Add dockhand role to initial_install

Tagged never,dockhand_install so it only runs when explicitly requested.
Installs docker.io + docker-compose-v2, templates a compose file for
fnsys/dockhand:latest at /docker/dockhand, and wires a oneshot systemd
unit that brings the stack up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

initial_install/playbook.yml

@@ -22,6 +22,18 @@
   roles:
     - role: freeipa_client
 
+# ==============================
+# DOCKHAND (optional)
+# ==============================
+
+- name: Install dockhand
+  hosts: all
+  become: true
+  tags: never,dockhand_install
+
+  roles:
+    - role: dockhand
+
 # ==============================
 # SSH HARDENING (run last!)
 # ==============================

initial_install/roles/dockhand/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart dockhand
+  ansible.builtin.systemd:
+    name: dockhand
+    state: restarted

initial_install/roles/dockhand/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+- name: Install Docker and Compose
+  ansible.builtin.package:
+    name:
+      - docker.io
+      - docker-compose-v2
+    state: present
+
+- name: Ensure Docker is running
+  ansible.builtin.systemd:
+    name: docker
+    enabled: true
+    state: started
+
+- name: Ensure /docker/dockhand exists
+  ansible.builtin.file:
+    path: /docker/dockhand
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Deploy dockhand docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /docker/dockhand/docker-compose.yml
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart dockhand
+
+- name: Deploy dockhand systemd unit
+  ansible.builtin.template:
+    src: dockhand.service.j2
+    dest: /etc/systemd/system/dockhand.service
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Reload systemd
+
+- name: Enable and start dockhand
+  ansible.builtin.systemd:
+    name: dockhand
+    enabled: true
+    state: started
+    daemon_reload: true

initial_install/roles/dockhand/templates/docker-compose.yml.j2

@@ -0,0 +1,14 @@
+# Managed by Ansible — do not edit by hand.
+services:
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    ports:
+      - "3000:3000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - dockhand_data:/app/data
+
+volumes:
+  dockhand_data:

initial_install/roles/dockhand/templates/dockhand.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=dockhand (docker compose stack)
+Requires=docker.service
+After=docker.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/docker/dockhand
+ExecStart=/usr/bin/docker compose up -d --remove-orphans
+ExecStop=/usr/bin/docker compose down
+TimeoutStartSec=300
+
+[Install]
+WantedBy=multi-user.target