diff --git a/roles/bodhi2/backend/files/bodhi-masher.conf b/roles/bodhi2/backend/files/bodhi-masher.conf
new file mode 100644
index 0000000000..1f962ed504
--- /dev/null
+++ b/roles/bodhi2/backend/files/bodhi-masher.conf
@@ -0,0 +1,15 @@
+Alias /updates/static /usr/share/bodhi/static
+
+WSGISocketPrefix run/wsgi
+WSGIRestrictSignal Off
+
+WSGIDaemonProcess bodhi user=masher group=masher display-name=bodhi
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /updates /usr/share/bodhi/bodhi.wsgi/updates
+
+
+ WSGIProcessGroup bodhi
+ Order deny,allow
+ Allow from all
+
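Review bot: `Order deny,allow` and `Allow from all` at the end of the file have no enclosing `<Directory>` or `<Location>` in the hunk as shown; the two bare `+` lines around the indented block may be container tags lost in rendering. These two directives are only valid in directory context, so if the file really is as shown, httpd will reject the configuration. Confirm the committed file wraps them in a container scoped to the WSGI script path, e.g. `<Directory /usr/share/bodhi>`, so that the allow-all rule is limited to the bodhi application.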
diff --git a/roles/bodhi2/backend/files/el6-epel-testing.mash b/roles/bodhi2/backend/files/el6-epel-testing.mash
new file mode 100644
index 0000000000..cafc1568af
--- /dev/null
+++ b/roles/bodhi2/backend/files/el6-epel-testing.mash
@@ -0,0 +1,17 @@
+# mash config file
+
+[el6-epel-testing]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo_path = %(arch)s/debug
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = dist-6E-epel-testing
+inherit = False
+strict_keys = True
+keys = 0608b895
+use_repoview = True
+repoviewurl = http://download.fedoraproject.org/pub/epel/testing/6/%(arch)s/
+repoviewtitle = "Fedora EPEL Testing 6 - %(arch)s"
+arches = i386 x86_64 ppc64
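Review bot: `keys = 0608b895` is the only signature gate for this repo (`strict_keys = True`), yet nothing in the file records which key that short ID stands for. A comment above it such as `# EPEL 6 signing key, full fingerprint: <FULL-FINGERPRINT>` would let an auditor check the value against the published key, since an 8-hex-digit ID alone is not collision-resistant. The same applies to the `keys` lines in el6-epel.mash, epel7*.mash and the f20/f21/f22 mash files.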
diff --git a/roles/bodhi2/backend/files/el6-epel.mash b/roles/bodhi2/backend/files/el6-epel.mash
new file mode 100644
index 0000000000..72b209e36c
--- /dev/null
+++ b/roles/bodhi2/backend/files/el6-epel.mash
@@ -0,0 +1,17 @@
+# mash config file
+
+[el6-epel]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo_path = %(arch)s/debug
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = dist-6E-epel
+inherit = False
+strict_keys = True
+keys = 0608b895
+use_repoview = True
+repoviewurl = http://download.fedoraproject.org/pub/epel/6/%(arch)s/
+repoviewtitle = "Fedora EPEL 6 - %(arch)s"
+arches = i386 x86_64 ppc64
diff --git a/roles/bodhi2/backend/files/epel7-testing.mash b/roles/bodhi2/backend/files/epel7-testing.mash
new file mode 100644
index 0000000000..6d95a57fce
--- /dev/null
+++ b/roles/bodhi2/backend/files/epel7-testing.mash
@@ -0,0 +1,18 @@
+# mash config file
+
+[epel7-testing]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo_path = %(arch)s/debug
+debuginfo = True
+multilib = False
+tag = epel7-testing
+inherit = False
+strict_keys = True
+keys = 352C64E5
+use_repoview = True
+repoviewurl = http://download.fedoraproject.org/pub/epel/testing/7/%(arch)s/
+repoviewtitle = "Fedora EPEL Testing 7 - %(arch)s"
+arches = x86_64 ppc64
+hash_packages = True
+delta = False
diff --git a/roles/bodhi2/backend/files/epel7.mash b/roles/bodhi2/backend/files/epel7.mash
new file mode 100644
index 0000000000..8b5ff7097f
--- /dev/null
+++ b/roles/bodhi2/backend/files/epel7.mash
@@ -0,0 +1,18 @@
+# mash config file
+
+[epel7]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo_path = %(arch)s/debug
+debuginfo = True
+multilib = False
+tag = epel7
+inherit = False
+strict_keys = True
+keys = 352C64E5
+use_repoview = True
+repoviewurl = http://download.fedoraproject.org/pub/epel/7/%(arch)s/
+repoviewtitle = "Fedora EPEL 7 - %(arch)s"
+arches = x86_64 ppc64
+hash_packages = True
+delta = False
diff --git a/roles/bodhi2/backend/files/f20-updates-testing.mash b/roles/bodhi2/backend/files/f20-updates-testing.mash
new file mode 100644
index 0000000000..7d6b0f1911
--- /dev/null
+++ b/roles/bodhi2/backend/files/f20-updates-testing.mash
@@ -0,0 +1,21 @@
+# mash config file
+
+[f20-updates-testing]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f20-updates-testing
+inherit = False
+strict_keys = True
+keys = 246110C1
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/testing/20/%(arch)s/
+repoviewtitle = "Fedora 20 Updates Testing - %(arch)s"
+arches = armhfp i386 x86_64
+delta = True
+#delta_dirs = /pub/fedora/linux/releases/20/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f20-updates/%(arch)s/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/updates/20/%(arch)s, http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/%(arch)s/os
+# point to branched till we release then use above
+delta_dirs = /pub/fedora/linux/development/20/%(arch)s/os/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/20/%(arch)s/os/
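Review bot: The active `delta_dirs` and `parent_repos` here still point at the branched tree `development/20`, with the release paths commented out under "point to branched till we release then use above". f21-updates-testing.mash already has this flipped to `releases/21`, so F20 has presumably shipped and these paths are stale. If so, enable the two commented `releases/20` lines and drop the branched ones; f20-updates.mash has the same leftover under "Bellow needs enabling at GA". Separately, `parent_repos` in all the f2x files is fetched over plain `http://`; an https URL, or a `file://` path into the `/pub` tree that `delta_dirs` already reads, would avoid resolving against unauthenticated metadata.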
diff --git a/roles/bodhi2/backend/files/f20-updates.mash b/roles/bodhi2/backend/files/f20-updates.mash
new file mode 100644
index 0000000000..894123947e
--- /dev/null
+++ b/roles/bodhi2/backend/files/f20-updates.mash
@@ -0,0 +1,20 @@
+[f20-updates]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f20-updates
+inherit = False
+strict_keys = True
+keys = 246110C1
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/20/%(arch)s/
+repoviewtitle = "Fedora 20 Updates - %(arch)s"
+arches = armhfp i386 x86_64
+delta = True
+#generate deltas against branched
+delta_dirs = /pub/fedora/linux/development/20/%(arch)s/os/,/mnt/koji/mash/updates/f20-updates/%(arch)s/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/20/%(arch)s/os
+# Bellow needs enabling at GA
+#delta_dirs = /pub/fedora/linux/releases/20/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f20-updates/%(arch)s/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/%(arch)s/os
diff --git a/roles/bodhi2/backend/files/f21-updates-testing.mash b/roles/bodhi2/backend/files/f21-updates-testing.mash
new file mode 100644
index 0000000000..42a3034ef8
--- /dev/null
+++ b/roles/bodhi2/backend/files/f21-updates-testing.mash
@@ -0,0 +1,22 @@
+# mash config file
+
+[f21-updates-testing]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f21-updates-testing
+inherit = False
+strict_keys = True
+keys = 95A43F54
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/testing/21/%(arch)s/
+repoviewtitle = "Fedora 21 Updates Testing - %(arch)s"
+arches = armhfp i386 x86_64
+hash_packages = True
+delta = True
+delta_dirs = /pub/fedora/linux/releases/21/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f21-updates/%(arch)s/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/updates/21/%(arch)s, http://download.fedoraproject.org/pub/fedora/linux/releases/21/Everything/%(arch)s/os
+# point to branched till we release then use above
+#delta_dirs = /pub/fedora/linux/development/21/%(arch)s/os/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/21/%(arch)s/os/
diff --git a/roles/bodhi2/backend/files/f21-updates.mash b/roles/bodhi2/backend/files/f21-updates.mash
new file mode 100644
index 0000000000..9e5469cf43
--- /dev/null
+++ b/roles/bodhi2/backend/files/f21-updates.mash
@@ -0,0 +1,20 @@
+[f21-updates]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f21-updates
+inherit = False
+strict_keys = True
+keys = 95A43F54
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/21/%(arch)s/
+repoviewtitle = "Fedora 21 Updates - %(arch)s"
+arches = armhfp i386 x86_64
+hash_packages = True
+delta = True
+#generate deltas against branched
+#delta_dirs = /pub/fedora/linux/development/21/%(arch)s/os/,/mnt/koji/mash/updates/f21-updates/%(arch)s/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/21/%(arch)s/os
+delta_dirs = /pub/fedora/linux/releases/21/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f21-updates/%(arch)s/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/releases/21/Everything/%(arch)s/os
diff --git a/roles/bodhi2/backend/files/f22-updates-testing.mash b/roles/bodhi2/backend/files/f22-updates-testing.mash
new file mode 100644
index 0000000000..edc30d7d74
--- /dev/null
+++ b/roles/bodhi2/backend/files/f22-updates-testing.mash
@@ -0,0 +1,22 @@
+# mash config file
+
+[f22-updates-testing]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f22-updates-testing
+inherit = False
+strict_keys = True
+keys = 8E1431D5
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/testing/22/%(arch)s/
+repoviewtitle = "Fedora 22 Updates Testing - %(arch)s"
+arches = armhfp i386 x86_64
+hash_packages = True
+delta = True
+#delta_dirs = /pub/fedora/linux/releases/22/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f22-updates/%(arch)s/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/updates/22/%(arch)s, http://download.fedoraproject.org/pub/fedora/linux/releases/22/Everything/%(arch)s/os
+# point to branched till we release then use above
+delta_dirs = /pub/fedora/linux/development/22/%(arch)s/os/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/22/%(arch)s/os/
diff --git a/roles/bodhi2/backend/files/f22-updates.mash b/roles/bodhi2/backend/files/f22-updates.mash
new file mode 100644
index 0000000000..1261bb36b6
--- /dev/null
+++ b/roles/bodhi2/backend/files/f22-updates.mash
@@ -0,0 +1,20 @@
+[f22-updates]
+rpm_path = %(arch)s/
+source_path = SRPMS/
+debuginfo = True
+multilib = True
+multilib_method = devel
+tag = f22-updates
+inherit = False
+strict_keys = True
+keys = 8E1431D5
+repoviewurl = http://download.fedoraproject.org/pub/fedora/linux/updates/22/%(arch)s/
+repoviewtitle = "Fedora 22 Updates - %(arch)s"
+arches = armhfp i386 x86_64
+hash_packages = True
+delta = True
+#generate deltas against branched
+delta_dirs = /pub/fedora/linux/development/22/%(arch)s/os/,/mnt/koji/mash/updates/f22-updates/%(arch)s/
+parent_repos = http://download.fedoraproject.org/pub/fedora/linux/development/22/%(arch)s/os
+#delta_dirs = /pub/fedora/linux/releases/22/Everything/%(arch)s/os/,/mnt/koji/mash/updates/f22-updates/%(arch)s/
+#parent_repos = http://download.fedoraproject.org/pub/fedora/linux/releases/22/Everything/%(arch)s/os
diff --git a/roles/bodhi2/backend/files/fedora-epel-push b/roles/bodhi2/backend/files/fedora-epel-push
new file mode 100755
index 0000000000..169b2107a7
--- /dev/null
+++ b/roles/bodhi2/backend/files/fedora-epel-push
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+SOURCE=/mnt/koji/mash/updates
+DEST=/pub/epel/
+
+OPTIONS="-rlptDvHh --stats --delay-updates $RSYNC_OPTS"
+
+for rel in 5 6; do
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" --exclude "headers/*" \
+ $SOURCE/el$rel-epel/ $DEST/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay \
+ $SOURCE/el$rel-epel/ $DEST/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"epel\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.epel.sync \
+ --json-input &> /dev/null
+ fi
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" --exclude "headers/*" \
+ $SOURCE/el$rel-epel-testing/ $DEST/testing/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay \
+ $SOURCE/el$rel-epel-testing/ $DEST/testing/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"epel-testing\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.epel.sync \
+ --json-input &> /dev/null
+ fi
+done
+
+for rel in 7; do
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" \
+ $SOURCE/epel$rel/ $DEST/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay \
+ $SOURCE/epel$rel/ $DEST/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"epel\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.epel.sync \
+ --json-input &> /dev/null
+ fi
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" \
+ $SOURCE/epel$rel-testing/ $DEST/testing/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay \
+ $SOURCE/epel$rel-testing/ $DEST/testing/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"epel-testing\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.epel.sync \
+ --json-input &> /dev/null
+ fi
+done
+
+for rel in 5 6 7; do
+ if [ ${rel} -eq 7 ]; then
+ TARGET_DIR=${DEST}/${rel}/x86_64/e
+ else
+ TARGET_DIR=${DEST}/${rel}/x86_64
+ fi
+
+ if [ -f ${TARGET_DIR}/epel-release*rpm ]; then
+ # We have a file to match. [This may sort wrong at -9 -> -10]
+ CANDIDATE=$( ls ${TARGET_DIR}/epel-release-*rpm | sort | tail -n 1)
+ TARGET=${DEST}/epel-release-latest-${rel}.noarch.rpm
+ # Does our symbolic link exist?
+ if [ -L ${TARGET} ]; then
+ # check to see if the link matches the candidate
+ TEST=$( readlink ${TARGET} )
+ if [ ${TEST} != ${CANDIDATE} ]; then
+ ln -sf $(echo ${CANDIDATE}|sed -e "s|$DEST|./|g" -e 's|//|/|g') ${TARGET}
+ fi
+ else
+ # first time for everything.
+ ln -sf $(echo ${CANDIDATE}|sed -e "s|$DEST|./|g" -e 's|//|/|g') ${TARGET}
+ fi
+ else
+ echo "No target file for epel-release ${rel} to link against."
+ fi
+done
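Review bot: None of the rsync calls in these loops has its exit status checked, and the second pass always runs with `--delete --delete-delay`, so a source directory under `$SOURCE` that exists but is empty or half-written would be propagated as deletions into the published tree. Stop the iteration when the first pass fails, e.g. `OUTPUT1=$(rsync ...) || continue`, and consider rsync's `--max-delete=N` on the delete pass as a backstop. A failed rsync also leaves `$bytes` empty, which satisfies `"$bytes" != "0"` and publishes a sync message for a sync that did not happen. The same pattern is in fedora-updates-push. In the last loop, `[ -f ${TARGET_DIR}/epel-release*rpm ]` errors out as soon as the glob matches more than one file; testing whether `$CANDIDATE` is non-empty after the `ls | sort | tail -n 1` avoids that.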
diff --git a/roles/bodhi2/backend/files/fedora-updates-push b/roles/bodhi2/backend/files/fedora-updates-push
new file mode 100755
index 0000000000..1313337ac0
--- /dev/null
+++ b/roles/bodhi2/backend/files/fedora-updates-push
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+SOURCE=/mnt/koji/mash/updates
+DEST=/pub/fedora/linux/updates/
+ATOMICSOURCE=/mnt/koji/mash/atomic/
+ATOMICDEST=/pub/fedora/linux/atomic/
+
+OPTIONS="-rlptDvHh --stats --delay-updates $RSYNC_OPTS"
+
+for rel in 20 21 22; do
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" \
+ $SOURCE/f$rel-updates/ $DEST/$rel/ --link-dest $DEST/testing/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay --exclude=Live --exclude=Images \
+ $SOURCE/f$rel-updates/ $DEST/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"updates\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.fedora.sync \
+ --json-input &> /dev/null
+ fi
+
+done
+for rel in 20 21 22; do
+
+ OUTPUT1=$(rsync $OPTIONS --exclude "repodata/*" \
+ $SOURCE/f$rel-updates-testing/ $DEST/testing/$rel/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay --exclude=Live --exclude=Images \
+ $SOURCE/f$rel-updates-testing/ $DEST/testing/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"updates-testing\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.fedora.sync \
+ --json-input &> /dev/null
+ fi
+
+done
+for rel in 21 22; do
+
+ OUTPUT1=$(rsync $OPTIONS --ignore-existing \
+ $ATOMICSOURCE/$rel/objects/ $ATOMICDEST/$rel/objects/)
+ OUTPUT2=$(rsync $OPTIONS --delete --delete-delay --exclude=objects/ \
+ $ATOMICSOURCE/$rel/ $ATOMICDEST/$rel/)
+
+ # Grep out some signals from the stats
+ bytes=$(echo "$OUTPUT1" | grep "Literal data" | awk ' { print $3 } ')
+ deleted=$(echo "$OUTPUT2" | grep "deleting " | wc -l)
+
+ # If anything changed, then publish a fedmsg message as bodhi.updates.sync
+ if [ "$bytes" != "0" -o "$deleted" != "0" ]; then
+ echo "{\"bytes\": \"$bytes\", \"deleted\": \"$deleted\", \"repo\": \"atomic\", \"release\": \"$rel\"}" | fedmsg-logger \
+ --cert-prefix ftpsync \
+ --modname bodhi \
+ --topic updates.fedora.sync \
+ --json-input &> /dev/null
+ fi
+done
+
diff --git a/roles/bodhi2/backend/files/update-fullfilelist b/roles/bodhi2/backend/files/update-fullfilelist
new file mode 100755
index 0000000000..0302c6a5b6
--- /dev/null
+++ b/roles/bodhi2/backend/files/update-fullfilelist
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# currently runs on releng2.fedora.phx.redhat.com
+
+MOD=$1
+[ -z "$MOD" ] && {
+ echo "usage: $0 "
+ exit 1
+}
+
+TMPFILE=$(mktemp -p /tmp/)
+pushd /pub/$MOD > /dev/null
+find * -print > $TMPFILE
+if diff $TMPFILE fullfilelist > /dev/null; then
+ rm -f $TMPFILE
+else
+ mv $TMPFILE fullfilelist
+fi
+chmod 0644 fullfilelist
+popd > /dev/null
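Review bot: `pushd /pub/$MOD > /dev/null` is not checked, so when the argument is misspelled or the tree is not mounted, the script carries on in the caller's directory and `find`, `mv` and `chmod` act on a `fullfilelist` there. Use `pushd "/pub/$MOD" > /dev/null || exit 1`, and quote `"$TMPFILE"` wherever it is used. `$MOD` is also taken as-is, so a value containing `/` or `..` resolves outside `/pub`; rejecting such values next to the `-z` test keeps the script confined to the tree it is meant for. The usage string ends right after `$0` with no argument name, which may be markup lost in rendering.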
diff --git a/roles/bodhi2/backend/meta/main.yml b/roles/bodhi2/backend/meta/main.yml
new file mode 100644
index 0000000000..9f7f541ae1
--- /dev/null
+++ b/roles/bodhi2/backend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: bodhi/base }
diff --git a/roles/bodhi2/backend/tasks/main.yml b/roles/bodhi2/backend/tasks/main.yml
new file mode 100644
index 0000000000..4832971c43
--- /dev/null
+++ b/roles/bodhi2/backend/tasks/main.yml
@@ -0,0 +1,215 @@
+---
+# tasklist for setting up bodhi/masher (requires bodhi/base)
+# This is the base set of files needed for bodhi/masher
+
+- name: add ftpsync group
+ group: name=ftpsync gid=263 system=yes state=present
+
+- name: add ftpsync user
+ user: name=ftpsync uid=263 group=ftpsync createhome=yes system=yes state=present
+
+- name: add the ftpsync update-fullfilelist script
+ copy: src=update-fullfilelist dest=/usr/local/bin/update-fullfilelist owner=ftpsync group=ftpsync mode=555
+
+- name: add masher group
+ group: name=masher gid=751 system=yes state=present
+
+# masher user 751
+- name: add masher user as 751 - and group
+ user: name=masher uid=751 group=masher home=/home/masher groups=mock,ftpsync
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - python-fedora-turbogears
+ tags:
+ - packages
+
+- name: install bodhi-masher /etc/httpd/conf.d/bodhi.conf file
+ copy: >
+ src="bodhi-masher.conf"
+ dest="/etc/httpd/conf.d/bodhi.conf"
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+- name: change owner and group attributes of bodhi.pem file
+ file: >
+ path="/etc/pki/bodhi/bodhi.pem"
+ owner=masher
+ group=masher
+ when: inventory_hostname.startswith('bodhi-backend')
+ tags:
+ - config
+
+- name: change owner and group attributes of /var/log/bodhi directory
+ file: path=/var/log/bodhi owner=masher group=masher
+ when: inventory_hostname.startswith('bodhi-backend')
+ tags:
+ - config
+
+- name: setup /etc/bodhi/mash.conf file...
+ template: >
+ src=mash.conf
+ dest=/etc/bodhi/mash.conf
+ owner=masher
+ group=masher
+ mode=0640
+ tags:
+ - config
+
+- name: change type part of SELinux file context
+ file: >
+ dest=/var/tmp/bodhi/comps/
+ setype=httpd_sys_script_rw_t
+ state=directory
+ recurse=yes
+ tags:
+ - config
+
+- name: change owner attribute of /var/tmp/bodhi-bz.cookie file
+ file: >
+ path=/var/tmp/bodhi-bz.cookie
+ owner=masher
+ tags:
+ - config
+
+- name: install /etc/bodhi/*.mash files
+ copy: >
+ src="{{ item }}"
+ dest="/etc/bodhi/{{ item }}"
+ owner=masher
+ mode=0640
+ with_items:
+ - f20-updates.mash
+ - f20-updates-testing.mash
+ - f21-updates.mash
+ - f21-updates-testing.mash
+ - f22-updates.mash
+ - f22-updates-testing.mash
+ - el6-epel.mash
+ - el6-epel-testing.mash
+ - epel7.mash
+ - epel7-testing.mash
+ tags:
+ - config
+
+# tasks for setting up epelmasher
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - repoview
+ tags:
+ - packages
+
+- name: install bodhi-epel-masher /etc/bodhi/bodhi.cfg file
+ template: >
+ src="bodhi-epel-masher.cfg.j2"
+ dest="/etc/bodhi/bodhi.cfg"
+ owner=masher
+ group=masher
+ mode=0600
+ when: inventory_hostname.startswith('bodhi-backend02')
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+# tasklist for setting up jobrunner
+
+- name: install bodhi-masher-jobrunner /etc/bodhi/bodhi.cfg file
+ template: >
+ src="bodhi-masher-jobrunner.cfg.j2"
+ dest="/etc/bodhi/bodhi.cfg"
+ owner=masher
+ group=masher
+ mode=0600
+ when: inventory_hostname.startswith('bodhi-backend01')
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+#
+# cron job that syncs packages to koji
+#
+- name: put owner-sync-pkgdb in place
+ template: src=owner-sync-pkgdb.j2 dest=/usr/local/bin/owner-sync-pkgdb mode=0755
+ tags:
+ - config
+
+- name: sync packages from pkgdb2 to koji (el5)
+ cron: name="owner-sync-el5" minute="7,17,27,37,47,57" user="root"
+ job="/usr/local/bin/owner-sync-pkgdb dist-5E-epel"
+ cron_file=update-koji-owner-EL-5
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+
+- name: sync packages from pkgdb2 to koji (el6)
+ cron: name="owner-sync-el5" minute="7,17,27,37,47,57" user="root"
+ job="/usr/local/bin/owner-sync-pkgdb dist-6E-epel"
+ cron_file=update-koji-owner-EL-6
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+
+- name: sync packages from pkgdb2 to koji (epel7)
+ cron: name="owner-sync-el5" minute="7,17,27,37,47,57" user="root"
+ job="/usr/local/bin/owner-sync-pkgdb epel7"
+ cron_file=update-koji-owner-epel7
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+
+- name: sync packages from pkgdb2 to koji (f20)
+ cron: name="owner-sync-el5" minute="7,17,27,37,47,57" user="root"
+ job="/usr/local/bin/owner-sync-pkgdb f20"
+ cron_file=update-koji-owner-f20
+ state=absent
+ when: inventory_hostname.startswith('bodhi-backend01')
+
+#
+# cron job that syncs updates to master mirror
+#
+
+- name: put fedora-updates-push in place
+ copy: src=fedora-updates-push dest=/usr/local/bin/fedora-updates-push mode=0755
+ tags:
+ - config
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+
+- name: put fedora-epel-push in place
+ copy: src=fedora-epel-push dest=/usr/local/bin/fedora-epel-push mode=0755
+ tags:
+ - config
+ when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
+
+- name: put update-fullfilelist in place
+ copy: src=update-fullfilelist dest=/usr/local/bin/update-fullfilelist mode=0755
+ tags:
+ - config
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+
+- name: Updates sync cron job.
+ cron: name="updates-sync" minute="15,45" user="ftpsync"
+ job="/usr/local/bin/lock-wrapper fedora-updates-push '/usr/local/bin/fedora-updates-push && /usr/local/bin/update-fullfilelist fedora"
+ cron_file=updates-sync
+ when: inventory_hostname.startswith('bodhi-backend01') and env == "production"
+ tags:
+ - config
+
+- name: epel Updates sync cron job.
+ cron: name="epel-updates-sync" minute="15,45" user="ftpsync"
+ job="/usr/local/bin/lock-wrapper fedora-epel-push '/usr/local/bin/fedora-epel-push && /usr/local/bin/update-fullfilelist epel"
+ cron_file=updates-sync
+ when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
+ tags:
+ - config
+
+- name: directory sizes update cron job.
+ cron: name="directory-sizes-update" minute="30" hour="19" user="ftpsync"
+ job="/usr/bin/find /srv/pub/alt/ /srv/pub/archive/ /srv/pub/fedora-secondary/ /srv/pub/fedora/ /srv/pub/epel/ -type d ! -path '/srv/pub/fedora/.snapshot*' ! -path '/srv/pub/epel/.snapshot*' ! -path '/srv/pub/alt/.snapshot*' ! -path '/srv/pub/archive/.snapshot*' ! -path '/srv/pub/fedora-secondary/.snapshot*' ! -path '/srv/pub/alt/stage*' ! -path '/srv/pub/alt/tmp' ! -path '/srv/pub/alt/screenshots/f21/source' | grep -v snapshot | /usr/bin/xargs -n 1 /usr/bin/du --exclude=.snapshot --exclude=stage -sh > /tmp/DIRECTORY_SIZES.txt 2> /dev/null; cp /tmp/DIRECTORY_SIZES.txt /srv/pub/"
+ cron_file=directory-sizes-update
+ when: inventory_hostname.startswith('bodhi-backend02') and env == "production"
+ tags:
+ - config
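Review bot: The `job=` strings of "Updates sync cron job." and "epel Updates sync cron job." open a single quote before `/usr/local/bin/fedora-updates-push` (and `fedora-epel-push`) and never close it, so the shell that cron starts will reject the command; close it after the last argument, e.g. `... /usr/local/bin/update-fullfilelist fedora'"`. The bodhi.pem task sets only owner and group; the file is used as `client_cert` and presumably holds the private key, so add an explicit `mode=0400` rather than inheriting whatever mode it arrived with. update-fullfilelist is installed twice with conflicting attributes (`owner=ftpsync group=ftpsync mode=555` near the top, default owner with `mode=0755` further down), and a script run from ftpsync's cron is better owned by root so that account cannot rewrite it. The directory-sizes job writes to the fixed name `/tmp/DIRECTORY_SIZES.txt` and then copies it into `/srv/pub/`; a `mktemp` file or a directory only ftpsync can write to stops another local user pre-creating that path.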
diff --git a/roles/bodhi2/backend/templates/bodhi-epel-masher.cfg.j2 b/roles/bodhi2/backend/templates/bodhi-epel-masher.cfg.j2
new file mode 100644
index 0000000000..0d99085655
--- /dev/null
+++ b/roles/bodhi2/backend/templates/bodhi-epel-masher.cfg.j2
@@ -0,0 +1,152 @@
+[global]
+
+##
+## Bodhi Production Masher Configuration
+##
+## $Id: bodhi-prod.cfg.erb,v 1.8 2008/05/21 23:38:07 lmacken Exp $
+##
+
+arches = 'i386 x86_64 ppc/ppc64'
+
+# EPEL specific configuration
+epel7_arches = 'x86_64 ppc64'
+epel7-testing_arches = 'x86_64 ppc64'
+el6-epel_arches = 'x86_64 i386 ppc64'
+el6-epel-testing_arches = 'x86_64 i386 ppc64'
+el5-epel_arches = 'x86_64 i386 ppc'
+el5-epel-testing_arches = 'x86_64 i386 ppc'
+
+# For pushing EPEL updates from the masher
+bodhi_url = 'http://localhost/updates'
+
+sqlobject.dburi="notrans_postgres://bodhi:{{ bodhiPassword }}@db-bodhi/bodhi"
+
+masher = None # we are the masher
+
+server.socket_port=8084
+server.environment="production"
+autoreload.on = False
+server.webpath="/updates"
+server.log_file = "server.log"
+server.log_to_screen = False
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# We probably want to have apache do this for us...
+#gzipFilter.on = True
+
+session_filter.on = False
+base_url_filter.on = True
+base_url_filter.use_x_forwarded_host = False
+base_url_filter.base_url = 'https://admin.fedoraproject.org'
+
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+# Periodic jobs
+jobs = ''
+
+# Query the Fedora Package Database for the list of Critical Path Packages.
+critpath.type = 'pkgdb'
+
+# FAS2
+#sqlalchemy.dburi="sqlite:///"
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+
+# Our identity that we use to fetch bugzilla details and such
+bodhi_password='<%= bodhiBugzillaPassword %>'
+bodhi_email = 'updates@fedoraproject.org'
+
+# TurboMail 3.0 settings
+mail.on = True
+mail.transport = 'smtp'
+mail.smtp.server = 'bastion'
+# The 'utf-8-qp' encoding causes problems with TurboMail 3.x
+# https://fedorahosted.org/bodhi/ticket/648
+mail.message.encoding = 'utf-8'
+
+notice_sender = 'updates@fedoraproject.org'
+security_team = 'security_respons-members@fedoraproject.org'
+release_team_address = 'bodhiadmin-members@fedoraproject.org'
+fedora_announce_list = 'package-announce@lists.fedoraproject.org'
+fedora_test_announce_list = 'test@lists.fedoraproject.org'
+fedora_epel_announce_list = 'epel-package-announce@lists.fedoraproject.org'
+fedora_epel_test_announce_list = 'epel-devel@lists.fedoraproject.org'
+
+build_dir = '/mnt/koji/packages'
+mashed_dir = '/mnt/koji/mash/updates/'
+mashed_stage_dir = '/mnt/koji/mash/updates/'
+mash_conf = '/etc/bodhi/mash.conf'
+
+comps_dir = '/var/tmp/bodhi/comps'
+
+base_address = 'https://admin.fedoraproject.org'
+#bz_server = 'https://bzprx.vip.phx.redhat.com/xmlrpc.cgi'
+bz_server = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+bz_cookie = '/var/tmp/bodhi-bz.cookie'
+bz_products = 'Fedora,Fedora EPEL,oVirt'
+
+acl_system = 'pkgdb'
+pkgdb_url = 'https://admin.fedoraproject.org/pkgdb'
+
+buildsystem = 'koji'
+client_cert = '/etc/pki/bodhi/bodhi.pem'
+clientca_cert = '/etc/pki/bodhi/fedora-upload-ca.cert'
+serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
+
+masher_lock_id = 'FEDORA-EPEL'
+
+master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_epel_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/epel/%d/%s/repodata/repomd.xml'
+
+
+[logging]
+
+[[handlers]]
+
+[[[debug_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='DEBUG'
+formatter='full_content'
+
+[[[access_out]]]
+class='TimedRotatingFileHandler'
+level='INFO'
+args="('/var/log/bodhi/access.log', 'D', 7)"
+formatter='message_only'
+
+[[[error_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='ERROR'
+formatter='full_content'
+
+
+[[loggers]]
+[[[bodhi]]]
+level='DEBUG'
+qualname='bodhi'
+handlers=['debug_out']
+propagate=0
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+propagate=0
+
+#[[[access]]]
+#level='INFO'
+#qualname='turbogears.access'
+#handlers=['debug_out']
+
+[[[turbomail]]]
+level='INFO'
+qualname='turbomail'
+handlers=['debug_out']
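Review bot: `bodhi_password='<%= bodhiBugzillaPassword %>'` is ERB syntax, which Jinja2 passes through untouched, so the deployed bodhi.cfg would carry that literal string instead of the Bugzilla secret. It should read `bodhi_password='{{ bodhiBugzillaPassword }}'`, assuming the variable keeps that name in the Ansible vars; the same line appears in bodhi-masher-jobrunner.cfg.j2. The `sqlobject.dburi` line interpolates `{{ bodhiPassword }}` straight into a URI, so a password containing `@`, `/` or `:` would change how the URI is parsed; `{{ bodhiPassword | urlencode }}` guards against that. The three `*_master_repomd` URLs use plain `http://`, which is worth a comment if repomd.xml is only compared and never trusted, or a switch to https otherwise.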
diff --git a/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2 b/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2
new file mode 100644
index 0000000000..a25e1d677e
--- /dev/null
+++ b/roles/bodhi2/backend/templates/bodhi-masher-jobrunner.cfg.j2
@@ -0,0 +1,159 @@
+[global]
+
+##
+## Bodhi Production Masher Configuration
+##
+## $Id: bodhi-prod.cfg.erb,v 1.8 2008/05/21 23:38:07 lmacken Exp $
+##
+
+# Release status
+# pre-beta enforces the 'Pre Beta' policy defined here:
+# https://fedoraproject.org/wiki/Updates_Policy
+f22.status = 'pre_beta'
+
+f22.post_beta.mandatory_days_in_testing = 7
+f22.post_beta.critpath.num_admin_approvals = 0
+f22.post_beta.critpath.min_karma = 2
+f22.post_beta.critpath.stable_after_days_without_negative_karma = 14
+
+f22.pre_beta.mandatory_days_in_testing = 3
+f22.pre_beta.critpath.num_admin_approvals = 0
+f22.pre_beta.critpath.min_karma = 1
+
+sqlobject.dburi="notrans_postgres://bodhi:{{ bodhiPassword }}@db-bodhi/bodhi"
+
+masher = None # we are the masher
+
+server.socket_port=8084
+server.environment="production"
+autoreload.on = False
+server.webpath="/updates"
+server.log_file = "server.log"
+server.log_to_screen = False
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# We probably want to have apache do this for us...
+#gzipFilter.on = True
+
+session_filter.on = False
+base_url_filter.on = True
+base_url_filter.use_x_forwarded_host = False
+base_url_filter.base_url = 'https://admin.fedoraproject.org'
+
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+# Periodic jobs
+jobs = 'nagmail cache_release_data refresh_metrics approve_testing_updates expire_buildroot_overrides clean_pending_tags'
+
+# Query the Fedora Package Database for the list of Critical Path Packages.
+critpath.type = 'pkgdb'
+
+# FAS2
+#sqlalchemy.dburi="sqlite:///"
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+
+# Our identity that we use to fetch bugzilla details and such
+bodhi_password='<%= bodhiBugzillaPassword %>'
+bodhi_email = 'updates@fedoraproject.org'
+
+# TurboMail 3.0 settings
+mail.on = True
+mail.transport = 'smtp'
+mail.smtp.server = 'bastion'
+# The 'utf-8-qp' encoding causes problems with TurboMail 3.x
+# https://fedorahosted.org/bodhi/ticket/648
+mail.message.encoding = 'utf-8'
+
+notice_sender = 'updates@fedoraproject.org'
+security_team = 'security_respons-members@fedoraproject.org'
+release_team_address = 'bodhiadmin-members@fedoraproject.org'
+fedora_announce_list = 'package-announce@lists.fedoraproject.org'
+fedora_test_announce_list = 'test@lists.fedoraproject.org'
+fedora_epel_announce_list = 'epel-package-announce@lists.fedoraproject.org'
+fedora_epel_test_announce_list = 'epel-devel@lists.fedoraproject.org'
+
+build_dir = '/mnt/koji/packages'
+mashed_dir = '/mnt/koji/mash/updates/'
+mashed_stage_dir = '/mnt/koji/mash/updates/'
+mash_conf = '/etc/bodhi/mash.conf'
+
+comps_dir = '/var/tmp/bodhi/comps'
+
+base_address = 'https://admin.fedoraproject.org'
+#bz_server = 'https://bzprx.vip.phx.redhat.com/xmlrpc.cgi'
+bz_server = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+bz_cookie = '/var/tmp/bodhi-bz.cookie'
+bz_products = 'Fedora,Fedora EPEL,oVirt'
+
+acl_system = 'pkgdb'
+pkgdb_url = 'https://admin.fedoraproject.org/pkgdb'
+
+buildsystem = 'koji'
+client_cert = '/etc/pki/bodhi/bodhi.pem'
+clientca_cert = '/etc/pki/bodhi/fedora-upload-ca.cert'
+serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
+
+masher_lock_id = 'FEDORA'
+
+master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_epel_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/epel/%d/%s/repodata/repomd.xml'
+
+arches = 'i386 x86_64'
+
+[logging]
+
+[[handlers]]
+
+[[[debug_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='DEBUG'
+formatter='full_content'
+
+[[[access_out]]]
+class='TimedRotatingFileHandler'
+level='INFO'
+args="('/var/log/bodhi/access.log', 'D', 7)"
+formatter='message_only'
+
+[[[error_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='ERROR'
+formatter='full_content'
+
+
+[[loggers]]
+[[[bodhi]]]
+level='DEBUG'
+qualname='bodhi'
+handlers=['debug_out']
+propagate=0
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+propagate=0
+
+#[[[access]]]
+#level='INFO'
+#qualname='turbogears.access'
+#handlers=['debug_out']
+
+[[[turbomail]]]
+level='INFO'
+qualname='turbomail'
+handlers=['debug_out']
+
+[[[urllib3]]]
+level='WARN'
+qualname='urllib3'
+handlers=['debug_out']
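Review bot: `bodhi_password='<%= bodhiBugzillaPassword %>'` is still an ERB tag, which Ansible's default Jinja2 delimiters do not expand, so the rendered config would carry that literal text as the Bugzilla password. The `sqlobject.dburi` line earlier in the file was already converted to `{{ bodhiPassword }}`. The line should read `bodhi_password='{{ bodhiBugzillaPassword }}'`, assuming the variable keeps that name in the private vars. The same leftover is in bodhi-masher.cfg.j2. Because the rendered file holds both the database and the Bugzilla password, the task that installs it (not visible here) should write it with a mode such as 0600.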
diff --git a/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2 b/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2
new file mode 100644
index 0000000000..5849dd62f8
--- /dev/null
+++ b/roles/bodhi2/backend/templates/bodhi-masher.cfg.j2
@@ -0,0 +1,142 @@
+[global]
+
+##
+## Bodhi Production Masher Configuration
+##
+## $Id: bodhi-prod.cfg.erb,v 1.8 2008/05/21 23:38:07 lmacken Exp $
+##
+
+sqlobject.dburi="notrans_postgres://bodhi:{{ bodhiPassword }}@db-bodhi/bodhi"
+
+masher = None # we are the masher
+
+server.socket_port=8084
+server.environment="production"
+autoreload.on = False
+server.webpath="/updates"
+server.log_file = "server.log"
+server.log_to_screen = False
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# We probably want to have apache do this for us...
+#gzipFilter.on = True
+
+session_filter.on = False
+base_url_filter.on = True
+base_url_filter.use_x_forwarded_host = False
+base_url_filter.base_url = 'https://admin.fedoraproject.org'
+
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+# Periodic jobs
+jobs = ''
+
+# Query the Fedora Package Database for the list of Critical Path Packages.
+# This pkgdb feature is currently broken in staging.
+<% if environment == "production" %>
+critpath.type = 'pkgdb'
+<% end %>
+
+# FAS2
+#sqlalchemy.dburi="sqlite:///"
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+
+# Our identity that we use to fetch bugzilla details and such
+bodhi_password='<%= bodhiBugzillaPassword %>'
+bodhi_email = 'updates@fedoraproject.org'
+
+mail.on = True
+mail.server = 'bastion'
+notice_sender = 'updates@fedoraproject.org'
+security_team = 'security_respons-members@fedoraproject.org'
+release_team_address = 'bodhiadmin-members@fedoraproject.org'
+fedora_announce_list = 'package-announce@lists.fedoraproject.org'
+fedora_test_announce_list = 'test@lists.fedoraproject.org'
+fedora_epel_announce_list = 'epel-package-announce@lists.fedoraproject.org'
+fedora_epel_test_announce_list = 'epel-devel@lists.fedoraproject.org'
+
+build_dir = '/mnt/koji/packages'
+mashed_dir = '/mnt/koji/mash/updates/'
+mashed_stage_dir = '/mnt/koji/mash/updates/'
+mash_conf = '/etc/bodhi/mash.conf'
+
+comps_dir = '/var/tmp/bodhi/comps'
+
+base_address = 'https://admin.fedoraproject.org'
+#bz_server = 'https://bzprx.vip.phx.redhat.com/xmlrpc.cgi'
+bz_server = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+bz_cookie = '/var/tmp/bodhi-bz.cookie'
+bz_products = 'Fedora,Fedora EPEL,oVirt'
+
+acl_system = 'pkgdb'
+pkgdb_url = 'https://admin.fedoraproject.org/pkgdb'
+
+buildsystem = 'koji'
+client_cert = '/etc/pki/bodhi/bodhi.pem'
+clientca_cert = '/etc/pki/bodhi/fedora-upload-ca.cert'
+serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
+
+masher_lock_id = 'FEDORA'
+
+master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/fedora/linux/updates/%d/%s/repodata/repomd.xml'
+fedora_epel_master_repomd = 'http://download01.phx2.fedoraproject.org/pub/epel/%d/%s/repodata/repomd.xml'
+
+arches = 'armhfp i386 x86_64'
+
+[logging]
+
+[[handlers]]
+
+[[[debug_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='DEBUG'
+formatter='full_content'
+
+[[[access_out]]]
+class='TimedRotatingFileHandler'
+level='INFO'
+args="('/var/log/bodhi/access.log', 'D', 7)"
+formatter='message_only'
+
+[[[error_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='ERROR'
+formatter='full_content'
+
+
+[[loggers]]
+[[[bodhi]]]
+level='DEBUG'
+qualname='bodhi'
+handlers=['debug_out']
+propagate=0
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+propagate=0
+
+#[[[access]]]
+#level='INFO'
+#qualname='turbogears.access'
+#handlers=['debug_out']
+
+[[[turbomail]]]
+level='INFO'
+qualname='turbomail'
+handlers=['debug_out']
+
+[[[urllib3]]]
+level='WARN'
+qualname='urllib3'
+handlers=['debug_out']
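Review bot: The `<% if environment == "production" %>` / `<% end %>` pair around `critpath.type = 'pkgdb'` is ERB control syntax that Jinja2 copies through verbatim, leaving two non-config lines in the rendered file and making the setting unconditional. In Jinja2 this would be `{% if env == 'production' %}` and `{% endif %}`. `env` is the name that the tasks file and owner-sync-pkgdb.j2 in this commit test, though the intended variable should be confirmed. The jobrunner template sets `critpath.type` unconditionally, so if this masher config is never rendered for staging, dropping the conditional is the simpler fix.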
diff --git a/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb b/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb
new file mode 100644
index 0000000000..c166c65c6d
--- /dev/null
+++ b/roles/bodhi2/backend/templates/bodhi-prod.cfg.erb
@@ -0,0 +1,205 @@
+[global]
+
+##
+## Bodhi Production Configuration
+##
+## $Id: bodhi-prod.cfg.erb,v 1.8 2008/05/21 23:38:07 lmacken Exp $
+##
+
+# Release status
+# pre-beta enforces the 'Pre Beta' policy defined here:
+# https://fedoraproject.org/wiki/Updates_Policy
+f22.status = 'post_beta'
+
+f22.post_beta.mandatory_days_in_testing = 7
+f22.post_beta.critpath.num_admin_approvals = 0
+f22.post_beta.critpath.min_karma = 2
+f22.post_beta.critpath.stable_after_days_without_negative_karma = 14
+
+f22.pre_beta.mandatory_days_in_testing = 3
+f22.pre_beta.critpath.num_admin_approvals = 0
+f22.pre_beta.critpath.min_karma = 1
+
+# Bodhi Defaults:
+#
+# The number of admin approvals it takes to be able to push a critical path
+# # update to stable for a pending release.
+# critpath.num_admin_approvals = 0
+#
+# # The net karma required to submit a critial path update to a pending release)
+# critpath.min_karma = 2
+#
+# # Allow critpath to submit for stable after 2 weeks with no negative karma
+# critpath.stable_after_days_without_negative_karma = 14
+
+
+## A notice to flash on the front page
+#frontpage_notice = 'Bodhi is now enforcing the Package Update Acceptance Criteria across all Fedora releases.'
+
+## A notice to flash on the New Update page
+#newupdate_notice = 'Koji is currently down for a scheduled outage. Please see status.fedoraproject.org for more information'
+
+# Query the Fedora Package Database for the list of Critical Path Packages.
+<% if environment == "production" %>
+critpath.type = 'pkgdb'
+<% else %>
+<% end %>
+
+<% if environment == "production" %>
+deployment_type = "prod"
+<% end %>
+<% if environment == "staging" %>
+deployment_type = "stg"
+<% end %>
+<% if environment == "development" %>
+deployment_type = "dev"
+<% end %>
+
+# We no longer require proventester karma for critpath approval
+# https://fedorahosted.org/bodhi/ticket/653
+critpath.num_admin_approvals = 0
+
+#f17.pre_beta.critpath.num_admin_approvals = 0
+
+query_wiki_test_cases = True
+
+sqlobject.dburi="notrans_postgres://bodhi:<%= bodhiPassword %>@db-bodhi/bodhi"
+
+masher = 'http://releng04/updates'
+
+# For the build auto-complete widget
+tg_mochikit.packed = True
+
+server.socket_port=8084
+server.environment="production"
+autoreload.on = False
+server.webpath="/updates"
+server.log_file = "server.log"
+server.log_to_screen = False
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# We probably want to have apache do this for us...
+#gzipFilter.on = True
+
+session_filter.on = False
+base_url_filter.on = True
+base_url_filter.use_x_forwarded_host = False
+<% if environment == "staging" %>
+base_url_filter.base_url = 'https://admin.stg.fedoraproject.org'
+<% else %>
+base_url_filter.base_url = 'https://admin.fedoraproject.org'
+<% end %>
+
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+# Periodic jobs
+jobs = 'cache_release_data'
+
+# FAS2
+#sqlalchemy.dburi="sqlite:///"
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+visit.cookie.httponly = True
+
+# Our identity that we use to fetch bugzilla details and such
+bodhi_password='<%= bodhiBugzillaPassword %>'
+bodhi_email = 'updates@fedoraproject.org'
+security_team = 'security_respons-members@fedoraproject.org'
+release_team_address = 'bodhiadmin-members@fedoraproject.org'
+fedora_announce_list = 'package-announce@lists.fedoraproject.org'
+fedora_test_announce_list = 'test@lists.fedoraproject.org'
+mashed_dir = '/mnt/koji/mash/updates'
+# TurboMail 3.0 settings
+<% if environment == "staging" %>
+mail.on = False
+<% else %>
+mail.on = True
+<% end %>
+mail.transport = 'smtp'
+mail.smtp.server = 'bastion'
+# The 'utf-8-qp' encoding causes problems with TurboMail 3.x
+# https://fedorahosted.org/bodhi/ticket/648
+mail.message.encoding = 'utf-8'
+notice_sender = 'updates@fedoraproject.org'
+#bz_server = 'https://bzprx.vip.phx.redhat.com/xmlrpc.cgi'
+bz_server = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+bz_cookie = '/var/tmp/bodhi-bz.cookie'
+bz_products = 'Fedora,Fedora EPEL,oVirt'
+
+build_dir = '/mnt/koji/packages'
+<% if environment == "staging" %>
+base_address = 'https://admin.stg.fedoraproject.org'
+<% else %>
+base_address = 'https://admin.fedoraproject.org'
+<% end %>
+
+acl_system = 'pkgdb'
+<% if environment == "staging" %>
+pkgdb_url = 'http://localhost/pkgdb'
+<% else %>
+pkgdb_url = 'https://admin.fedoraproject.org/pkgdb'
+<% end %>
+
+<% if environment == "staging" %>
+buildsystem = 'dev'
+<% else %>
+buildsystem = 'koji'
+<% end %>
+client_cert = '/etc/pki/bodhi/bodhi.pem'
+clientca_cert = '/etc/pki/bodhi/fedora-upload-ca.cert'
+serverca_cert = '/etc/pki/bodhi/fedora-server-ca.cert'
+
+[logging]
+
+[[handlers]]
+
+[[[debug_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='DEBUG'
+formatter='full_content'
+
+[[[access_out]]]
+class='TimedRotatingFileHandler'
+level='INFO'
+args="('/var/log/bodhi/access.log', 'D', 7)"
+formatter='message_only'
+
+[[[error_out]]]
+class='TimedRotatingFileHandler'
+args="('/var/log/bodhi/server.log', 'D', 7)"
+level='ERROR'
+formatter='full_content'
+
+[[loggers]]
+[[[bodhi]]]
+level='DEBUG'
+qualname='bodhi'
+handlers=['debug_out']
+propagate=0
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+propagate=0
+
+#[[[access]]]
+#level='INFO'
+#qualname='turbogears.access'
+#handlers=['debug_out']
+
+[[[turbomail]]]
+level='INFO'
+qualname='turbomail'
+handlers=['debug_out']
+
+[[[urllib3]]]
+level='WARN'
+qualname='urllib3'
+handlers=['debug_out']
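Review bot: `masher = 'http://releng04/updates'` sends the web application's requests to the masher over plain HTTP to a short host name, so the transport gives this hop no server authentication or integrity protection. If the masher host serves TLS, an `https://` URL with a fully qualified host name would be the safer value. If the hop is deliberately internal-only, a comment above the line saying so would record that decision. Separately, this file is an ERB template inside an Ansible role and the tasks visible in this commit do not install it, so it is worth confirming that it is meant to be carried over.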
diff --git a/roles/bodhi2/backend/templates/mash.conf b/roles/bodhi2/backend/templates/mash.conf
new file mode 100644
index 0000000000..e68d26af94
--- /dev/null
+++ b/roles/bodhi2/backend/templates/mash.conf
@@ -0,0 +1,14 @@
+[defaults]
+{% if environment == 'staging' %}
+buildhost = http://koji.stg.fedoraproject.org/kojihub
+{% else %}
+buildhost = http://koji.fedoraproject.org/kojihub
+{% endif %}
+
+symlink = False
+configdir = /etc/bodhi/
+repodir = /mnt/koji
+fork = True
+use_sqlite = True
+strict_keys = True
+max_delta_rpm_size = 1500000000
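Review bot: This template tests `environment` in `{% if environment == 'staging' %}`, while the tasks file and owner-sync-pkgdb.j2 in the same commit test `env`. If `environment` does not hold 'staging' on staging hosts, the `else` branch silently points the staging masher at the production hub `http://koji.fedoraproject.org/kojihub`. `{% if env == 'staging' %}` would match the rest of the role, assuming `env` is the intended variable. Both `buildhost` values also use plain `http://`, so it is worth checking whether the hub can be reached over `https://` instead.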
diff --git a/roles/bodhi2/backend/templates/owner-sync-pkgdb.j2 b/roles/bodhi2/backend/templates/owner-sync-pkgdb.j2
new file mode 100755
index 0000000000..cb69b49c67
--- /dev/null
+++ b/roles/bodhi2/backend/templates/owner-sync-pkgdb.j2
@@ -0,0 +1,202 @@
+#!/usr/bin/python2
+
+# cronjobs are run on releng01.stg
+# Looks like:
+# /usr/local/bin/owner-sync-pkgdb f19
+# /usr/local/bin/owner-sync-pkgdb dist-5E-epel
+# /usr/local/bin/owner-sync-pkgdb dist-6E-epel
+# /usr/local/bin/owner-sync-pkgdb epel7
+
+import sys
+import os
+import ConfigParser
+from urlparse import urljoin
+
+import requests
+
+DEBUG=False
+VERIFY=True
+{% if env == 'staging' %}
+BASEURL = os.environ.get('PACKAGEDBURL') or 'https://admin.stg.fedoraproject.org/pkgdb/'
+{% else %}
+BASEURL = os.environ.get('PACKAGEDBURL') or 'https://admin.fedoraproject.org/pkgdb/'
+{% endif %}
+if not BASEURL.endswith('/'):
+ BASEURL = BASEURL + '/'
+
+# Why do we have this? Seems insecure....
+sys.path.append('.')
+
+try:
+ import koji
+except:
+ import brew as koji
+
+extraArchList = {'kernel': ('i586', 'i686', 'noarch'),
+ 'kernel-xen-2.6': ('i586', 'i686', 'noarch'),
+ 'glibc': ('i686',),
+ 'openssl': ('i686',),
+ 'em8300-kmod': ('i586', 'i686'),
+ 'sysprof-kmod': ('i586', 'i686'),
+ }
+
+def usage():
+ print "Usage: owner-sync "
+ print " : tag to synchronize owners for"
+ sys.exit(1)
+
+def get_options():
+ # shamelessly stolen from koji CLI
+ opts = {
+{% if env == 'staging' %}
+ 'server': 'http://koji.stg.fedoraproject.org/kojihub',
+ 'weburl': 'http://koji.stg.fedoraproject.org/koji',
+{% else %}
+ 'server': 'http://koji.fedoraproject.org/kojihub',
+ 'weburl': 'http://koji.fedoraproject.org/koji',
+{% endif %}
+ 'cert': '/etc/pki/pkgdb/pkgdb.pem',
+ 'ca': '/etc/pki/pkgdb/fedora-server-ca.cert',
+ 'serverca': '/etc/pki/pkgdb/fedora-server-ca.cert'
+ }
+ for configFile in ('/etc/koji.conf', os.path.expanduser('~/.koji/config')):
+ if os.access(configFile, os.F_OK):
+ f = open(configFile)
+ config = ConfigParser.ConfigParser()
+ config.readfp(f)
+ f.close()
+ if config.has_section('koji'):
+ for name, value in config.items('koji'):
+ if opts.has_key(name):
+ opts[name] = value
+ for entry in opts.keys():
+ if entry == 'server' or entry == 'weburl':
+ pass
+ opts[entry] = os.path.expanduser(opts[entry])
+ return opts
+
+if __name__ == '__main__':
+ try:
+ tag=sys.argv[1]
+ except:
+ print "ERROR: no tag specified!\n"
+ usage()
+
+ if tag.endswith('epel') or tag.startswith('epel'):
+ if tag.startswith('epel'):
+ version = tag.split('epel')[1]
+ else:
+ version = tag.split('-')[1][:-1]
+
+ data = requests.get(urljoin(BASEURL, 'api/collections'), verify=VERIFY).json()
+ branch_names = set()
+ for collection in (c for c in data['collections'] if c['status'] != 'EOL'):
+ ### TODO: check with pingou that this is now returning the same
+ # format as the collection names in api/vcs
+ # By moving the data from gitbranchname into branchname, I think
+ # that the data will now match
+ branch_names.add(collection['branchname'])
+
+ if tag.startswith('epel'):
+ # Ex: epel7 => epel7
+ reponame = tag
+ else:
+ # Ex: dist-6E-epel => el6
+ reponame = 'el%s' % version
+ if reponame not in branch_names:
+ print 'tag %s => repo %s: does not seem to be a non-EOL branch' % (tag, reponame)
+ sys.exit(1)
+
+ # EPEL needs a separate entry in koji for each epel version
+
+ data = requests.get(urljoin(BASEURL, 'api/vcs?format=json'), verify=VERIFY).json()
+ acls = data['packageAcls']
+ pkgs = {}
+ for pkg_name in acls:
+ try:
+ owners = acls[pkg_name][reponame]
+ except KeyError:
+ # Package is not branched for this release
+ continue
+ if len(owners['commit']['people']):
+ # Arbitrarily take the first committer listed as the owner in
+ # koji
+ pkgs[pkg_name] = owners['commit']['people'][0]
+ else:
+ pkgs[pkg_name] = 'orphan'
+ pkgList = pkgs.keys()
+ BuildEPEL = True
+ arches = ["primary"]
+ else:
+ # Fedora only needs one entry per package for all Fedora releases
+ # Use the owner from bugzilla for simplicity
+ data = requests.get(urljoin(BASEURL, 'api/bugzilla?format=json'), verify=VERIFY).json()
+ acls = data['bugzillaAcls']
+ pkgList = acls['Fedora'].keys()
+ pkgs = {}
+ for pkg in acls['Fedora']:
+ owner = acls['Fedora'][pkg]['owner']
+ owner = owner.replace('group::', '').replace('@', '')
+ pkgs[pkg] = owner
+
+ #pkgs = dict(((p, acls['Fedora'][p]['owner']) for p in acls['Fedora']))
+ BuildEPEL = False
+{% if env == 'staging' %}
+ arches = ["primary"]
+{% else %}
+ arches = ["primary", "arm", "ppc", "s390"]
+{% endif %}
+ pkgList.sort()
+
+ options = get_options()
+
+ for arch in arches:
+ if arch == "primary":
+{% if env == 'staging' %}
+ session = koji.ClientSession("http://koji.stg.fedoraproject.org/kojihub")
+{% else %}
+ session = koji.ClientSession("http://koji.fedoraproject.org/kojihub")
+{% endif %}
+ else:
+ session = koji.ClientSession("http://%s.koji.fedoraproject.org/kojihub" % arch)
+ try:
+ session.ssl_login(options['cert'], options['ca'], options['serverca'])
+ except:
+ print "Unable to sync to %s hub" % arch
+ continue
+ kojitag = session.getTag(tag)
+ if kojitag is None:
+ print "ERROR: tag %s does not exist!\n" % (tag)
+ usage()
+
+ kojipkgs = {}
+ kojiusers = [user['name'] for user in session.listUsers()]
+
+ for p in session.listPackages(tagID=tag, inherited = True):
+ kojipkgs[p['package_name']] = p
+
+ for pkg in pkgList:
+ owner = pkgs[pkg]
+ if DEBUG:
+ print '[DEBUG] Package: %s, Owner: %s' % (pkg, owner)
+
+ if not owner in kojiusers:
+ # add the user first
+ if DEBUG:
+ print "Adding user %s" % owner
+ else:
+ session.createUser(owner)
+ kojiusers.append(owner)
+ if not kojipkgs.has_key(pkg):
+ if DEBUG:
+ print "Adding package %s for %s with owner %s" % (pkg, tag, owner)
+ else:
+ extraArches = None
+ if pkg in extraArchList:
+ extraArches = extraArchList[pkg]
+ session.packageListAdd(tag, pkg, owner = owner, extra_arches=extraArches)
+ elif kojipkgs[pkg]['owner_name'] != owner:
+ if DEBUG:
+ print "Setting owner for %s in %s to %s" % (pkg, tag, owner)
+ else:
+ session.packageListSetOwner(tag, pkg, owner, force = True)
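Review bot: `sys.path.append('.')` makes the module search path depend on whatever directory cron starts the script in, and the bare `except:` around `import koji` falls back to `import brew as koji` on any error. If the real module is missing or fails to import, a `koji.py` or `brew.py` in that directory would be loaded by a script that then calls `session.ssl_login` with the client certificate from `/etc/pki/pkgdb/pkgdb.pem`. The in-file comment already questions the line. I would delete `sys.path.append('.')` and narrow the handler to `except ImportError:`, so that an unexpected import failure surfaces instead of triggering the fallback.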
diff --git a/roles/bodhi2/base/tasks/main.yml b/roles/bodhi2/base/tasks/main.yml
new file mode 100644
index 0000000000..2fb12907fa
--- /dev/null
+++ b/roles/bodhi2/base/tasks/main.yml
@@ -0,0 +1,138 @@
+---
+# tasklist for setting up bodhi
+# This is the base set of files needed for bodhi
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - bodhi-server
+ tags:
+ - packages
+ - bodhi
+
+- name: setup /etc/bodhi/ directory
+ file: path=/etc/bodhi owner=root group=root mode=0755 state=directory
+ tags:
+ - config
+ - bodhi
+
+- name: setup basic /etc/bodhi/ contents
+ template: >
+ src="staging.ini.j2"
+ dest="/etc/bodhi/production.ini"
+ owner=bodhi
+ group=bodhi
+ mode=0600
+ when: inventory_hostname.startswith('bodhi0') and env == 'staging'
+ notify:
+ - restart httpd
+ tags:
+ - config
+ - bodhi
+
+- name: setup basic /etc/bodhi/ contents
+ template: >
+ src="production.ini.j2"
+ dest="/etc/bodhi/production.ini"
+ owner=bodhi
+ group=bodhi
+ mode=0600
+ when: inventory_hostname.startswith('bodhi0') and env == 'production'
+ notify:
+ - restart httpd
+ tags:
+ - config
+ - bodhi
+
+
+- name: setup basic /etc/httpd/conf.d/ bodhi contents
+ copy: >
+ src="bodhi-app.conf"
+ dest="/etc/httpd/conf.d/bodhi.conf"
+ owner=root
+ group=root
+ mode=0644
+ when: inventory_hostname.startswith('bodhi0')
+ notify:
+ - restart httpd
+ tags:
+ - config
+ - bodhi
+
+- name: setup /etc/pki/bodhi directory
+ file: path=/etc/pki/bodhi owner=root group=root mode=0755 state=directory
+ tags:
+ - config
+ - bodhi
+
+- name: install bodhi.pem file
+ copy: >
+ src="{{ puppet_private }}/bodhi_key_and_cert.pem"
+ dest="/etc/pki/bodhi/bodhi.pem"
+ owner=bodhi
+ group=bodhi
+ mode=0400
+ when: inventory_hostname.startswith('bodhi0')
+ tags:
+ - config
+ - bodhi
+
+- name: install bodhi certificates
+ copy: >
+ src="{{ puppet_private }}/fedora-ca.cert"
+ dest="/etc/pki/bodhi/{{ item }}"
+ owner=root
+ group=root
+ mode=0644
+ with_items:
+ - fedora-server-ca.cert
+ - fedora-upload-ca.cert
+ tags:
+ - config
+ - bodhi
+
+#- name: setup /var/log/bodhi directory
+# file: path=/var/log/bodhi owner=bodhi group=bodhi mode=0755 state=directory
+# when: inventory_hostname.startswith('bodhi0')
+# tags:
+# - config
+# - bodhi
+
+- name: check the selinux context of the bugzilla cookie
+ command: matchpathcon /var/tmp/bodhi-bz.cookie
+ register: cookiecontext
+ always_run: yes
+ changed_when: "1 != 1"
+ tags:
+ - config
+ - bodhi
+ - selinux
+
+- name: set the SELinux policy for the bugzilla cookie
+ command: semanage fcontext -a -t httpd_tmp_t "/var/tmp/bodhi-bz.cookie"
+ when: cookiecontext.stdout.find('httpd_tmp_t') == -1
+ tags:
+ - config
+ - bodhi
+ - selinux
+
+- name: enable httpd_tmp_exec SELinux boolean
+ seboolean: name=httpd_tmp_exec state=yes persistent=yes
+ tags:
+ - config
+ - bodhi
+ - selinux
+
+- name: enable httpd_can_network_connect_db SELinux boolean
+ seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
+ tags:
+ - config
+ - bodhi
+ - selinux
+
+- name: enable httpd_can_network_connect SELinux boolean
+ seboolean: name=httpd_can_network_connect state=yes persistent=yes
+ tags:
+ - config
+ - bodhi
+ - selinux
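Review bot: The `enable httpd_tmp_exec SELinux boolean` task relaxes SELinux so that httpd-domain processes may execute files from temporary directories, and nothing in this file says what needs it. The only tmp artefact these tasks set up is the Bugzilla cookie at `/var/tmp/bodhi-bz.cookie`, which is data rather than code. I would drop the task unless a component is known to require it, and otherwise add a comment above it naming that component. Also, `semanage fcontext -a` only records the labelling rule, so an existing cookie file keeps its old label until `restorecon /var/tmp/bodhi-bz.cookie` is run.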
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
new file mode 100644
index 0000000000..5711262a8c
--- /dev/null
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -0,0 +1,442 @@
+[app:main]
+use = egg:bodhi
+
+##
+## Messages
+##
+
+# A notice to flash on the front page
+frontpage_notice =
+
+# A notice to flash on the New Update page
+newupdate_notice =
+
+testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
+not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the Package Update Acceptance Criteria
+stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
+
+# Libravatar - If this is true libravatar will work as normal. Otherwise, all
+# libravatar links will be replaced with the string "libravatar.org" so that
+# the tests can still pass.
+libravatar_enabled = True
+# Set this to true if you want to do federated dns libravatar lookup
+libravatar_dns = False
+
+# Set this to True in order to send fedmsg messages.
+#fedmsg_enabled = True
+
+
+# Captcha - if 'captcha.secret' is not None, then it will be used for comments
+# captcha.secret must be 32 url-safe base64-encoded bytes
+# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
+captcha.secret = CHANGEME
+# Dimensions
+captcha.image_width = 300
+captcha.image_height = 80
+# Any truetype font will do.
+# This font lives in pcaro-hermit-fonts package
+captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf
+captcha.font_size = 36
+# Colors
+captcha.font_color = #000000
+captcha.background_color = #ffffff
+# In pixels
+captcha.padding = 5
+# If a captcha sits around for this many seconds, it will stop working.
+captcha.ttl = 300
+
+#datagrepper_url = http://localhost:5000
+datagrepper_url = https://apps.fedoraproject.org/datagrepper
+badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
+
+
+##
+## Wiki Test Cases
+##
+
+## Query the wiki for test cases
+query_wiki_test_cases = False
+wiki_url = https://fedoraproject.org/w/api.php
+test_case_base_url = https://fedoraproject.org/wiki/
+
+# Email domain to prepend usernames to
+default_email_domain = fedoraproject.org
+
+# domain for generated message IDs
+message_id_email_domain = admin.fedoraproject.org
+
+##
+## Mash settings
+##
+
+# If defined, the bodhi masher will ensure that messages are signed with the given cert
+#releng_fedmsg_certname = releng-releng04.phx2.fedoraproject.org
+
+# The masher is a bodhi instance that is responsible for composing the update
+# repositories, regenerating metrics, sending update notices, closing bugs,
+# and other costly operations. To set an external masher, set the masher to
+# the baseurl of the bodhi instance. If set to None, this bodhi instance
+# will act as a masher as well.
+#masher = None
+
+# Where to initially mash repositories
+mash_dir = %(here)s/masher/mash/
+
+# Where to symlink the latest repos by their tag name
+mash_stage_dir = %(here)s/masher/
+
+mash_conf = /etc/mash/mash.conf
+
+createrepo_cache_dir = /var/cache/createrepo
+
+## Our periodic jobs
+#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
+jobs = cache_release_data refresh_metrics approve_testing_updates
+
+## Comps configuration
+comps_dir = /usr/share/bodhi/
+comps_url = git://git.fedorahosted.org/comps.git
+
+##
+## Mirror settings
+##
+file_url = http://download.fedoraproject.org/pub/fedora/linux/updates
+master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml
+fedora_master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml
+fedora_epel_master_repomd = http://download.fedora.redhat.com/pub/epel/%d/i386/repodata/repomd.xml
+
+## The base url of this application
+base_address = https://admin.fedoraproject.org/updates/
+
+## Supported update types
+update_types = bugfix enhancement security newpackage
+
+## Supported architechures
+##
+## To handle arch name changes between releases, you
+## can also configure bodhi to support one arch *or*
+## another. For example, EPEL5 mashes produce 'ppc'
+## repos, where EPEL6 produces 'ppc64'. To handle this
+## scenario, you can specify something like:
+##
+## arches = ppc/ppc64
+##
+arches = i386 x86_64 armhfp
+
+##
+## Email setting
+##
+
+smtp_server = bastion
+
+# The updates system itself. This email address is used in fetching Bugzilla
+# information, as well as email notifications
+bodhi_email = updates@fedoraproject.org
+#bodhi_password =
+
+# The address that gets the requests
+release_team_address = bodhiadmin-members@fedoraproject.org
+
+# The address to notify when security updates are initially added to bodhi
+security_team = security_respons-members@fedoraproject.org
+
+# Public announcement lists
+fedora_announce_list = package-announce@lists.fedoraproject.org
+fedora_test_announce_list = test@lists.fedoraproject.org
+fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
+fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
+
+# Superuser groups
+admin_groups = proventesters security_respons bodhiadmin sysadmin-main
+
+# Users that we don't want to show up in the "leaderboard(s)"
+stats_blacklist = bodhi anonymous autoqa
+
+# A list of non-person users
+system_users = bodhi autoqa
+
+# The max length for an update title before we truncate it in the web ui
+max_update_length_for_ui = 70
+
+# The number of days used for calculating the 'top testers' metric
+top_testers_timeframe = 900
+
+# The email address of the proventesters
+proventesters_email = proventesters-members@fedoraproject.org
+
+# These are the default requirements that we apply to stacks, packages, and
+# updates. Users have free-reign to override them for each kind of entity. At
+# the end of the day, we only consider the requirements defined by single
+# updates themselves when gating in the backend masher process.
+site_requirements = depcheck upgradepath
+## Some day we'll have rpmgrill, and that will be cool. Ask tflink.
+#site_requirements = depcheck upgradepath rpmgrill
+
+# Where do we send update announcements to ?
+# These variables should be named per: Release.prefix_id.lower()_announce_list
+#fedora_announce_list =
+#fedora_test_announce_list =
+#fedora_epel_announce_list =
+#fedora_epel_test_announce_list =
+
+# Cache settings
+dogpile.cache.backend = dogpile.cache.dbm
+dogpile.cache.expiration_time = 100
+dogpile.cache.arguments.filename = /var/cache/bodhi-dogpile-cache.dbm
+
+# Exclude sending emails to these users
+exclude_mail = autoqa
+
+##
+## Buildsystem settings
+##
+
+# What buildsystem do we want to use? For development, we'll use a fake
+# buildsystem that always does what we tell it to do. For production, we'll
+# want to use 'koji'.
+buildsystem = dev
+
+# Koji's XML-RPC hub
+koji_hub = https://koji.stg.fedoraproject.org/kojihub
+
+# Root url of the Koji instance to point to. No trailing slash
+koji_url = http://koji.stg.fedoraproject.org
+
+# URL of where users should go to set up their notifications
+fmn_url = https://apps.fedoraproject.org/notifications/
+
+# URL of the resultsdb for integrating checks and stuff
+resultsdb_url = https://taskotron.fedoraproject.org/resultsdb/
+resultsdb_api_url = https://taskotron.fedoraproject.org/resultsdb_api/
+
+# Koji certs
+#client_cert =
+#clientca_cert =
+#serverca_cert =
+
+##
+## ACL system
+## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
+## or 'dummy', which will always return guest credentials (used for local
+## development).
+##
+acl_system = dummy
+
+##
+## Package DB
+##
+pkgdb_url = https://admin.fedoraproject.org/pkgdb
+
+# We used to get our package tags from pkgdb, but they come from tagger now.
+# https://github.com/fedora-infra/fedora-tagger/pull/74
+#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
+
+##
+## Bug tracker settings
+##
+#bugtracker = bugzilla
+
+initial_bug_msg = %s has been submitted as an update to %s. %s
+stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
+testing_bug_msg = \nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update %s'. You can provide feedback for this update here: %s
+
+##
+## Bugzilla settings.
+##
+
+# The username/password for our bugzilla account comes
+# from the bodhi_{email,password} fields.
+
+bz_server = https://bugzilla.redhat.com/xmlrpc.cgi
+#bz_cookie =
+
+# Bodhi will avoid touching bugs that are not against the following products
+bz_products = Fedora,Fedora EPEL
+
+buglink = https://bugzilla.redhat.com/show_bug.cgi?id=%s
+
+##
+## Packages that should suggest a reboot
+##
+reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
+
+##
+## Critical Path Packages
+## https://fedoraproject.org/wiki/Critical_path_package
+##
+
+# Enable this to query the Fedora Package Database for the list of Critical
+# Path Packages. If disabled, it'll just use the hardcoded list below.
+#critpath.type = pkgdb
+
+# You can hardcode a list of critical path packages instead of using the PackageDB
+critpath_pkgs = kernel
+
+# The number of admin approvals it takes to be able to push a critical path
+# update to stable for a pending release.
+critpath.num_admin_approvals = 0
+
+# The net karma required to submit a critial path update to a pending release)
+critpath.min_karma = 2
+
+# Allow critpath to submit for stable after 2 weeks with no negative karma
+critpath.stable_after_days_without_negative_karma = 14
+
+# The minimum amount of time an update must spend in testing before
+# it can reach the stable repository
+fedora.mandatory_days_in_testing = 7
+fedora_epel.mandatory_days_in_testing = 14
+
+##
+## Release status
+##
+
+# Pre-beta enforces the Pre Beta policy defined here:
+# https://fedoraproject.org/wiki/Updates_Policy
+#f15.status = 'pre_beta'
+#f15.pre_beta.mandatory_days_in_testing = 3
+#f15.pre_beta.critpath.num_admin_approvals = 0
+#f15.pre_beta.critpath.min_karma = 1
+
+# For test cases.
+f7.status = post_beta
+f7.post_beta.mandatory_days_in_testing = 7
+f7.post_beta.critpath.num_admin_approvals = 0
+f7.post_beta.critpath.min_karma = 2
+
+# The number of days worth of updates/comments to display
+feeds.num_days_to_show = 7
+feeds.max_entries = 20
+
+##
+## Buildroot Override
+##
+
+# Number of days before expiring overrides
+buildroot_overrides.expire_after = 1
+
+##
+## Groups
+##
+
+# FAS Groups that we want to pay attention to
+# When a user logs in, bodhi will look for any of these groups and associate #
+# them with the user. They will then appear as the users effective principals in
+# the format "group:groupname" and can be used in Pyramid ACE's.
+important_groups = proventesters provenpackager releng security_respons packager bodhiadmin
+
+# Groups that can push updates for any package
+admin_packager_groups = provenpackager releng security_respons
+
+# User must be a member of this group to submit updates
+mandatory_packager_groups = packager
+
+##
+## updateinfo.xml configuraiton
+##
+updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
+
+##
+## Authentication & Authorization
+##
+
+# pyramid.openid
+openid.success_callback = bodhi.security:remember_me
+openid.provider = https://id.fedoraproject.org/openid/
+openid_template = {username}.id.fedoraproject.org
+
+##
+## Pyramid settings
+##
+pyramid.reload_templates = true
+pyramid.debug_authorization = true
+pyramid.debug_notfound = true
+pyramid.debug_routematch = true
+pyramid.default_locale_name = en
+
+pyramid.includes =
+ pyramid_tm
+
+debugtoolbar.hosts = 127.0.0.1 ::1
+
+##
+## Database
+##
+# XXX - you should really change this to postgres
+sqlalchemy.url = sqlite:////var/cache/bodhi.db
+
+##
+## Templates
+##
+mako.directories = bodhi:templates
+
+##
+## Authentication & Sessions
+##
+
+# CHANGE THESE IN PRODUCTION!
+authtkt.secret = changethisinproduction!
+session.secret = ChangeThisSecret!!1
+authtkt.secure = false
+
+# pyramid_beaker
+session.type = file
+session.data_dir = %(here)s/data/sessions/data
+session.lock_dir = %(here)s/data/sessions/lock
+session.key = mykey
+session.cookie_on_exception = true
+cache.regions = default_term, second, short_term, long_term
+cache.type = memory
+cache.second.expire = 1
+cache.short_term.expire = 60
+cache.default_term.expire = 300
+cache.long_term.expire = 3600
+
+[server:main]
+use = egg:waitress#main
+host = 0.0.0.0
+port = 6543
+
+[pshell]
+m = bodhi.models
+db = bodhi.models.DBSession
+t = transaction
+
+# Begin logging configuration
+
+[loggers]
+keys = root, bodhi, sqlalchemy
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_bodhi]
+level = DEBUG
+handlers =
+qualname = bodhi
+
+[logger_sqlalchemy]
+level = INFO
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither. (Recommended for production systems.)
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
+
+# End logging configuration
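Review bot: The production template commits fixed placeholder secrets as literals: `authtkt.secret = changethisinproduction!`, `session.secret = ChangeThisSecret!!1` and `captcha.secret = CHANGEME`. Although the file is a `.j2` template, nothing is substituted, so a host rendered from it as-is would sign auth tickets and sessions with values anyone can read in this repository. Render them from private variables instead, e.g. `authtkt.secret = {{ PLACEHOLDER_private_authtkt_secret }}`, and set `authtkt.secure = true` (presumably the Secure flag on the auth cookie), since `base_address` is https. The hunk also keeps what look like development defaults in the production file (`pyramid.debug_authorization = true`, `acl_system = dummy`, `buildsystem = dev`, the `koji.stg` URLs), which should be confirmed before deployment. The staging.ini.j2 hunk repeats the same secret literals.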
diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2
new file mode 100644
index 0000000000..5bb27d279a
--- /dev/null
+++ b/roles/bodhi2/base/templates/staging.ini.j2
@@ -0,0 +1,442 @@
+[app:main]
+use = egg:bodhi
+
+##
+## Messages
+##
+
+# A notice to flash on the front page
+frontpage_notice =
+
+# A notice to flash on the New Update page
+newupdate_notice =
+
+testing_approval_msg = This update has reached %d days in testing and can be pushed to stable now if the maintainer wishes
+not_yet_tested_msg = This update has not yet met the minimum testing requirements defined in the Package Update Acceptance Criteria
+stablekarma_comment = This update has reached the stable karma threshold and will be pushed to the stable updates repository
+
+# Libravatar - If this is true libravatar will work as normal. Otherwise, all
+# libravatar links will be replaced with the string "libravatar.org" so that
+# the tests can still pass.
+libravatar_enabled = True
+# Set this to true if you want to do federated dns libravatar lookup
+libravatar_dns = False
+
+# Set this to True in order to send fedmsg messages.
+#fedmsg_enabled = True
+
+
+# Captcha - if 'captcha.secret' is not None, then it will be used for comments
+# captcha.secret must be 32 url-safe base64-encoded bytes
+# you can generate afresh with >>> cryptography.fernet.Fernet.generate_key()
+captcha.secret = CHANGEME
+# Dimensions
+captcha.image_width = 300
+captcha.image_height = 80
+# Any truetype font will do.
+# This font lives in pcaro-hermit-fonts package
+captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf
+captcha.font_size = 36
+# Colors
+captcha.font_color = #000000
+captcha.background_color = #ffffff
+# In pixels
+captcha.padding = 5
+# If a captcha sits around for this many seconds, it will stop working.
+captcha.ttl = 300
+
+#datagrepper_url = http://localhost:5000
+datagrepper_url = https://apps.stg.fedoraproject.org/datagrepper
+badge_ids = binary-star|both-bull-and-self-transcended-tester-viii|catching-the-bull-tester-iv|corporate-drone|corporate-overlord|corporate-shill|discovery-of-the-footprints-tester-ii|in-search-of-the-bull-tester-i|is-this-thing-on-updates-testing-i|is-this-thing-on-updates-testing-ii|is-this-thing-on-updates-testing-iii|is-this-thing-on-updates-testing-iv|it-still-works!|like-a-rock-updates-stable-i|like-a-rock-updates-stable-ii|like-a-rock-updates-stable-iii|like-a-rock-updates-stable-iv|mic-check!-updates-testing-v|missed-the-train|override,-you-say|perceiving-the-bull-tester-iii|reaching-the-source-tester-ix|return-to-society-tester-x|riding-the-bull-home-tester-vi|stop-that-update!|take-this-and-call-me-in-the-morning|taming-the-bull-tester-v|tectonic!-updates-stable-v|the-bull-transcended-tester-vii|what-goes-around-comes-around-karma-i|what-goes-around-comes-around-karma-ii|what-goes-around-comes-around-karma-iii|what-goes-around-comes-around-karma-iv|white-hat|you-can-pry-it-from-my-cold,-dead-hands
+
+
+##
+## Wiki Test Cases
+##
+
+## Query the wiki for test cases
+query_wiki_test_cases = False
+wiki_url = https://fedoraproject.org/w/api.php
+test_case_base_url = https://fedoraproject.org/wiki/
+
+# Email domain to prepend usernames to
+default_email_domain = fedoraproject.org
+
+# domain for generated message IDs
+message_id_email_domain = admin.stg.fedoraproject.org
+
+##
+## Mash settings
+##
+
+# If defined, the bodhi masher will ensure that messages are signed with the given cert
+#releng_fedmsg_certname = releng-releng04.phx2.fedoraproject.org
+
+# The masher is a bodhi instance that is responsible for composing the update
+# repositories, regenerating metrics, sending update notices, closing bugs,
+# and other costly operations. To set an external masher, set the masher to
+# the baseurl of the bodhi instance. If set to None, this bodhi instance
+# will act as a masher as well.
+#masher = None
+
+# Where to initially mash repositories
+mash_dir = %(here)s/masher/mash/
+
+# Where to symlink the latest repos by their tag name
+mash_stage_dir = %(here)s/masher/
+
+mash_conf = /etc/mash/mash.conf
+
+createrepo_cache_dir = /var/cache/createrepo
+
+## Our periodic jobs
+#jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
+jobs = cache_release_data refresh_metrics approve_testing_updates
+
+## Comps configuration
+comps_dir = /usr/share/bodhi/
+comps_url = git://git.fedorahosted.org/comps.git
+
+##
+## Mirror settings
+##
+file_url = http://download.fedoraproject.org/pub/fedora/linux/updates
+master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml
+fedora_master_repomd = http://download.fedora.redhat.com/pub/fedora/linux/updates/%d/i386/repodata/repomd.xml
+fedora_epel_master_repomd = http://download.fedora.redhat.com/pub/epel/%d/i386/repodata/repomd.xml
+
+## The base url of this application
+base_address = https://admin.stg.fedoraproject.org/updates/
+
+## Supported update types
+update_types = bugfix enhancement security newpackage
+
+## Supported architechures
+##
+## To handle arch name changes between releases, you
+## can also configure bodhi to support one arch *or*
+## another. For example, EPEL5 mashes produce 'ppc'
+## repos, where EPEL6 produces 'ppc64'. To handle this
+## scenario, you can specify something like:
+##
+## arches = ppc/ppc64
+##
+arches = i386 x86_64 armhfp
+
+##
+## Email setting
+##
+
+smtp_server = bastion
+
+# The updates system itself. This email address is used in fetching Bugzilla
+# information, as well as email notifications
+bodhi_email = updates@fedoraproject.org
+#bodhi_password =
+
+# The address that gets the requests
+release_team_address = bodhiadmin-members@fedoraproject.org
+
+# The address to notify when security updates are initially added to bodhi
+security_team = security_respons-members@fedoraproject.org
+
+# Public announcement lists
+fedora_announce_list = package-announce@lists.fedoraproject.org
+fedora_test_announce_list = test@lists.fedoraproject.org
+fedora_epel_announce_list = epel-package-announce@lists.fedoraproject.org
+fedora_epel_test_announce_list = epel-devel@lists.fedoraproject.org
+
+# Superuser groups
+admin_groups = proventesters security_respons bodhiadmin sysadmin-main
+
+# Users that we don't want to show up in the "leaderboard(s)"
+stats_blacklist = bodhi anonymous autoqa
+
+# A list of non-person users
+system_users = bodhi autoqa
+
+# The max length for an update title before we truncate it in the web ui
+max_update_length_for_ui = 70
+
+# The number of days used for calculating the 'top testers' metric
+top_testers_timeframe = 900
+
+# The email address of the proventesters
+proventesters_email = proventesters-members@fedoraproject.org
+
+# These are the default requirements that we apply to stacks, packages, and
+# updates. Users have free-reign to override them for each kind of entity. At
+# the end of the day, we only consider the requirements defined by single
+# updates themselves when gating in the backend masher process.
+site_requirements = depcheck upgradepath
+## Some day we'll have rpmgrill, and that will be cool. Ask tflink.
+#site_requirements = depcheck upgradepath rpmgrill
+
+# Where do we send update announcements to ?
+# These variables should be named per: Release.prefix_id.lower()_announce_list
+#fedora_announce_list =
+#fedora_test_announce_list =
+#fedora_epel_announce_list =
+#fedora_epel_test_announce_list =
+
+# Cache settings
+dogpile.cache.backend = dogpile.cache.dbm
+dogpile.cache.expiration_time = 100
+dogpile.cache.arguments.filename = /var/cache/bodhi-dogpile-cache.dbm
+
+# Exclude sending emails to these users
+exclude_mail = autoqa
+
+##
+## Buildsystem settings
+##
+
+# What buildsystem do we want to use? For development, we'll use a fake
+# buildsystem that always does what we tell it to do. For production, we'll
+# want to use 'koji'.
+buildsystem = dev
+
+# Koji's XML-RPC hub
+koji_hub = https://koji.stg.fedoraproject.org/kojihub
+
+# Root url of the Koji instance to point to. No trailing slash
+koji_url = http://koji.stg.fedoraproject.org
+
+# URL of where users should go to set up their notifications
+fmn_url = https://apps.stg.fedoraproject.org/notifications/
+
+# URL of the resultsdb for integrating checks and stuff
+resultsdb_url = https://taskotron.stg.fedoraproject.org/resultsdb/
+resultsdb_api_url = https://taskotron.stg.fedoraproject.org/resultsdb_api/
+
+# Koji certs
+#client_cert =
+#clientca_cert =
+#serverca_cert =
+
+##
+## ACL system
+## Choices are 'pkgdb', which will send a JSON query to the pkgdb_url below,
+## or 'dummy', which will always return guest credentials (used for local
+## development).
+##
+acl_system = dummy
+
+##
+## Package DB
+##
+pkgdb_url = https://admin.stg.fedoraproject.org/pkgdb
+
+# We used to get our package tags from pkgdb, but they come from tagger now.
+# https://github.com/fedora-infra/fedora-tagger/pull/74
+#pkgtags_url = https://apps.fedoraproject.org/tagger/api/v1/tag/sqlitebuildtags/
+
+##
+## Bug tracker settings
+##
+#bugtracker = bugzilla
+
+initial_bug_msg = %s has been submitted as an update to %s. %s
+stable_bug_msg = %s has been pushed to the %s repository. If problems still persist, please make note of it in this bug report.
+testing_bug_msg = \nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update %s'. You can provide feedback for this update here: %s
+
+##
+## Bugzilla settings.
+##
+
+# The username/password for our bugzilla account comes
+# from the bodhi_{email,password} fields.
+
+bz_server = https://partner-bugzilla.redhat.com/xmlrpc.cgi
+#bz_cookie =
+
+# Bodhi will avoid touching bugs that are not against the following products
+bz_products = Fedora,Fedora EPEL
+
+buglink = https://partner-bugzilla.redhat.com/show_bug.cgi?id=%s
+
+##
+## Packages that should suggest a reboot
+##
+reboot_pkgs = kernel kernel-smp kernel-xen-hypervisor kernel-PAE kernel-xen0 kernel-xenU kernel-xen kernel-xen-guest glibc hal dbus
+
+##
+## Critical Path Packages
+## https://fedoraproject.org/wiki/Critical_path_package
+##
+
+# Enable this to query the Fedora Package Database for the list of Critical
+# Path Packages. If disabled, it'll just use the hardcoded list below.
+#critpath.type = pkgdb
+
+# You can hardcode a list of critical path packages instead of using the PackageDB
+critpath_pkgs = kernel
+
+# The number of admin approvals it takes to be able to push a critical path
+# update to stable for a pending release.
+critpath.num_admin_approvals = 0
+
+# The net karma required to submit a critial path update to a pending release)
+critpath.min_karma = 2
+
+# Allow critpath to submit for stable after 2 weeks with no negative karma
+critpath.stable_after_days_without_negative_karma = 14
+
+# The minimum amount of time an update must spend in testing before
+# it can reach the stable repository
+fedora.mandatory_days_in_testing = 7
+fedora_epel.mandatory_days_in_testing = 14
+
+##
+## Release status
+##
+
+# Pre-beta enforces the Pre Beta policy defined here:
+# https://fedoraproject.org/wiki/Updates_Policy
+#f15.status = 'pre_beta'
+#f15.pre_beta.mandatory_days_in_testing = 3
+#f15.pre_beta.critpath.num_admin_approvals = 0
+#f15.pre_beta.critpath.min_karma = 1
+
+# For test cases.
+f7.status = post_beta
+f7.post_beta.mandatory_days_in_testing = 7
+f7.post_beta.critpath.num_admin_approvals = 0
+f7.post_beta.critpath.min_karma = 2
+
+# The number of days worth of updates/comments to display
+feeds.num_days_to_show = 7
+feeds.max_entries = 20
+
+##
+## Buildroot Override
+##
+
+# Number of days before expiring overrides
+buildroot_overrides.expire_after = 1
+
+##
+## Groups
+##
+
+# FAS Groups that we want to pay attention to
+# When a user logs in, bodhi will look for any of these groups and associate #
+# them with the user. They will then appear as the users effective principals in
+# the format "group:groupname" and can be used in Pyramid ACE's.
+important_groups = proventesters provenpackager releng security_respons packager bodhiadmin
+
+# Groups that can push updates for any package
+admin_packager_groups = provenpackager releng security_respons
+
+# User must be a member of this group to submit updates
+mandatory_packager_groups = packager
+
+##
+## updateinfo.xml configuraiton
+##
+updateinfo_rights = Copyright (C) 2015 Red Hat, Inc. and others.
+
+##
+## Authentication & Authorization
+##
+
+# pyramid.openid
+openid.success_callback = bodhi.security:remember_me
+openid.provider = https://id.stg.fedoraproject.org/openid/
+openid_template = {username}.id.fedoraproject.org
+
+##
+## Pyramid settings
+##
+pyramid.reload_templates = true
+pyramid.debug_authorization = true
+pyramid.debug_notfound = true
+pyramid.debug_routematch = true
+pyramid.default_locale_name = en
+
+pyramid.includes =
+ pyramid_tm
+
+debugtoolbar.hosts = 127.0.0.1 ::1
+
+##
+## Database
+##
+# XXX - you should really change this to postgres
+sqlalchemy.url = sqlite:////var/cache/bodhi.db
+
+##
+## Templates
+##
+mako.directories = bodhi:templates
+
+##
+## Authentication & Sessions
+##
+
+# CHANGE THESE IN PRODUCTION!
+authtkt.secret = changethisinproduction!
+session.secret = ChangeThisSecret!!1
+authtkt.secure = false
+
+# pyramid_beaker
+session.type = file
+session.data_dir = %(here)s/data/sessions/data
+session.lock_dir = %(here)s/data/sessions/lock
+session.key = mykey
+session.cookie_on_exception = true
+cache.regions = default_term, second, short_term, long_term
+cache.type = memory
+cache.second.expire = 1
+cache.short_term.expire = 60
+cache.default_term.expire = 300
+cache.long_term.expire = 3600
+
+[server:main]
+use = egg:waitress#main
+host = 0.0.0.0
+port = 6543
+
+[pshell]
+m = bodhi.models
+db = bodhi.models.DBSession
+t = transaction
+
+# Begin logging configuration
+
+[loggers]
+keys = root, bodhi, sqlalchemy
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_bodhi]
+level = DEBUG
+handlers =
+qualname = bodhi
+
+[logger_sqlalchemy]
+level = INFO
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither. (Recommended for production systems.)
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
+
+# End logging configuration
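Review bot: Several endpoints in this hunk use unauthenticated transports while their neighbours use https. `koji_url = http://koji.stg.fedoraproject.org` sits directly below an https `koji_hub` on the same host, so `koji_url = https://koji.stg.fedoraproject.org` would be consistent. `comps_url = git://git.fedorahosted.org/comps.git` and the `http://download.fedora.redhat.com/...repomd.xml` entries fetch data over channels with no integrity protection. If those values feed repository composition, which is not visible here, a tampered response would go undetected, so they should move to an authenticated scheme where the hosts offer one. The production.ini.j2 hunk has the same lines.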