diff --git a/inventory/group_vars/bastion_stg b/inventory/group_vars/bastion_stg
new file mode 100644
index 0000000000..00175852ee
--- /dev/null
+++ b/inventory/group_vars/bastion_stg
@@ -0,0 +1,48 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 20000
+mem_size: 3192
+num_cpus: 2
+
+tcp_ports: [ 22 ]
+
+#
+# drop incoming traffic from less trusted vpn hosts
+# allow ntp from internal phx2 10 nets
+#
+custom_rules: [
+ '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
+ '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT',
+]
+#
+# allow a bunch of sysadmin groups here so they can access internal stuff
+
+# TODO - remove modularity-wg membership here once it is not longer needed:
+# https://fedorahosted.org/fedora-infrastructure/ticket/5363
+fas_client_groups: sysadmin-ask,sysadmin-atomic,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel,sysadmin-upstreamfirst,sysadmin-releasemonitoring,sysadmin-gnome,sysadmin-copr,sysadmin-coreos,sysadmin-dbgserver,sysadmin-osbs,sysadmin-odcs
+
+# Disable mail stuff in stg
+fas_aliases: false
+
+#
+# Sometimes there are lots of postfix processes
+#
+nrpe_procs_warn: 1100
+nrpe_procs_crit: 1200
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+csi_security_category: High
+csi_primary_contact: sysadmin-main admin@fedoraproject.org
+csi_purpose: SSH proxy to access STAGING infrastructure not exposed to the web
+csi_relationship: |
+ - Provides ssh access to all phx2/vpn connected servers.
+ - Bastion is the hub for all infrastructure's VPN connections.
+ - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here.
+ - Bastion does not accept any mail outside phx2/vpn.
+ +nagios_Check_Services: + nrpe: true + mail: false diff --git a/inventory/host_vars/bastion01.stg.phx2.fedoraproject.org b/inventory/host_vars/bastion01.stg.phx2.fedoraproject.org new file mode 100644 index 0000000000..10eccdefb2 --- /dev/null +++ b/inventory/host_vars/bastion01.stg.phx2.fedoraproject.org @@ -0,0 +1,13 @@ +--- +nm: 255.255.255.0 +gw: 10.5.128.254 +dns: 10.5.126.21 + +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-8 +ks_repo: http://10.5.126.23/repo/rhel/RHEL8-x86_64/ + +volgroup: /dev/vg_virthost16 +eth0_ip: 10.5.128.22 +vmhost: virthost05.stg.phx2.fedoraproject.org +datacenter: phx2 +tcp_ports: [22] diff --git a/inventory/inventory b/inventory/inventory index b43053a250..79959776ca 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -95,6 +95,9 @@ bastion02.phx2.fedoraproject.org bastion-comm01.qa.fedoraproject.org bastion13.fedoraproject.org +[bastion_stg] +bastion01.stg.phx2.fedoraproject.org + [blockerbugs] blockerbugs01.phx2.fedoraproject.org blockerbugs02.phx2.fedoraproject.org @@ -700,6 +703,7 @@ autosign01.stg.phx2.fedoraproject.org badges-backend01.stg.phx2.fedoraproject.org badges-web01.stg.phx2.fedoraproject.org basset01.stg.phx2.fedoraproject.org +bastion01.stg.phx2.fedoraproject.org beaker-stg01.qa.fedoraproject.org blockerbugs01.stg.phx2.fedoraproject.org bodhi-backend01.stg.phx2.fedoraproject.org @@ -1424,9 +1428,6 @@ wiki02.phx2.fedoraproject.org copr-fe.cloud.fedoraproject.org retrace01.qa.fedoraproject.org -#[rhel8beta] -#el8betatest01.stg.phx2.fedoraproject.org - [nfs_servers] storinator01.fedorainfracloud.org diff --git a/playbooks/groups/bastion_stg.yml b/playbooks/groups/bastion_stg.yml new file mode 100644 index 0000000000..4d6acd0210 --- /dev/null +++ b/playbooks/groups/bastion_stg.yml 
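Review bot: `192.168.100/24` in the first `custom_rules` entry is not a dotted-quad address, so iptables has to resolve the shortened form and the resulting network may not be the 192.168.100.0/24 that the comment ("drop incoming traffic from less trusted vpn hosts") implies, leaving that traffic unfiltered on the staging bastion. Write the network out explicitly: `'-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited',`. If this block was copied from the production bastion group_vars, the same correction presumably applies there too.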
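Review bot: `tcp_ports: [22]` in the new host_vars file duplicates `tcp_ports: [ 22 ]` already set in inventory/group_vars/bastion_stg by this same commit; because host_vars take precedence over group_vars, any later change to the group's port list would be silently ignored for bastion01.stg. Drop the host-level line unless this host genuinely needs a port set different from its group.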
@@ -0,0 +1,34 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=bastion_stg"
+
+- name: make the boxen be real for real
+ hosts: bastion_stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ #- rkhunter
+ #- nagios_client
+ - hosts
+ #- fas_client
+ - sudo
+ #- collectd/base
+ #- { role: openvpn/server, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
+ #- { role: openvpn/client, when: inventory_hostname.startswith('bastion13') }
+ #- { role: packager_alias, when: not inventory_hostname.startswith('bastion-comm01') or inventory_hostname.startswith('bastion13') }
+ #- opendkim
+
+ pre_tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
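Review bot: The roles list leaves rkhunter, nagios_client, fas_client, collectd/base, the openvpn roles, packager_alias and opendkim commented out with no explanation, while the group_vars added in this same commit set `fas_client_groups` and `nagios_Check_Services`, which only take effect when fas_client and nagios_client actually run; a reader cannot tell whether this is deliberate bring-up scaffolding or an oversight that leaves the staging bastion without its access-control and monitoring roles. Add a comment above the list stating the intent, e.g. `# TODO: remaining roles disabled for initial staging bring-up; re-enable (keeping the openvpn/packager_alias when-conditions) before this host is used as a real bastion`. Separately, `gather_facts: True` should be the canonical lowercase `gather_facts: true`, and the file has no `---` document-start marker, which the repo's other playbooks presumably carry.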