roles/nginx: Add extra-security headers to PHP block

nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/templates/vhost.conf.j2

@@ -71,6 +71,8 @@ server {
         # Enable this if you want HSTS (recommended, but be careful)
         add_header Strict-Transport-Security max-age=15768000 always;
         {% endif %}
+
+        include extra-security.conf;
     }
 
     include extra-security.conf;