From 188a6f539fe29b8664e4e1d7b6ef934fde38a184 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse <bert-jan@whatwedo.ch>
Date: Thu, 18 Dec 2025 11:28:14 +0100
Subject: [PATCH] chore: migrate to apt keyring for validation/signing

---
 roles/base/tasks/main.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 63cd09b..4758d77 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -31,15 +31,23 @@
     state: present
   when: ansible_os_family == "Debian"
 
+- name: Create keyrings directory
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+  when: ansible_os_family == "Debian"
+
 - name: Add Docker GPG key
-  ansible.builtin.apt_key:
+  ansible.builtin.get_url:
     url: https://download.docker.com/linux/debian/gpg
-    state: present
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
   when: ansible_os_family == "Debian"
 
 - name: Add Docker repository
   ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
     state: present
   when: ansible_os_family == "Debian"