diff --git a/roles/pikvm_ssl/tasks/main.yml b/roles/pikvm_ssl/tasks/main.yml
new file mode 100644
index 0000000..b9a76db
--- /dev/null
+++ b/roles/pikvm_ssl/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: ssl template config
+ template:
+ src: ssl.conf.j2
+ dest: /etc/kvmd/nginx/ssl.conf
diff --git a/roles/pikvm_ssl/templates/ssl.conf.j2 b/roles/pikvm_ssl/templates/ssl.conf.j2
new file mode 100644
index 0000000..e567976
--- /dev/null
+++ b/roles/pikvm_ssl/templates/ssl.conf.j2
@@ -0,0 +1,5 @@
+ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_certificate { kvmd_pst_data }/acme/{ domain }/fullchain.cer;
+ssl_certificate_key { kvmd_pst_data }/acme/{ domain }/{ domain }.key;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
diff --git a/roles/pikvm_ssl/vars/main.yml b/roles/pikvm_ssl/vars/main.yml
new file mode 100644
index 0000000..08e3df1
--- /dev/null
+++ b/roles/pikvm_ssl/vars/main.yml
@@ -0,0 +1 @@
+kvmd_pst_data: /var/lib/kvmd/pst/data
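Review bot: The `template` task in roles/pikvm_ssl/tasks/main.yml writes /etc/kvmd/nginx/ssl.conf without `owner`, `group` or `mode`, and it notifies no handler. The file's permissions therefore depend on the umask of the run, and the new TLS settings will presumably not be picked up until the nginx instance in front of kvmd is restarted by hand. I would add `owner: root`, `group: root`, `mode: "0644"` and a `notify:` pointing at a restart handler, which this role does not define in the lines shown. The task name could also state the outcome, e.g. `- name: Install nginx TLS configuration for kvmd`.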
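Review bot: `ssl_protocols` on the first line of roles/pikvm_ssl/templates/ssl.conf.j2 still enables TLSv1.1 and TLSv1, which RFC 8996 deprecates, so a KVM-over-IP login can be negotiated down to protocols with known weaknesses; I would ship `ssl_protocols TLSv1.3 TLSv1.2;`. In `ssl_ciphers`, the `AES256+EECDH:AES256+EDH` entries also admit CBC-mode suites, and the `EDH` entries do nothing unless an `ssl_dhparam` file is configured elsewhere, so trimming the list to the two AESGCM groups would state the intent more honestly. As shown here the certificate paths use single braces (`{ kvmd_pst_data }`, `{ domain }`), which Jinja2 writes out literally. If that is not an artefact of how the diff was rendered they need to be `{{ kvmd_pst_data }}` and `{{ domain }}`, and `domain` is not defined in this role's vars/main.yml. A short comment above the `add_header` line noting that `includeSubDomains` with a one-year `max-age` pins every subdomain of the serving host to HTTPS would help anyone reusing the template on a shared domain.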