diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
new file mode 100644
index 0000000000..625f87b904
--- /dev/null
+++ b/inventory/group_vars/pkgs
@@ -0,0 +1,45 @@
+---
+# TODO: Define resources for this group of hosts here?
+
+tcp_ports: [80, 443, 9418,
+    # These 16 ports are used by fedmsg.  One for each wsgi thread.
+    3000, 3001, 3002, 3003, 3004, 3005, 3006, 3007,
+    3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015]
+
+fas_client_groups: sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
+fas_client_restricted_app: /usr/bin/gl-auth-command
+fas_client_admin_app: /usr/bin/gl-auth-command -s
+fas_client_ssh_groups = @cvs,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc
+
+git_group: packager
+git_port: 9418
+git_server: /usr/libexec/git-core/git-daemon
+git_server_args: --export-all --syslog --inetd --verbose
+git_basepath: /srv/git/rpms
+
+clamscan_mailto: admin@fedoraproject.org
+clamscan_paths:
+- /srv/cache/lookaside/pkgs
+clamscan_excludes:
+- clamav-
+- amavisd-new-2.3.3.tar.gz
+- bro-20080804.tgz
+- mailman-
+- sagator-
+- nicotine
+- fwsnort-1.0.6.tar.gz
+- psad-2.1.7.tar.bz2
+- pymilter-
+- linkchecker-
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: sysadmin
+- service:scm
+  owner: root
+  group: packager
+- service: lookaside
+  owner: root
+  group: apache
diff --git a/inventory/host_vars/pkgs01.phx2.fedoraproject.org b/inventory/host_vars/pkgs01.phx2.fedoraproject.org
index fbc0826155..be260f621c 100644
--- a/inventory/host_vars/pkgs01.phx2.fedoraproject.org
+++ b/inventory/host_vars/pkgs01.phx2.fedoraproject.org
@@ -1,2 +1,5 @@
 ---
 host_backup_targets: ['/srv']
+
+nm: 255.255.255.0
+eth1_ip: 10.5.127.67
diff --git a/inventory/host_vars/pkgs01.stg.phx2.fedoraproject.org b/inventory/host_vars/pkgs01.stg.phx2.fedoraproject.org
new file mode 100644
index 0000000000..ea61164474
--- /dev/null
+++ b/inventory/host_vars/pkgs01.stg.phx2.fedoraproject.org
@@ -0,0 +1,3 @@
+---
+nm: 255.255.255.0
+eth0_ip: 10.5.126.83
diff --git a/playbooks/groups/pkgs.yml b/playbooks/groups/pkgs.yml
new file mode 100644
index 0000000000..35bf7f6eeb
--- /dev/null
+++ b/playbooks/groups/pkgs.yml
@@ -0,0 +1,56 @@
+- name: make pkgs
+  hosts: pkgs:pkgs-stg
+  user: root
+  gather_facts: False
+
+  vars_files:
+  - /srv/web/infra/ansible/vars/global.yml
+  - "{{ private }}/vars.yml"
+  - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - include: "{{ tasks }}/virt_instance_create.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+  hosts: pkgs:pkgs-stg
+  user: root
+  gather_facts: True
+  accelerate: "{{ accelerated }}"
+
+  vars_files:
+  - /srv/web/infra/ansible/vars/global.yml
+  - "{{ private }}/vars.yml"
+  - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - base
+  - rkhunter
+  - denyhosts
+  - nagios_client
+  - fas_client
+  - collectd/base
+  - fedmsg/base
+  - fedmsg/hub
+  - sudo
+  - git/hooks
+  - git/make_checkout_seed
+  - git/server
+  - gitolite/base
+  - gitolite/check_fedmsg_hooks
+  - cgit/base
+  - cgit/clean_lock_cron
+  - cgit/make_pkgs_list
+  - clamav
+  - distgit
+
+  tasks:
+  - include: "{{ tasks }}/yumrepos.yml"
+  - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/apache.yml"
+  - include: "{{ tasks }}/drbackupkey.yml"
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/base/files/ssh/sshd_config.pkgs b/roles/base/files/ssh/sshd_config.pkgs
new file mode 100644
index 0000000000..7fddcd6ffd
--- /dev/null
+++ b/roles/base/files/ssh/sshd_config.pkgs
@@ -0,0 +1,121 @@
+#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+#Port 22
+#Protocol 2,1
+Protocol 2
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin without-password
+StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication mechanism. 
+# Depending on your PAM configuration, this may bypass the setting of 
+# PasswordAuthentication, PermitEmptyPasswords, and 
+# "PermitRootLogin without-password". If you just want the PAM account and 
+# session checks to run without PAM authentication, then enable this but set 
+# ChallengeResponseAuthentication=no
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+AllowTcpForwarding no
+
+
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+PermitTunnel no
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server