docker data is encrypted

tasks/docker.yml

@@ -1,4 +1,9 @@
 ---
+# TODO: Use a BTRFS subvolume instead?
+- name: "Mount encrypted partition to /srv."
+  shell: "mount /srv"
+  args:
+    creates: "/srv/docker"
 - name: "Prepare /srv to encrypt Docker files."
   file:
     state: "directory"
@@ -7,11 +12,6 @@
   - "/srv/docker"
   - "/var/lib/docker"
 - name: "Bind mount /srv/docker to /var/lib/docker."
-  mount:
+  shell: "mount /var/lib/docker"
-    state: "mounted"
-    src: "/srv/docker"
-    path: "/var/lib/docker"
-    opts: "bind"
-    fstype: "none"
 - name: "Start Docker service."
   shell: "/etc/init.d/docker start"

templates/etc/fstab.j2

@@ -1,4 +1,5 @@
-{{disk_device}}2  /         btrfs  compress=zstd,noatime,nodiratime,lazytime,discard         0  1
+{{disk_device}}2  /               btrfs  compress=zstd,noatime,nodiratime,lazytime,discard         0  1
-{{disk_device}}1  /boot     ext2   noatime,nodiratime,lazytime,ro                            0  2
+{{disk_device}}1  /boot           ext2   noatime,nodiratime,lazytime,ro                            0  2
-/dev/mapper/srv   /srv      btrfs  compress=zstd,noatime,nodiratime,lazytime,discard,noauto  0  2
+/dev/mapper/srv   /srv            btrfs  compress=zstd,noatime,nodiratime,lazytime,discard,noauto  0  2
-tmpfs             /var/log  tmpfs  defaults                                                  0  0
+tmpfs             /var/log        tmpfs  defaults                                                  0  0
+/srv/docker       /var/lib/docker none   bind                                                      0  0