updating key sites

aknot242 · aknot242 · commit 27a47ec32ba6 · 2020-07-28T12:06:13.000-07:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -36,6 +36,10 @@ nginx_timeout: 180
 # App Protect Temporary Directory to use (Default: /tmp)
 app_protect_tempdir: /tmp
 
+# Choose where to fetch the NGINX signing key from.
+# Default is the official NGINX signing key host.
+# nginx_signing_key: https://cs.nginx.com/static/keys/nginx_signing.key
+
 # Choose where to fetch the NGINX App Protect signing key from.
 # Default is the official NGINX App Protect signing key host.
 # app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key
diff --git a/tasks/keys/apt-key.yml b/tasks/keys/apt-key.yml
@@ -1,14 +1,18 @@
 ---
-- name: "(Install: APT OSs) Set Default APT NGINX App Protect Signing Key URL"
+- name: "(Install: APT OSs) Set APT NGINX Signing Key URL"
   set_fact:
     key_value: "" # appeasing the linter
-    default_keysite: "http://nginx.org/keys/nginx_signing.key"
+    nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
 
 - name: "(Install: APT OSs) Set APT NGINX App Protect Signing Key URL"
   set_fact:
     key_value: "" # appeasing the linter
-    keysite: "{{ app_protect_signing_key | default(default_keysite) }}"
+    app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
+
+- name: "(Install: APT OSs) Add APT NGINX Signing Key"
+  apt_key:
+    url: "{{ nginx_keysite }}"
 
 - name: "(Install: APT OSs) Add APT NGINX App Protect Signing Key"
   apt_key:
-    url: "{{ keysite }}"
+    url: "{{ app_protect_keysite }}"
diff --git a/tasks/keys/rpm-key.yml b/tasks/keys/rpm-key.yml
@@ -1,14 +1,18 @@
 ---
-- name: "(Install: RPM OSs) Set Default RPM NGINX App Protect Signing Key"
+- name: "(Install: RPM OSs) Set Default RPM NGINX Signing Key"
   set_fact:
     key_value: "" # appeasing the linter
-    default_keysite: "http://nginx.org/keys/nginx_signing.key"
+    nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
 
-- name: "(Install: RPM OSs) Set RPM NGINX App Protect Signing Key URL"
+- name: "(Install: RPM OSs) Set Default RPM NGINX App Protect Signing Key"
   set_fact:
     key_value: "" # appeasing the linter
-    keysite: "{{ app_protect_signing_key | default(default_keysite) }}"
+    app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
+
+- name: "(Install: RPM OSs) Add RPM NGINX Signing Key"
+  rpm_key:
+    key: "{{ nginx_keysite }}"
 
 - name: "(Install: RPM OSs) Add RPM NGINX App Protect Signing Key"
   rpm_key:
-    key: "{{ keysite }}"
+    key: "{{ app_protect_keysite }}"
diff --git a/tasks/setup-redhat-repos.yml b/tasks/setup-redhat-repos.yml
@@ -31,7 +31,7 @@
         sslclientcert: "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}"
         sslclientkey: "/etc/ssl/nginx/{{ nginx_license.key | basename }}"
         enabled: true
-        gpgcheck: false
+        gpgcheck: true
         gpgkey: https://cs.nginx.com/static/keys/app-protect.key
         state: "{{ nginx_license_status | default ('present') }}"
 
@@ -44,7 +44,7 @@
         sslclientcert: "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}"
         sslclientkey: "/etc/ssl/nginx/{{ nginx_license.key | basename }}"
         enabled: true
-        gpgcheck: false
+        gpgcheck: true
         gpgkey: https://cs.nginx.com/static/keys/app-protect.key
         state: "{{ nginx_license_status | default ('present') }}"
   when: ansible_distribution != "Amazon"
