diff --git a/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..12f94160bf
--- /dev/null
+++ b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
@@ -0,0 +1,17 @@
+---
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 2
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.187
+vmhost: virthost02.phx2.fedoraproject.org
+datacenter: phx2
+
+tcp_ports: [ 80, 443 ]
+
+mm2_checkin: true
diff --git a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
index d0d5cdbd43..10ada80ce7 100644
--- a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
tcp_ports: [ 80, 443 ]
+mm2_checkin: false
diff --git a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
index 9289bf5da6..ba9a3a808d 100644
--- a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
tcp_ports: [ 80, 443 ]
+mm2_checkin: true
diff --git a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
index d8caa83cf5..2f99b1a9c1 100644
--- a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
tcp_ports: [ 80, 443 ]
+mm2_checkin: false
diff --git a/inventory/inventory b/inventory/inventory
index dbc90f2d5c..124bfe8f75 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -439,6 +439,7 @@ mirrorlist-phx2.stg.phx2.fedoraproject.org
[mm-frontend]
mm-frontend01.phx2.fedoraproject.org
mm-frontend02.phx2.fedoraproject.org
+mm-frontend-checkin01.phx2.fedoraproject.org
[mm-backend]
mm-backend01.phx2.fedoraproject.org
diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager.conf b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
index 06e1181de5..27c90767de 100644
--- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
@@ -13,6 +13,14 @@ WSGIPythonOptimize 1
WSGIScriptAlias /mirrormanager /var/www/mirrormanager2.wsgi
+
+{% if mm2_checkin %}
+ Require all granted
+{% else %}
+ Require all denied
+{% endif %}
+
+
WSGIProcessGroup mirrormanager
diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
index 26abf33957..4f8f90ccd1 100644
--- a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
@@ -8,20 +8,30 @@ MirrorManager2 sample configuration.
# Most important configuration items
###
-
-# url to the database server:
-DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
-
# the number of items to display on the search pages
# Default: ``50``.
ITEMS_PER_PAGE = 50
+
+{% if mm2_checkin %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_checkin_db_user }}:{{ mirrormanager_checkin_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
+# The checkin server does not use the secret key or password secret. Let's not leak it.
+SECRET_KEY = 'invalid'
+PASSWORD_SEED = 'invalid'
+
+{% else %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
# secret key used to generate unique csrf token
SECRET_KEY = '{{ mirrormanager_secret_key }}'
# Seed used to make the password harder to brute force in case of leaking
# This should be kept really secret!
PASSWORD_SEED = "{{ mirrormanager_password_seed }}"
+{% endif %}
# Make browsers send session cookie only via HTTPS
SESSION_COOKIE_SECURE=True
diff --git a/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..84e33f9dee
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
@@ -0,0 +1 @@
+ifconfig-push 192.168.100.11 192.168.100.11