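---
# Install Docker's apt signing key as a binary keyring at
# /etc/apt/keyrings/docker.gpg, fetching it again only when the file is
# missing or does not look like OpenPGP data.
#
# Trust model: the key is accepted on the strength of the HTTPS connection
# to download.docker.com alone. Everything apt later installs from the
# Docker repository is verified against this key, so it is a root of trust
# for the host.

- name: Check if Docker GPG key exists and is correct
  # Format heuristic only: "PGP" in the `file` output means the keyring
  # looks like OpenPGP data, not that it is Docker's key. A substituted key
  # still reports "correct_key".
  # failed_when is disabled so a probe error never aborts the play.
  ansible.builtin.shell: |
    if [ -f /etc/apt/keyrings/docker.gpg ]; then
      if file /etc/apt/keyrings/docker.gpg | grep -q "PGP"; then
        echo "correct_key"
      else
        echo "wrong_key"
      fi
    else
      echo "not_exists"
    fi
  register: docker_key_check
  failed_when: false
  changed_when: false

- name: Remove incorrect Docker GPG key
  ansible.builtin.file:
    path: /etc/apt/keyrings/docker.gpg
    state: absent
  become: true
  when: docker_key_check.stdout == "wrong_key"

- name: Ensure apt keyrings directory exists
  # The conversion step below fails if the directory is absent.
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'
  become: true
  when: docker_key_check.stdout in ["not_exists", "wrong_key"]

- name: Create private staging directory for the Docker GPG key
  # A fixed name in world-writable /tmp can be pre-created or swapped by
  # another local user before the privileged conversion reads it. tempfile
  # creates an unpredictable directory accessible only to its owner.
  ansible.builtin.tempfile:
    state: directory
    prefix: docker-gpg.
  register: docker_key_tmp
  when: docker_key_check.stdout in ["not_exists", "wrong_key"]

- name: Download Docker's official GPG key only if needed
  # NOTE(review): nothing here pins the key. Consider comparing the
  # downloaded key's fingerprint with the value published in Docker's
  # install documentation before converting it.
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: "{{ docker_key_tmp.path }}/docker.asc"
    mode: '0600'
  when: docker_key_check.stdout in ["not_exists", "wrong_key"]

- name: Convert and install Docker GPG key only if needed
  # argv form avoids a shell. Unlike a `>` redirect, --output does not
  # create the destination before gpg has started, so a gpg that fails to
  # launch leaves no empty keyring behind.
  ansible.builtin.command:
    argv:
      - gpg
      - --batch
      - --yes
      - --output
      - /etc/apt/keyrings/docker.gpg
      - --dearmor
      - "{{ docker_key_tmp.path }}/docker.asc"
  become: true
  # This task only runs when the keyring has to be (re)written, so it is a
  # real change and must be reported as one.
  changed_when: true
  when: docker_key_check.stdout in ["not_exists", "wrong_key"]

- name: Set permissions on Docker GPG key only if needed
  # World-readable so the unprivileged apt fetch/verify process can read it.
  ansible.builtin.file:
    path: /etc/apt/keyrings/docker.gpg
    mode: '0644'
  become: true
  when: docker_key_check.stdout in ["not_exists", "wrong_key"]

- name: Clean up temporary GPG key file
  # Removes the staging directory and the downloaded key inside it.
  ansible.builtin.file:
    path: "{{ docker_key_tmp.path }}"
    state: absent
  when: docker_key_tmp.path is defined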