diff --git a/defaults/main.yml b/defaults/main.yml
index 0509dbe..ff5cb90 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,7 @@ nginx_default_release: ""
 
 # Used only for Redhat installation, enables source Nginx repo.
 nginx_yum_repo_enabled: true
+nginx_yum_repo_mainline: false
 
 # Use the official Nginx PPA for Ubuntu, and the version to use if so.
 nginx_ppa_use: false
diff --git a/tasks/setup-RedHat.yml b/tasks/setup-RedHat.yml
index 2507397..a7614cf 100644
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@@ -7,8 +7,18 @@
     group: "{{ root_group }}"
     mode: 0644
   when: nginx_yum_repo_enabled | bool
+  register: repo
+
+- name: Clean the nginx repo
+  command: >
+    yum clean all --disablerepo="*" --enablerepo=nginx
+  args:
+    warn: false
+  when: repo.changed
+  tags: ['skip_ansible_lint']
 
 - name: Ensure nginx is installed.
   package:
     name: "{{ nginx_package_name }}"
-    state: present
+    state: "{{ 'latest' if repo.changed else 'present' }}"
+  notify: restart nginx
diff --git a/templates/nginx.repo.j2 b/templates/nginx.repo.j2
index 9a853b7..b33067f 100644
--- a/templates/nginx.repo.j2
+++ b/templates/nginx.repo.j2
@@ -1,5 +1,7 @@
 [nginx]
 name=nginx repo
-baseurl=http://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/
-gpgcheck=0
+baseurl=http://nginx.org/packages{{ '/mainline' if nginx_yum_repo_mainline }}/centos/{{ ansible_distribution_major_version }}/$basearch/
 enabled=1
+gpgcheck=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
\ No newline at end of file