diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml
index 57e07fc..bc420db 100644
--- a/roles/nginx/handlers/main.yaml
+++ b/roles/nginx/handlers/main.yaml
@@ -3,3 +3,8 @@
 name: nginx.service
 state: restarted
 become: true
+
+- name: apt-get update
+ ansible.builtin.apt:
+ update_cache: true
+ become: true
diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml
index 693e196..d79ba9e 100644
--- a/roles/nginx/meta/argument_specs.yaml
+++ b/roles/nginx/meta/argument_specs.yaml
@@ -1,6 +1,15 @@
 argument_specs:
 main:
 options:
+ nginx__version_spec:
+ description: >-
+ The version specification to use for installing the `nginx` package. The
+ provided version specification will be used like the following: `nginx={{
+ nginx__version_spec }}*`. This makes it possible to e.g. specify
+ until a minor version (like `1.3.`) and then have patch versions be
+ installed automatically (like `1.3.1` and so on).
+ type: str
+ required: true
 nginx__deploy_redirect_conf:
 description: >-
 Whether or not to deploy a `redirect.conf` to
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 89c9be2..6ecb2da 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@@ -3,7 +3,12 @@
 name: nginx
 tasks_from: make_sure_nginx_configuration_names_are_valid
 
-- name: ensure NGINX is installed
+- name: make sure NGINX repos are setup
+ ansible.builtin.include_role:
+ name: nginx
+ tasks_from: main/repo_setup
+
+- name: make sure NGINX is installed
 ansible.builtin.include_role:
 name: nginx
 tasks_from: main/nginx_install
diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml
index 4b650b6..6d63ad3 100644
--- a/roles/nginx/tasks/main/nginx_install.yaml
+++ b/roles/nginx/tasks/main/nginx_install.yaml
@@ -1,53 +1,13 @@
-- name: gather package facts
- ansible.builtin.package_facts:
- manager: apt
-
-- name: make sure `gnupg` package is installed
+- name: make sure the `nginx` package is installed
 ansible.builtin.apt:
- name: gnupg
- state: present
- update_cache: true
- become: true
- when: "'gnupg' not in ansible_facts.packages"
-
-- name: make sure NGINX signing key is added
- ansible.builtin.get_url:
- url: https://nginx.org/keys/nginx_signing.key
- dest: /etc/apt/trusted.gpg.d/nginx.asc
- mode: "0644"
- owner: root
- group: root
- become: true
-
-- name: make sure NGINX APT repository is added
- ansible.builtin.apt_repository:
- repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
- state: present
- become: true
-
-- name: make sure NGINX APT source repository is added
- ansible.builtin.apt_repository:
- repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
- state: present
- become: true
-
-- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories
- ansible.builtin.copy:
- content: |
- Package: *
- Pin: origin nginx.org
- Pin: release o=nginx
- Pin-Priority: 900
- dest: /etc/apt/preferences.d/99nginx
- owner: root
- group: root
- mode: "0644"
- become: true
-
-- name: Ensure NGINX is installed
- ansible.builtin.apt:
- name: nginx
+ name: nginx={{ nginx__version_spec }}*
 state: present
 allow_change_held_packages: true
 update_cache: true
 become: true
+
+- name: apt-mark hold `nginx`
+ ansible.builtin.dpkg_selections:
+ name: nginx
+ selection: hold
+ become: true
diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml
new file mode 100644
index 0000000..9edc156
--- /dev/null
+++ b/roles/nginx/tasks/main/repo_setup.yaml
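Review bot: In roles/nginx/tasks/main/nginx_install.yaml the new `apt-mark hold` task carries no comment on how patch releases are meant to reach a host once the package is held. With `state: present` and a wildcard spec, a host whose installed nginx already matches `{{ nginx__version_spec }}*` is probably treated as satisfied on later runs (worth confirming against the apt module), and the hold also keeps unattended upgrades away from it, so a security fix within the same minor version may never be installed. I would add a comment above the hold task such as `# held so only this role changes the nginx version; patch/security updates require <documented procedure>` and spell that procedure out in the `nginx__version_spec` description, which currently says patch versions are "installed automatically".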
@@ -0,0 +1,51 @@
+- name: gather package facts
+ ansible.builtin.package_facts:
+ manager: apt
+
+- name: make sure `gnupg` package is installed
+ ansible.builtin.apt:
+ name: gnupg
+ state: present
+ update_cache: true
+ become: true
+ when: "'gnupg' not in ansible_facts.packages"
+
+- name: make sure NGINX signing key is added
+ ansible.builtin.get_url:
+ url: https://nginx.org/keys/nginx_signing.key
+ dest: /etc/apt/trusted.gpg.d/nginx.asc
+ mode: "0644"
+ owner: root
+ group: root
+ become: true
+ notify: apt-get update
+
+- name: make sure NGINX APT repository is added
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+ state: present
+ become: true
+ notify: apt-get update
+
+- name: make sure NGINX APT source repository is added
+ ansible.builtin.apt_repository:
+ repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+ state: present
+ become: true
+ notify: apt-get update
+
+- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories
+ ansible.builtin.copy:
+ content: |
+ Package: *
+ Pin: origin nginx.org
+ Pin: release o=nginx
+ Pin-Priority: 900
+ dest: /etc/apt/preferences.d/99nginx
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
+
+- name: Flush handlers to make sure "apt-get update" handler runs, if needed
+ ansible.builtin.meta: flush_handlers
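Review bot: The signing-key task in roles/nginx/tasks/main/repo_setup.yaml writes to `/etc/apt/trusted.gpg.d/nginx.asc`, and apt trusts keys in that directory for every configured source, so the `signed-by=` option on the two `repo:` lines does not confine the nginx.org key to the nginx.org repository. Keeping the key outside the global trust directory, e.g. `dest: /etc/apt/keyrings/nginx.asc` with `signed-by=/etc/apt/keyrings/nginx.asc` in both repo lines, gives the scoping the option implies (the directory may need creating first on older releases). The download also relies on HTTPS alone; adding `checksum: "sha256:<digest of the verified key>"` to the `get_url` task would make an unexpected key fail the play instead of being installed as a trust anchor. These tasks are carried over from nginx_install.yaml, so the commit did not introduce this, but the new file is a natural place to tighten it.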