ansible-infra/roles/nginx/tasks/main/02_repo_setup.yaml

- name: Ensure gnupg is installed
  ansible.builtin.apt:
    name: gnupg
    state: present
  become: true

- name: Ensure NGINX signing key is added
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /etc/apt/trusted.gpg.d/nginx.asc
    mode: "0644"
    owner: root
    group: root
  become: true

- name: Ensure NGINX APT repository is added
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
    state: present
  become: true

- name: Ensure NGINX APT source repository is added
  ansible.builtin.apt_repository:
    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
    state: present
  become: true

- name: Ensure repository pinning to make sure nginx package gets installed from NGINX repositories is set up
  ansible.builtin.copy:
    content: |
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
    dest: /etc/apt/preferences.d/99nginx
    owner: root
    group: root
    mode: "0644"
  become: true