diff --git a/roles/mastodon-config/tasks/main.yml b/roles/mastodon-config/tasks/main.yml
index db1a80e..0d2490b 100644
--- a/roles/mastodon-config/tasks/main.yml
+++ b/roles/mastodon-config/tasks/main.yml
@@ -30,7 +30,22 @@
     executable: /bin/bash
   become: true
   become_user: mastodon
-- name: Copy Mastodon .env.production
+- name: Copy Mastodon .env.production the first time
+  template:
+    src: .env.production
+    dest: /home/mastodon/live/.env.production
+  become: true
+  become_user: mastodon
+- name: Generate VAPID keys and register it
+  shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake mastodon:webpush:generate_vapid_key
+  register: VAPID_KEYS
+  environment:
+    RAILS_ENV: production
+  args:
+    executable: /bin/bash
+  become: true
+  become_user: mastodon
+- name: Copy Mastodon .env.production the second time
   template:
     src: .env.production
     dest: /home/mastodon/live/.env.production
diff --git a/roles/mastodon-config/templates/.env.production.sample b/roles/mastodon-config/templates/.env.production.sample
index 89ce8e7..9b83d34 100644
--- a/roles/mastodon-config/templates/.env.production.sample
+++ b/roles/mastodon-config/templates/.env.production.sample
@@ -27,10 +27,8 @@ SECRET_KEY_BASE={{ SECRET_KEY_BASE.stdout }}
 OTP_SECRET={{ OTP_SECRET.stdout }}
 
 # Web Push VAPID keys
-# Generate with `web-push generate-vapid-keys` on Mastodon host and then
-# fill the following out
-VAPID_PRIVATE_KEY=
-VAPID_PUBLIC_KEY=
+# Don't edit the two below, we get this from a registered variable
+{{ VAPID_KEYS.stdout }}
 
 # All SMTP details, Mailgun and Sparkpost have free tiers
 SMTP_SERVER=