diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml index 2456634..e1f3d32 100644 --- a/roles/munin-master/tasks/main.yml +++ b/roles/munin-master/tasks/main.yml @@ -12,6 +12,12 @@ owner: munin group: apache +- name: add munin to hostkey group + user: + name: munin + groups: hostkey + append: yes + - name: create apache config copy: dest: /etc/httpd/conf.local.d/munin.conf @@ -21,6 +27,14 @@ group: "{{ ansible_wheel }}" notify: restart apache +- name: create tls config + template: + dest: /etc/munin/conf.d/00-tls.conf + src: tls.conf.j2 + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + - name: remove localhost node file: path: /etc/munin/conf.d/local.conf diff --git a/roles/munin-master/templates/tls.conf.j2 b/roles/munin-master/templates/tls.conf.j2 new file mode 100644 index 0000000..61eea1f --- /dev/null +++ b/roles/munin-master/templates/tls.conf.j2 @@ -0,0 +1,5 @@ +tls paranoid +tls_verify_certificate yes +tls_private_key {{ tls_private }}/{{ inventory_hostname }}.key +tls_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt +tls_ca_certificate {{ tls_certs }}/ca.crt
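Review bot: The new `add munin to hostkey group` task gives the munin account read access to everything the `hostkey` group protects, presumably the host's TLS private key that tls.conf.j2 points at. That reason is not recorded anywhere in the task, so a comment above it would help, for example `# munin-update runs as munin and must read the host key to speak TLS to the nodes`. If the key is shared with other services, a key pair issued only for munin would keep a compromise of the munin account from exposing the host identity. The task also assumes the `hostkey` group already exists, since the user module fails on an unknown group. `append: yes` would read more predictably as `append: true`.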
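Review bot: `mode: 0644` in the new `create tls config` task depends on the YAML loader reading the bare scalar as octal. Writing it as `mode: "0644"` passes the mode as a string and removes that dependency. The task notifies no handler, which looks fine if the master only runs from cron. A short comment saying so would stop a later reader from adding a restart that is not needed.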
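Review bot: The template checks the peer certificate against `ca.crt` but does not restrict which certificate subject is accepted. As far as this file shows, any certificate issued by that CA would be accepted for any node. If the installed munin master honours it, a `tls_match` line with a pattern for the expected node names would narrow that, and an explicit `tls_verify_depth` would pin the chain length rather than leaving it at the default. `tls_private` and `tls_certs` are not defined anywhere in this diff, so the role should document where they come from. A first line of `# {{ ansible_managed }}` would mark the rendered file as generated.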