- initial_install/playbook.yml | 12 +++++ .../roles/dockhand/handlers/main.yml | 9 ++++ initial_install/roles/dockhand/tasks/main.yml | 46 +++++++++++++++++++ .../dockhand/templates/docker-compose.yml.j2 | 14 ++++++ .../dockhand/templates/dockhand.service.j2 | 16 +++++++ 5 files changed, 97 insertions(+) create mode 100644 initial_install/roles/dockhand/handlers/main.yml create mode 100644 initial_install/roles/dockhand/tasks/main.yml create mode 100644 initial_install/roles/dockhand/templates/docker-compose.yml.j2 create mode 100644 initial_install/roles/dockhand/templates/dockhand.service.j2 diff --git a/initial_install/playbook.yml b/initial_install/playbook.yml index d851619..cb3e651 100644 --- a/initial_install/playbook.yml +++ b/initial_install/playbook.yml @@ -22,6 +22,18 @@ roles: - role: freeipa_client +# ============================== +# DOCKHAND (optional) +# ============================== + +- name: Install dockhand + hosts: all + become: true + tags: never,dockhand_install + + roles: + - role: dockhand + # ============================== # SSH HARDENING (run last!) # ============================== diff --git a/initial_install/roles/dockhand/handlers/main.yml b/initial_install/roles/dockhand/handlers/main.yml new file mode 100644 index 0000000..cde2563 --- /dev/null +++ b/initial_install/roles/dockhand/handlers/main.yml 
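Review bot: In initial_install/playbook.yml the new play targets `hosts: all`, so running with `--tags dockhand_install` and no `--limit` installs Docker and the dockhand stack on every inventory host. The role added in this same patch mounts the Docker socket into the container and publishes port 3000, so one missed flag has a wide effect. Consider scoping the play to a dedicated inventory group, for example `hosts: dockhand` (the group name is a placeholder). At minimum, add a comment above the play such as `# Opt-in only: run with --tags dockhand_install --limit <host>`.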
@@ -0,0 +1,9 @@
+---
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: Restart dockhand
+ ansible.builtin.systemd:
+ name: dockhand
+ state: restarted
diff --git a/initial_install/roles/dockhand/tasks/main.yml b/initial_install/roles/dockhand/tasks/main.yml
new file mode 100644
index 0000000..24c5f1a
--- /dev/null
+++ b/initial_install/roles/dockhand/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- name: Install Docker and Compose
+ ansible.builtin.package:
+ name:
+ - docker.io
+ - docker-compose-v2
+ state: present
+
+- name: Ensure Docker is running
+ ansible.builtin.systemd:
+ name: docker
+ enabled: true
+ state: started
+
+- name: Ensure /docker/dockhand exists
+ ansible.builtin.file:
+ path: /docker/dockhand
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Deploy dockhand docker-compose.yml
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /docker/dockhand/docker-compose.yml
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart dockhand
+
+- name: Deploy dockhand systemd unit
+ ansible.builtin.template:
+ src: dockhand.service.j2
+ dest: /etc/systemd/system/dockhand.service
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Reload systemd
+
+- name: Enable and start dockhand
+ ansible.builtin.systemd:
+ name: dockhand
+ enabled: true
+ state: started
+ daemon_reload: true
diff --git a/initial_install/roles/dockhand/templates/docker-compose.yml.j2 b/initial_install/roles/dockhand/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..d802148
--- /dev/null
+++ b/initial_install/roles/dockhand/templates/docker-compose.yml.j2
@@ -0,0 +1,14 @@
+# Managed by Ansible — do not edit by hand.
+services:
+ dockhand:
+ image: fnsys/dockhand:latest
+ container_name: dockhand
+ restart: unless-stopped
+ ports:
+ - "3000:3000"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - dockhand_data:/app/data
+
+volumes:
+ dockhand_data:
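Review bot: In roles/dockhand/tasks/main.yml the "Deploy dockhand systemd unit" task notifies only `Reload systemd`, so a later change to dockhand.service.j2 is loaded by systemd but not applied to the already-started unit until something else restarts it. Notify both handlers with `notify: [Reload systemd, Restart dockhand]`; handlers/main.yml in this patch defines them in that order, so the reload runs before the restart. Separately, on a first run the final task starts the unit and the queued `Restart dockhand` handler then takes the stack down and up again. An `ansible.builtin.meta: flush_handlers` task placed before "Enable and start dockhand" would likely avoid that second cycle.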
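Review bot: In templates/docker-compose.yml.j2 the container is given `/var/run/docker.sock`, which amounts to root-equivalent control of the host's Docker daemon, while `"3000:3000"` publishes its port on every interface and `fnsys/dockhand:latest` is a mutable tag. Unless the service is meant to be reachable from the network, bind the port to loopback or a management address with `- "127.0.0.1:3000:3000"`, and reach it through the site's existing authenticated proxy or VPN. Pin the image to a reviewed release and digest, `image: fnsys/dockhand:<version>@sha256:<digest>` (placeholders), so a re-pull cannot silently change what runs with the socket attached. Docker-published ports are typically inserted ahead of host firewall rules such as ufw, so a host firewall alone may not restrict port 3000.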
diff --git a/initial_install/roles/dockhand/templates/dockhand.service.j2 b/initial_install/roles/dockhand/templates/dockhand.service.j2
new file mode 100644
index 0000000..f3d9ace
--- /dev/null
+++ b/initial_install/roles/dockhand/templates/dockhand.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=dockhand (docker compose stack)
+Requires=docker.service
+After=docker.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/docker/dockhand
+ExecStart=/usr/bin/docker compose up -d --remove-orphans
+ExecStop=/usr/bin/docker compose down
+TimeoutStartSec=300
+
+[Install]
+WantedBy=multi-user.target
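Review bot: With `Type=oneshot` and `RemainAfterExit=yes`, dockhand.service stays active once `docker compose up -d` returns, so `systemctl status dockhand` does not show whether the container is still running afterwards. That fits the `restart: unless-stopped` policy in the compose template, but it should be stated in the unit so nobody builds monitoring or alerting on the unit state. For example, add `# Unit state reflects only the last compose up/down; container health is tracked by Docker, not systemd.` above `[Service]`. The first start also has to pull the image within `TimeoutStartSec=300`, so a slow or unreachable registry will show up as a failed unit.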