diff --git a/roles/rabbitmq_cluster/templates/rabbitmq.config b/roles/rabbitmq_cluster/templates/rabbitmq.config
index 7f06159c86..7e11da9e25 100644
--- a/roles/rabbitmq_cluster/templates/rabbitmq.config
+++ b/roles/rabbitmq_cluster/templates/rabbitmq.config
@@ -1,6 +1,24 @@
 [
 {rabbit, [
+ %% We do not want plain TCP, only TLS
+ {tcp_listeners, []},
+ %% Here goes TLS
+ {ssl_listeners, [5671]},
+ {ssl_options, [{cacertfile, "/etc/rabbitmq/ca.crt"},
+ {certfile, "/etc/rabbitmq/node.crt"},
+ {keyfile, "/etc/rabbitmq/node.key"},
+ {verify, verify_peer},
+ {fail_if_no_peer_cert, true}]},
+ {auth_mechanisms, ['EXTERNAL']},
+
+ %% Here goes the cluster config
+ {cluster_nodes, {['rabbit@rabbitmq01{{env_suffix}}.phx2.fedoraproject.org',
+ 'rabbit@rabbitmq02{{env_suffix}}.phx2.fedoraproject.org'
+ 'rabbit@rabbitmq03{{env_suffix}}.phx2.fedoraproject.org'],
+ disc}},
+
+ %% And some general config
 {log_levels, [{connection, none}]},
 {default_user_tags, [administrator]},
 {heartbeat, 600},
@@ -11,6 +29,11 @@
 ]},
 {rabbitmq_management, [
+ {listener, [{port, 15672},
+ {ssl, true},
+ {ssl_opts, [{cacertfile, "/etc/rabbitmq/ca.crt"},
+ {certfile, "/etc/rabbitmq/node.crt"},
+ {keyfile, "/etc/rabbitmq/node.key"}]}]},
 ]},
 {rabbitmq_management_agent,
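Review bot: The `cluster_nodes` list in the first hunk has no comma after the `rabbit@rabbitmq02` atom. Erlang does not join adjacent quoted atoms, so the term file should fail to parse and the TLS-only listener settings added above it would never be loaded. The line should read `'rabbit@rabbitmq02{{env_suffix}}.phx2.fedoraproject.org',`. Separately, `{auth_mechanisms, ['EXTERNAL']}` only works when the `rabbitmq_auth_mechanism_ssl` plugin is enabled, and the certificate field used as the username is controlled by `ssl_cert_login_from`; neither is visible in this hunk, so confirm both are handled elsewhere in the role. The `{rabbit, [` list continues outside the hunk.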