diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 86e80f4..1c07c3c 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -104,6 +104,12 @@ modules:
   }
 ]
+ldap_domain = node['kosmos-dirsrv']['master_hostname']
+ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
+ldap_base = "cn=users,dc=kosmos,dc=org"
+
+admin_users = ejabberd_credentials['admins']
+
 hosts.each do |host|
   postgresql_database host[:sql_database] do
     owner 'ejabberd'
@@ -116,14 +122,21 @@ hosts.each do |host|
     command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"
     action :nothing
   end
+
+  template "/opt/ejabberd/conf/#{host[:name]}.yml" do
+    source "vhost.yml.erb"
+    mode 0640
+    owner 'ejabberd'
+    group 'ejabberd'
+    sensitive true
+    variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
+              host: host,
+              ldap_base: ldap_base,
+              ldap_server: ldap_domain,
+              ldap_encryption_type: ldap_encryption_type
+  end
 end
-ldap_domain = node['kosmos-dirsrv']['master_hostname']
-ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
-ldap_base = "cn=users,dc=kosmos,dc=org"
-
-admin_users = ejabberd_credentials['admins']
-
 template "/opt/ejabberd/conf/ejabberd.yml" do
   source "ejabberd.yml.erb"
   mode 0640
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index a8c37e9..a78f3a1 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
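Review bot: The new per-host `template "/opt/ejabberd/conf/#{host[:name]}.yml"` resource has no `notifies`, so a changed SQL or LDAP password in a vhost file is written to disk but ejabberd is never told to reload it; if the `ejabberd.yml` template further down carries a `notifies` to the ejabberd service (that line is outside the hunk), the vhost template needs the same one. The enclosing `hosts.each do |host|` block starts in the previous hunk. Separately, the context line `command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"` has a stray `}` after the interpolation that reaches psql as part of the database name; `command "psql #{host[:sql_database]} < #{Chef::Config[:file_cache_path]}/pg.sql"` is what is intended.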
@@ -6,40 +6,10 @@ log_rotate_count: 1
 log_rate_limit: 100
-hosts:
 <% @hosts.each do |host| -%>
-  - "<%= host[:name] %>"
+include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml"
 <% end -%>
-host_config:
-<% @hosts.each do |host| -%>
-  "<%= host[:name] %>":
-    sql_type: pgsql
-    sql_server: "localhost"
-    sql_database: "<%= host[:sql_database] %>"
-    sql_username: "ejabberd"
-    sql_password: "<%= @pgsql_password %>"
-    <% if host[:ldap_enabled] -%>
-    auth_method: ldap
-    ldap_servers: ["<%= @ldap_server %>"]
-    ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>"
-    ldap_password: "<%= host[:ldap_password] %>"
-    ldap_encrypt: <%= @ldap_encryption_type %>
-    ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
-    ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>"
-    ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)"
-    <% end -%>
-<% end -%>
-
-<% if @hosts.any? { |host| File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") } -%>
-certfiles:
-<% @hosts.each do |host| -%>
-  <% if File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") -%>
-  - "/opt/ejabberd/conf/<%= host[:name] %>.crt"
-  - "/opt/ejabberd/conf/<%= host[:name] %>.key"
-  <% end -%>
-<% end -%>
-<% end -%>
 ca_file: "/opt/ejabberd/conf/cacert.pem"
 define_macro:
@@ -248,12 +218,6 @@ modules:
   mod_s2s_dialback: {}
   mod_http_api: {}
-append_host_config:
-<% @hosts.each do |host| -%>
-  "<%= host[:name] %>":
-    <%= host[:append_host_config].chomp %>
-<% end -%>
-
 allow_contrib_modules: true
 ### Local Variables:
diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
new file mode 100644
index 0000000..616d71e
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
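Review bot: The added `include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml"` sits inside the `<% @hosts.each do |host| -%>` loop, so with two or more hosts the rendered ejabberd.yml contains the same top-level key repeatedly; a YAML loader keeps only one of the duplicates or rejects the document, so at most one vhost file would be included and the other hosts silently lose their `host_config` and credentials. Emit the key once, above the loop, as `include_config_file:` and inside the loop the list item `  - "/opt/ejabberd/conf/<%= host[:name] %>.yml"`, which is the list form ejabberd accepts for this option. A one-line comment above it such as `# one included file per vhost, rendered from vhost.yml.erb` would also make the new layout clear to the next reader.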
@@ -0,0 +1,31 @@
+# Generated by Chef for <%= @host[:name] %>
+hosts:
+  - "<%= @host[:name] %>"
+
+<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
+certfiles:
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
+<% end -%>
+host_config:
+  "<%= @host[:name] %>":
+    sql_type: pgsql
+    sql_server: "localhost"
+    sql_database: "<%= @host[:sql_database] %>"
+    sql_username: "ejabberd"
+    sql_password: "<%= @pgsql_password %>"
+    <% if @host[:ldap_enabled] -%>
+    auth_method: ldap
+    ldap_servers: ["<%= @ldap_server %>"]
+    ldap_rootdn: "cn=xmpp,ou=<%= @host[:name] %>,<%= @ldap_base %>"
+    ldap_password: "<%= @host[:ldap_password] %>"
+    ldap_encrypt: <%= @ldap_encryption_type %>
+    ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
+    ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
+    ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= @host[:name] %>,<%= @ldap_base %>)"
+    <% end -%>
+
+append_host_config:
+  "<%= @host[:name] %>":
+    <%= @host[:append_host_config].chomp %>
+
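Review bot: `<%= @host[:append_host_config].chomp %>` raises NoMethodError at render time for any host whose data has no `append_host_config` entry, and the `append_host_config:` mapping is emitted even when there is nothing to append; wrapping the block in `<% if @host[:append_host_config] -%>` … `<% end -%>` keeps the vhost file rendering for such hosts. The `certfiles` test with `File.exist?` runs when Chef renders the template, so a certificate written later in the same run would presumably only be picked up on the next run — worth a comment if that is intended. Since this file now carries the SQL and LDAP passwords on its own, a header comment stating that it is included from ejabberd.yml via `include_config_file` and relies on the 0640 mode set by the recipe, e.g. `# Included from ejabberd.yml; contains per-vhost credentials, keep mode 0640`, would document why it must not be copied or loosened.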