Fix TLS cert mismatch and constrained-Docker volume failures

- Remove /var/lib/docker/volumes mount (fails on nested Docker hosts)
- Add AGENT_HOST env var so agent cert is valid for host's real IP
- Add TLSSkipVerify/TLSSkipClientVerify to Portainer endpoint registration
  to handle existing agents with bridge-IP certs
- Remove final delegate_to: localhost (wait_for now runs on remote host)
- Add ignore_errors: true to agent deploy and enrollment tasks
- Guard existing_endpoints.json with | default([]) for failed API calls

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

playbooks/find_docker_enroll_portainer.yml

@@ -120,20 +120,21 @@
           - "{{ portainer_agent_port }}:9001"
         volumes:
           - /var/run/docker.sock:/var/run/docker.sock
-          - /var/lib/docker/volumes:/var/lib/docker/volumes
         env:
           AGENT_PORT: "9001"
+          # Ensures the agent's self-signed TLS cert covers the host's real IP,
+          # not just the Docker bridge (172.17.0.x) IP.
+          AGENT_HOST: "{{ ansible_host }}"
       when: "'Up' not in (agent_status.stdout | default(''))"
       register: agent_deployed
+      ignore_errors: true
 
     - name: Wait for Portainer Agent to be ready
       ansible.builtin.wait_for:
         port: "{{ portainer_agent_port }}"
-        host: "{{ ansible_host }}"
+        host: "127.0.0.1"
         delay: 3
         timeout: 30
-      delegate_to: localhost
-      become: false
       when: agent_deployed is changed
 
 
@@ -166,12 +167,13 @@
         status_code: 200
         validate_certs: false
       register: existing_endpoints
+      ignore_errors: true
 
     - name: Determine if this host is already enrolled
       ansible.builtin.set_fact:
         already_enrolled: >-
           {{
-            existing_endpoints.json
+            (existing_endpoints.json | default([]))
             | selectattr('Name', 'equalto', inventory_hostname)
             | list | length > 0
           }}
@@ -187,25 +189,29 @@
           Name: "{{ inventory_hostname }}"
           EndpointCreationType: "2"
           URL: "tcp://{{ ansible_host }}:{{ portainer_agent_port }}"
+          TLS: "true"
+          TLSSkipVerify: "true"
+          TLSSkipClientVerify: "true"
         status_code: [200, 201]
         return_content: true
         validate_certs: false
       register: portainer_enroll
       when: not already_enrolled
+      ignore_errors: true
 
     - name: Store enrollment result
       ansible.builtin.set_fact:
         portainer_endpoint_id: >-
           {{
             (portainer_enroll.json.Id | string)
-            if (portainer_enroll is not skipped and portainer_enroll.json is defined)
+            if (portainer_enroll is not skipped and portainer_enroll is not failed and portainer_enroll.json is defined)
             else (
-              existing_endpoints.json
+              (existing_endpoints.json | default([]))
               | selectattr('Name', 'equalto', inventory_hostname)
-              | map(attribute='Id') | list | first | string
+              | map(attribute='Id') | list | first | default('unknown') | string
             )
           }}
-        portainer_enrolled_now: "{{ portainer_enroll is changed }}"
+        portainer_enrolled_now: "{{ portainer_enroll is changed and portainer_enroll is not failed }}"
 
 
 # ---------------------------------------------------------------------------