diff --git a/docs/README.apt.keyrings.rst b/docs/README.apt.keyrings.rst index 5755eac..7319c96 100644 --- a/docs/README.apt.keyrings.rst +++ b/docs/README.apt.keyrings.rst @@ -10,8 +10,8 @@ in favor of using `keyring files` which contain a binary OpenPGP format of the k As nginx and passenger don't provide such key files, we created them following the official recomendations in their sites and install the resulting files. -Ngninx ------- +Nginx +----- See https://nginx.org/en/linux_packages.html#Debian for details diff --git a/nginx/map.jinja b/nginx/map.jinja index 77b41ca..0667327 100644 --- a/nginx/map.jinja +++ b/nginx/map.jinja @@ -19,6 +19,9 @@ 'server_use_symlink': True, 'pid_file': '/run/nginx.pid', 'openssl_package': 'openssl', + 'package_repo_keyring': '/usr/share/keyrings/nginx-archive-keyring.gpg', + 'passenger_package_repo_keyring': '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg', + }, 'CentOS': { 'package': 'nginx', diff --git a/nginx/pkg.sls b/nginx/pkg.sls index 2640b24..4dd8d0e 100644 --- a/nginx/pkg.sls +++ b/nginx/pkg.sls @@ -37,11 +37,11 @@ nginx_install: - name: {{ nginx.lookup.package }} {% endif %} -{% if salt['grains.get']('os_family') == 'Debian' %} +{% if grains.os_family == 'Debian' %} {%- if from_official %} nginx_official_repo_keyring: file.managed: - - name: /usr/share/keyrings/nginx-archive-keyring.gpg + - name: {{ nginx.lookup.package_repo_keyring }} - source: {{ files_switch(['nginx-archive-keyring.gpg'], lookup='nginx_official_repo_keyring' ) 
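Review bot: `package_repo_keyring` and `passenger_package_repo_keyring` are added to a single map entry, and that entry's opening line is outside the hunk, so it is not visible which OS it belongs to. pkg.sls now renders `signed-by={{ nginx.lookup.package_repo_keyring }}` for every minion with `os_family == 'Debian'`, so if this entry is not merged for all Debian-family systems the option would presumably render empty; worth confirming. These values are also pillar-overridable and decide which key APT trusts for each repo. The README should say they must stay dedicated files such as those under `/usr/share/keyrings`, not under `/etc/apt/trusted.gpg.d`, where a key is trusted for every source. The blank line added before `},` can be dropped.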
@@ -58,8 +58,10 @@ nginx_official_repo: - absent {%- endif %} - humanname: nginx apt repo - - name: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx - - file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list + - name: >- + deb [signed-by={{ nginx.lookup.package_repo_keyring }}] + http://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx + - file: /etc/apt/sources.list.d/nginx-official-{{ grains.oscodename }}.list - require_in: - pkg: nginx_install - watch_in: @@ -74,10 +76,10 @@ nginx_ppa_repo: {%- else %} - absent {%- endif %} - {% if salt['grains.get']('os') == 'Ubuntu' %} + {% if grains.os == 'Ubuntu' %} - ppa: nginx/{{ nginx.ppa_version }} {% else %} - - name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains['oscodename'] }} main + - name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains.oscodename }} main - keyid: C300EE8C - keyserver: keyserver.ubuntu.com {% endif %} @@ -101,12 +103,12 @@ nginx_phusionpassenger_repo_keyring: # Remove the old repo file nginx_phusionpassenger_repo_remove: pkgrepo.absent: - - name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx + - name: deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx - keyid: 561F9B9CAC40B2F7 - require_in: - pkgrepo: nginx_phusionpassenger_repo file.absent: - - name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list + - name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains.oscodename }}.list - require_in: - pkgrepo: nginx_phusionpassenger_repo {%- endif %} 
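Review bot: The rewritten `name` of `nginx_official_repo` still fetches over plain `http://nginx.org/packages/...`. `signed-by` protects package integrity, but over HTTP an on-path party can see which packages are requested and can replay stale repository metadata; the passenger repo in this same file already uses https. Suggest `https://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx`, after confirming the target minions have CA certificates installed. The state begins above the hunk.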
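Review bot: The non-Ubuntu branch of `nginx_ppa_repo` still establishes trust with `- keyid: C300EE8C` and `- keyserver: keyserver.ubuntu.com`. An 8-hex-digit short key ID can be matched by an unrelated key, and a key imported this way is, as far as I can tell, trusted for every APT source rather than only this one. The commit moves the two other repos to `signed-by=` keyrings but changes only the grain syntax here. Suggest shipping a keyring file for the PPA and writing `deb [signed-by=<ppa-keyring-path>] http://ppa.launchpad.net/...`, or at minimum pinning the full fingerprint, `- keyid: <FULL_40_HEX_FINGERPRINT>`.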
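Review bot: In `nginx_phusionpassenger_repo_remove` the `pkgrepo.absent` `name` is the nginx.org line (`deb http://nginx.org/packages/...`), while the state id, the `keyid` and the `file.absent` path all refer to passenger. This looks like a copy-paste leftover that the commit carries forward, so the state may remove the legacy nginx source entry rather than the old passenger one. Please confirm which source line the old passenger repo actually used and put that in `name`. As a style point, `{{ grains.os |lower }}` here should match the `{{ grains.os | lower }}` spacing used in `nginx_official_repo`.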
@@ -119,15 +121,17 @@ nginx_phusionpassenger_repo: - absent {%- endif %} - humanname: nginx phusionpassenger repo - - name: deb [signed-by=/usr/share/keyrings/phusionpassenger-archive-keyring.gpg] https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main - - file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains['oscodename'] }}.list + - name: >- + deb [signed-by={{ nginx.lookup.passenger_package_repo_keyring }}] + https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main + - file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains.oscodename }}.list - require_in: - pkg: nginx_install - watch_in: - pkg: nginx_install {% endif %} -{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %} +{% if grains.os_family == 'Suse' or grains.os == 'SUSE' %} nginx_zypp_repo: pkgrepo: {%- if from_official %} @@ -148,8 +152,8 @@ nginx_zypp_repo: - pkg: nginx_install {% endif %} -{% if salt['grains.get']('os_family') == 'RedHat' %} -{% if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %} +{% if grains.os_family == 'RedHat' %} +{% if grains.osfinger in ['Amazon Linux-2'] %} nginx_epel_repo: pkgrepo.managed: - name: epel diff --git a/test/integration/passenger/controls/repository.rb b/test/integration/passenger/controls/repository.rb index b559392..92f8294 100644 --- a/test/integration/passenger/controls/repository.rb +++ b/test/integration/passenger/controls/repository.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true -case os[:name] -when 'centos' +case os.family +when 'redhat' repo_file = '/etc/yum.repos.d/passenger.repo' repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch' -when 'debian', 'ubuntu' +when 'debian' # Inspec does not provide a `codename` matcher, so we add ours case platform[:release].to_f.truncate # ubuntu 
@@ -13,6 +13,8 @@ when 'debian', 'ubuntu'
 when 20
 codename = 'focal'
 # debian
+ when 9
+ codename = 'stretch'
 when 10
 codename = 'buster'
 when 11