From 171b3474d975c2faa3d48fa31654b8ab5981b4d4 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 23 Sep 2016 20:37:27 +0000
Subject: [PATCH] ship pin set for people.debian.org

---
 modules/apache2/manifests/pin.pp | 8 ++++++++
 modules/roles/manifests/init.pp | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 modules/apache2/manifests/pin.pp

diff --git a/modules/apache2/manifests/pin.pp b/modules/apache2/manifests/pin.pp
new file mode 100644
index 000000000..020f221d5
--- /dev/null
+++ b/modules/apache2/manifests/pin.pp
@@ -0,0 +1,8 @@
+define apache2::pin () {
+ $snippet = gen_hpkp_pin($name)
+
+ concat::fragment { "puppet-ssl-key-pins-header-${name}":
+ target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
+ content => $snippet,
+ }
+}
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 1d7282435..e7369d450 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -91,6 +91,7 @@ class roles {
 if has_role('people') {
 ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, }
 onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
+ apache2::pin { 'people.debian.org': }
 }
 
 if has_role('security_master') {
-- 
2.20.1
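Review bot: The new `apache2::pin` define in pin.pp has no comment stating what the pin set must contain, and it writes whatever `gen_hpkp_pin($name)` returns into the shared key-pins conf unchecked. That function is not part of this patch, so it cannot be seen here whether the snippet carries a backup pin or what it yields for a name without key material; with HPKP, a pin set that stops matching the served key locks returning clients out until the pin expires. I would add a header comment above the define such as `# Adds the HPKP header snippet for site $name; the pin set must include the live key and at least one backup pin.` The declaration of the concat target and any Apache reload when a fragment changes are also outside this patch, which matters for the `apache2::pin { 'people.debian.org': }` line added in init.pp: only the neighbouring `ssl::service` visibly notifies `Exec['service apache2 reload']`, so it is worth confirming that a changed pin set actually reaches the running server.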