Add gpg check and install nginx repo key.

defaults/main.yml

@@ -3,6 +3,9 @@
 nginx_default_release: ""
 # Used only for RHEL/Centos installation. Set to false for mainline repo.
 nginx_el_install_mainline: yes
+# Used only for RHEL/Centos installation. Define the short gpg key id for nginx repo.
+# Here: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xABF5BD827BD9BF62
+nginx_el_repo_gpg_key: 7BD9BF62
 
 nginx_worker_processes: "1"
 nginx_worker_connections: "1024"

tasks/setup-RedHat.yml

@@ -1,4 +1,19 @@
 ---
+- name: Check key id exists
+  command: rpm -qa gpg-pubkey
+  register: gpg_key_presence
+  changed_when: "'gpg-pubkey-{{ nginx_el_repo_gpg_key | lower }}-' not in gpg_key_presence.stdout"
+
+- name: Install nginx repo gpg key
+  rpm_key: state=present key=http://nginx.org/keys/nginx_signing.key
+  register: gpg_key_download
+  when: gpg_key_presence.changed
+
+# Throws error that key is not found. This means that after installing the key previously and its still missing# we have a MITM.
+- name: Ensure keyid exists with proper keyid.
+  rpm_key: state=present key="{{ nginx_el_repo_gpg_key | upper }}"
+  when: gpg_key_download.changed
+
 - name: (RedHat) Enable nginx repo.
   template:
     src: nginx.rhel.repo.j2

templates/nginx.rhel.repo.j2

@@ -2,12 +2,12 @@
 [nginx]
 name=nginx repo mainline
 baseurl=http://nginx.org/packages/mainline/rhel/$releasever/$basearch/
-gpgcheck=0
+gpgcheck=1
 enabled=1
 {% else %}
 [nginx]
 name=nginx repo stable
 baseurl=http://nginx.org/packages/rhel/$releasever/$basearch/
-gpgcheck=0
+gpgcheck=1
 enabled=1
 {% endif %}