authorNick Bebout <nb@batcave01.phx2.fedoraproject.org>2017-05-02 18:08:45 +0000
committerNick Bebout <nb@batcave01.phx2.fedoraproject.org>2017-05-02 18:08:45 +0000
commit30d3002882b455170f599838c36ccdcc518680f9 (patch)
tree8125176c4eefa8b4d4ce8aea5c5bad6474b38884
parente09d02cc5f9ef00d4c1c3c5bdbc61ebbadc752d5 (diff)
parent40f69265d7943ccd0e61c4bb52de02e165dd7880 (diff)
Merge branch 'master' of /git/ansible
-rw-r--r--inventory/builders3
-rw-r--r--inventory/group_vars/nagios-new1
-rw-r--r--inventory/group_vars/taskotron-prod1
-rw-r--r--inventory/host_vars/artboard.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org2
-rw-r--r--inventory/host_vars/communityblog.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/copr-dist-git.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org2
-rw-r--r--inventory/host_vars/copr-fe.cloud.fedoraproject.org2
-rw-r--r--inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org2
-rw-r--r--inventory/host_vars/darkserver-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/developer.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/dopr-dev.cloud.fedoraproject.org4
-rw-r--r--inventory/host_vars/eclipse.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/faitout.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/fas2-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/fas3-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/fedimg-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/fedora-bootstrap.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/glittergallery-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/graphite.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/hubs-dev.fedorainfracloud.org18
-rw-r--r--inventory/host_vars/iddev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/insim.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/java-deptools.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/lists-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/magazine.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/modernpaste.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/modularity.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/piwik.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/qadevel.cloud.fedoraproject.org2
-rw-r--r--inventory/host_vars/regcfp.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/respins.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/shumgrepper-dev.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/taiga.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/taigastg.fedorainfracloud.org2
-rw-r--r--inventory/host_vars/testdays.fedorainfracloud.org2
-rw-r--r--inventory/inventory16
-rw-r--r--master.yml1
-rw-r--r--playbooks/groups/noc-new.yml7
-rw-r--r--playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml (renamed from playbooks/hosts/fedora-hubs-dev.yml)31
-rw-r--r--playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml4
-rw-r--r--roles/batcave/files/fedmsg-announce-commits.py19
-rw-r--r--roles/bodhi2/backend/tasks/main.yml5
-rwxr-xr-xroles/git/hooks/files/post-receive-fedmsg18
-rw-r--r--roles/koji_hub/templates/hub.conf.j27
-rw-r--r--roles/koschei/backend/templates/config-backend.cfg.j22
-rw-r--r--roles/nagios_server/files/nagios/services/disk.cfg7
-rw-r--r--roles/nagios_server/files/nagios/services/hosted.cfg3
-rw-r--r--roles/nagios_server/files/nagios/services/swap.cfg4
-rw-r--r--roles/nagios_server/files/nagios/services/websites.cfg2
-rw-r--r--roles/nagios_server/files/nrpe/nrpe.cfg1
-rw-r--r--roles/nagios_server/tasks/main.yml3
-rw-r--r--roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j26
-rw-r--r--roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j22
-rw-r--r--roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j26
-rw-r--r--roles/nginx/README.md72
-rw-r--r--roles/nginx/defaults/main.yml18
-rw-r--r--roles/nginx/files/etc/logrotate.d/nginx13
-rw-r--r--roles/nginx/files/etc/nginx/conf.d/default.conf44
-rw-r--r--roles/nginx/handlers/main.yml5
-rw-r--r--roles/nginx/tasks/main.yml5
-rw-r--r--roles/nginx/tasks/nginx.yml33
-rw-r--r--roles/nginx/tasks/ssl-setup.yml45
-rw-r--r--roles/nginx/templates/etc/nginx/nginx.conf.j250
-rw-r--r--roles/nginx/templates/example_ssl.conf.229
-rw-r--r--roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j22
-rw-r--r--roles/waiverdb/defaults/main.yml6
-rw-r--r--roles/waiverdb/files/pg/pg_hba.conf29
-rw-r--r--roles/waiverdb/handlers/main.yml10
-rw-r--r--roles/waiverdb/tasks/main.yml49
-rw-r--r--roles/waiverdb/tasks/psql_setup.yml63
-rw-r--r--roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j239
-rw-r--r--roles/waiverdb/templates/etc/waiverdb/client_secrets.json11
-rw-r--r--roles/waiverdb/templates/etc/waiverdb/settings.py.j22
76 files changed, 663 insertions, 99 deletions
diff --git a/inventory/builders b/inventory/builders
index dd001d6fd..21a661d31 100644
--- a/inventory/builders
+++ b/inventory/builders
@@ -243,7 +243,8 @@ buildppcle-04.ppc.fedoraproject.org
[buildaarch64]
aarch64-02a.arm.fedoraproject.org
-aarch64-03a.arm.fedoraproject.org
+# Marked DEAD in pdu
+#aarch64-03a.arm.fedoraproject.org
aarch64-04a.arm.fedoraproject.org
aarch64-05a.arm.fedoraproject.org
aarch64-06a.arm.fedoraproject.org
diff --git a/inventory/group_vars/nagios-new b/inventory/group_vars/nagios-new
index 1927a4a32..352a805e3 100644
--- a/inventory/group_vars/nagios-new
+++ b/inventory/group_vars/nagios-new
@@ -149,7 +149,6 @@ phx2_management_limited:
- rack47-pdu-b.mgmt.fedoraproject.org
- rack47-serial.mgmt.fedoraproject.org
- rack48-pdu-a.mgmt.fedoraproject.org
- - rack48-pdu-b.mgmt.fedoraproject.org
- rack48-serial.mgmt.fedoraproject.org
- rack51-pdu-a.mgmt.fedoraproject.org
- rack51-pdu-b.mgmt.fedoraproject.org
diff --git a/inventory/group_vars/taskotron-prod b/inventory/group_vars/taskotron-prod
index 44d747c90..4dd26ed75 100644
--- a/inventory/group_vars/taskotron-prod
+++ b/inventory/group_vars/taskotron-prod
@@ -27,6 +27,7 @@ grokmirror_repos:
- { name: fedoraqa/check_modulemd, url: 'https://github.com/fedora-modularity/check_modulemd'}
- { name: fedoraqa/upstream-atomic, url: 'https://pagure.io/taskotron/task-upstream-atomic.git'}
- { name: fedoraqa/fedora-cloud-tests, url: 'https://pagure.io/taskotron/task-fedora-cloud-tests.git'}
+ - { name: fedoraqa/modularity-testing-framework, url: 'https://pagure.io/taskotron/task-modularity-testing-framework.git'}
grokmirror_user: grokmirror
grokmirror_default_branch: master
diff --git a/inventory/host_vars/artboard.fedorainfracloud.org b/inventory/host_vars/artboard.fedorainfracloud.org
index ab6185b26..8972746f0 100644
--- a/inventory/host_vars/artboard.fedorainfracloud.org
+++ b/inventory/host_vars/artboard.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
ansible_ifcfg_blacklist: true
diff --git a/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org b/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org
index cbfb1aa9d..b62c5b16e 100644
--- a/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/blockerbugs-dev.cloud.fedoraproject.org
@@ -2,7 +2,7 @@
instance_type: m1.medium
image: "{{ el6_qcow_id }}"
keypair: fedora-admin
-security_group: webserver
+security_group: webserver,all-icmp-persistent,default
zone: nova
hostbase: blockerbugs-dev-
public_ip: 209.132.184.200
diff --git a/inventory/host_vars/communityblog.fedorainfracloud.org b/inventory/host_vars/communityblog.fedorainfracloud.org
index 3e67089d1..0217ac74b 100644
--- a/inventory/host_vars/communityblog.fedorainfracloud.org
+++ b/inventory/host_vars/communityblog.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org b/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org
index 8f1873566..67d46a42f 100644
--- a/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git-dev.fedorainfracloud.org
@@ -3,7 +3,7 @@ instance_type: ms1.small
image: "{{ fedora25_x86_64 }}"
#image: rhel7-20141015
keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-dist-git-dev-
public_ip: 209.132.184.179
diff --git a/inventory/host_vars/copr-dist-git.fedorainfracloud.org b/inventory/host_vars/copr-dist-git.fedorainfracloud.org
index 835f87c50..91a9e2aa3 100644
--- a/inventory/host_vars/copr-dist-git.fedorainfracloud.org
+++ b/inventory/host_vars/copr-dist-git.fedorainfracloud.org
@@ -2,7 +2,7 @@
instance_type: ms1.medium.bigswap
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-dist-git-
public_ip: 209.132.184.163
diff --git a/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org b/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org
index c6d1f6c81..bb357250d 100644
--- a/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe-dev.cloud.fedoraproject.org
@@ -2,7 +2,7 @@
instance_type: m1.medium
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-fe-dev-
public_ip: 209.132.184.55
diff --git a/inventory/host_vars/copr-fe.cloud.fedoraproject.org b/inventory/host_vars/copr-fe.cloud.fedoraproject.org
index a971d08b6..f7f30c1fd 100644
--- a/inventory/host_vars/copr-fe.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-fe.cloud.fedoraproject.org
@@ -5,7 +5,7 @@ base_pkgs_erase: ['PackageKit*', 'sendmail', 'at']
instance_type: ms1.medium
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
zone: nova
hostbase: copr-fe-
public_ip: 209.132.184.54
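Review bot: The `security_group` line for copr-fe gains `allow-nagios-persistent`, while every other host_vars hunk in this commit appends `all-icmp-persistent`. The copr-keygen-dev hunk does the reverse and replaces `allow-nagios-persistent` with `all-icmp-persistent`. If the intent was to add the ICMP group everywhere, the two hosts look swapped: copr-fe ends up without it and copr-keygen-dev loses a group it previously had. The group definitions are not visible here, so this needs confirming; if both groups are wanted, end both lines with `default,allow-nagios-persistent,all-icmp-persistent`.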
diff --git a/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org b/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org
index 59e4c4db8..4cabdbe2b 100644
--- a/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-keygen-dev.cloud.fedoraproject.org
@@ -3,7 +3,7 @@ instance_type: ms1.small
image: "{{ fedora25_x86_64 }}"
keypair: fedora-admin-20130801
# todo: remove some security groups ?
-security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,allow-nagios-persistent
+security_group: web-80-anywhere-persistent,web-443-anywhere-persistent,ssh-anywhere-persistent,default,all-icmp-persistent
zone: nova
hostbase: copr-keygen-dev-
public_ip: 209.132.184.46
diff --git a/inventory/host_vars/darkserver-dev.fedorainfracloud.org b/inventory/host_vars/darkserver-dev.fedorainfracloud.org
index cad5fcbe6..00a392f85 100644
--- a/inventory/host_vars/darkserver-dev.fedorainfracloud.org
+++ b/inventory/host_vars/darkserver-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/developer.fedorainfracloud.org b/inventory/host_vars/developer.fedorainfracloud.org
index 4884fc620..aeac2e7ed 100644
--- a/inventory/host_vars/developer.fedorainfracloud.org
+++ b/inventory/host_vars/developer.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/dopr-dev.cloud.fedoraproject.org b/inventory/host_vars/dopr-dev.cloud.fedoraproject.org
deleted file mode 100644
index 145b8b9e6..000000000
--- a/inventory/host_vars/dopr-dev.cloud.fedoraproject.org
+++ /dev/null
@@ -1,4 +0,0 @@
----
-resolvconf: "resolv.conf/cloud"
-tcp_ports: [80, 443]
-freezes: false
diff --git a/inventory/host_vars/eclipse.fedorainfracloud.org b/inventory/host_vars/eclipse.fedorainfracloud.org
index 969ae5e6f..7ffc7ff6c 100644
--- a/inventory/host_vars/eclipse.fedorainfracloud.org
+++ b/inventory/host_vars/eclipse.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/faitout.fedorainfracloud.org b/inventory/host_vars/faitout.fedorainfracloud.org
index 51e6966c5..1f4e273b4 100644
--- a/inventory/host_vars/faitout.fedorainfracloud.org
+++ b/inventory/host_vars/faitout.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,pg-5432-anywhere,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443, 5432]
diff --git a/inventory/host_vars/fas2-dev.fedorainfracloud.org b/inventory/host_vars/fas2-dev.fedorainfracloud.org
index 6fb39f88b..f3be911bc 100644
--- a/inventory/host_vars/fas2-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fas2-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ centos66_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/fas3-dev.fedorainfracloud.org b/inventory/host_vars/fas3-dev.fedorainfracloud.org
index d19aa4989..b15a4a265 100644
--- a/inventory/host_vars/fas3-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fas3-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/fedimg-dev.fedorainfracloud.org b/inventory/host_vars/fedimg-dev.fedorainfracloud.org
index cc2628eab..a3597d0b5 100644
--- a/inventory/host_vars/fedimg-dev.fedorainfracloud.org
+++ b/inventory/host_vars/fedimg-dev.fedorainfracloud.org
@@ -1,7 +1,7 @@
instance_type: m1.medium
image: rhel7-20141015
keypair: fedora-admin-20130801
-security_group: default,ssh-anywhere-persistent
+security_group: default,ssh-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org b/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org
index e8cbf375d..42d6abe4c 100644
--- a/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org
+++ b/inventory/host_vars/fedora-bootstrap.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: Fedora-Cloud-Base-23.x86_64-python2
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/glittergallery-dev.fedorainfracloud.org b/inventory/host_vars/glittergallery-dev.fedorainfracloud.org
index ecb50aba3..17a52264e 100644
--- a/inventory/host_vars/glittergallery-dev.fedorainfracloud.org
+++ b/inventory/host_vars/glittergallery-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/graphite.fedorainfracloud.org b/inventory/host_vars/graphite.fedorainfracloud.org
index 1bef1d3ea..fe4636c63 100644
--- a/inventory/host_vars/graphite.fedorainfracloud.org
+++ b/inventory/host_vars/graphite.fedorainfracloud.org
@@ -1,7 +1,7 @@
instance_type: m1.large
image: "{{ fedora23_x86_64 }}"
keypair: fedora-admin-20130801
-security_group: default,wide-open-persistent
+security_group: default,wide-open-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
custom_rules:
diff --git a/inventory/host_vars/hubs-dev.fedorainfracloud.org b/inventory/host_vars/hubs-dev.fedorainfracloud.org
new file mode 100644
index 000000000..909cdd760
--- /dev/null
+++ b/inventory/host_vars/hubs-dev.fedorainfracloud.org
@@ -0,0 +1,18 @@
+---
+image: "{{ fedora25_x86_64 }}"
+instance_type: m1.medium
+keypair: fedora-admin-20130801
+security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent,all-icmp-persistent
+zone: nova
+tcp_ports: [22, 80, 443]
+
+inventory_tenant: persistent
+inventory_instance_name: hubs-dev
+hostbase: hubs-dev
+public_ip: 209.132.184.47
+root_auth_users: sayan
+description: hubs development instance
+
+cloud_networks:
+ # persistent-net
+ - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
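Review bot: `all-icmp-persistent` is listed twice in `security_group`, as the second and the last entry. Whether the provisioning task tolerates or rejects a duplicate group is not visible from this diff, so dropping one avoids the question: `security_group: ssh-anywhere-persistent,all-icmp-persistent,default,web-80-anywhere-persistent,web-443-anywhere-persistent`. A short comment above `root_auth_users: sayan` naming the owning team or ticket, as the inventory does for waiverdb-dev (`ticket 6009`), would also help later access reviews.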
diff --git a/inventory/host_vars/iddev.fedorainfracloud.org b/inventory/host_vars/iddev.fedorainfracloud.org
index 8ac1fdf53..e729e61af 100644
--- a/inventory/host_vars/iddev.fedorainfracloud.org
+++ b/inventory/host_vars/iddev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
ansible_ifcfg_blacklist: true
diff --git a/inventory/host_vars/insim.fedorainfracloud.org b/inventory/host_vars/insim.fedorainfracloud.org
index f689bd0b5..572091026 100644
--- a/inventory/host_vars/insim.fedorainfracloud.org
+++ b/inventory/host_vars/insim.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/java-deptools.fedorainfracloud.org b/inventory/host_vars/java-deptools.fedorainfracloud.org
index 7d06d29a9..00c32c049 100644
--- a/inventory/host_vars/java-deptools.fedorainfracloud.org
+++ b/inventory/host_vars/java-deptools.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora24_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/lists-dev.fedorainfracloud.org b/inventory/host_vars/lists-dev.fedorainfracloud.org
index 906c4f906..2ea58b343 100644
--- a/inventory/host_vars/lists-dev.fedorainfracloud.org
+++ b/inventory/host_vars/lists-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,web-443-anywhere-persistent,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/magazine.fedorainfracloud.org b/inventory/host_vars/magazine.fedorainfracloud.org
index 9c20a7654..cb5a73ae0 100644
--- a/inventory/host_vars/magazine.fedorainfracloud.org
+++ b/inventory/host_vars/magazine.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,allow-nagios-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/modernpaste.fedorainfracloud.org b/inventory/host_vars/modernpaste.fedorainfracloud.org
index 0f8f4b8b7..bcddcaf05 100644
--- a/inventory/host_vars/modernpaste.fedorainfracloud.org
+++ b/inventory/host_vars/modernpaste.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/modularity.fedorainfracloud.org b/inventory/host_vars/modularity.fedorainfracloud.org
index fb9e5f380..6f8d3a3c3 100644
--- a/inventory/host_vars/modularity.fedorainfracloud.org
+++ b/inventory/host_vars/modularity.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "Fedora-Cloud-Base-24 (Final)"
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: modularity,ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/piwik.fedorainfracloud.org b/inventory/host_vars/piwik.fedorainfracloud.org
index f3b14e3f7..55ac47f0e 100644
--- a/inventory/host_vars/piwik.fedorainfracloud.org
+++ b/inventory/host_vars/piwik.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora24_x86_64 }}"
instance_type: m1.large
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/qadevel.cloud.fedoraproject.org b/inventory/host_vars/qadevel.cloud.fedoraproject.org
deleted file mode 100644
index 6bf9e9dad..000000000
--- a/inventory/host_vars/qadevel.cloud.fedoraproject.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-host_backup_targets: ['/var/lib/phabricator/files', '/srv/backup']
diff --git a/inventory/host_vars/regcfp.fedorainfracloud.org b/inventory/host_vars/regcfp.fedorainfracloud.org
index cf8c74bf0..bc4e4e738 100644
--- a/inventory/host_vars/regcfp.fedorainfracloud.org
+++ b/inventory/host_vars/regcfp.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/respins.fedorainfracloud.org b/inventory/host_vars/respins.fedorainfracloud.org
index 14b207c8a..18cd44304 100644
--- a/inventory/host_vars/respins.fedorainfracloud.org
+++ b/inventory/host_vars/respins.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: wide-open-persistent,default
+security_group: wide-open-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 6969]
diff --git a/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org b/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org
index 6cc2116e3..c9cfeb281 100644
--- a/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org
+++ b/inventory/host_vars/shumgrepper-dev.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: rhel7-20141015
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/taiga.fedorainfracloud.org b/inventory/host_vars/taiga.fedorainfracloud.org
index 1b4716a3a..4748024d6 100644
--- a/inventory/host_vars/taiga.fedorainfracloud.org
+++ b/inventory/host_vars/taiga.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora25_x86_64 }}"
instance_type: m1.medium
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/taigastg.fedorainfracloud.org b/inventory/host_vars/taigastg.fedorainfracloud.org
index b4232f671..bdadd96ed 100644
--- a/inventory/host_vars/taigastg.fedorainfracloud.org
+++ b/inventory/host_vars/taigastg.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: "{{ fedora23_x86_64 }}"
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/host_vars/testdays.fedorainfracloud.org b/inventory/host_vars/testdays.fedorainfracloud.org
index 88cf72146..b5fa08542 100644
--- a/inventory/host_vars/testdays.fedorainfracloud.org
+++ b/inventory/host_vars/testdays.fedorainfracloud.org
@@ -2,7 +2,7 @@
image: 'rhel7-20141015'
instance_type: m1.small
keypair: fedora-admin-20130801
-security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default
+security_group: ssh-anywhere-persistent,web-80-anywhere-persistent,web-443-anywhere-persistent,default,all-icmp-persistent
zone: nova
tcp_ports: [22, 80, 443]
diff --git a/inventory/inventory b/inventory/inventory
index 047f87852..cf74f6c35 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -139,7 +139,7 @@ osuosl01.fedoraproject.org
osuosl02.fedoraproject.org
osuosl03.fedoraproject.org
tummy01.fedoraproject.org
-virthost-rdu01.fedoraproject.org
+#virthost-rdu01.fedoraproject.org
virthost-cc-rdu01.fedoraproject.org
[datagrepper]
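Review bot: `virthost-rdu01.fedoraproject.org` is commented out here, and `proxy13.fedoraproject.org` in the `@@ -634,7 +631,7 @@` hunk, with no reason given, unlike the `# Marked DEAD in pdu` note added in inventory/builders. A one-line comment above each, for example `# <reason or ticket>: temporarily out of rotation`, would tell the next reader whether the host is retired or expected back. The same goes for re-enabling `autosign01.phx2.fedoraproject.org` in the `[autosign]` hunk, since that puts the host back under playbook control.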
@@ -269,7 +269,7 @@ autocloud-backend01.stg.phx2.fedoraproject.org
autocloud-backend02.stg.phx2.fedoraproject.org
[autosign]
-#autosign01.phx2.fedoraproject.org
+autosign01.phx2.fedoraproject.org
[autosign-stg]
autosign01.stg.phx2.fedoraproject.org
@@ -367,9 +367,6 @@ fas01.stg.phx2.fedoraproject.org
[fas3-stg]
fas3-01.stg.phx2.fedoraproject.org
-[hosted]
-hosted03.fedoraproject.org
-
[hotness]
hotness01.phx2.fedoraproject.org
@@ -634,7 +631,7 @@ proxy09.fedoraproject.org
proxy10.phx2.fedoraproject.org
proxy11.fedoraproject.org
proxy12.fedoraproject.org
-proxy13.fedoraproject.org
+#proxy13.fedoraproject.org
proxy14.fedoraproject.org
[proxies-stg]
@@ -1092,10 +1089,6 @@ pdc-backend03.stg.phx2.fedoraproject.org
[piwik-stg]
#piwik01.stg.phx2.fedoraproject.org
-[transient-cloud]
-# fedora-hubs-dev
-209.132.184.98
-
[persistent-cloud]
# artboard instance
artboard.fedorainfracloud.org
@@ -1160,6 +1153,8 @@ kolinahr.fedorainfracloud.org
respins.fedorainfracloud.org
# waiverdb-dev - ticket 6009
waiverdb-dev.fedorainfracloud.org
+# hubs-dev
+hubs-dev.fedorainfracloud.org
#
# These are in the new cloud
@@ -1209,7 +1204,6 @@ dns
bastion
backup
infracore
-hosted
smtp-mm
memcached
virthost
diff --git a/master.yml b/master.yml
index a468f6447..27bb7e765 100644
--- a/master.yml
+++ b/master.yml
@@ -142,6 +142,7 @@
- include: /srv/web/infra/ansible/playbooks/hosts/glittergallery-dev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/grafana.cloud.fedoraproject.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/graphite.fedorainfracloud.org.yml
+- include: /srv/web/infra/ansible/playbooks/hosts/hubs-dev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/iddev.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
- include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml
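Review bot: The include added here points at `playbooks/hosts/hubs-dev.fedorainfracloud.org.yml`, but the rename in this same commit creates `playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml` (note `infroacloud`). As far as this diff shows, the included path does not exist, so loading master.yml would fail on this line. Renaming the playbook file to `hubs-dev.fedorainfracloud.org.yml` fixes it and leaves this line as written.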
diff --git a/playbooks/groups/noc-new.yml b/playbooks/groups/noc-new.yml
index 7d65dc01e..894a4c203 100644
--- a/playbooks/groups/noc-new.yml
+++ b/playbooks/groups/noc-new.yml
@@ -58,3 +58,10 @@
- { role: tftp_server, when: datacenter == 'phx2' }
- nagios_server
- fedmsg/base
+
+ tasks:
+ - name: install some packages which arent in playbooks
+ yum: pkg={{ item }} state=present
+ with_items:
+ - nmap
+ - tcpdump
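Review bot: The new task installs `nmap` and `tcpdump` on the hosts that run `nagios_server`, with nothing recording why they are needed. A monitoring host can usually reach much of the network it watches, so scanning and capture tools there are worth justifying for later audits. A comment above the task such as `# needed for <check or runbook>; remove when no longer used` would cover that. The task name also has a typo (`arent`), and the loop can be a single call, `yum: pkg=nmap,tcpdump state=present`.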
diff --git a/playbooks/hosts/fedora-hubs-dev.yml b/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml
index 73c0839ec..099bae914 100644
--- a/playbooks/hosts/fedora-hubs-dev.yml
+++ b/playbooks/hosts/hubs-dev.fedorainfroacloud.org.yml
@@ -1,16 +1,33 @@
-- name: provision instance
- hosts: 209.132.184.98 # this is transient.. so may change if we destroy it.
- user: root
- gather_facts: True
+- name: check/create instance
+ hosts: hubs-dev.fedorainfracloud.org
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/web/infra/ansible/vars/fedora-cloud.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ tasks:
+ - include: "{{ tasks_path }}/persistent_cloud.yml"
+
+- name: setup all the things
+ hosts: hubs-dev.fedorainfracloud.org
+ gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ pre_tasks:
+ - include: "{{ tasks_path }}/cloud_setup_basic.yml"
+ - name: set hostname (required by some services, at least postfix need it)
+ hostname: name="{{inventory_hostname}}"
+
tasks:
- include: "{{ tasks_path }}/yumrepos.yml"
- - yum: name={{item}} state=present
+ - dnf: name={{item}} state=present
with_items:
- git
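Review bot: The second play ("setup all the things") now loads `/srv/private/ansible/files/openstack/passwords.yml`, yet the tasks visible in this hunk (hostname, yumrepos, package install) do not obviously need OpenStack credentials. Only the first play's `persistent_cloud.yml` include clearly does. If `cloud_setup_basic.yml` does not read them, dropping that `vars_files` entry from the second play keeps the cloud passwords out of scope for tasks that run against the guest. The play continues outside this hunk, so check the remaining tasks before removing it.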
@@ -42,7 +59,7 @@
- src: /srv/git/fedora-hubs/systemd/hubs-webapp.service
dest: /usr/lib/systemd/system/hubs-webapp.service
remote_src: True
- - yum: name={{item}} state=present
+ - dnf: name={{item}} state=present
with_items:
- htop
- tmux
diff --git a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
index 9838e189d..dae7fedfc 100644
--- a/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/waiverdb-dev.fedorainfracloud.org.yml
@@ -24,3 +24,7 @@
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
hostname: name="{{inventory_hostname}}"
+
+ roles:
+ - nginx
+ - waiverdb
diff --git a/roles/batcave/files/fedmsg-announce-commits.py b/roles/batcave/files/fedmsg-announce-commits.py
index 70fa95f10..b0fdd6609 100644
--- a/roles/batcave/files/fedmsg-announce-commits.py
+++ b/roles/batcave/files/fedmsg-announce-commits.py
@@ -49,10 +49,21 @@ def build_stats(commit):
for diff in diffs:
for patch in diff:
- path = patch.new_file_path
- files[path]['additions'] += patch.additions
- files[path]['deletions'] += patch.deletions
- files[path]['lines'] += patch.additions + patch.deletions
+ if hasattr(patch, 'new_file_path'):
+ path = patch.new_file_path
+ else:
+ path = patch.delta.new_file.path
+
+ if hasattr(patch, 'additions'):
+ files[path]['additions'] += patch.additions
+ files[path]['deletions'] += patch.deletions
+ files[path]['lines'] += patch.additions + patch.deletions
+ else:
+ files[path]['additions'] += patch.line_stats[1]
+ files[path]['deletions'] += patch.line_stats[2]
+ files[path]['lines'] += patch.line_stats[1] \
+ + patch.line_stats[2]
+
total = defaultdict(int)
for name, stats in files.items():
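Review bot: The two `hasattr` branches in the patch loop have no comment saying which pygit2 API each one targets, and the `line_stats[1]` / `line_stats[2]` indices are unexplained. A comment such as `# newer pygit2: use Patch.delta and Patch.line_stats == (context, additions, deletions)` above the fallback branches would document the intent. Unpacking once with `_, added, removed = patch.line_stats` would avoid the repeated indexing. The same block is duplicated in the roles/git/hooks/files/post-receive-fedmsg hunk. build_stats starts and ends outside the hunk.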
diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml
index f50b252ca..476823168 100644
--- a/roles/bodhi2/backend/tasks/main.yml
+++ b/roles/bodhi2/backend/tasks/main.yml
@@ -413,6 +413,11 @@
tags:
- bodhi
+- name: ensure fedmsg-hub is enabled and started on the backend
+ service: name=fedmsg-hub enabled=yes state=started
+ tags:
+ - bodhi
+
#- name: have apache own /mnt/koji/mash/updates
# file: path=/mnt/koji/mash/updates state=directory recurse=yes owner=apache group=apache
# tags:
diff --git a/roles/git/hooks/files/post-receive-fedmsg b/roles/git/hooks/files/post-receive-fedmsg
index 782accde6..3545be2e3 100755
--- a/roles/git/hooks/files/post-receive-fedmsg
+++ b/roles/git/hooks/files/post-receive-fedmsg
@@ -53,10 +53,20 @@ def build_stats(commit):
for diff in diffs:
for patch in diff:
- path = patch.new_file_path
- files[path]['additions'] += patch.additions
- files[path]['deletions'] += patch.deletions
- files[path]['lines'] += patch.additions + patch.deletions
+ if hasattr(patch, 'new_file_path'):
+ path = patch.new_file_path
+ else:
+ path = patch.delta.new_file.path
+
+ if hasattr(patch, 'additions'):
+ files[path]['additions'] += patch.additions
+ files[path]['deletions'] += patch.deletions
+ files[path]['lines'] += patch.additions + patch.deletions
+ else:
+ files[path]['additions'] += patch.line_stats[1]
+ files[path]['deletions'] += patch.line_stats[2]
+ files[path]['lines'] += patch.line_stats[1] \
+ + patch.line_stats[2]
total = defaultdict(int)
for name, stats in files.items():
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index 61f6edb54..1631be758 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -128,16 +128,9 @@ channel =
source */kernel* && has_perm secure-boot :: use secure-boot
source */shim* && has_perm secure-boot :: use secure-boot
source */grub2* && has_perm secure-boot :: use secure-boot
- source */fedora-release* && has_perm secure-boot :: use secure-boot
- source */fedora-repos* && has_perm secure-boot :: use secure-boot
source */pesign* && has_perm secure-boot :: use secure-boot
source */fwupdate* && has_perm secure-boot :: use secure-boot
-# we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them so lets
-# make sure that we always build eclipse on them.
- source */eclipse* :: use eclipse
- source */gcc* :: use eclipse
-
all :: use default
diff --git a/roles/koschei/backend/templates/config-backend.cfg.j2 b/roles/koschei/backend/templates/config-backend.cfg.j2
index e2668604a..672c694ee 100644
--- a/roles/koschei/backend/templates/config-backend.cfg.j2
+++ b/roles/koschei/backend/templates/config-backend.cfg.j2
@@ -28,7 +28,7 @@ config = {
"load_threshold": 1,
{% else %}
"max_builds": 60,
- "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le'],
+ "build_arches": ['i386', 'x86_64', 'armhfp', 'aarch64', 'ppc64', 'ppc64le', 's390x'],
"load_threshold": 0.65,
{% endif %}
"task_priority": 30,
diff --git a/roles/nagios_server/files/nagios/services/disk.cfg b/roles/nagios_server/files/nagios/services/disk.cfg
index f425e8e95..c927e973e 100644
--- a/roles/nagios_server/files/nagios/services/disk.cfg
+++ b/roles/nagios_server/files/nagios/services/disk.cfg
@@ -13,13 +13,6 @@ define service {
}
define service {
- hostgroup_name hosted
- service_description Disk Space /srv
- check_command check_by_nrpe!check_disk_/srv
- use disktemplate
-}
-
-define service {
hostgroup_name qahardware
service_description Disk Space /srv
check_command check_by_nrpe!check_disk_/srv
diff --git a/roles/nagios_server/files/nagios/services/hosted.cfg b/roles/nagios_server/files/nagios/services/hosted.cfg
deleted file mode 100644
index 763261e6b..000000000
--- a/roles/nagios_server/files/nagios/services/hosted.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-# This file is dead.
-#
diff --git a/roles/nagios_server/files/nagios/services/swap.cfg b/roles/nagios_server/files/nagios/services/swap.cfg
index 75cc6553d..dab4ff7d9 100644
--- a/roles/nagios_server/files/nagios/services/swap.cfg
+++ b/roles/nagios_server/files/nagios/services/swap.cfg
@@ -1,6 +1,6 @@
define service {
- hostgroup noswap
- service_description No Swap
+ hostgroup CheckSwap
+ service_description Swap-Is-Low
check_command check_by_nrpe!check_swap
use criticaltemplate
}
diff --git a/roles/nagios_server/files/nagios/services/websites.cfg b/roles/nagios_server/files/nagios/services/websites.cfg
index e5f605a97..d1d94a166 100644
--- a/roles/nagios_server/files/nagios/services/websites.cfg
+++ b/roles/nagios_server/files/nagios/services/websites.cfg
@@ -184,7 +184,7 @@ define service {
define service {
hostgroup_name koji
service_description http-koji
- check_command check_website!koji.fedoraproject.org!/koji/hosts!arm04-builder
+ check_command check_website!koji.fedoraproject.org!/koji/hosts!fedoraproject.org
use websitetemplate
}
diff --git a/roles/nagios_server/files/nrpe/nrpe.cfg b/roles/nagios_server/files/nrpe/nrpe.cfg
index fac5e37e5..daaec1e35 100644
--- a/roles/nagios_server/files/nrpe/nrpe.cfg
+++ b/roles/nagios_server/files/nrpe/nrpe.cfg
@@ -287,7 +287,6 @@ include_dir=/etc/nrpe.d/
command[check_nrpe]=/bin/date
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
-command[check_hosted_load]=/usr/lib64/nagios/plugins/check_load -w 35,30,25 -c 70,60,50
command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
index 66bcf1268..e9e12f51d 100644
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
@@ -182,7 +182,6 @@
- file_age.cfg
- fmn.cfg
- haproxy.cfg
- - hosted.cfg
- ipa.cfg
- koji.cfg
- koschei.cfg
@@ -311,7 +310,7 @@
with_items:
- all.cfg
- nomail.cfg
- - noswap.cfg
+ - checkswap.cfg
tags:
- nagios_server
diff --git a/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2
new file mode 100644
index 000000000..c9750a6c4
--- /dev/null
+++ b/roles/nagios_server/templates/nagios/hostgroups/checkswap.cfg.j2
@@ -0,0 +1,6 @@
+define hostgroup {
+ hostgroup_name CheckSwap
+ alias Swap-Is-Low
+ members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
+
+}
diff --git a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
index 47857f983..ab79d7646 100644
--- a/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
+++ b/roles/nagios_server/templates/nagios/hostgroups/nomail.cfg.j2
@@ -1,6 +1,6 @@
define hostgroup {
hostgroup_name nomail
alias No Mail
- members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
+ members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, !proxy05.fedoraproject.org, !mirrorlist-host1plus.fedoraproject.org, !download-rdu01.fedoraproject.org, !virthost-rdu01.fedoraproject.org, !fas3-01.stg.phx2.fedoraproject.org, !osbs-control01.phx2.fedoraproject.org, {% for host in groups['bastion'] %}!{{host}}, {% endfor %}{% for host in groups['smtp-mm'] %}!{{host}}, {% endfor %} {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
}
diff --git a/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2
deleted file mode 100644
index 1399aa171..000000000
--- a/roles/nagios_server/templates/nagios/hostgroups/noswap.cfg.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-define hostgroup {
- hostgroup_name noswap
- alias No Swap
- members *, !status-fedora2, !phx2-gw, !ibiblio-gw, !cloud-gw, !bodhost-gw, !coloamer-gw, !dedicated-gw, !host1plus-gw, !internetx-gw, !osuosl-gw, !rdu-gw, !rdu-cc-gw, !tummy-gw, {% for host in groups['builders'] %}!{{host}},{% endfor %} {% for host in groups['builders-stg'] %}!{{host}},{% endfor %} {% for host in groups['cloud'] %}!{{host}}, {% endfor %} {% for host in vars['phx2_management_limited'] %}!{{host}},{% endfor %} {% for host in vars['phx2_management_hosts'] %}!{{host}}{% if not loop.last %},{% endif %} {% endfor %}
-
-}
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 000000000..f760a289b
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,72 @@
+Overview
+========
+
+Role for using nginx. Sets up ssl certs in known locations and inactive
+template for application use.
+
+
+Role options
+------------
+* `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx
+
+
+SSL
+---
+This role will copy over key/crt by default.
+It can be disabled by setting `httpd_no_ssl` to true
+
+You will still need to configure the application to use ssl. A reference template templates/example_ssl.conf.j2 is provided
+
+The script will look for keys and certs in the paths specified by the
+`httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables.
+
+If that fails, it will attempt to create key/crt pair if there isn't one already installed.
+
+If a pem file exists in the location specified by `httpd_ssl_pem_file`,
+it will be copied across as `ssl.pem`. Applications that required the certificate
+chain should point at `/etc/nginx/conf.d/ssl.pem`.
+
+Caveats
+-------
+The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{
+inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup.
+Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here.
+
+Logrotate
+---------
+
+A default template is configured.
+
+SELinux
+-------
+
+selinux contexts are application specific. Enable the following as needed by your setup:
+
+```
+httpd_can_network_relay
+httpd_can_network_memcache
+httpd_can_network_connect *
+httpd_can_network_connect_db *
+httpd_can_sendmail
+```
+
+- * commonly used items enabled by default
+
+Handlers
+--------
+
+restart nginx - restart the nginx service
+
+Variables
+---------
+
+* `service_name` - canonical name for service
+* `httpd_no_ssl` - don't set up ssl
+* `httpd_ssl_key_file` - local path to use as source for ssl.key file
+* `httpd_ssl_crt_file` - local path to use as source for ssl.crt file
+* `httpd_ssl_pem_file` - local path to use as source for ssl.pem file
+* `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman
+ parameters
+* `ssl_intermediate_ca_pattern` - pattern to check if certificate is
+ self-signed
+* `ssl_self_signed_string` - location and CN settings for self signed cert
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 000000000..0758337b9
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+## set some defaults with the expectation that they will be set in/from calling role
+service_name: "{{ inventory_hostname }}"
+
+## nginx core configuration defaults
+nginx_default_port: 80
+nginx_error_level: "warn"
+nginx_worker_processes: 1
+nginx_gzip_status: "on"
+
+## variables unset by default
+httpd_no_ssl: false
+httpd_ssl_key_file: "{{ ssl_key_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
+httpd_ssl_crt_file: "{{ ssl_crt_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
+httpd_ssl_pem_file: "{{ ssl_pem_file | default('/THIS/FILE/PROBABLY/DOESNT/EXIST') }}"
+ssl_self_signed_string: "/C=US/ST=New York/L=New York City/O=My Department/CN={{ service_name }}"
+ssl_fast_dh: false
+nginx_ssl_ca_line: "#ssl_client_certificate /path/to/ca/file;"
diff --git a/roles/nginx/files/etc/logrotate.d/nginx b/roles/nginx/files/etc/logrotate.d/nginx
new file mode 100644
index 000000000..b02b62636
--- /dev/null
+++ b/roles/nginx/files/etc/logrotate.d/nginx
@@ -0,0 +1,13 @@
+/var/log/nginx/*.log {
+ daily
+ missingok
+ rotate 30
+ compress
+ delaycompress
+ notifempty
+ create 640 nginx adm
+ sharedscripts
+ postrotate
+ [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
diff --git a/roles/nginx/files/etc/nginx/conf.d/default.conf b/roles/nginx/files/etc/nginx/conf.d/default.conf
new file mode 100644
index 000000000..f2afdc286
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/conf.d/default.conf
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ server_name localhost;
+
+ #charset koi8-r;
+ #access_log /var/log/nginx/log/host.access.log main;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 000000000..6deed0cd0
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 000000000..83f24cdee
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include: nginx.yml
+
+- include: ssl-setup.yml
+ when: not httpd_no_ssl
diff --git a/roles/nginx/tasks/nginx.yml b/roles/nginx/tasks/nginx.yml
new file mode 100644
index 000000000..6cb2eea43
--- /dev/null
+++ b/roles/nginx/tasks/nginx.yml
@@ -0,0 +1,33 @@
+- name: install nginx
+ dnf:
+ name: nginx
+ state: present
+
+- name: Ensure nginx is started and enabled to start at boot.
+ service: name=nginx state=started enabled=yes
+
+- name: install nginx logrotation file
+ copy:
+ src: etc/logrotate.d/nginx
+ dest: /etc/logrotate.d/nginx
+ owner: root
+ group: root
+ mode: 0644
+
+- name: install /etc/nginx/nginx.conf
+ template:
+ src: etc/nginx/nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart nginx
+
+- name: install /etc/nginx/conf.d/default.conf
+ copy:
+ src: etc/nginx/conf.d/default.conf
+ dest: /etc/nginx/conf.d/default.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart nginx
diff --git a/roles/nginx/tasks/ssl-setup.yml b/roles/nginx/tasks/ssl-setup.yml
new file mode 100644
index 000000000..a0e138f54
--- /dev/null
+++ b/roles/nginx/tasks/ssl-setup.yml
@@ -0,0 +1,45 @@
+- name: copy over ssl key
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/conf.d/ssl.key"
+ with_first_found:
+ - files:
+ - "{{ httpd_ssl_key_file }}"
+ skip: True
+ register: setup_ssl_key
+ notify: restart nginx service
+ no_log: True
+ tags:
+ - update_ssl_certs
+
+- name: copy over ssl pem file
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/conf.d/ssl.pem"
+ with_first_found:
+ - files:
+ - "{{ httpd_ssl_pem_file }}"
+ - "{{ httpd_ssl_crt_file }}"
+ skip: True
+ register: setup_ssl_pem
+ when: setup_ssl_key|success
+ tags:
+ - update_ssl_certs
+
+ # generate our own key/crt if pem is missing
+- name: generate self signed ssl certificate
+ command: openssl req -new -nodes -x509 -subj "{{ ssl_self_signed_string }}" -days 3650 -keyout /etc/nginx/conf.d/ssl.key -out /etc/nginx/conf.d/ssl.pem -extensions v3_ca
+ args:
+ creates: /etc/nginx/conf.d/ssl.pem
+ when: setup_ssl_key|failed or setup_ssl_pem|failed
+
+- name: warn that the next step takes a while
+ debug:
+ msg: "the next step can take around 15 minutes if it hasn't already been done"
+
+- name: create Diffie Hellman ephemeral parameters
+ # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ command: openssl dhparam {{ '-dsaparam' if ssl_fast_dh else '' }} -out dhparam.pem 4096
+ args:
+ chdir: /etc/ssl/certs
+ creates: /etc/ssl/certs/dhparam.pem
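Review bot: The private key copied to `/etc/nginx/conf.d/ssl.key` in the first task gets no `owner`, `group` or `mode`, so its permissions fall to whatever the copy defaults produce; a key file should be pinned to root with mode 0600. The same task notifies `restart nginx service`, but the handler added in roles/nginx/handlers/main.yml is named `restart nginx`, so the notification has nothing to match. Separately, both `with_first_found` lookups set `skip: True`, which likely turns a missing file into a skipped task rather than a failed one, so the `setup_ssl_key|failed or setup_ssl_pem|failed` condition on the self-signed step may never be true; this is worth confirming on a host with no key present.

```yaml
  copy:
    dest: "/etc/nginx/conf.d/ssl.key"
    owner: root
    group: root
    mode: 0600
  # … unchanged: src, with_first_found, register …
  notify: restart nginx
  # … unchanged: no_log, tags …
```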
diff --git a/roles/nginx/templates/etc/nginx/nginx.conf.j2 b/roles/nginx/templates/etc/nginx/nginx.conf.j2
new file mode 100644
index 000000000..0f396060c
--- /dev/null
+++ b/roles/nginx/templates/etc/nginx/nginx.conf.j2
@@ -0,0 +1,50 @@
+user nginx;
+worker_processes {{ nginx_worker_processes }};
+
+error_log /var/log/nginx/error.log {{ nginx_error_level }};
+{% if ansible_distribution_major_version == "7" %}
+pid /run/nginx.pid;
+{% else %}
+pid /var/run/nginx.pid;
+{% endif %}
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_names_hash_bucket_size 128;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ gzip {{ nginx_gzip_status }};
+
+ include /etc/nginx/conf.d/*.conf;
+
+ # bind server context for status explicitly to loopback to allow local only actions
+ server {
+ listen [::1]:{{ nginx_default_port }} default_server;
+ listen 127.0.0.1:{{ nginx_default_port }} default_server;
+ server_name _;
+ root /usr/share/nginx/html;
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+ }
+}
diff --git a/roles/nginx/templates/example_ssl.conf.2 b/roles/nginx/templates/example_ssl.conf.2
new file mode 100644
index 000000000..42bc89722
--- /dev/null
+++ b/roles/nginx/templates/example_ssl.conf.2
@@ -0,0 +1,29 @@
+
+
+# HTTPS server
+#
+#server {
+# listen 443;
+# server_name {{ service_name }};
+
+# ssl on;
+# ssl_certificate /etc/nginx/conf.d/ssl.pem;
+# ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+# {{ nginx_ssl_ca_line }}
+
+# ssl_session_timeout 5m;
+
+# # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# # modern configuration. tweak to your needs.
+# ssl_protocols TLSv1.1 TLSv1.2;
+# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+# ssl_prefer_server_ciphers on;
+#
+# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# add_header Strict-Transport-Security max-age=15768000;
+
+# location / {
+# root /usr/share/nginx/html;
+# index index.html index.htm;
+# }
+#}
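Review bot: The template is added as `example_ssl.conf.2`, but the role's README points readers to `templates/example_ssl.conf.j2`; the extension looks like a typo for `.j2`. The commented-out `ssl_protocols TLSv1.1 TLSv1.2;` line sits under a comment calling it a modern configuration, so a comment such as `# drop TLSv1.1 unless legacy clients require it` would keep copies of this example from carrying the older protocol forward.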
diff --git a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2 b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2
index 0e3b76d05..887dad13d 100644
--- a/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2
+++ b/roles/taskotron/taskotron-trigger/templates/trigger_rules.yml.j2
@@ -48,9 +48,7 @@
do:
- {tasks: [fedora-cloud-tests]}
-{% if deployment_type in ['dev', 'stg'] %}
- when:
message_type: ModuleBuildComplete
do:
- {tasks: [modularity-testing-framework]}
-{% endif %}
diff --git a/roles/waiverdb/defaults/main.yml b/roles/waiverdb/defaults/main.yml
new file mode 100644
index 000000000..a03421267
--- /dev/null
+++ b/roles/waiverdb/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+waiverdb_db_port: 5432
+waiverdb_oidc_auth_uri: 'https://iddev.fedorainfracloud.org/openidc/Authorization'
+waiverdb_oidc_token_uri: 'https://iddev.fedorainfracloud.org/openidc/Token'
+waiverdb_oidc_token_introspection_uri: 'https://iddev.fedorainfracloud.org/openidc/TokenInfo'
+waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo"'
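Review bot: `waiverdb_oidc_userinfo_uri` ends with a stray double quote inside the single-quoted string (`.../openidc/UserInfo"'`). The rendered client_secrets.json therefore gets an unescaped `"` in the middle of a JSON string, which makes the file invalid. The line should be `waiverdb_oidc_userinfo_uri: 'https://iddev.fedorainfracloud.org/openidc/UserInfo'`. `waiverdb_oidc_client_id`, `waiverdb_oidc_client_secret` and `waiverdb_secret_key` are used by the templates but have no default here, so they presumably come from the private vars.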
diff --git a/roles/waiverdb/files/pg/pg_hba.conf b/roles/waiverdb/files/pg/pg_hba.conf
new file mode 100644
index 000000000..9fcf02373
--- /dev/null
+++ b/roles/waiverdb/files/pg/pg_hba.conf
@@ -0,0 +1,29 @@
+# This file is managed by Ansible - changes may be lost
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# TYPE DATABASE USER ADDRESS METHOD
+
+# Default:
+#
+local all postgres trust
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust
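Review bot: All four records use `trust`, which lets any local account, and anything that can reach loopback on the host, connect as any database role including `postgres` without credentials. Prefer `peer` on the two Unix-socket lines and a password method on the two `host` lines. The connection URI in settings.py.j2 carries no password, so the application would need one (or an OS account matching its role for `peer`) once this is tightened.

```conf
local   all   postgres                  peer
local   all   all                       peer
host    all   all       127.0.0.1/32    md5
host    all   all       ::1/128         md5
```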
diff --git a/roles/waiverdb/handlers/main.yml b/roles/waiverdb/handlers/main.yml
new file mode 100644
index 000000000..40cbeb8b6
--- /dev/null
+++ b/roles/waiverdb/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart waiverdb
+ systemd:
+ name: waiverdb.service
+ state: restarted
+
+- name: restart postgresql
+ systemd:
+ name: postgresql.service
+ state: restarted
diff --git a/roles/waiverdb/tasks/main.yml b/roles/waiverdb/tasks/main.yml
new file mode 100644
index 000000000..6ba8ffae3
--- /dev/null
+++ b/roles/waiverdb/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- include: psql_setup.yml
+
+- name: install needed packages (yum)
+ yum: pkg={{ item }} state=present
+ with_items:
+ - waiverdb
+ - gunicorn
+ - python-psycopg2
+ notify:
+ - restart waiverdb
+ when: ansible_distribution_major_version|int < 22
+
+- name: install needed packages (dnf)
+ dnf: pkg={{ item }} state=present
+ with_items:
+ - waiverdb
+ - gunicorn
+ - python-psycopg2
+ notify:
+ - restart waiverdb
+ when: ansible_distribution_major_version|int > 21
+
+- name: start waiverdb on boot
+ systemd:
+ name: waiverdb.socket
+ enabled: yes
+
+- name: copy client secrets
+ template:
+ src: etc/waiverdb/client_secrets.json
+ dest: /etc/wavierdb/client_secrets.json
+ owner: root
+ group: root
+ mode: 0640
+ notify:
+ - restart waiverdb
+
+- name: generate the app config
+ template:
+ src: etc/waiverdb/settings.py.j2
+ dest: /etc/waiverdb/settings.py
+ owner: root
+ group: root
+ mode: 0660
+ backup: yes
+ force: yes
+ notify:
+ - restart waiverdb
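Review bot: The `copy client secrets` task writes to `/etc/wavierdb/client_secrets.json`, which transposes letters compared with `/etc/waiverdb/settings.py` in the next task; the destination should be `dest: /etc/waiverdb/client_secrets.json`. Both files hold secrets and are owned root:root with modes 0640 and 0660, so unless the service runs as root it presumably cannot read them. Setting `group` to the service's group with `mode: 0640` on both would be consistent and avoids group-writable settings. No task visible in this hunk installs the waiverdb.conf.j2 template added elsewhere in the commit.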
diff --git a/roles/waiverdb/tasks/psql_setup.yml b/roles/waiverdb/tasks/psql_setup.yml
new file mode 100644
index 000000000..9a099fe93
--- /dev/null
+++ b/roles/waiverdb/tasks/psql_setup.yml
@@ -0,0 +1,63 @@
+- name: install postresql (yum)
+ yum: state=present pkg={{ item }}
+ with_items:
+ - "postgresql-server"
+ - "postgresql-contrib"
+ - "python-psycopg2"
+ when: ansible_distribution_major_version|int < 22
+
+- name: install postresql (dnf)
+ dnf: state=present pkg={{ item }}
+ with_items:
+ - "postgresql-server"
+ - "postgresql-contrib"
+ - "python-psycopg2"
+ when: ansible_distribution_major_version|int > 21
+
+- name: See if postgreSQL is installed
+ stat: path=/var/lib/pgsql/initdb_postgresql.log
+ register: pgsql_installed
+
+- name: init postgresql
+ shell: "postgresql-setup initdb"
+ when: not pgsql_installed.stat.exists
+
+- name: copy pg_hba.conf
+ copy: src="pg/pg_hba.conf" dest=/var/lib/pgsql/data/pg_hba.conf owner=postgres group=postgres mode=0600
+ notify:
+ - restart postgresql
+ tags:
+ - config
+
+- name: Ensure postgres has a place to backup to
+ file: dest=/backups state=directory owner=postgres
+ tags:
+ - config
+
+- name: Copy over backup scriplet
+ copy: src="{{ files }}/../roles/postgresql_server/files/backup-database" dest=/usr/local/bin/backup-database mode=0755
+ tags:
+ - config
+
+- name: Set up some cronjobs to backup databases as configured
+ template: >
+ src="{{ files }}/../roles/postgresql_server/templates/cron-backup-database"
+ dest="/etc/cron.d/cron-backup-database-{{ item }}"
+ with_items:
+ - "{{ dbs_to_backup }}"
+ when: dbs_to_backup != []
+ tags:
+ - config
+
+- name: enable Pg service
+ service: state=started enabled=yes name=postgresql
+
+- name: Create db
+ postgresql_db: name="waiverdb" encoding='UTF-8'
+ become: yes
+ become_user: postgres
+
+- name: Create db user
+ postgresql_user: db="waiverdb" name="wavierdb-user" role_attr_flags=SUPERUSER,NOCREATEDB,NOCREATEROLE
+ become: yes
+ become_user: postgres
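Review bot: The `Create db user` task creates the role `wavierdb-user` with `SUPERUSER`, while settings.py.j2 connects as `waiverdb_user`; the names do not match, and an application role does not need superuser rights over the whole cluster. Something like `postgresql_user: db="waiverdb" name="waiverdb_user" role_attr_flags=NOSUPERUSER,NOCREATEDB,NOCREATEROLE` keeps the role least-privileged and lines up with the connection URI. `dbs_to_backup` is also used by the cron task without a default in roles/waiverdb/defaults/main.yml, so it has to be supplied by the inventory.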
diff --git a/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2 b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
new file mode 100644
index 000000000..d5d013974
--- /dev/null
+++ b/roles/waiverdb/templates/etc/nginx/conf.d/waiverdb.conf.j2
@@ -0,0 +1,39 @@
+# HTTP server
+# rewrite to HTTPS
+server {
+ listen 80;
+ server_name {{service_name}};
+ return 301 https://$server_name$request_uri;
+}
+# HTTPs server
+server {
+ listen 443;
+ server_name {{ service_name }};
+
+ ssl on;
+ ssl_certificate /etc/nginx/conf.d/ssl.pem;
+ ssl_certificate_key /etc/nginx/conf.d/ssl.key;
+
+ ssl_session_timeout 5m;
+
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+ location /api {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://unix:/run/waiverdb/socket:/api;
+ }
+}
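Review bot: The HTTPS server block is labelled a modern configuration but still enables `TLSv1.1` and a cipher list that includes DSS and SHA-1 CBC suites; `ssl_protocols TLSv1.2;` with the list trimmed to the ECDHE/DHE GCM entries would match the label. The nginx role generates `/etc/ssl/certs/dhparam.pem`, yet nothing here references it, so `ssl_dhparam /etc/ssl/certs/dhparam.pem;` is needed for the DHE suites to use those parameters. `listen 443;` together with `ssl on;` is the older spelling of `listen 443 ssl;`.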
diff --git a/roles/waiverdb/templates/etc/waiverdb/client_secrets.json b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
new file mode 100644
index 000000000..83dc8b0ed
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/client_secrets.json
@@ -0,0 +1,11 @@
+{
+ "web": {
+ "auth_uri": "{{ waiverdb_oidc_auth_uri }}",
+ "client_id": "{{ waiverdb_oidc_client_id }}",
+ "client_secret": "{{ waiverdb_oidc_client_secret }}",
+ "redirect_uris": [],
+ "token_uri": "{{ waiverdb_oidc_token_uri }}",
+ "token_introspection_uri": "{{ waiverdb_oidc_token_introspection_uri }}",
+ "userinfo_uri": "{{ waiverdb_oidc_userinfo_uri }}"
+ }
+}
diff --git a/roles/waiverdb/templates/etc/waiverdb/settings.py.j2 b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
new file mode 100644
index 000000000..67ce5c8b5
--- /dev/null
+++ b/roles/waiverdb/templates/etc/waiverdb/settings.py.j2
@@ -0,0 +1,2 @@
+SECRET_KEY = '{{ waiverdb_secret_key }}'
+SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }/waiverdb
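Review bot: The database URI on the second line closes the Jinja expression with a single brace, `{{ waiverdb_db_port }`, so the template will not render; the string literal also has no closing quote as shown. It should read `SQLALCHEMY_DATABASE_URI = 'postgresql://waiverdb_user@:{{ waiverdb_db_port }}/waiverdb'`. The role name here (`waiverdb_user`) also differs from the `wavierdb-user` role created in psql_setup.yml.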