diff --git a/inventory/group_vars/sundries b/inventory/group_vars/sundries
index 556898d3fb..d511388d57 100644
--- a/inventory/group_vars/sundries
+++ b/inventory/group_vars/sundries
@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
 master_sundries_node: False
 # A host group for rsync config
-host_group: sundries
+rsync_group: sundries
diff --git a/inventory/group_vars/sundries-stg b/inventory/group_vars/sundries-stg
index 556898d3fb..d511388d57 100644
--- a/inventory/group_vars/sundries-stg
+++ b/inventory/group_vars/sundries-stg
@@ -14,4 +14,4 @@ fas_client_groups: sysadmin-noc,fi-apprentice
 master_sundries_node: False
 # A host group for rsync config
-host_group: sundries
+rsync_group: sundries
diff --git a/inventory/inventory b/inventory/inventory
index d0e462c884..57baee16de 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -219,7 +219,7 @@ download02.phx2.fedoraproject.org
 download03.phx2.fedoraproject.org
 download04.phx2.fedoraproject.org
 download05.phx2.fedoraproject.org
-download06.phx2.fedoraproject.org
+#download06.phx2.fedoraproject.org
 download07.phx2.fedoraproject.org
 download08.phx2.fedoraproject.org
 download09.phx2.fedoraproject.org
diff --git a/playbooks/groups/sundries.yml b/playbooks/groups/sundries.yml
index bdbb6970ff..8ece5d631d 100644
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@@ -47,6 +47,7 @@
 - role: fedora_owner_change
 when: master_sundries_node
 - rsyncd
+ - mirrormanager/frontend
 tasks:
 - include: "{{ tasks }}/hosts.yml"
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 746520ac8a..35b7fd8ffc 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
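Review bot: Replacing `host_group: sundries` with `rsync_group: sundries` (here and in the identical sundries-stg hunk) removes the definition of host_group these group_vars files provided, yet roles/rsyncd/tasks/main.yml in this same commit still lists `rsyncd.conf.{{ host_group }}` and `rsync.{{ host_group }}` next to the new rsync_group candidates in what looks like a with_first_found list (the loop keyword sits above that hunk). Depending on the Ansible version, an undefined variable in such a candidate either aborts the task or silently skips that entry, so sundries hosts may fail to configure rsync or quietly fall back to rsyncd.conf.default. Either keep `host_group: sundries` here until the old lookup is dropped, or make the old lookup tolerant, e.g. `- rsyncd.conf.{{ host_group | default('none') }}`. If host_group is still defined for sundries somewhere not in this diff, a comment here saying so would save the next reader the same question.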
@@ -36,13 +36,13 @@
 command: semanage fcontext -a -t httpd_sys_content_t "/srv/pub(/.*)?"
 - name: Copy wildcard cert from puppet private
- copy: src="{{puppet_private}}/httpd/wildcard-2014.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert owner=root group=root mode=0600
+ copy: src="{{puppet_private}}/httpd/wildcard-2014.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert owner=root group=root mode=0644
 - name: Copy wildcard key from puppet private
 copy: src="{{puppet_private}}/httpd/wildcard-2014.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key owner=root group=root mode=0600
 - name: Copy intermediate wildcard cert from puppet private
- copy: src="{{puppet_private}}/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0600
+ copy: src="{{puppet_private}}/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 - name: Configure httpd dl main conf
 copy: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
diff --git a/roles/easyfix/tasks/main.yml b/roles/easyfix/tasks/main.yml
index 12c9ff90fc..ec79a6f41c 100644
--- a/roles/easyfix/tasks/main.yml
+++ b/roles/easyfix/tasks/main.yml
@@ -57,6 +57,6 @@
 - name: Install the easyfix cronjob
 copy: >
 src=easyfix.cron dest=/etc/cron.d/easyfix.cron
- owner=root group=root mode=0755
+ owner=root group=root mode=0644
 tags:
 - files
diff --git a/roles/fedmsg/base/templates/endpoints.py.j2 b/roles/fedmsg/base/templates/endpoints.py.j2
index 4c85c13ada..6fffebe29b 100644
--- a/roles/fedmsg/base/templates/endpoints.py.j2
+++ b/roles/fedmsg/base/templates/endpoints.py.j2
@@ -98,9 +98,6 @@ config = dict(
 for i in range(32)
 ],
 {% endif %}
- "busmon_consumers.busgateway01": [
- "tcp://busgateway01.%s:3000" % suffix,
- ],
 {% if env != 'staging' %}
 "supybot.value03": [
 "tcp://value03.%s:3000" % suffix,
diff --git a/roles/fedmsg/base/templates/ssl.py.j2 b/roles/fedmsg/base/templates/ssl.py.j2
index 26823d5c16..0952ee11d6 100644
--- a/roles/fedmsg/base/templates/ssl.py.j2
+++ b/roles/fedmsg/base/templates/ssl.py.j2
@@ -86,7 +86,6 @@ config = dict(
 ("ftpsync.relepel01", "ftpsync-relepel01.%s" % suffix),
 ("ftpsync.releng04", "ftpsync-releng04.%s" % suffix),
 ] + [
- ("busmon_consumers.busgateway01", "busmon-busgateway01.%s" % suffix),
 ("shell.busgateway01", "shell-busgateway01.%s" % suffix),
 ] + [
 ("shell.value01", "shell-value01.%s" % suffix),
diff --git a/roles/fedora_owner_change/tasks/main.yml b/roles/fedora_owner_change/tasks/main.yml
index 822bd4029e..c5d06a8627 100644
--- a/roles/fedora_owner_change/tasks/main.yml
+++ b/roles/fedora_owner_change/tasks/main.yml
@@ -23,6 +23,6 @@
 - name: Install the fedora-owner-change cronjob
 copy: >
 src=fedora-owner-change.cron dest=/etc/cron.d/fedora-owner-change.cron
- owner=root group=root mode=0755
+ owner=root group=root mode=0644
 tags:
 - files
diff --git a/roles/mirrormanager/frontend/files/mirrormanager-app.conf b/roles/mirrormanager/frontend/files/mirrormanager-app.conf
new file mode 100644
index 0000000000..9aa2c2c1e0
--- /dev/null
+++ b/roles/mirrormanager/frontend/files/mirrormanager-app.conf
@@ -0,0 +1,35 @@
+Alias /mirrormanager/static /usr/share/mirrormanager/server/mirrormanager/static
+Alias /mirrormanager/crawler /var/log/mirrormanager/crawler
+
+WSGISocketPrefix /var/run/mirrormanager/wsgi
+WSGIRestrictSignal Off
+
+WSGIDaemonProcess mirrormanager user=mirrormanager group=mirrormanager display-name=mirrormanager maximum-requests=1000 processes=4 threads=1 umask=0007
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /mirrormanager /usr/share/mirrormanager/server/mirrormanager.wsgi/mirrormanager
+
+ WSGIProcessGroup mirrormanager
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
+
+
+
+ # Apache 2.4
+ Require all granted
+
+
+ # Apache 2.2
+ Order deny,allow
+ Allow from all
+
+
diff --git a/roles/mirrormanager/frontend/meta/main.yml b/roles/mirrormanager/frontend/meta/main.yml
new file mode 100644
index 0000000000..4590c3dc7f
--- /dev/null
+++ b/roles/mirrormanager/frontend/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: mirrormanager/package }
diff --git a/roles/mirrormanager/frontend/tasks/main.yml b/roles/mirrormanager/frontend/tasks/main.yml
new file mode 100644
index 0000000000..7ed2b992a9
--- /dev/null
+++ b/roles/mirrormanager/frontend/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# tasklist for setting up the mirrormanager app components
+
+- name: set sebooleans so mirrormanager can connect to its db
+ action: seboolean name=httpd_can_network_connect_db
+ state=true
+ persistent=true
+
+- name: install /etc/httpd/conf.d/mirrormanager-app.conf
+ copy: >
+ src="mirrormanager-app.conf"
+ dest="/etc/httpd/conf.d/mirrormanager.conf"
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - config
diff --git a/roles/mirrormanager/package/tasks/main.yml b/roles/mirrormanager/package/tasks/main.yml
new file mode 100644
index 0000000000..7e775cd6af
--- /dev/null
+++ b/roles/mirrormanager/package/tasks/main.yml
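Review bot: `Alias /mirrormanager/crawler /var/log/mirrormanager/crawler` publishes a log directory over HTTP, and both access blocks in the file are `Require all granted` / `Allow from all`; the `<Directory>`/`<Location>` container lines are not visible on this page (they appear to have been stripped), so I cannot confirm which block scopes the crawler path, but nothing visible narrows it. If the crawler logs are meant to be public, document that next to the Alias, e.g. `# crawler logs are intentionally world-readable; the crawler must not log rsync/ssh credentials or private hostnames`, and check the crawler's log output against that statement. `WSGIDaemonProcess ... umask=0007` also deserves a one-line comment saying which other members of group mirrormanager need write access to files the daemon creates, since group-writable output is not the usual default for a web app.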
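Review bot: The task name `install /etc/httpd/conf.d/mirrormanager-app.conf` does not match what the task installs, `dest="/etc/httpd/conf.d/mirrormanager.conf"`, so play output and `--list-tasks` will point at a file that does not exist on the host. Rename it `- name: install /etc/httpd/conf.d/mirrormanager.conf` (or change dest to match the source name). `notify: - restart httpd` relies on a handler of exactly that name being in scope; this role ships no handlers directory in the diff, so presumably the playbook-level handlers provide it, which is worth a comment on the task. The seboolean task uses the legacy `action: seboolean name=...` form while the copy task below it uses the module-key form; `seboolean: name=httpd_can_network_connect_db state=true persistent=true` keeps the file in one style.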
@@ -0,0 +1,69 @@
+---
+# tasklist for setting up the mirrormanager package components
+
+- name: set sebooleans so mirrormanager can read its homedir
+ action: seboolean name=httpd_enable_homedirs
+ state=true
+ persistent=true
+
+- name: add mirrormanager group - gid 441
+ group: name=mirrormanager gid=441
+
+- name: add mirrors group - gid 263
+ group: name=mirrors gid=263
+
+- name: add mirrors2 group - gid 529
+ group: name=mirrors2 gid=529
+
+- name: add mirrormanager user - uid 441
+ user: >
+ name=mirrormanager
+ uid=441
+ group=mirrormanager
+ groups=mirrors,mirrors2,apache
+ state=present
+ home=/home/mirrormanager
+ createhome=yes
+ shell=/bin/bash
+
+- name: install mirrormanager package
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - mirrormanager
+ tags:
+ - packages
+
+- name: install /etc/mirrormanager/prod.cfg
+ template: >
+ src="mirrormanager-prod.cfg.j2"
+ dest="/etc/mirrormanager/prod.cfg"
+ owner=mirrormanager
+ group=mirrormanager
+ mode=0600
+ notify:
+ - restart httpd
+ tags:
+ - config
+
+- name: setup mirrormanager directories
+ file: path="{{ item }}" owner=mirrormanager group=mirrormanager mode=0755 state=directory
+ with_items:
+ - /var/lock/mirrormanager
+ - /var/lib/mirrormanager
+ - /var/run/mirrormanager
+ - /var/log/mirrormanager
+ - /var/log/mirrormanager/crawler
+ - /home/mirrormanager
+ tags:
+ - config
+
+- name: setup /home/mirrormanager/.ssh directory
+ copy: >
+ src="{{ puppet_private }}/mirrormanager/"
+ dest="/home/mirrormanager/.ssh"
+ directory_mode=yes
+ owner=mirrormanager
+ group=mirrormanager
+ mode=0700
+ tags:
+ - config
diff --git a/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2 b/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2
new file mode 100644
index 0000000000..07f713fae4
--- /dev/null
+++ b/roles/mirrormanager/package/templates/mirrormanager-prod.cfg.j2
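Review bot: In the `setup /home/mirrormanager/.ssh directory` task, `directory_mode=yes` looks wrong: as far as I recall the copy module's directory_mode takes an octal mode for directories created during a recursive copy rather than a boolean, so it should read `directory_mode=0700`, and `mode=0700` is then applied to every copied file, which passes sshd's permission checks but `mode=0600` is the conventional setting for key material. Because that copy handles private key files, a `no_log: true` on the task is cheap insurance against key contents ending up in play output or diffs on a failed run. `/var/run/mirrormanager` is created with the file module, but on systemd hosts `/var/run` is a tmpfs, so `WSGISocketPrefix /var/run/mirrormanager/wsgi` in the frontend config may point at a missing directory after a reboot until the playbook runs again — hedged, since the target OS is not visible here; a tmpfiles.d snippet would make it durable. `groups=mirrors,mirrors2,apache` grants the app user three extra group memberships; a comment stating what each is needed for would help a later least-privilege review.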
@@ -0,0 +1,131 @@
+[global]
+# This is where all of your settings go for your development environment
+# Settings that are the same for both development and production
+# (such as template engine, encodings, etc.) all go in
+# mirrormanager/config/app.cfg
+
+# pick the form for your database
+# sqlobject.dburi="postgres://username@hostname/databasename"
+# sqlobject.dburi="mysql://username:password@hostname:port/databasename"
+# sqlobject.dburi="sqlite:///file_name_and_path"
+
+# If you have sqlite, here's a simple default to get you started
+# in development
+#sqlobject.dburi="postgres://mirrormanager@127.0.0.1/mirrormanager"
+
+# This is for local development purposes. It won't be used for
+# production.
+{% if env == "staging" %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager.stg:5432/mirrormanager"
+{% else %}
+sqlobject.dburi="notrans_postgres://mirroradmin:{{ mirrorPassword }}@db-mirrormanager:5432/mirrormanager"
+{% endif %}
+
+# if you are using a database or table type without transactions
+# (MySQL default, for example), you should turn off transactions
+# by prepending notrans_ on the uri
+# sqlobject.dburi="notrans_mysql://username:password@hostname:port/databasename"
+
+# for Windows users, sqlite URIs look like:
+# sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
+
+# SERVER
+
+# Some server parameters that you may want to tweak
+# running as a WSGI under apache. This is used by TG when it generates a redirect.
+server.socket_port=80
+
+server.socket_timeout = 60
+server.thread_pool = 50
+server.socket_queue_size = 30
+
+# Enable the debug output at the end on pages.
+# log_debug_info_filter.on = False
+
+server.environment="production"
+server.webpath="/mirrormanager"
+autoreload.package="mirrormanager"
+
+# session_filter.on = True
+
+# Set to True if you'd like to abort execution if a controller gets an
+# unexpected parameter. False by default
+tg.strict_parameters = True
+tg.ignore_parameters = ["_csrf_token"]
+
+##############################
+# Fedora Account System config
+fas.url = 'https://admin.fedoraproject.org/accounts/'
+identity.provider='jsonfas2'
+identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
+visit.manager="jsonfas2"
+visit.saprovider.model="fedora.accounts.tgfas.Visit"
+visit.cookie.secure = True
+visit.cookie.httponly = True
+
+mirrormanager.admin_group = 'sysadmin-web'
+mirrormanager.max_stale_days = 2
+mirrormanager.max_propogation_days = 1
+mirrormanager.report_problems_to_email = 'mirror-admin at fedoraproject.org'
+
+##############################
+# update-master-directory-list category list and master locations
+# be very careful here. Trailing slashes on url directory names are necessary.
+umdl.master_directories = ''' [
+ { 'type':'directory', 'path':'/pub/fedora/linux/', 'category':'Fedora Linux' },
+ { 'type':'directory', 'path':'/pub/archive/', 'category':'Fedora Archive' },
+ { 'type':'directory', 'path':'/pub/epel/', 'category':'Fedora EPEL' },
+ { 'type':'directory', 'path':'/pub/fedora-secondary/', 'category':'Fedora Secondary Arches' },
+ { 'type':'directory', 'path':'/pub/alt/', 'category':'Fedora Other',
+ 'excludes':['.*/stage$']},
+ { 'type':'directory', 'path':'/pub/redhat/rhel/', 'category':'RHEL' },
+ ] '''
+
+# manage-repo-redirects (mrr) repository definition
+# this can be used to define a repository redirect
+# for example from an upcoming release to the current development tree
+mrr.repos = ''' {
+ 'fedora-%s':'rawhide',
+ 'fedora-debug-%s':'rawhide-debug',
+ 'fedora-source-%s':'rawhide-source',
+ 'updates-released-f%s':'rawhide',
+ 'updates-released-debug-f%s':'rawhide-debug',
+ 'updates-released-source-f%s':'rawhide-source',
+ 'updates-testing-f%s':'rawhide',
+ 'updates-testing-debug-f%s':'rawhide-debug',
+ 'updates-testing-source-f%s':'rawhide-source'
+ } '''
+
+base_url_filter.on = True
+{% if env == "staging" %}
+base_url_filter.base_url = "https://admin.stg.fedoraproject.org"
+{% else %}
+base_url_filter.base_url = "https://admin.fedoraproject.org"
+{% endif %}
+base_url_filter.use_x_forwarded_host = False
+
+[/xmlrpc]
+xmlrpc_filter.on = True
+
+# LOGGING
+# Logging configuration generally follows the style of the standard
+# Python logging module configuration. Note that when specifying
+# log format messages, you need to use *() for formatting variables.
+# Deployment independent log configuration is in mirrormanager/config/log.cfg
+[logging]
+
+[[loggers]]
+[[[mirrormanager]]]
+level='DEBUG'
+qualname='mirrormanager'
+handlers=['debug_out']
+
+[[[allinfo]]]
+level='INFO'
+handlers=['debug_out']
+
+[[[access]]]
+level='WARN'
+qualname='turbogears.access'
+handlers=['access_out']
+propagate=0
diff --git a/roles/rsyncd/tasks/main.yml b/roles/rsyncd/tasks/main.yml
index ea195925d9..e43f49bf01 100644
--- a/roles/rsyncd/tasks/main.yml
+++ b/roles/rsyncd/tasks/main.yml
@@ -19,6 +19,7 @@
 - "{{ rsyncd_conf }}"
 - rsyncd.conf.{{ ansible_fqdn }}
 - rsyncd.conf.{{ host_group }}
+ - rsyncd.conf.{{ rsync_group }}
 - rsyncd.conf.default
 notify:
 - restart xinetd
@@ -31,6 +32,7 @@
 - "{{ rsync }}"
 - rsync.{{ ansible_fqdn }}
 - rsync.{{ host_group }}
+ - rsync.{{ rsync_group }}
 - rsync.default
 notify:
 - restart xinetd
@@ -41,3 +43,9 @@
 service: name=xinetd state=started
 tags:
 - services
+
+- name: set sebooleans so rsync can read dirs
+ action: seboolean name=rsync_export_all_ro
+ state=true
+ persistent=true
+
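Review bot: The comment `# This is for local development purposes. It won't be used for production.` sits directly above the `{% if env == "staging" %}` block that sets the staging and production `sqlobject.dburi`, and the file header still says `This is where all of your settings go for your development environment`; both are upstream boilerplate that now state the opposite of what this template does. Replace them with something like `# Staging/production database connection rendered by ansible; mirrorPassword comes from the private vars` and `# Production settings rendered by ansible; shared defaults live in mirrormanager/config/app.cfg`. `autoreload.package="mirrormanager"` next to `server.environment="production"` also deserves a comment on whether the autoreloader is actually wanted, since if TurboGears honours it in production it keeps polling the installed sources. The `[[[access]]]` logger at `level='WARN'` means the application writes no access records of its own; if the Apache access log is the intended audit source, a one-line comment saying so avoids a surprise during a later incident review.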
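Review bot: The new `set sebooleans so rsync can read dirs` task carries no `tags:`, while the xinetd service task just above it has `tags: - services`, so a run with `--tags services` or `--tags config` skips it and the boolean is only set on an untagged full run; add `tags: - config` to match the rest of the role. `rsync_export_all_ro` lifts the SELinux label restriction on rsync reads for every host that applies this role, not only the sundries hosts this commit wires up; a comment stating which hosts and paths need it, and why labelling those paths `public_content_t` was not enough, would record that decision for the next reviewer. The hunk also adds a trailing blank `+` line at end of file.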