diff --git a/inventory/host_vars/aarch64-hub01.qa.fedoraproject.org b/inventory/host_vars/aarch64-hub01.qa.fedoraproject.org
index 7aaf2cf3a3..86e642b2ae 100644
--- a/inventory/host_vars/aarch64-hub01.qa.fedoraproject.org
+++ b/inventory/host_vars/aarch64-hub01.qa.fedoraproject.org
@@ -8,3 +8,4 @@ volgroup: /dev/VirtGuests
 eth0_ip: 10.5.124.149
 vmhost: virthost-comm02.qa.fedoraproject.org
 datacenter: phx2
+host_group: aarch64
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index 88f48ed8d9..ba64a16d74 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -41,6 +41,7 @@
 - /srv/web/infra/ansible/roles/base
 tasks:
+ - include: $tasks/hosts.yml
 - include: $tasks/koji/builder_kernel_config.yml
 handlers:
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index c8b34b9693..a647f05a6e 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -36,6 +36,7 @@
 - /srv/web/infra/ansible/roles/denyhosts
 - /srv/web/infra/ansible/roles/nagios_client
 - /srv/web/infra/ansible/roles/fas_client
+ - /srv/web/infra/ansible/roles/koji_hub
 tasks:
 - include: $tasks/hosts.yml
@@ -44,7 +45,6 @@
 - include: $tasks/motd.yml
 - include: $tasks/sudo.yml
 - include: $tasks/collectd/client.yml
- - include: $tasks/koji/koji_hub.yml
 handlers:
 - include: $handlers/restart_services.yml
diff --git a/roles/koji_hub/files/openssl.cnf.aarch64 b/roles/koji_hub/files/openssl.cnf.aarch64
new file mode 100644
index 0000000000..b0d716e357
--- /dev/null
+++ b/roles/koji_hub/files/openssl.cnf.aarch64
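Review bot: Adding `/srv/web/infra/ansible/roles/koji_hub` to the roles list of the `koji-hub` play applies the new role to every host in that play, but the role's `tasks/main.yml` introduced in this same commit hard-codes `CN=aarch64.koji.fedoraproject.org` for the CA subject and `hosts: db-aarch64.qa.fedoraproject.org` for the database step, so any non-aarch64 hub in the group would be given an aarch64-named CA. The role's `openssl.cnf.{{ host_group }}` lookup also depends on `host_group`, which this commit only defines for `aarch64-hub01` in `inventory/host_vars`; hosts without it presumably fall through to `openssl.cnf.{{ dist_tag }}`, which the role does not ship. I would move the CA subject and database host into group or host variables before the role is shared across the play. The two hunks otherwise only relocate the former `$tasks/koji/koji_hub.yml` include, which is fine.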
@@ -0,0 +1,74 @@
+HOME = .
+RANDFILE = .rand
+
+[ca]
+default_ca = ca_default
+
+[ca_default]
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+certificate = $dir/%s_ca_cert.pem
+private_key = $dir/private/%s_ca_key.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+x509_extensions = usr_cert
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+default_crl_days = 30
+default_md = md5
+preserve = no
+policy = policy_match
+
+[policy_match]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[req]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+string_mask = MASK:0x2002
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Vienna
+localityName = Locality Name (eg, city)
+localityName_default = Vienna
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = My company
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+
+[req_attributes]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[usr_cert]
+basicConstraints = CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
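Review bot: `default_md = md5` in `[ca_default]` and `default_bits = 1024` in `[req]` mean every certificate signed through this CA config gets an MD5 signature and a 1024-bit default key; MD5 signatures are collision-broken and rejected by current OpenSSL and TLS clients, so change them to `default_md = sha256` and `default_bits = 2048`. The `certificate = $dir/%s_ca_cert.pem` and `private_key = $dir/private/%s_ca_key.pem` entries still contain a literal `%s` placeholder, the role installs this file with `copy:` rather than `template:`, and the key it actually generates is `private/koji_ca_cert.key` with the serial written to `serial.txt` rather than `$dir/serial`, so `openssl ca` would look for files that do not exist; set `certificate = $dir/koji_ca_cert.crt`, `private_key = $dir/private/koji_ca_cert.key` and `serial = $dir/serial.txt` (or template the names). Since `dir = .`, the `ca` subcommand also only works when run from `/etc/pki/koji`, which is worth a comment at the top of the file. If no intermediate CAs are planned, `basicConstraints = critical,CA:true,pathlen:0` in `[v3_ca]` would additionally stop anything issued under this CA from being accepted as an issuer itself.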
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
new file mode 100644
index 0000000000..7af6dd0dfb
--- /dev/null
+++ b/roles/koji_hub/tasks/main.yml
@@ -0,0 +1,99 @@
+---
+#
+# Setup koji hub server.
+#
+- name: install koji hub server packages
+ yum: name=$item state=installed
+ with_items:
+ - koji-hub
+ - koji-web
+ - koji-utils
+ - mod_ssl
+ - mod_wsgi
+ - git
+ - gnupg2
+ tags:
+ - packages
+
+- name: make koji pki directory
+ file: state=directory path=/etc/pki/koji/ owner=root group=root
+
+- name: make koji pki subdirectories
+ file: state=directory path=/etc/pki/koji/{{ item }} owner=root group=root
+ with_items:
+ - certs
+ - private
+ - confs
+
+- name: setup ssl config for koji
+ copy: src={{ item }} dest=/etc/pki/koji/openssl.cnf mode=600
+ first_available_file:
+ - openssl.cnf.{{ ansible_fqdn }}
+ - openssl.cnf.{{ host_group }}
+ - openssl.cnf.{{ dist_tag }}
+ tags:
+ - config
+
+- name: create index.txt
+ file: name=/etc/pki/koji/index.txt
+ tags:
+ - config
+
+- name: init serial file
+ shell: "echo 01 > /etc/pki/koji/serial.txt" creates=/etc/pki/koji/serial.txt
+ tags:
+ - config
+
+- name: init koji ca key file
+ shell: "openssl genrsa -out /etc/pki/koji/private/koji_ca_cert.key 2048" creates=/etc/pki/koji/private/koji_ca_cert.key
+ tags:
+ - config
+
+- name: init koji ca cert file
+ shell: "openssl req -config /etc/pki/koji/ssl.cnf -new -x509 -subj "/C=US/ST=Arizona/L=Phoenix/O=IT/CN=aarch64.koji.fedoraproject.org" -days 3650 -key /etc/pki/koji/private/koji_ca_cert.key -out /etc/pki/koji/koji_ca_cert.crt -extensions v3_ca" creates=/etc/pki/koji/koji_ca_cert.crt
+ tags:
+ - config
+
+# setup certs needed here for kojiweb/hub
+
+# Database setup
+- name: setup the database
+ hosts: db-aarch64.qa.fedoraproject.org
+ gather_facts: no
+ sudo: yes
+ sudo_user: postgres
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - ${private}/vars.yml
+ - ${vars}/${ansible_distribution}.yml
+
+ tasks:
+
+ - name: databases creation
+ postgresql_db: name=koji owner=koji encoding=UTF-8
+
+ - name: koji db user
+ postgresql_user: name=koji password=$kojidatabasepassword
+ tags:
+ - db
+
+ - name: load initial schema
+ shell: "psql koji koji < /usr/share/doc/koji*/docs/schema.sql" creates=/var/lib/pgql/koji-schema
+ tags:
+ - db
+
+# Todo here
+# httpd ssl.conf changes
+# koji hub.conf template
+# create skeleton /mnt/koji dirs
+# selinux config:
+# httpd_can_network_connect_db=1 allow_httpd_anon_write=1
+# chcon -R -t public_content_rw_t /mnt/koji/*
+
+- name: Set httpd to run on boot
+ service: name=httpd enabled=yes
+ ignore_errors: true
+ notify:
+ - restart httpd
+ tags:
+ - service
diff --git a/tasks/koji/koji_hub.yml b/tasks/koji/koji_hub.yml
deleted file mode 100644
index ee42b2c794..0000000000
--- a/tasks/koji/koji_hub.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-#
-# Setup koji hub server.
-#
-- name: install koji hub server packages
- yum: name=$item state=installed
- with_items:
- - koji-hub
- - koji-web
- - koji-utils
- - mod_ssl
- - git
- - gnupg2
- tags:
- - packages
-
-- name: Set httpd to run on boot
- service: name=httpd enabled=yes
- ignore_errors: true
- notify:
- - restart httpd
- tags:
- - service
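Review bot: The `init koji ca cert file` task cannot run as written: its `shell:` value nests unescaped double quotes around the `-subj` argument, which is a YAML parse error, and it passes `-config /etc/pki/koji/ssl.cnf` although the `setup ssl config for koji` task installs the file as `/etc/pki/koji/openssl.cnf`. The CA private key is generated by `openssl genrsa` under whatever umask the remote shell inherits, into a `private` directory created with default permissions, so it can end up group- or world-readable; create `private` with `mode=0700` and run `genrsa` under `umask 077` as in the rewritten tasks below. The `setup the database` entry carries `hosts:`, `sudo_user:` and `vars_files:`, i.e. it is a play, which Ansible does not accept inside a role's `tasks/main.yml`, and its `creates=/var/lib/pgql/koji-schema` guard names a path nothing here creates, so the schema import would re-run on every play. `CN=aarch64.koji.fedoraproject.org` and `hosts: db-aarch64.qa.fedoraproject.org` are hard-coded even though the role is attached to the whole `koji-hub` play, so they presumably belong in host or group variables. `file: name=/etc/pki/koji/index.txt` also lacks `state=touch`, so on a fresh host the file module reports the missing file instead of creating it.
```yaml
- name: make koji pki subdirectories
  file: state=directory path=/etc/pki/koji/{{ item.name }} owner=root group=root mode={{ item.mode }}
  with_items:
    - { name: certs, mode: "0755" }
    - { name: private, mode: "0700" }
    - { name: confs, mode: "0755" }

# … unchanged: openssl.cnf copy, serial file …

- name: create index.txt
  file: path=/etc/pki/koji/index.txt state=touch owner=root group=root mode=0644
  tags:
    - config

- name: init koji ca key file
  shell: "umask 077 && openssl genrsa -out /etc/pki/koji/private/koji_ca_cert.key 2048" creates=/etc/pki/koji/private/koji_ca_cert.key
  tags:
    - config

- name: init koji ca cert file
  shell: "openssl req -config /etc/pki/koji/openssl.cnf -new -x509 -subj '/C=US/ST=Arizona/L=Phoenix/O=IT/CN=aarch64.koji.fedoraproject.org' -days 3650 -key /etc/pki/koji/private/koji_ca_cert.key -out /etc/pki/koji/koji_ca_cert.crt -extensions v3_ca" creates=/etc/pki/koji/koji_ca_cert.crt
  tags:
    - config

# … unchanged: database setup (must move to a play in playbooks/, not a role task file) and httpd service …
```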