diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 090a3009a4227bdaa9ec0ce8ba660bdce03860f7..2d9a8e3d30febab2a52f7e37ffd85f6b098ce210 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -172,10 +172,11 @@
   file: path=/etc/rsyncd-conf-genscripts state=directory owner=root group=root mode=0700
 
 - name: install rsync.conf.proto
-  copy: src=rsyncd.conf.proto dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
+  template: src=rsyncd.conf.proto.j2 dest=/etc/rsyncd-conf-genscripts/rsyncd.conf.proto owner=root group=root mode=0644
 
 - name: install rsyncd.secrets
   copy: src=rsyncd.secrets dest=/etc/rsyncd.secrets owner=root group=root mode=0600
+  no_log: true
 
 - name: configure gen_rsyncd.conf.pl
   template: src=gen_rsyncd.conf.pl dest=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl owner=root group=root mode=0700
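Review bot: The `configure gen_rsyncd.conf.pl` task at the end of this hunk has no `no_log: true`, although the template it renders embeds `archweb_db_dbscripts_password` (the `my $pass` line in the second file of this commit). When the play is run with `--diff`, the template module prints the rendered content, so the database password can end up in console output or CI logs. Adding `no_log: true` under that task would match what this commit does for `install rsyncd.secrets`. The task list continues outside the hunk.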
diff --git a/roles/dbscripts/templates/gen_rsyncd.conf.pl b/roles/dbscripts/templates/gen_rsyncd.conf.pl
index bcca6e092a78c53f21d0d6503db75b6e41a4ba19..c7ba294db05d00238c5c748a9c32b0736f653f60 100755
--- a/roles/dbscripts/templates/gen_rsyncd.conf.pl
+++ b/roles/dbscripts/templates/gen_rsyncd.conf.pl
@@ -8,7 +8,7 @@ use Data::Dumper;
 # TODO put these into credentials.ini and use Config::Simple to read it
 my $user = '{{ archweb_db_dbscripts_user }}';
 my $pass = '{{ archweb_db_dbscripts_password }}';
-my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }};sslmode=require';
+my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';
 
 my $scriptdir="/etc/rsyncd-conf-genscripts";
 my $infile="$scriptdir/rsyncd.conf.proto";
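Review bot: The new `$db` line keeps `sslmode=require` only when `postgres_ssl` equals the string `'on'`, so any other value silently drops the TLS requirement. In particular, an unquoted `postgres_ssl: on` in YAML loads as boolean true, which does not equal `'on'`; the variable's definition is not visible here, so this should be checked. Without the parameter libpq falls back to its default `prefer` mode, which does not enforce encryption, so `$pass` may cross the network to `archweb_db_host` unprotected. A fail-safe form drops the requirement only on an explicit opt-out, e.g. `{% if postgres_ssl != 'off' %};sslmode=require{% endif %}`.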
diff --git a/roles/dbscripts/templates/rsyncd.conf.proto.j2 b/roles/dbscripts/templates/rsyncd.conf.proto.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e38ffa5199d0abaee1db6a8c02c815b8ffbd99ac
--- /dev/null
+++ b/roles/dbscripts/templates/rsyncd.conf.proto.j2
@@ -0,0 +1,140 @@
+# DO NOT CHANGE rsync.conf, CHANGE rsync.conf.proto INSTEAD! 
+# Hosts are managed by archweb, talk to someone that has permission to
+# play with mirrors to get new IP addresses added.
+
+use chroot = no
+max connections = 12
+lock file = /var/run/rsyncd/main.lock
+syslog facility = local5
+pid file = /var/run/rsyncd.pid
+#transfer logging = yes
+transfer logging = no
+motd file = /etc/rsyncd.motd
+timeout = 600
+
+# ALLOW ONLY TIERED MIRRORS
+# This effectively disables all sections but abs, *_tier1 and *_auth
+# We keep the configuration around in case we need to revert again
+hosts allow = 127.0.0.1
+
+# DENY THE REST
+hosts deny = *
+
+# ABS
+[abs]
+	path = /srv/abs/rsync
+	comment = ABS rsync
+	list = false
+	exclude = CVS .svn .~tmp~
+	hosts allow = *
+	read only = true
+	refuse options = c compress
+	dont compress = *
+	max connections = 50
+	transfer logging = no
+	lock file = /var/run/rsyncd/abs.lock
+
+# Just the release/stable iso/packages (for most mirrors)
+[ftp]
+	path = /srv/ftp
+	comment = ftp area (most mirrors should use this)
+	exclude = /archive/ /other/ /sources/
+
+[ftp_tier1]
+	path = /srv/ftp
+	comment = ftp area (most mirrors should use this)
+	exclude = /archive/ /other/ /sources/
+	hosts allow = @@ALLOWHOSTS_TIER1@@
+	max connections = 0
+
+[ftp_auth]
+	path = /srv/ftp
+	comment = ftp area, passworded (same as 'ftp')
+	exclude = /archive/ /other/ /sources/
+	hosts allow = *
+	auth users = *
+	secrets file = /etc/rsyncd.secrets
+	max connections = 0
+
+# The whole she-bang, except /sources
+[ftpfull]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions, except sources)
+	exclude = /sources/
+
+[ftpfull_tier1]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions, except sources)
+	exclude = /sources/
+	hosts allow = @@ALLOWHOSTS_TIER1@@
+	max connections = 0
+
+[ftpfull_auth]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions, except sources)
+	exclude = /sources/
+	hosts allow = *
+	auth users = *
+	secrets file = /etc/rsyncd.secrets
+	max connections = 0
+
+# The whole she-bang
+[kitchensink]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions)
+	hosts allow = {{ hostvars['apollo.archlinux.org']['ipv4_address'] }} {{ hostvars['apollo.archlinux.org']['ipv6_address'] }}
+
+[kitchensink_tier1]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions)
+	hosts allow = @@ALLOWHOSTS_TIER1@@
+	max connections = 0
+
+[kitchensink_auth]
+	path = /srv/ftp
+	comment = ftp area (everything, including very old versions)
+	hosts allow = *
+	auth users = *
+	secrets file = /etc/rsyncd.secrets
+	max connections = 0
+
+# Special module for ftp.archlinux.org only, allows it to always get through
+[ftp-archlinux]
+	hosts allow = 209.85.41.143 209.85.41.144 209.85.41.145
+	max connections = 4
+	lock file = /var/run/rsyncd/archftp.lock
+	path = /srv/ftp
+	list = false
+	comment = ftp (priority) for ftp.archlinux.org
+	exclude = /archive/
+
+# Individual repositories
+[core]
+	path = /srv/ftp/core
+	comment = core repository
+
+[extra]
+	path = /srv/ftp/extra
+	comment = extra repository
+
+[community]
+	path = /srv/ftp/community
+	comment = community repository
+
+[testing]
+	path = /srv/ftp/testing
+	comment = testing repository
+
+[community-testing]
+	path = /srv/ftp/community-testing
+	comment = community-testing repository
+
+[communitysvn]
+	path = /srv/repos/svn-community/svn/
+	comment = community svn rep
+	hosts allow = 66.211.214.132
+
+[packagessvn]
+	path = /srv/repos/svn-packages/svn/
+	comment = community svn rep
+	hosts allow = 66.211.214.132
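Review bot: The `hosts allow` lines for `[ftp-archlinux]`, `[communitysvn]` and `[packagessvn]` still carry literal addresses (`209.85.41.143` to `145`, `66.211.214.132`), while `[kitchensink]` now takes its addresses from `hostvars`. A literal allow-list entry keeps granting access after the host it was meant for moves or is retired, so these would be better sourced from inventory the same way, or at least annotated with the host each address belongs to. The header comment still tells readers to edit `rsync.conf.proto`, but the deployed file is now rendered from this template and overwritten on each run, so it should say something like `# Managed by Ansible: edit roles/dbscripts/templates/rsyncd.conf.proto.j2`. The `[packagessvn]` comment reads `community svn rep`, which looks like a copy-paste from the module above it.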