diff --git a/roles/yubikey/files/yk-ksm.conf b/roles/yubikey/files/yk-ksm.conf
new file mode 100644
index 0000000000..9b8bd7fec0
--- /dev/null
+++ b/roles/yubikey/files/yk-ksm.conf
@@ -0,0 +1 @@
+Alias /yk-ksm /usr/share/ykksm/ykksm-decrypt.php
diff --git a/roles/yubikey/files/yk-val-proxy.conf b/roles/yubikey/files/yk-val-proxy.conf
new file mode 100644
index 0000000000..067dec4feb
--- /dev/null
+++ b/roles/yubikey/files/yk-val-proxy.conf
@@ -0,0 +1,5 @@
+# Expose ykval
+RewriteEngine On
+
+ProxyPass /yk-val/verify http://localhost:10004/yk-val/verify
+ProxyPassReverse /yk-val/verify http://localhost:10004/yk-val/verify
diff --git a/roles/yubikey/files/yk-val.conf b/roles/yubikey/files/yk-val.conf
new file mode 100644
index 0000000000..2dd4847337
--- /dev/null
+++ b/roles/yubikey/files/yk-val.conf
@@ -0,0 +1,2 @@
+Alias /yk-val/verify /usr/share/ykval/ykval-verify.php
+Alias /yk-val/sync /usr/share/ykval/ykval-sync.php
diff --git a/roles/yubikey/tasks/main.yml b/roles/yubikey/tasks/main.yml
new file mode 100644
index 0000000000..834f0307b1
--- /dev/null
+++ b/roles/yubikey/tasks/main.yml
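Review bot: The `Alias /yk-ksm` line publishes the KSM decrypt script on the shared vhost with no visible access restriction, while the only caller shown in this commit is the validation server itself via `http://localhost/yk-ksm` in ykval-config.php.erb. Unless that restriction lives in a file outside this commit, wrap the alias in a `<Location /yk-ksm>` block limited to loopback (`Require local` on httpd 2.4, or `Order deny,allow` plus `Allow from 127.0.0.1` on 2.2), because anything that can reach this path can ask the KSM to decrypt OTPs for every key it holds.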
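Review bot: `RewriteEngine On` is switched on but the file contains no `RewriteRule` or `RewriteCond`, so the line is dead; either drop it or add the rule it was meant to enable. The proxy target on port 10004 is loopback, so plain http there is acceptable, but note that nothing in tasks/main.yml installs this file, so as committed the proxy stanza is never deployed — presumably it belongs alongside the other conf.d copies.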
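Review bot: The second `Alias` exposes `/yk-val/sync` although `__YKVAL_ALLOWED_SYNC_POOL__` is left commented out in ykval-config.php.erb, so no peer is expected to call it. ykval-sync.php presumably refuses callers outside that pool, but if this deployment has no sync peers the alias is surface without a consumer; consider omitting it, or wrapping it in a `<Location /yk-val/sync>` block restricted to the peer addresses, until a pool is configured.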
@@ -0,0 +1,57 @@
+---
+# Tasks to set up yubikey_verifier
+
+- name: install needed packages
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - yubikey-ksm
+ - yubikey-val
+ - php-pgsql
+ tags:
+ - packages
+
+- name: enable httpd_can_network_connect selinux boolean
+ seboolean: name=httpd_can_network_connect state=yes persistent=yes
+ tags:
+ - config
+
+- name: install /etc/ykksm/ykksm-config.php
+ template: >
+ src="ykksm-config.php.j2"
+ dest="/etc/ykksm/ykksm-config.php"
+ owner=root
+ group=apache
+ mode=0640
+
+- name: install /etc/httpd/conf.d/yk-ksm.conf
+ copy: >
+ src=yk-ksm.conf
+ dest=/etc/httpd/conf.d/yk-ksm.conf
+
+- name: install /usr/share/ykksm/ykksm-config.php
+ copy: >
+ src=ykksm-config.php
+ dest=/usr/share/ykksm/ykksm-config.php
+
+- name: install /etc/ykval/ykval-config.php
+ template: >
+ src="ykval-config.php"
+ dest="/etc/ykval/ykval-config.php"
+ owner=root
+ group=apache
+ mode=0640
+
+- name: install /etc/httpd/conf.d/yk-val.conf
+ copy: >
+ src=yk-val.php
+ dest=/etc/httpd/conf.d/yk-val.conf
+
+- name: install /usr/share/ykval/ykval-config.php
+ copy: >
+ src=ykval-config.pyp
+ dest=/usr/share/ykval/ykval-config.php
+
+- name: install /etc/httpd/conf.d/admin.fedoraproject.org/yk-val.conf
+ copy: >
+ src=yk-val.conf
+ dest=/etc/httpd/conf.d/admin.fedoraproject.org/yk-val.conf
diff --git a/roles/yubikey/templates/ykksm-config.php.erb b/roles/yubikey/templates/ykksm-config.php.erb
new file mode 100644
index 0000000000..471bdf201c
--- /dev/null
+++ b/roles/yubikey/templates/ykksm-config.php.erb
@@ -0,0 +1,8 @@
+";
+$db_username = "ykksmreader";
+$db_password = "<%= ykksmreaderPassword %>";
+$db_options = array();
+$logfacility = LOG_LOCAL0;
+?>
+
diff --git a/roles/yubikey/templates/ykval-config.php.erb b/roles/yubikey/templates/ykval-config.php.erb
new file mode 100644
index 0000000000..ea8bfb0a69
--- /dev/null
+++ b/roles/yubikey/templates/ykval-config.php.erb
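Review bot: Two `copy:` sources in this hunk do not exist in the role: `src=yk-val.php` in the `/etc/httpd/conf.d/yk-val.conf` task should be `src=yk-val.conf` (the file this commit adds and the admin.fedoraproject.org task already uses), and `src=ykval-config.pyp` is presumably a typo for `src=ykval-config.php`. The two `template:` tasks point at `ykksm-config.php.j2` and `ykval-config.php`, but the files added under templates/ are `ykksm-config.php.erb` and `ykval-config.php.erb`, and they use ERB tags such as `<%= ykksmreaderPassword %>` that Ansible's Jinja2 template module will not render, so even with the names fixed the placeholders would be written into the config verbatim; rename them to `.j2`, convert the tags to the `{{ ykksmreaderPassword }}` form, and set `src=` accordingly. The yk-val-proxy.conf added in this commit is not installed by any task, and the conf.d copies carry no `owner`/`mode` unlike the two password-bearing templates — worth stating explicitly even though the defaults are usually acceptable.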
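Review bot: The template ends with `?>` followed by a blank line; PHP swallows only the single newline directly after `?>`, so the extra blank line is sent as output whenever ykksm-decrypt.php includes this config, which can break any header the script sets afterwards. Drop the closing `?>` and the trailing blank line — a file that is pure PHP needs no closing tag — and do the same for the `?>` at the end of ykval-config.php.erb. The top of this hunk is cut in the rendering here (the header announces 8 lines and the first assignment, presumably the DSN, survives only as the `+";` remnant), so that line could not be reviewed.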
@@ -0,0 +1,54 @@
+
+$baseParams['__YKVAL_DB_DSN__'] = "pgsql:dbname=ykval;host=db-fas01.stg";
+<% else %>
+$baseParams['__YKVAL_DB_DSN__'] = "pgsql:dbname=ykval;host=db-ykval";
+<% end %>
+$baseParams['__YKVAL_DB_USER__'] = 'ykval_verifier';
+$baseParams['__YKVAL_DB_PW__'] = '<%= ykvalDBPassword %>';
+$baseParams['__YKVAL_DB_OPTIONS__'] = array();
+
+# For the validation server sync
+#$baseParams['__YKVAL_SYNC_POOL__'] = array("http://api2.example.com/wsapi/2.0/sync",
+# "http://api3.example.com/wsapi/2.0/sync",
+# "http://api4.example.com/wsapi/2.0/sync");
+# An array of IP addresses allowed to issue sync requests
+# NOTE: You must use IP addresses here.
+#$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("1.2.3.4",
+# "2.3.4.5",
+# "3.4.5.6");
+
+# Specify how often the sync daemon awakens
+$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
+# Specify how long the sync daemon will wait for response
+$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
+# Specify how old entries in the database should be considered aborted attempts
+$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;
+
+# These are settings for the validation server.
+$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
+$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
+$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
+$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
+
+// otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
+// CLIENT. The URLs must be fully qualified, i.e., contain the OTP
+// itself.
+function otp2ksmurls ($otp, $client) {
+ if ($client == 42) {
+ return array("http://another-ykkms.example.com/wsapi/decrypt?otp=$otp");
+ }
+
+ if (preg_match ("/^dteffujehknh/", $otp)) {
+ return array("http://different-ykkms.example.com/wsapi/decrypt?otp=$otp");
+ }
+
+ return array(
+ "http://localhost/yk-ksm?otp=$otp",
+ );
+}
+
+?>
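Review bot: `otp2ksmurls` still carries the two example branches from the upstream sample config: OTPs for `$client == 42` and OTPs whose public id starts with `dteffujehknh` are sent for decryption to `another-ykkms.example.com` and `different-ykkms.example.com` over plain http, hosts that do not exist in this deployment, so validation for those inputs fails outright — or, should such a name ever resolve, the OTP leaves the box. Reduce the function to its last statement, `return array("http://localhost/yk-ksm?otp=$otp");`, unless a second KSM is really intended, in which case name it through a template variable rather than an example domain. The opening of the DSN conditional (presumably an `<% if %>` tag) is lost in this rendering, so the staging/production split could only be checked from the `<% else %>` and `<% end %>` lines. As with ykksm-config.php.erb, the trailing `?>` can be removed.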