diff --git a/inventory/host_vars/upstreamfirst.fedorainfracloud.org b/inventory/host_vars/upstreamfirst.fedorainfracloud.org
new file mode 100644
index 0000000000..e8a22ee4fe
--- /dev/null
+++ b/inventory/host_vars/upstreamfirst.fedorainfracloud.org
@@ -0,0 +1,98 @@
+---
+
+instance_type: m1.medium
+image: CentOS-7-x86_64-GenericCloud-1503
+keypair: fedora-admin-20130801
+security_group: default  # NOTE: security_group MUST contain default.
+zone: nova
+tcp_ports: [ 22, 25, 80, 443, 9418,
+    # Used for the eventsource server
+    8088,
+    # This is for the pagure public fedmsg relay
+    9940]
+
+inventory_tenant: persistent
+inventory_instance_name: upstreamfirst
+hostbase: upstreamfirst
+public_ip: 209.132.184.153
+root_auth_users:  tflink roshi
+description: upstream-first pagure server
+security_group: ssh-anywhere-persistent,web-443-anywhere-persistent,web-80-anywhere-persistent,default,all-icmp-persistent,mail-25-anywhere-persistent,allow-nagios-persistent,fedmsg-relay-persistent,pagure-ports
+
+volumes:
+  - volume_id: 81c1cb3e-5fb0-4abd-a252-b0102f1378de
+    device: /dev/vdc
+
+cloud_networks:
+  # persistent-net
+  - net-id: "67b77354-39a4-43de-b007-bb813ac5c35f"
+
+stunnel_service: "eventsource"
+stunnel_source_port: 8088
+stunnel_destination_port: 8080
+
+# not doing anything with fedmsg right now
+## These are consumed by a task in roles/fedmsg/base/main.yml
+#fedmsg_certs:
+#- service: shell
+#  owner: root
+#  group: sysadmin
+#  can_send:
+#  - logger.log
+#- service: pagure
+#  owner: git
+#  group: apache
+#  can_send:
+#  - pagure.issue.assigned.added
+#  - pagure.issue.assigned.reset
+#  - pagure.issue.comment.added
+#  - pagure.issue.dependency.added
+#  - pagure.issue.dependency.removed
+#  - pagure.issue.edit
+#  - pagure.issue.new
+#  - pagure.issue.tag.added
+#  - pagure.issue.tag.removed
+#  - pagure.project.edit
+#  - pagure.project.forked
+#  - pagure.project.new
+#  - pagure.project.tag.edited
+#  - pagure.project.tag.removed
+#  - pagure.project.user.added
+#  - pagure.pull-request.closed
+#  - pagure.pull-request.comment.added
+#  - pagure.pull-request.flag.added
+#  - pagure.pull-request.flag.updated
+#  - pagure.request.assigned.added
+#  - pagure.pull-request.new
+#
+#fedmsg_prefix: io.pagure
+#fedmsg_env: stg
+
+fas_client_groups: sysadmin-noc,sysadmin-web,sysadmin-qa
+
+freezes: false
+#env: pagure-staging
+#postfix_group: vpn.pagure-stg
+
+# Configuration for the git-daemon/server
+git_group: git
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /srv/git/repositories
+git_daemon_user: git
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - admin@fedoraproject.org
+csi_purpose: Stage testcases being submitted upstream to Fedora
+csi_relationship: |
+    There are a few things running here:
+
+    - The apache/mod_wsgi app for pagure
+
+    - This host relies on:
+      - A postgres db server running locally
+
+    - Things that rely on this host:
+      - nothing currently
diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
new file mode 100644
index 0000000000..3aa43bf827
--- /dev/null
+++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
@@ -0,0 +1,70 @@
+- name: check/create instance
+  hosts: upstreamfirst.fedorainfracloud.org
+  gather_facts: False
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - /srv/private/ansible/vars.yml
+   - /srv/web/infra/ansible/vars/fedora-cloud.yml
+   - /srv/private/ansible/files/openstack/passwords.yml
+
+  tasks:
+  - include: "{{ tasks_path }}/persistent_cloud.yml"
+
+- name: do base configuration
+  hosts: upstreamfirst.fedorainfracloud.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - nagios_client
+  - hosts
+  - fas_client
+  - sudo
+  - collectd/base
+  - openvpn/client
+  - postgresql_server
+
+  tasks:
+  - include: "{{ tasks_path }}/yumrepos.yml"
+  - include: "{{ tasks_path }}/2fa_client.yml"
+  - include: "{{ tasks_path }}/motd.yml"
+
+  handlers:
+  - include: "{{ handlers_path }}/restart_services.yml"
+
+- name: deploy pagure
+  hosts: upstreamfirst.fedorainfracloud.org
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
+
+  pre_tasks:
+  - name: install fedmsg-relay
+    yum: pkg=fedmsg-relay state=present
+    tags:
+    - pagure
+    - pagure/fedmsg
+  - name: and start it
+    service: name=fedmsg-relay state=started
+    tags:
+    - pagure
+    - pagure/fedmsg
+
+  roles:
+  - pagure/frontend
+  - pagure/fedmsg
+
+  handlers:
+  - include: "{{ handlers_path }}/restart_services.yml"