From e86ccc997942596e062d702f3d65feec26b3db09 Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Tue, 22 Aug 2023 21:33:19 +0300 Subject: [PATCH] roles/nginx: minor rework of apt key stuff --- roles/nginx/tasks/main.yml | 33 +++++++++++++++---- .../nginx/templates/nginx_org_sources.list.j2 | 8 ++--- 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 2deee49..ea0c9f5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,13 +1,32 @@ --- -- name: Add nginx.org apt signing key +- name: Remove nginx apt signing key from apt-key ansible.builtin.apt_key: id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 - url: https://nginx.org/keys/nginx_signing.key - state: present - register: add_nginx_apt_key + state: absent tags: - - nginx - packages + - nginx + +- name: Check nginx apt signing key + ansible.builtin.stat: + path: /usr/share/keyrings/nginx_signing.key + register: nginx_signing_key_stat + tags: + - packages + - nginx + +- name: Download nginx apt signing key + ansible.builtin.get_url: + url: https://nginx.org/keys/nginx_signing.key + dest: /usr/share/keyrings/nginx_signing.key + owner: root + group: root + mode: 0644 + register: download_nginx_signing_key + when: not nginx_signing_key_stat.stat.exists + tags: + - packages + - nginx - name: Add nginx.org repo ansible.builtin.template: @@ -22,10 +41,10 @@ - packages - name: Update apt cache - ansible.builtin.apt: + ansible.builtin.apt: # noqa no-handler update_cache: true when: - add_nginx_apt_key is changed or + (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed - name: Install nginx diff --git a/roles/nginx/templates/nginx_org_sources.list.j2 b/roles/nginx/templates/nginx_org_sources.list.j2 index 8e269c2..c1bbef6 100644 --- a/roles/nginx/templates/nginx_org_sources.list.j2 +++ b/roles/nginx/templates/nginx_org_sources.list.j2 
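Review bot: The fingerprint pin is lost in the "Download nginx apt signing key" task: the old apt_key task checked the fetched key against `0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62`, but the new get_url only trusts TLS to nginx.org and writes whatever it receives into the keyring that `signed-by=` will trust. Either add `checksum: sha256:<known hash>` to get_url (which also makes the separate stat task and the `when: not nginx_signing_key_stat.stat.exists` gate unnecessary, and would re-fetch a modified file instead of silently keeping it forever) or follow the download with a task that asserts the fingerprint, as sketched below. Minor style point: write the mode as a quoted string, `mode: "0644"`, so YAML 1.1 octal parsing and ansible-lint's risky-octal rule do not come into play.

```yaml
# … unchanged: Download nginx apt signing key task …

- name: Verify nginx apt signing key fingerprint
  ansible.builtin.command:
    cmd: gpg --batch --with-colons --show-keys /usr/share/keyrings/nginx_signing.key
  register: nginx_signing_key_fpr
  changed_when: false
  failed_when: "'573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62' not in nginx_signing_key_fpr.stdout"
  tags:
    - packages
    - nginx
```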
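Review bot: The new `when:` on "Update apt cache" keys off an HTTP detail, `download_nginx_signing_key.status_code == 200`, rather than the task's change state, so it will stop refreshing the cache if the download task is later gated by a checksum instead of a stat check (get_url then reports a change without a fetch when the local copy already matches). The idiomatic and more robust condition is `download_nginx_signing_key is changed or add_nginx_apt_repository is changed`, which also drops the `is defined` guard. The `# noqa no-handler` suppression suggests this belongs in a handler notified by both tasks, which would remove the condition entirely.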
@@ -3,17 +3,17 @@ {% if ansible_distribution == 'Ubuntu' %} {% if nginx_version == "stable" %} -deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx +deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx {% elif nginx_version == "mainline" %} -deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx +deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx {% endif %} {% elif ansible_distribution == 'Debian' %} {% if nginx_version == "stable" %} -deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx +deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx {% elif nginx_version == "mainline" %} -deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx +deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx {% endif %} {% endif %}