1 files changed, 12 insertions, 1 deletions

diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index caa91dc..15544c2 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -114,34 +114,45 @@
   service: name=php5-fpm state=started
 
 - name: Copy /etc/nginx/sites-available/roundcube
   copy: src=etc/nginx/sites-available/roundcube
         dest=/etc/nginx/sites-available/roundcube
         owner=root group=root
         mode=0644
   register: r1
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/roundcube
   file: src=../sites-available/roundcube
         dest=/etc/nginx/sites-enabled/roundcube
         owner=root group=root
         state=link force=yes
   register: r2
   notify:
     - Restart Nginx
 
+- name: Copy HPKP header snippet
+  # never modify the pined pubkeys as we don't want to lock out our users
+  template: src=etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
+            dest=/etc/nginx/snippets/mail.fripost.org.hpkp-hdr
+            validate=/bin/false
+            owner=root group=root
+            mode=0644
+  register: r3
+  notify:
+    - Restart Nginx
+
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   fetch_cmd: cmd="openssl x509 -noout -pubkey"
              stdin=/etc/nginx/ssl/mail.fripost.org.pem
              dest=certs/public/mail.fripost.org.pub
   tags:
     - genkey