diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml
index 762a9d4..bbf8213 100644
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@@ -2,6 +2,11 @@
 profiles::packages::install:
   - createrepo
+profiles::pki::vault::alt_names:
+  - repos.main.unkin.net
+
+profiles::reposync::webserver::nginx_listen_mode: both
+profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
   almalinux_8_9_baseos:
     repository: 'BaseOS'
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp
index 789ce21..baa7f76 100644
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
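Review bot: The name added under `profiles::pki::vault::alt_names` repeats the hostname that `nginx_vhost` merely defaults to in webserver.pp, and nothing in this data ties the two together: if the vhost is later overridden in hiera, the Vault-issued certificate keeps the old SAN and clients will reject it. I would set `profiles::reposync::webserver::nginx_vhost: repos.main.unkin.net` explicitly next to `nginx_listen_mode` and `nginx_cert_type`, with a short comment saying the SAN list must match it, so the values that have to agree live in one place.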
@@ -2,21 +2,71 @@
 class profiles::reposync::webserver (
   String $www_root = '/data/repos/snap',
   String $nginx_vhost = 'repos.main.unkin.net',
-  Integer $nginx_port = 80,
+  Stdlib::Port $nginx_port = 80,
+  Stdlib::Port $nginx_ssl_port = 443,
   Boolean $favicon = true,
+  Enum['http','https','both'] $nginx_listen_mode = 'http',
+  Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
 ) {
+  # select the certificates to use based on cert type
+  case $nginx_cert_type {
+    'puppet': {
+      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+      $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+    }
+    'vault': {
+      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+      $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set variables based on the listen_mode
+  case $nginx_listen_mode {
+    'http': {
+      $enable_ssl = false
+      $ssl_cert = undef
+      $ssl_key = undef
+      $listen_port = $nginx_port
+      $listen_ssl_port = undef
+    }
+    'https': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_ssl_port
+      $listen_ssl_port = $nginx_ssl_port
+    }
+    'both': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_port
+      $listen_ssl_port = $nginx_ssl_port
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
   class { 'nginx': }
   # create the nginx vhost
   nginx::resource::server { $nginx_vhost:
-    listen_port => $nginx_port,
+    listen_port => $listen_port,
     server_name => [$nginx_vhost],
     use_default_location => true,
     access_log => "/var/log/nginx/${nginx_vhost}_access.log",
     error_log => "/var/log/nginx/${nginx_vhost}_error.log",
     www_root => $www_root,
     autoindex => 'on',
+    ssl => $enable_ssl,
+    ssl_cert => $ssl_cert,
+    ssl_key => $ssl_key,
+    ssl_port => $listen_ssl_port,
   }
   if $favicon {
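Review bot: In the `'https'` branch the same port is assigned to both `$listen_port` and `$listen_ssl_port`, so HTTPS-only operation depends on puppet-nginx quietly omitting the plain `listen` block when the two ports coincide rather than on an explicit setting; if the module version in use exposes `ssl_only` on `nginx::resource::server`, I would add `$ssl_only = $nginx_listen_mode == 'https'` next to `$enable_ssl` and pass `ssl_only => $ssl_only,` alongside `ssl => $enable_ssl,`. The cert and key paths chosen in the first `case` are handed to the server resource with no ordering against whatever writes them (presumably the Vault or Puppet PKI profile the hiera change configures); on a host where those files are not yet on disk, nginx's config check fails and the vhost is left unconfigured, so a `require` on the producing class, or at least a comment stating that expectation, would help. Stylistically, the `'https'` and `'both'` branches differ only in `$listen_port`, so `$enable_ssl`, `$ssl_cert` and `$ssl_key` could be derived once from `$nginx_listen_mode != 'http'`, which removes the two `default:` stubs and keeps the `case` blocks from drifting apart. The `'vault'` paths are fixed while the `'puppet'` ones are fqdn-derived; a one-line comment on why `certificate.crt`/`private.key` are not per-host would save the next reader a question.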