diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 98a057a63b..38c5f8be5d 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -266,4 +266,6 @@ nagios_Check_Services: dhcpd: false httpd: false - +# Set variable if we want to use our global iptables defaults +# Some things need to set their own. +baseiptables: True diff --git a/inventory/group_vars/openstack-compute b/inventory/group_vars/openstack-compute index af900eeef7..0fed5183fd 100644 --- a/inventory/group_vars/openstack-compute +++ b/inventory/group_vars/openstack-compute @@ -3,3 +3,4 @@ host_group: openstack-compute nrpe_procs_warn: 1100 nrpe_procs_crit: 1200 ansible_ifcfg_blacklist: true +baseiptables: False diff --git a/inventory/group_vars/os b/inventory/group_vars/os index e837201446..53196a3e9e 100644 --- a/inventory/group_vars/os +++ b/inventory/group_vars/os @@ -1,2 +1,3 @@ --- host_group: os +baseiptables: False diff --git a/inventory/group_vars/os-stg b/inventory/group_vars/os-stg new file mode 100644 index 0000000000..53196a3e9e --- /dev/null +++ b/inventory/group_vars/os-stg @@ -0,0 +1,3 @@ +--- +host_group: os +baseiptables: False diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs index d337069253..ea03d3700e 100644 --- a/inventory/group_vars/osbs +++ b/inventory/group_vars/osbs @@ -19,3 +19,5 @@ osbs_koji_username: "kojibuilder" koji_url: "koji.fedoraproject.org" osbs_client_conf_path: /etc/osbs.conf + +baseiptables: False diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg new file mode 100644 index 0000000000..2e3e4d513d --- /dev/null +++ b/inventory/group_vars/osbs-stg @@ -0,0 +1,2 @@ +--- +baseiptables: False diff --git a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org index a72a6bb8ac..dee6f4e15b 100644 --- a/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org +++ b/inventory/host_vars/fed-cloud09.cloud.fedoraproject.org 
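Review bot: The comment added above `baseiptables: True` in inventory/group_vars/all does not say what a false value does. In roles/base/tasks/main.yml it gates the iptables and ip6tables template tasks and the tasks tagged iptables/ip6tables and service, so a host with `baseiptables: False` gets no packet-filter rules from the base role. I would state that in the comment, for example `# If false, the base role installs no iptables/ip6tables rules or services; another role must supply the host firewall.` The same file already writes booleans in lowercase (`dhcpd: false`), so `baseiptables: true` here and `false` in the group and host files would be consistent.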
@@ -8,3 +8,5 @@ ansible_ifcfg_blacklist: true nagios_Check_Services: nrpe: true sshd: true + +baseiptables: False diff --git a/inventory/inventory b/inventory/inventory index b0063c3e9d..aff5a23c35 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1330,6 +1330,16 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org +[osbs:children] +osbs-control +osbs-nodes +osbs-masters + +[osbs-stg:children] +osbs-control-stg +osbs-nodes-stg +osbs-masters-stg + [os-control-stg] os-control01.stg.phx2.fedoraproject.org @@ -1342,7 +1352,7 @@ os-master03.stg.phx2.fedoraproject.org os-node01.stg.phx2.fedoraproject.org os-node02.stg.phx2.fedoraproject.org -[os:children] +[os-stg:children] os-nodes-stg os-masters-stg os-control-stg diff --git a/master.yml b/master.yml index f1253b134b..4b433002cc 100644 --- a/master.yml +++ b/master.yml @@ -33,6 +33,7 @@ - include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml - include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml - include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml +- include: /srv/web/infra/ansible/playbooks/groups/ci.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml - include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml 
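Review bot: Renaming `[os:children]` to `[os-stg:children]` leaves no `os` group in the hunks shown here, yet this commit still edits inventory/group_vars/os to add `baseiptables: False`. If no `[os]` or `[os:children]` group is defined elsewhere in the inventory, that vars file applies to no host and the setting has no effect, so it is worth confirming a production `os` group exists or dropping the file. The new inventory/group_vars/os-stg also keeps `host_group: os`, which looks copied from the production file; anything keyed on `host_group` will then not distinguish staging from production, so confirm that is intended.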
@@ -143,11 +144,11 @@ - include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml -- include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml +- include: /srv/web/infra/ansible/playbooks/hosts/magazine2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml -#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml +#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml - include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml diff --git a/playbooks/hosts/magazine.fedorainfracloud.org.yml b/playbooks/hosts/magazine.fedorainfracloud.org.yml deleted file mode 100644 index b0d219a85f..0000000000 --- a/playbooks/hosts/magazine.fedorainfracloud.org.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- name: check/create instance - hosts: magazine.fedorainfracloud.org - gather_facts: False - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - tasks: - - include: "{{ tasks_path }}/persistent_cloud.yml" - -- name: setup all the things - hosts: magazine.fedorainfracloud.org - gather_facts: True - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - pre_tasks: - - include: "{{ tasks_path }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - hostname: name="{{inventory_hostname}}" - - tasks: - - name: add packages - yum: state=present name={{ item }} - with_items: - - httpd - - php - - php-mysql - - mariadb-server - - mariadb - - mod_ssl - - php-mcrypt - - php-mbstring - - wget - - unzip - - postfix - - - name: enable httpd service - service: name=httpd enabled=yes state=started - - - name: configure postfix for ipv4 only - raw: postconf -e inet_protocols=ipv4 - - - name: enable local postfix service - service: name=postfix enabled=yes state=started - - roles: - - nagios_client - - mariadb_server diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 052ef2efb0..8f43f13ade 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -233,7 +233,7 @@ - iptables/iptables.{{ host_group }} - iptables/iptables.{{ env }} - iptables/iptables - when: not inventory_hostname.startswith(('fed-cloud','osbs')) + when: baseiptables is true notify: - restart iptables - reload libvirtd @@ -248,6 +248,7 @@ - iptables - service - base + when: baseiptables is true - name: ip6tables template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes 
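Review bot: `when: baseiptables is true` on the iptables template task is a strict test, so any value other than the boolean true (a quoted `"True"`, or a string passed with `-e baseiptables=true`) makes the condition false and the ruleset is skipped without any error. For a firewall gate that is the wrong direction to fail; `when: baseiptables | bool` accepts the usual truthy spellings and still skips on an explicit false. The same line is added to the task tagged iptables/service in the next hunk and to both ip6tables hunks. Separately, the old test skipped every host whose name starts with `fed-cloud` or `osbs`, while the new one skips only hosts whose group or host vars set the variable, so any such host outside those groups will now have /etc/sysconfig/iptables replaced by the base template; that should be checked against the inventory. The task begins above the hunk.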
@@ -257,7 +258,7 @@ - iptables/ip6tables.{{ host_group }} - iptables/ip6tables.{{ env }} - iptables/ip6tables - when: not inventory_hostname.startswith('fed-cloud09') + when: baseiptables is true notify: - restart ip6tables - reload libvirtd @@ -272,6 +273,7 @@ - ip6tables - service - base + when: baseiptables is true - name: enable journald persistence file: path=/var/log/journal state=directory
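Review bot: The ip6tables condition used to exclude only hosts named `fed-cloud09*`, so hosts in the osbs, os and openstack-compute groups previously received the base /etc/sysconfig/ip6tables. With `when: baseiptables is true` they no longer do, and the task tagged ip6tables/service in the last hunk is skipped for them as well. Nothing in this diff shows a replacement IPv6 ruleset for those groups, so unless the role that takes over their IPv4 rules also writes ip6tables, IPv6 filtering on them becomes unmanaged. If only the IPv4 rules need to be handed off, a separate switch (for example `baseip6tables`, name is a suggestion) defaulting to true in inventory/group_vars/all would keep the previous IPv6 behaviour.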