diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 7c26bf8464..e2e9fc37f4 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -76,8 +76,8 @@
   - restart apache
 
 - name: copy ipsilon httpd config
-  copy: src=ipsilon-httpd.conf
-        dest=/etc/httpd/conf.d/ipsilon.conf
+  template: src=ipsilon-httpd.conf.j2
+            dest=/etc/httpd/conf.d/ipsilon.conf
 
 - name: Create Ipsilon config symlink
   file: dest=/var/lib/ipsilon/ipsilon.conf
diff --git a/roles/ipsilon/files/ipsilon-httpd.conf b/roles/ipsilon/templates/ipsilon-httpd.conf.j2
similarity index 89%
rename from roles/ipsilon/files/ipsilon-httpd.conf
rename to roles/ipsilon/templates/ipsilon-httpd.conf.j2
index 1f904fe704..338280197e 100644
--- a/roles/ipsilon/files/ipsilon-httpd.conf
+++ b/roles/ipsilon/templates/ipsilon-httpd.conf.j2
@@ -11,7 +11,11 @@ WSGIImportScript /usr/libexec/ipsilon process-group=ipsilon application-group=ip
 
 <Location /login/gssapi/negotiate>
     AuthName "GSSAPI Single Sign On Login"
+{% if env == "staging" %}
     GssapiCredStore keytab:/etc/krb5.HTTP_id.stg.fedoraproject.org.keytab
+{% else %}
+    GssapiCredStore keytab:/etc/krb5.HTTP_id.stg.fedoraproject.org.keytab
+{% endif %}
     AuthType GSSAPI
     # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
     GssapiSSLonly Off