diff --git a/zabbix-repo/tasks/main.yml b/zabbix-repo/tasks/main.yml
index cd2e6fca341cfe577e4472716e32d915a1e2a355..8c7370b65976b541c95c8c416929fa4a86d6ec24 100644
--- a/zabbix-repo/tasks/main.yml
+++ b/zabbix-repo/tasks/main.yml
@@ -1,10 +1,19 @@
 ---
 # this essentially does what zabbix-release does, but does not mitigate package signing
 
-# TODO place file
-# see: https://repo.zabbix.com/zabbix-official-repo.key
 - name: ensure apt got the key to verify the zabbix repo
   apt_key: data="{{lookup('file', 'zabbix.gpg')}}" state=present
+  when: debian_version == "jessie"
+  notify:
+    - update apt cache
+  tags:
+    - packages
+    - repos
+    - zabbix
+
+- name: ensure apt got the key to verify the zabbix repo
+  apt_key: data="{{lookup('file', 'zabbix.gpg')}}" state=absent
+  when: debian_version == "stretch"
   notify:
     - update apt cache
   tags:
@@ -37,10 +46,10 @@
     - repos
     - zabbix
 
-- meta: flush_handlers
-
 - name: ensure chr's key is present
   apt_key: data="{{lookup('file', 'chr.gpg')}}" state=present 
+  notify:
+    - update apt cache
   tags:
     - packages
     - repos 
@@ -59,3 +68,4 @@
     - zabbix
     - chr
 
+- meta: flush_handlers