diff --git a/site-cookbooks/kosmos-base/recipes/default.rb b/site-cookbooks/kosmos-base/recipes/default.rb
index 4d32ae6..7d7b5eb 100644
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -24,11 +24,17 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
-include_recipe 'apt'
-include_recipe 'timezone_iii'
-include_recipe 'ntp'
-include_recipe 'kosmos-base::journald_conf'
-include_recipe 'kosmos-base::systemd_emails'
+include_recipe "apt"
+
+directory "/etc/apt/keyrings" do
+ mode "0755"
+ action :create
+end
+
+include_recipe "timezone_iii"
+include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04
+include_recipe "kosmos-base::journald_conf"
+include_recipe "kosmos-base::systemd_emails"
 node.override["apt"]["unattended_upgrades"]["enable"] = true
 node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
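Review bot: The new `directory "/etc/apt/keyrings"` resource sets only `mode`, so Chef will leave whatever owner and group an already-existing directory has. Because this directory holds the keys apt trusts for repository signatures, ownership should be pinned next to the mode with `owner "root"` and `group "root"`. Separately, the new `ntp` condition means nodes that are not Ubuntu, or are Ubuntu 24.04 and later, no longer get a time-sync recipe from this file. A one-line comment above that line saying what provides time sync on those nodes would make the intent reviewable, since clock drift affects certificate validation and log correlation.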
@@ -43,57 +49,57 @@ node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
-include_recipe 'apt::unattended-upgrades'
+include_recipe "apt::unattended-upgrades"
-package 'mailutils'
-package 'mosh'
-package 'vim'
+package "mailutils"
+package "mosh"
+package "vim"
 # Don't create users and rewrite the sudo config in development environment.
 # It breaks the vagrant user
 unless node.chef_environment == "development"
 # Searches data bag "users" for groups attribute "sysadmin".
 # Places returned users in Unix group "sysadmin" with GID 2300.
- users_manage 'sysadmin' do
+ users_manage "sysadmin" do
 group_id 2300
- action [:remove, :create]
+ action %i[remove create]
 end
 sudo "sysadmin" do
 groups "sysadmin"
 nopasswd true
 defaults [
- # not default on Ubuntu, explicitely enable. Uses a minimal white list of
- # environment variables
- 'env_reset',
- # Send emails on unauthorized attempts
- 'mail_badpass',
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
+ # not default on Ubuntu, explicitely enable. Uses a minimal white list of
+ # environment variables
+ "env_reset",
+ # Send emails on unauthorized attempts
+ "mail_badpass",
+ 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"'
 ]
 end
 include_recipe "kosmos-base::firewall"
- include_recipe 'kosmos-postfix'
+ include_recipe "kosmos-postfix"
- node.override['set_fqdn'] = '*'
- include_recipe 'hostname'
+ node.override["set_fqdn"] = "*"
+ include_recipe "hostname"
- package 'ca-certificates'
+ package "ca-certificates"
- directory '/usr/local/share/ca-certificates/cacert' do
+ directory "/usr/local/share/ca-certificates/cacert" do
 action :create
 end
- ['http://www.cacert.org/certs/root.crt', 'http://www.cacert.org/certs/class3.crt'].each do |cert|
+ ["http://www.cacert.org/certs/root.crt", "http://www.cacert.org/certs/class3.crt"].each do |cert|
 remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do
 source cert
 action :create_if_missing
- notifies :run, 'execute[update-ca-certificates]', :immediately
+ notifies :run, "execute[update-ca-certificates]", :immediately
 end
 end
- execute 'update-ca-certificates' do
+ execute "update-ca-certificates" do
 action :nothing
 end
 end
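Review bot: The two CAcert certificates in the `remote_file` loop are still fetched over plain `http://` with no `checksum`, and `update-ca-certificates` then adds them to the system trust store, so the node's root of trust depends on an unauthenticated download. The commit only restyles the quotes on these lines. Pinning a SHA-256 per URL through the `checksum` property, or shipping the verified files with `cookbook_file`, would make a tampered or substituted file fail the converge rather than become trusted. Because the action is `create_if_missing`, a file already on disk is never re-checked, so existing nodes would need a one-time verification as well. The digests in the sketch below are placeholders to be replaced with values verified out of band.

```ruby
  # Digests are placeholders; pin the SHA-256 of certificates verified out of band.
  {
    "http://www.cacert.org/certs/root.crt" => "<SHA256_OF_VERIFIED_ROOT_CRT>",
    "http://www.cacert.org/certs/class3.crt" => "<SHA256_OF_VERIFIED_CLASS3_CRT>"
  }.each do |cert, sha256|
    remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do
      source cert
      checksum sha256
      # … unchanged: action :create_if_missing, notifies update-ca-certificates …
    end
  end
```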