1 files changed, 12 insertions, 1 deletions

diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 4a64c2f..ff2d724 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -76,43 +76,54 @@
         mode=0644
   register: r1
   with_items:
     - website
     - wiki
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/{wiki,website}
   file: src=../sites-available/{{ item }}
         dest=/etc/nginx/sites-enabled/{{ item }}
         owner=root group=root
         state=link force=yes
   register: r2
   with_items:
     - website
     - wiki
   notify:
     - Restart Nginx
 
+- name: Copy HPKP header snippet
+  # never modify the pined pubkeys as we don't want to lock out our users
+  template: src=etc/nginx/snippets/fripost.org.hpkp-hdr.j2
+            dest=/etc/nginx/snippets/fripost.org.hpkp-hdr
+            validate=/bin/false
+            owner=root group=root
+            mode=0644
+  register: r3
+  notify:
+    - Restart Nginx
+
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   fetch_cmd: cmd="openssl x509 -noout -pubkey"
              stdin=/etc/nginx/ssl/www.fripost.org.pem
              dest=certs/public/fripost.org.pub
   tags:
     - genkey
 
 - name: Create directory /var/www/fripost.org/autoconfig/mail
   file: path=/var/www/fripost.org/autoconfig/mail
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy /var/www/fripost.org/autoconfig/mail/config-v1.1.xml
   copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml