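---
# Docker Security Configuration
#
# Ansible tasks that harden a Docker host: seccomp and AppArmor profiles,
# user-namespace ID ranges, daemon TLS material, Docker Content Trust, a
# scheduled audit script and the daemon socket permissions.
#
# Variables used: inventory_hostname, environment, ssl_email.
# NOTE(review): `environment` is also an Ansible task/play keyword; ansible
# warns about variables using reserved names — consider renaming the
# inventory variable (e.g. deploy_env) and updating the `when:` clauses.
#
# Several tasks only place files on disk. The daemon picks them up only if
# its own configuration (daemon.json, managed elsewhere) references them —
# see the per-task notes below.

- name: Create Docker security profiles directory
  file:
    path: /etc/docker/security
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - docker
    - security

- name: Install seccomp security profile
  # NOTE(review): the daemon applies this profile only when daemon.json
  # points "seccomp-profile" at this path — confirm that is configured.
  template:
    src: seccomp-default.json.j2
    dest: /etc/docker/seccomp-default.json
    owner: root
    group: root
    mode: '0644'
  tags:
    - docker
    - security
    - seccomp

- name: Install AppArmor profile for Docker
  # Debian-family only; the "reload apparmor" handler is defined elsewhere.
  template:
    src: docker-framework-apparmor.j2
    dest: /etc/apparmor.d/docker-framework
    owner: root
    group: root
    mode: '0644'
  notify: reload apparmor
  when: ansible_os_family == 'Debian'
  tags:
    - docker
    - security
    - apparmor

- name: Load AppArmor profile
  # -r replaces an already-loaded profile, -W writes the parser cache.
  # Runs on every play (changed_when: false) so the profile is loaded even
  # when the template reported no change and the handler did not fire.
  command: apparmor_parser -r -W /etc/apparmor.d/docker-framework
  when: ansible_os_family == 'Debian'
  changed_when: false
  tags:
    - docker
    - security
    - apparmor

- name: Configure user namespace mapping
  # Writes the subordinate UID ranges. NOTE(review): user-namespace
  # isolation is only active if daemon.json sets "userns-remap" — confirm.
  template:
    src: subuid.j2
    dest: /etc/subuid
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - docker
    - security
    - userns

- name: Configure group namespace mapping
  # Subordinate GID ranges; must stay consistent with /etc/subuid above.
  template:
    src: subgid.j2
    dest: /etc/subgid
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - docker
    - security
    - userns

- name: Create Docker TLS certificates directory
  # Group docker so the daemon can read the material; world has no access.
  file:
    path: /etc/docker/certs
    state: directory
    owner: root
    group: docker
    mode: '0750'
  tags:
    - docker
    - security
    - tls

- name: Generate Docker TLS certificates
  # Self-signed certificate valid for 365 days; -nodes leaves the key
  # unencrypted because the daemon must read it non-interactively.
  # `creates` keys on the certificate only: nothing is regenerated on
  # expiry or if only the key file is missing — renewal must be handled
  # separately. File modes are tightened by the next task.
  command: >
    openssl req -new -x509 -days 365 -nodes
    -out /etc/docker/certs/server-cert.pem
    -keyout /etc/docker/certs/server-key.pem
    -subj "/CN={{ inventory_hostname }}"
  args:
    creates: /etc/docker/certs/server-cert.pem
  tags:
    - docker
    - security
    - tls

- name: Set correct permissions on Docker TLS certificates
  # Certificate is public (0644); the private key is readable only by
  # root and the docker group (0640).
  file:
    path: "{{ item.path }}"
    owner: root
    group: docker
    mode: "{{ item.mode }}"
  loop:
    - path: "/etc/docker/certs/server-cert.pem"
      mode: "0644"
    - path: "/etc/docker/certs/server-key.pem"
      mode: "0640"
  tags:
    - docker
    - security
    - tls
    - permissions

- name: Configure Docker Content Trust
  # `regexp` makes the task idempotent when the variable already exists
  # with another value (e.g. DOCKER_CONTENT_TRUST=0): the line is replaced
  # instead of a second one being appended.
  # NOTE(review): /etc/environment is read by pam_env for login sessions;
  # it does not reach systemd units or the daemon itself — confirm this
  # covers the clients you intend.
  lineinfile:
    path: /etc/environment
    regexp: '^DOCKER_CONTENT_TRUST='
    line: "DOCKER_CONTENT_TRUST=1"
    create: true
  when: environment == 'production'
  tags:
    - docker
    - security
    - trust

- name: Install Docker security scanning tools
  # NOTE(review): ignore_errors hides a failed install of *both* packages;
  # docker-bench-security may not exist in the distro repositories, so
  # verify on the host that the audit tooling is actually present.
  package:
    name:
      - runc
      - docker-bench-security
    state: present
  ignore_errors: true
  tags:
    - docker
    - security
    - tools

- name: Create Docker security audit script
  template:
    src: docker-security-audit.sh.j2
    dest: /usr/local/bin/docker-security-audit.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - docker
    - security
    - audit

- name: Schedule Docker security audits
  # Weekly (Monday 05:00) as root; output is mailed to ssl_email, so a
  # working `mail` command and MTA are required on the host.
  cron:
    name: "Docker security audit"
    minute: "0"
    hour: "5"
    weekday: "1"
    job: "/usr/local/bin/docker-security-audit.sh | mail -s 'Docker Security Audit - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  when: environment == 'production'
  tags:
    - docker
    - security
    - audit
    - cron

- name: Configure Docker socket security
  # state defaults to `file`: the task fails if the socket does not exist
  # yet, so it must run after the daemon has started.
  # NOTE(review): the socket is recreated on daemon restart, so these
  # permissions are not durable; the persistent setting is SocketMode/
  # SocketGroup in the docker.socket systemd unit — confirm against the
  # service configuration.
  file:
    path: /var/run/docker.sock
    owner: root
    group: docker
    mode: '0660'
  tags:
    - docker
    - security
    - socket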