diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
index 5872d0c..82e964d 100644
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@@ -1,20 +1,65 @@
 ---
-# Install Docker and docker-compose, start the daemon.
+# Set up Docker's official apt repository and install Docker + Compose plugin.
 
-- name: Install Docker (Debian)
+# --- Debian/Ubuntu: add Docker official repo ---
+
+- name: Install prerequisites for Docker repo (Debian/Ubuntu)
   ansible.builtin.apt:
     name:
-      - docker.io
+      - ca-certificates
+      - curl
+      - gnupg
+    state: present
+    update_cache: true
+  when: ansible_facts["os_family"] == "Debian"
+
+- name: Create keyrings directory
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+  when: ansible_facts["os_family"] == "Debian"
+
+- name: Add Docker GPG key
+  ansible.builtin.get_url:
+    url: "https://download.docker.com/linux/{{ 'ubuntu' if ansible_facts['distribution'] == 'Ubuntu' else 'debian' }}/gpg"
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+    force: false
+  when: ansible_facts["os_family"] == "Debian"
+
+- name: Add Docker apt repository
+  ansible.builtin.apt_repository:
+    repo: >-
+      deb [arch={{ ansible_facts['architecture'] | regex_replace('x86_64', 'amd64') | regex_replace('aarch64', 'arm64') }}
+      signed-by=/etc/apt/keyrings/docker.asc]
+      https://download.docker.com/linux/{{ 'ubuntu' if ansible_facts['distribution'] == 'Ubuntu' else 'debian' }}
+      {{ ansible_facts['distribution_release'] }} stable
+    filename: docker
+    state: present
+    update_cache: true
+  when: ansible_facts["os_family"] == "Debian"
+
+- name: Install Docker (Debian/Ubuntu)
+  ansible.builtin.apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
       - docker-compose-plugin
     state: present
   when: ansible_facts["os_family"] == "Debian"
 
-- name: Remove conflicting docker-compose package (Debian)
+- name: Remove old docker packages (Debian/Ubuntu)
   ansible.builtin.apt:
-    name: docker-compose
+    name:
+      - docker.io
+      - docker-compose
     state: absent
   when: ansible_facts["os_family"] == "Debian"
 
+# --- Alpine ---
+
 - name: Install Docker (Alpine)
   community.general.apk:
     name:
@@ -23,6 +68,8 @@
     state: present
   when: ansible_facts["os_family"] == "Alpine"
 
+# --- Common ---
+
 - name: Enable and start Docker
   ansible.builtin.service:
     name: docker