ansible-infra/playbooks/roles/nginx/tasks/main/repo_setup.yaml

- name: gather package facts
  ansible.builtin.package_facts:
    manager: apt

- name: make sure `gnupg` package is installed
  ansible.builtin.apt:
    name: gnupg
    state: present
    update_cache: true
  become: true
  when: "'gnupg' not in ansible_facts.packages"

- name: make sure NGINX signing key is added
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /etc/apt/trusted.gpg.d/nginx.asc
    mode: "0644"
    owner: root
    group: root
  become: true
  notify: apt-get update

- name: make sure NGINX APT repository is added
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
    state: present
  become: true
  notify: apt-get update

- name: make sure NGINX APT source repository is added
  ansible.builtin.apt_repository:
    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
    state: present
  become: true
  notify: apt-get update

- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories
  ansible.builtin.copy:
    content: |
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
    dest: /etc/apt/preferences.d/99nginx
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Flush handlers to make sure "apt-get update" handler runs, if needed
  ansible.builtin.meta: flush_handlers