refactor: update condition for removing legacy Docker APT source and add checks for GPG key

2025-06-29 23:07:29 -05:00
parent 02693ef4a4
commit ac0f0d358b
1 changed files with 13 additions and 2 deletions
--- a/playbooks/install-standard-docker.yml
+++ b/playbooks/install-standard-docker.yml
@@ -16,11 +16,12 @@
      ignore_errors: true
      changed_when: false

-    - name: Remove legacy docker APT source if present
+    - name: Remove legacy docker APT source if missing signed-by
      file:
        path: "{{ docker_repo_file }}"
        state: absent
-      when: docker_installed.rc != 0 or "signed-by=" not in (lookup("file", docker_repo_file, errors="ignore") or "")
+      when: docker_installed.rc != 0 or
+        "signed-by=" not in (lookup("file", docker_repo_file, errors="ignore") or "")

    - name: Ensure keyring directory exists
      file:
@@ -34,6 +35,16 @@
        dest: "{{ docker_key_path }}"
        mode: "0644"

+    - name: Stat Docker GPG key file
+      stat:
+        path: "{{ docker_key_path }}"
+      register: docker_key_stat
+
+    - name: Fail early if key file is missing or unreadable
+      fail:
+        msg: "Docker GPG key is missing or unreadable"
+      when: not docker_key_stat.stat.exists or docker_key_stat.stat.size == 0
+
    - name: Add Docker APT repository (signed-by style)
      apt_repository:
        repo: "deb [arch=amd64 signed-by={{ docker_key_path }}] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable"