diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg
index 1b6424de3c..3f98440405 100644
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@@ -1,10 +1,14 @@
 ---
-# Define resources for this group of hosts here. 
+# Define resources for this group of hosts here.
 lvm_size: 60000
 mem_size: 8192
 num_cpus: 2
 
-tcp_ports: [ 80, 443 ]
+tcp_ports: [ 80, 443, 8443]
 
 fas_client_groups: sysadmin-releng,fi-apprentice
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+osbs_api_cert: "osbs.stg.fedoraproject.org.crt"
+osbs_api_key: "osbs.stg.fedoraproject.org.key"
+
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 79b90f8e7e..91fd3dfee7 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -28,3 +28,300 @@
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
+
+- name: pre-install osbs tasks
+  hosts: osbs:osbs-stg
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/private/ansible/files/openstack/passwords.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+    - name: place htpasswd file
+      copy:
+        src: "{{private}}/files/httpd/osbs.htpasswd"
+        dest: /etc/origin/htpasswd
+
+    - name: create cert dir for openshift public facing REST API SSL
+      file:
+        path: "/etc/origin/master/named_certificates"
+        state: "directory"
+
+    - name: install cert for openshift public facing REST API SSL
+      copy:
+        src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_cert}}"
+        dest: "/etc/origin/master/named_certificates/{{osbs_api_cert}}"
+
+    - name: install key for openshift public facing REST API SSL
+      copy:
+        src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_key}}"
+        dest: "/etc/origin/master/named_certificates/{{osbs_api_key}}"
+
+- name: setup osbs
+  hosts: osbs:osbs-stg
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/private/ansible/files/openstack/passwords.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+    - osbs-atomic-reactor
+    - osbs-common
+    - osbs-install-openshift
+    - {
+        role: osbs-master,
+          osbs_master_export_port: true,
+          osbs_manage_firewalld: true,
+          osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
+          osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
+          osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_readonly_users: [],
+          osbs_readonly_groups: [],
+          osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+          osbs_readwrite_groups: [],
+          osbs_admin_users: [],
+          osbs_admin_groups: [],
+          osbs_master_max_pods: 3,
+          osbs_update_packages: false,
+          osbs_image_gc_high_threshold: 90,
+          osbs_image_gc_low_threshold: 80,
+          osbs_identity_provider: "htpasswd_provider",
+          osbs_identity_htpasswd: {
+            name: htpasswd_provider,
+            challenge: true,
+            login: true,
+            provider_file: "/etc/origin/htpasswd"
+          },
+          osbs_named_certificates: {
+            enabled: true,
+            cert_file: "named_certificates/osbs.stg.fedoraproject.org.crt",
+            key_file: "named_certificates/osbs.stg.fedoraproject.org.key",
+            names: [ "osbs.stg.fedoraproject.org" ],
+          },
+          osbs_public_api_url: "osbs.stg.fedoraproject.org",
+          when: env == "staging"
+      }
+    - {
+        role: osbs-master,
+          osbs_master_export_port: true,
+          osbs_manage_firewalld: true,
+          osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
+          osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
+          osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_readonly_users: [],
+          osbs_readonly_groups: [],
+          osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+          osbs_readwrite_groups: [],
+          osbs_admin_users: [],
+          osbs_admin_groups: [],
+          osbs_master_max_pods: 3,
+          osbs_update_packages: false,
+          osbs_image_gc_high_threshold: 90,
+          osbs_image_gc_low_threshold: 80,
+          osbs_identity_provider: "htpasswd_provider",
+          osbs_identity_htpasswd: {
+            name: htpasswd_provider,
+            challenge: true,
+            login: true,
+            provider_file: "/etc/origin/htpasswd"
+          },
+          osbs_named_certificates: {
+            enabled: true,
+            cert_file: "named_certificates/osbs.fedoraproject.org.crt",
+            key_file: "named_certificates/osbs.fedoraproject.org.key",
+            names: [ "osbs.stg.fedoraproject.org" ],
+          },
+          osbs_public_api_url: "osbs.fedoraproject.org",
+          when: env == "production"
+      }
+
+    - {
+      role: osbs-client,
+        general: {
+          verbose: 0,
+          build_json_dir: '/usr/share/osbs/',
+          openshift_required_version: 1.1.0,
+        },
+        default: {
+          username: "{{ osbs_koji_stg_username }}",
+          password: "{{ osbs_koji_stg_password }}",
+          koji_certs_secret: "koji",
+          openshift_url: 'https://osbs.stg.fedoraproject.org:8443/',
+          registry_uri: 'https://registry.stg.fedoraproject.org/v2',
+          source_registry_uri: 'https://osbs.stg.fedoraproject.org/v2',
+          build_host: 'osbs.stg.fedoraproject.org',
+          koji_root: 'http://koji.fedoraproject.org/koji',
+          koji_hub: 'http://koji.fedoraproject.org/kojihub',
+          sources_command: 'fedpkg sources',
+          build_type: 'prod',
+          authoritative_registry: 'registry.example.com',
+          vendor: 'Fedora Project',
+          verify_ssl: false,
+          use_auth: true,
+          builder_use_auth: true,
+          distribution_scope: 'private',
+          registry_api_versions: 'v2',
+          builder_openshift_url: 'https://172.17.0.1:8443/'
+        },
+      when: env == "staging"
+      }
+    - {
+      role: osbs-client,
+        general: {
+          verbose: 0,
+          build_json_dir: '/usr/share/osbs/',
+          openshift_required_version: 1.1.0,
+        },
+        default: {
+          username: "{{ osbs_koji_username }}",
+          password: "{{ osbs_koji_password }}",
+          koji_certs_secret: "koji",
+          openshift_url: 'https://osbs.fedoraproject.org:8443/',
+          registry_uri: 'https://osbs.fedoraproject.org/v2',
+          source_registry_uri: 'https://osbs.fedoraproject.org/v2',
+          build_host: 'osbs.fedoraproject.org',
+          koji_root: 'http://koji.fedoraproject.org/koji',
+          koji_hub: 'http://koji.fedoraproject.org/kojihub',
+          sources_command: 'fedpkg sources',
+          build_type: 'prod',
+          authoritative_registry: 'registry.example.com',
+          vendor: 'Fedora Project',
+          verify_ssl: false,
+          use_auth: true,
+          builder_use_auth: true,
+          distribution_scope: 'private',
+          registry_api_versions: 'v2',
+          builder_openshift_url: 'https://172.17.0.1:8443/'
+        },
+      when: env == "production"
+      }
+
+- name: post-install osbs tasks
+  hosts: osbs:osbs-stg
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/private/ansible/files/openstack/passwords.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+  vars:
+    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+    osbs_environment:
+      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+    koji_pki_dir: /etc/pki/koji
+    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
+    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
+    koji_builder_user: dockerbuilder
+    osbs_builder_user: builder
+
+
+  handlers:
+    - name: buildroot container
+      shell: atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /etc/osbs/buildroot/ buildroot
+
+    - name: oc secrets new
+      shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
+      environment: "{{ osbs_environment }}"
+      notify: oc secrets add
+
+    - name: oc secrets add
+      shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
+      environment: "{{ osbs_environment }}"
+
+
+  tasks:
+    - name: Ensure koji dockerbuilder cert path exists
+      file:
+        path: "{{ koji_pki_dir }}"
+        state: "directory"
+        mode: 0400
+
+    - name: Add koji dockerbuilder cert for Content Generator import
+      copy:
+        src: "{{private}}/files/koji/containerbuild.pem"
+        dest: "{{ koji_cert_path }}"
+      notify: oc secrets new
+
+    - name: Add koji dockerbuilder ca cert for Content Generator import
+      copy:
+        src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
+        dest: "{{ koji_ca_cert_path }}"
+      notify: oc secrets new
+
+    - name: install docker
+      action: "{{ ansible_pkg_mgr }} name=docker state=installed"
+
+    - name: ensure docker daemon cert dir exists
+      file: "{{docker_cert_dir}}"
+        path:
+        state: directory
+
+    - name: install docker client cert for registry
+      copy:
+        src: "{{private}}/files/koji/containerbuild.cert.pem"
+        dest: "{{docker_cert_dir}}/client.cert"
+
+    - name: install docker client key for registry
+      copy:
+        src: "{{private}}/files/koji/containerbuild.key.pem"
+        dest: "{{docker_cert_dir}}/client.key"
+
+    - name: start and enable docker
+      service: name=docker state=started enabled=yes
+
+    - name: create fedora image stream for OpenShift
+      shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f -"
+      environment: "{{ osbs_environment }}"
+      args:
+        creates: /etc/osbs_fedora_imagestream_created
+
+    - name: set policy for koji builder in openshift for osbs
+      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}"
+      when: env == "staging"
+
+    - name: set policy for koji builder in openshift for osbs
+      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_username }}"
+      when: env == "production"
+
+    - name: set policy for koji builder in openshift for atomic-reactor
+      shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder"
+
+    - name: make sure latest fedora image is pulled and pushed to osbs registry
+      shell: "docker pull fedora && docker tag -f fedora:latest {{docker_registry}}/fedora:latest && docker push {{docker_registry}}/fedora:latest"
+      tags:
+        - containerupdate
+
+    - name: Create buildroot container conf directory
+      file:
+        path: "/etc/osbs/buildroot/"
+        state: directory
+
+    - name: Upload Dockerfile for buildroot container
+      copy:
+        src: "{{ files }}/osbs-buildroot-Dockerfile"
+        dest: "/etc/osbs/buildroot/Dockerfile"
+        mode: 0400
+      notify:
+        - buildroot container
+
+    - name: Upload internal CA for buildroot
+      copy:
+        src: "{{private}}/{{osbs_internal_ca}}"
+        dest: "/etc/osbs/buildroot/ca.crt"
+        mode: 0400
+      notify:
+        - buildroot container
+
+    - name: clean up exited containers
+      shell: for i in $(docker ps -a | awk '/Exited/ { print $1 }') ; do docker rm $i; done
+      tags:
+        - cleanup
+
+    - name: clean up dangling images
+      shell: for i in $(docker images -q -f "dangling=true") ; do docker rmi $i; done
+      tags:
+        - cleanup
+