83:c57344d0b80a
Anton Shestakov <av6@dwimlabs.net>, Wed, 06 Apr 2016 13:35:00 +0800
provision: use the extracted hpkpinfo from ssl_cert and intermediate certs

3 файлов изменено, 10 вставок(+), 1 удалений(-) [+]
provision/roles/fruitbar/tasks/main.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar file | annotate | diff | comparison | revisions
provision/roles/fruitbar/vars/main.yml file | annotate | diff | comparison | revisions
--- a/provision/roles/fruitbar/tasks/main.yml Wed Apr 06 13:26:28 2016 +0800
+++ b/provision/roles/fruitbar/tasks/main.yml Wed Apr 06 13:35:00 2016 +0800
@@ -31,10 +31,13 @@
- name: Extract information for HPKP header
shell: >
- openssl x509 -pubkey -noout -in '{{ ssl_cert }}'
+ openssl x509 -pubkey -noout -in '{{ item }}'
| openssl pkey -pubin -outform der
| openssl dgst -sha256 -binary
| openssl enc -base64
+ with_flattened:
+ - ['{{ ssl_cert }}']
+ - '{{ ssl_intermediates }}'
register: hpkpinfo
when: certfile.stat.exists and keyfile.stat.exists
always_run: yes
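Review bot: The four-stage pipeline on lines 18–21 runs without `pipefail`, so when `openssl x509` cannot read an item — a missing or malformed path in the new `ssl_intermediates` list — the non-zero status is hidden by the later stages and `openssl dgst` hashes empty input, leaving a syntactically valid but meaningless base64 value in `hpkpinfo.results[].stdout` while the task reports success. The `when:` guard only stats `ssl_cert`/`ssl_key`, never the intermediates, so nothing else catches this before the value is rendered into the nginx `pin-sha256` header. Prefix the folded command with `set -o pipefail;` and set `args: {executable: /bin/bash}` so a bad item fails the task instead; `changed_when: false` is also missing, so this read-only extraction shows as changed on every run.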
--- a/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Wed Apr 06 13:26:28 2016 +0800
+++ b/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Wed Apr 06 13:35:00 2016 +0800
@@ -40,6 +40,11 @@
resolver {{ nginx_resolver }};
resolver_timeout {{ nginx_resolver_timeout }};
+{% if hpkpinfo.results|length > 1 %}
+ # HPKP: 5184000 = 60 days
+ add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
+{% endif %}
+
# HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
add_header Strict-Transport-Security 'max-age=31536000';
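Review bot: Every pin in the generated `Public-Key-Pins` header comes from certificates in the served chain (leaf plus intermediates), and RFC 7469 requires at least one Backup Pin whose key is not in the chain — user agents are expected to ignore a PKP header without one, and if one did honor it, rotating the leaf key together with its intermediate would lock returning clients out for the full 60-day `max-age`. A backup pin should come from an offline key supplied via a role variable rather than being computed from the chain on the host. Separately, when `certfile`/`keyfile` do not exist the registered loop results are skipped items with no `stdout`, so `{{ r.stdout }}` raises an undefined-variable error during templating as soon as `ssl_intermediates` is non-empty; guard the loop with `{% for r in hpkpinfo.results if r.stdout is defined %}` or include `certfile.stat.exists and keyfile.stat.exists` in the `{% if %}`. The enclosing `server` block starts and ends outside this hunk.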
--- a/provision/roles/fruitbar/vars/main.yml Wed Apr 06 13:26:28 2016 +0800
+++ b/provision/roles/fruitbar/vars/main.yml Wed Apr 06 13:35:00 2016 +0800
@@ -3,4 +3,5 @@
site_order: 50
ssl_cert: /etc/ssl/local/fruitbar.{{ umbrella }}.pem
ssl_key: /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key
+ssl_intermediates: []
...
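Review bot: `ssl_intermediates: []` is placed in the role's `vars/main.yml`, where role vars take precedence over inventory and play vars, so as far as I can tell the empty default cannot be overridden per host from inventory and the HPKP intermediates can only be set with higher-precedence mechanisms such as extra-vars. If the list is meant to be tunable, `defaults/main.yml` is the conventional home for it; if the role deliberately keeps all SSL paths here alongside `ssl_cert`/`ssl_key`, a comment such as `# Intermediate CA cert paths whose SPKI hashes are added as HPKP pins` would make the expected override route and the file's purpose clear.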