whisperpine · whisperpine · May 8, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/whisperpine/ansitofu/roles/consul/defaults/main.yml b/whisperpine/ansitofu/roles/consul/defaults/main.yml
@@ -3,13 +3,14 @@ consul_user: "consul"
 consul_group: "consul"
 
 consul_dependencies:
-  - ca-certificates # required by the "ansible.builtin.apt_key" module
-  - gnupg # required by the "ansible.builtin.apt_key" module
+  - gnupg
+  - ca-certificates # required by the "ansible.builtin.get_url" module
   - iproute2 # make the "hostvars[inventory_hostname].ansible_default_ipv4.address" fact be gathered
 
 # Variables used when installing consul.
 consul_gpg_url: https://apt.releases.hashicorp.com/gpg
 consul_repo_url: https://apt.releases.hashicorp.com
+consul_key_file: /etc/apt/keyrings/consul.gpg
 
 consul_data_dir: "/opt/consul/data"
 consul_config_dir: "/etc/consul.d"

diff --git a/whisperpine/ansitofu/roles/consul/tasks/install.yml b/whisperpine/ansitofu/roles/consul/tasks/install.yml
@@ -22,14 +22,22 @@
     shell: /usr/sbin/nologin
     system: true
 
-- name: Add consul gpg key
-  ansible.builtin.apt_key:
+- name: Download consul gpg key
+  ansible.builtin.get_url:
     url: "{{ consul_gpg_url }}"
-    state: present
+    dest: /tmp/consul.asc
+    mode: "0644"
+
+- name: Convert consul gpg key to binary
+  ansible.builtin.command:
+    cmd: gpg --dearmor -o "{{ consul_key_file }}" /tmp/consul.asc
+    creates: "{{ consul_key_file }}"
 
 - name: Add HashiCorp apt repository
   ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64] {{ consul_repo_url }} {{ ansible_facts['distribution_release'] }} main"
+    repo: >-
+      deb [arch=amd64 signed-by={{ consul_key_file }}]
+      {{ consul_repo_url }} {{ ansible_facts['distribution_release'] }} main
     state: present
 
 - name: Install consul

diff --git a/whisperpine/ansitofu/roles/install_docker/defaults/main.yml b/whisperpine/ansitofu/roles/install_docker/defaults/main.yml
@@ -4,18 +4,19 @@ install_docker_arch: amd64
 # Repository URLs.
 install_docker_gpg_url: https://download.docker.com/linux/ubuntu/gpg
 install_docker_repo_url: https://download.docker.com/linux/ubuntu
+install_docker_key_file: /etc/apt/keyrings/docker.gpg
 
 # Users to add to the docker group.
 install_docker_users:
   - "{{ ansible_facts['user_id'] }}"
 
 # Dependencies required for installation.
 install_docker_dependencies:
-  - apt-transport-https
+  - gnupg
   - ca-certificates
-  - curl
+  - apt-transport-https
   - software-properties-common
-  - gnupg
+  - curl
 
 # Docker packages to install.
 install_docker_packages:

diff --git a/whisperpine/ansitofu/roles/install_docker/tasks/main.yml b/whisperpine/ansitofu/roles/install_docker/tasks/main.yml
@@ -1,23 +1,28 @@
-- name: Update apt package cache
-  ansible.builtin.apt:
-    update_cache: true
-    cache_valid_time: 3600
-  no_log: true
-
 - name: Install required dependencies
   ansible.builtin.apt:
     name: "{{ install_docker_dependencies }}"
     state: present
+    update_cache: true
   no_log: true
 
-- name: Add Docker GPG key
-  ansible.builtin.apt_key:
+- name: Download Docker GPG key
+  ansible.builtin.get_url:
     url: "{{ install_docker_gpg_url }}"
-    state: present
+    dest: /tmp/docker.asc
+    mode: "0644"
+
+- name: Convert Docker GPG key to binary
+  ansible.builtin.command:
+    cmd: gpg --dearmor -o "{{ install_docker_key_file }}" /tmp/docker.asc
+    creates: "{{ install_docker_key_file }}"
 
 - name: Add Docker repository
   ansible.builtin.apt_repository:
-    repo: "deb [arch={{ install_docker_arch }}] {{ install_docker_repo_url }} {{ ansible_facts['distribution_release'] }} stable"
+    repo: >-
+      deb [arch={{ install_docker_arch }} signed-by={{ install_docker_key_file }}]
+      {{ install_docker_repo_url }}
+      {{ ansible_facts['distribution_release'] }}
+      stable
     state: present
     filename: docker
 

diff --git a/whisperpine/ansitofu/roles/mongodb/defaults/main.yml b/whisperpine/ansitofu/roles/mongodb/defaults/main.yml
@@ -1,11 +1,11 @@
 mongodb_dependencies:
-  - ca-certificates # required by the "ansible.builtin.apt_key" module
-  - gnupg # required by the "ansible.builtin.apt_key" module
+  - ca-certificates # required by the "ansible.builtin.get_url" module
   - iproute2 # make the "hostvars[inventory_hostname].ansible_default_ipv4.address" fact be gathered
   - cron # required by the "ansible.builtin.cron" module
 
 mongodb_version: "8.0"
 mongodb_repo_url: https://repo.mongodb.org/apt/ubuntu
+mongodb_key_file: /etc/apt/keyrings/mongodb.asc
 
 mongodb_port: 27017
 mongodb_repl_set: rs0

diff --git a/whisperpine/ansitofu/roles/mongodb/tasks/install.yml b/whisperpine/ansitofu/roles/mongodb/tasks/install.yml
@@ -5,15 +5,19 @@
     update_cache: true
   no_log: true
 
-- name: Add mongodb gpg key
-  ansible.builtin.apt_key:
+- name: Download mongodb gpg key
+  ansible.builtin.get_url:
     url: https://pgp.mongodb.com/server-{{ mongodb_version }}.asc
-    state: present
-  no_log: true
+    dest: "{{ mongodb_key_file }}"
+    mode: "0644"
 
 - name: Add mongodb repository
   ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64] {{ mongodb_repo_url }} {{ ansible_facts['distribution_release'] }}/mongodb-org/{{ mongodb_version }} multiverse"
+    repo: >-
+      deb [arch=amd64 signed-by={{ mongodb_key_file }}]
+      {{ mongodb_repo_url }}
+      {{ ansible_facts['distribution_release'] }}/mongodb-org/{{ mongodb_version }}
+      multiverse
     state: present
 
 - name: Install mongodb