diff --git a/pillar/id/discourse01_infra_opensuse_org.sls b/pillar/id/discourse01_infra_opensuse_org.sls
new file mode 100644
index 0000000..00fab09
--- /dev/null
+++ b/pillar/id/discourse01_infra_opensuse_org.sls
@@ -0,0 +1,18 @@
+grains:
+ city: nuremberg
+ country: de
+ hostusage:
+ - discourse
+ roles: []
+ reboot_safe: yes
+ salt_cluster: opensuse
+ virt_cluster: atreju
+
+ aliases: []
+ description: Instance of discourse behind openSUSE Forums
+ documentation: []
+ responsible:
+ - hellcp
+ partners: []
+ weburls:
+ - https://forums.opensuse.org
diff --git a/pillar/id/pagure01_infra_opensuse_org.sls b/pillar/id/pagure01_infra_opensuse_org.sls
new file mode 100644
index 0000000..fd16785
--- /dev/null
+++ b/pillar/id/pagure01_infra_opensuse_org.sls
@@ -0,0 +1,20 @@
+grains:
+ city: nuremberg
+ country: de
+ hostusage:
+ - pagure
+ roles:
+ - pagure
+ reboot_safe: yes
+ salt_cluster: opensuse
+ virt_cluster: atreju
+
+ aliases: []
+ description: Instance of pagure behind openSUSE Code
+ documentation: []
+ responsible:
+ - hellcp
+ partners: []
+ weburls:
+ - https://code.opensuse.org
+ - https://pages.opensuse.org
diff --git a/pillar/role/pagure.sls b/pillar/role/pagure.sls
new file mode 100644
index 0000000..84acfbf
--- /dev/null
+++ b/pillar/role/pagure.sls
@@ -0,0 +1,52 @@
+include:
+{% if salt['grains.get']('include_secrets', True) %}
+ - secrets.role.pagure
+{% endif %}
+ - role.common.nginx
+
+profile:
+ pagure:
+ database_user: pagure
+ database_host: 192.168.47.4
+ server_list:
+ - code.opensuse.org
+ - pagure01.infra.opensuse.org
+
+nginx:
+ ng:
+ servers:
+ managed:
+ code.opensuse.org.conf:
+ config:
+ - server:
+ - server_name: code.opensuse.org
+ - listen:
+ - 80
+ - default_server
+ - location @pagure:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_pass: http://unix:/srv/gitolite/.pagure_web.sock
+ - location /:
+ - try_files: $uri @pagure
+ - location /releases:
+ - alias: /srv/www/pagure-releases/
+ - autoindex: on
+ enabled: True
+ pages.opensuse.org.conf:
+ config:
+ - server:
+ - server_name: pages.opensuse.org
+ - listen:
+ - 80
+ - location @pagure_docs:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_pass: http://unix:/srv/gitolite/.pagure_docs_web.sock
+ - location /:
+ - try_files: $uri @pagure_docs
+ enabled: True
diff --git a/pillar/secrets/role/pagure.sls b/pillar/secrets/role/pagure.sls
new file mode 100644
index 0000000..a82ba4a
--- /dev/null
+++ b/pillar/secrets/role/pagure.sls
@@ -0,0 +1,12 @@
+#!yaml|gpg
+
+profile:
+ pagure:
+ secret_key: |
+ salt_email: |
+
+
+postgres:
+ users:
+ pagure:
+ password: |
diff --git a/salt/profile/pagure/files/alembic.ini b/salt/profile/pagure/files/alembic.ini
new file mode 100644
index 0000000..6d4bac2
--- /dev/null
+++ b/salt/profile/pagure/files/alembic.ini
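Review bot: Both managed servers listen only on port 80 yet forward `X-Forwarded-Proto $scheme`, which at this nginx always evaluates to `http`; together with `SESSION_COOKIE_SECURE = True` and the https `APP_URL` in pagure.cfg, the site only works if TLS is terminated in front of this host (presumably by `role.common.nginx` or a frontend, which is not visible here). If that is the setup, relay the terminator's value instead, `- proxy_set_header: X-Forwarded-Proto $http_x_forwarded_proto`, so pagure generates https links and redirects rather than http ones. The `/releases` location with `autoindex: on` publishes a browsable listing of `/srv/www/pagure-releases/`; if that is intended, a one-line comment in the pillar saying so would stop a later reader from "fixing" it.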
@@ -0,0 +1,60 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = /usr/share/pagure/alembic
+
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# max length of characters to apply to the
+# "slug" field
+#truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+#sqlalchemy.url = driver://user:pass@localhost/dbname
+sqlalchemy.url = postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure
+
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
diff --git a/salt/profile/pagure/files/pagure.cfg b/salt/profile/pagure/files/pagure.cfg
new file mode 100644
index 0000000..f17f886
--- /dev/null
+++ b/salt/profile/pagure/files/pagure.cfg
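Review bot: `sqlalchemy.url` uses the `postgres://` scheme, which SQLAlchemy removed in 1.4 in favour of `postgresql://`; if the packaged SQLAlchemy is 1.4 or newer, alembic rejects the URL outright, and the same applies to `DB_URL` in `salt/profile/pagure/files/pagure.cfg`. The pillar password is also interpolated raw into the URL, so a value containing `@`, `/`, `:` or `%` breaks URL parsing — either constrain how that secret is generated or run it through a URL-encoding filter in the template. Suggested line: `sqlalchemy.url = postgresql://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure`.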
@@ -0,0 +1,266 @@
+import os
+from datetime import timedelta
+
+### Set the time after which the admin session expires
+# There are two sessions on pagure, login that holds for 31 days and
+# the session defined here after which an user has to re-login.
+# This session is used when accessing all administrative parts of pagure
+# (ie: changing a project's or a user's settings)
+ADMIN_SESSION_LIFETIME = timedelta(minutes=20)
+
+# Enable tickets and docs for all repos
+ENABLE_TICKETS = True
+ENABLE_DOCS = True
+
+# Enables / Disables private projects
+PRIVATE_PROJECTS = True
+
+### Secret key for the Flask application
+SECRET_KEY='{{ pillar['profile']['pagure']['secret_key'] }}'
+
+### url to the database server:
+#DB_URL = 'mysql://user:pass@host/db_name'
+#DB_URL = 'postgres://user:pass@host/db_name'
+DB_URL = 'postgres://{{ pillar['profile']['pagure']['database_user'] }}:{{ pillar['postgres']['users']['pagure']['password'] }}@{{ pillar['profile']['pagure']['database_host'] }}/pagure'
+
+### Send FedMsg notifications of events in pagure
+FEDMSG_NOTIFICATIONS = False
+
+### The FAS group in which the admin of pagure are
+ADMIN_GROUP = ['sysadmin-main']
+
+### Hard-coded list of global admins
+PAGURE_ADMIN_USERS = ['hellcp']
+
+### Enables sending email using SMTP credentials.
+EMAIL_SEND = True
+
+### The email address to which the flask.log will send the errors (tracebacks)
+EMAIL_ERROR = 'root@localhost'
+
+### SMTP settings
+SMTP_SERVER = 'localhost'
+SMTP_PORT = 25
+SMTP_SSL = False
+
+#Specify both for enabling SMTP with auth
+SMTP_USERNAME = None
+SMTP_PASSWORD = None
+
+### Information used to sent notifications
+FROM_EMAIL = 'pagure@opensuse.org'
+DOMAIN_EMAIL_NOTIFICATIONS = 'code.opensuse.org'
+SALT_EMAIL = '{{ pillar['profile']['pagure']['salt_email'] }}'
+
+### Restrict outgoing emails to these domains:
+## If set, adding emailaccounts that don't end with these domainnames
+## will not be permitted. Mails to already existing emailaccounts
+## that are not covered by this list will not get sent.
+# ALLOWED_EMAIL_DOMAINS = [ 'localhost.localdomain', 'example.com' ]
+
+### Disallow remote pull requests
+## If set, remote pull requests will be disabled and not available
+## anymore as a selection in the PR dropdown menus
+DISABLE_REMOTE_PR = False
+
+### The URL at which the project is available.
+APP_URL = 'https://code.opensuse.org/'
+### The URL at which the documentation of projects will be available
+## This should be in a different domain to avoid XSS issues since we want
+## to allow raw html to be displayed (different domain, ie not a sub-domain).
+DOC_APP_URL = 'https://pages.opensuse.org'
+
+### The URL to use to clone git repositories.
+GIT_URL_SSH = 'ssh://git@code.opensuse.org/'
+GIT_URL_GIT = 'https://code.opensuse.org/'
+
+
+### Folder containing the pagure user SSH authorized keys
+SSH_FOLDER = os.path.join(
+ '/srv',
+ 'gitolite',
+ '.ssh'
+)
+
+### Folder containing to the git repos
+GIT_FOLDER = os.path.join(
+ '/srv',
+ 'gitolite',
+ 'repositories'
+)
+
+REPOSPANNER_PSEUDO_FOLDER = os.path.join(
+ '/srv',
+ 'gitolite',
+ 'pseudo'
+)
+
+### Folder containing the clones for the remote pull-requests
+REMOTE_GIT_FOLDER = os.path.join(
+ '/srv',
+ 'gitolite',
+ 'remotes'
+)
+
+### Whether to enable scanning for viruses in attachments
+VIRUS_SCAN_ATTACHMENTS = False
+
+GIT_AUTH_BACKEND = "pagure_authorized_keys"
+HTTP_REPO_ACCESS_GITOLITE = None
+
+SSH_COMMAND_NON_REPOSPANNER = ([
+ "/usr/bin/%(cmd)s",
+ "/srv/gitolite/repositories/%(reponame)s",
+], {"GL_USER": "%(username)s"})
+
+### Configuration file for gitolite
+GITOLITE_CONFIG = os.path.join(
+ '/srv',
+ 'gitolite',
+ '.gitolite',
+ 'conf',
+ 'gitolite.conf'
+)
+
+
+### Home folder of the gitolite user
+### Folder where to run gl-compile-conf from
+GITOLITE_HOME = '/srv/gitolite'
+
+### Version of gitolite used: 2 or 3?
+GITOLITE_VERSION = 3
+
+### Folder containing all the public ssh keys for gitolite
+GITOLITE_KEYDIR = os.path.join(GITOLITE_HOME, '.gitolite', 'keydir')
+
+### Path to the gitolite.rc file
+GL_RC = None
+
+### Path to the /bin directory where the gitolite tools can be found
+GL_BINDIR = None
+
+
+# SSH Information
+
+### The ssh certificates of the git server to be provided to the user
+### /!\ format is important
+# SSH_KEYS = {'RSA': {'fingerprint': '', 'pubkey': ''}}
+
+
+
+# Optional configuration
+
+### Number of items displayed per page
+# Used when listing items
+ITEM_PER_PAGE = 50
+
+### Maximum size of the uploaded content
+# Used to limit the size of file attached to a ticket for example
+MAX_CONTENT_LENGTH = 4 * 1024 * 1024 # 4 megabytes
+
+### Lenght for short commits ids or file hex
+SHORT_LENGTH = 6
+
+### List of blacklisted project names that can conflicts for pagure's URLs
+### or other
+BLACKLISTED_PROJECTS = [
+ 'static', 'pv', 'releases', 'new', 'api', 'settings',
+ 'logout', 'login', 'users', 'groups', 'projects']
+
+### IP addresses allowed to access the internal endpoints
+### These endpoints are used by the milter and are security sensitive, thus
+### the IP filter
+IP_ALLOWED_INTERNAL = ['127.0.0.1', 'localhost', '::1']
+
+### EventSource/Web-Hook/Redis configuration
+# The eventsource integration is what allows pagure to refresh the content
+# on your page when someone else comments on the ticket (and this without
+# asking you to reload the page.
+# By default it is off, ie: EVENTSOURCE_SOURCE is None, to turn it on, specify
+# here what the URL of the eventsource server is, for example:
+# https://ev.pagure.io or https://pagure.io:8080 or whatever you are using
+# (Note: the urls sent to it start with a '/' so no need to add one yourself)
+EVENTSOURCE_SOURCE = None
+# Port where the event source server is running (maybe be the same port
+# as the one specified in EVENTSOURCE_SOURCE or a different one if you
+# have something running in front of the server such as apache or stunnel).
+EVENTSOURCE_PORT = 8080
+# If this port is specified, the event source server will run another server
+# at this port and will provide information about the number of active
+# connections running on the first (main) event source server
+#EV_STATS_PORT = 8888
+# Web-hook can be turned on or off allowing using them for notifications, or
+# not.
+WEBHOOK = False
+
+### Redis configuration
+# A redis server is required for both the Event-Source server or the web-hook
+# server.
+REDIS_HOST = '0.0.0.0'
+REDIS_PORT = 6379
+REDIS_DB = 0
+
+# Authentication related configuration option
+
+### Switch the authentication method
+# Specify which authentication method to use.
+# Available options: `fas`, `openid`, `oidc`, `local`
+# Default: ``local``.
+PAGURE_AUTH = 'openid'
+
+FAS_OPENID_ENDPOINT = 'https://id.opensuse.org/openid'
+
+# When this is set to True, the session cookie will only be returned to the
+# server via ssl (https). If you connect to the server via plain http, the
+# cookie will not be sent. This prevents sniffing of the cookie contents.
+# This may be set to False when testing your application but should always
+# be set to True in production.
+# Default: ``True``.
+SESSION_COOKIE_SECURE = True
+
+# The name of the cookie used to store the session id.
+# Default: ``.pagure``.
+SESSION_COOKIE_NAME = 'pagure'
+
+# Boolean specifying whether to check the user's IP address when retrieving
+# its session. This make things more secure (thus is on by default) but
+# under certain setup it might not work (for example is there are proxies
+# in front of the application).
+CHECK_SESSION_IP = True
+
+# Used by SESSION_COOKIE_PATH
+APPLICATION_ROOT = '/'
+
+# Allow the backward compatiblity endpoints for the old URLs schema to
+# see the commits of a repo. This is only interesting if you pagure instance
+# was running since before version 1.3 and if you care about backward
+# compatibility in your URLs.
+OLD_VIEW_COMMIT_ENABLED = False
+
+# repoSpanner integration settings
+# https://repospanner.org/
+# Whether to create new repositories on repoSpanner by default.
+# Either None or a region name.
+REPOSPANNER_NEW_REPO = None
+# Whether to allow admins to override region selection on creation.
+REPOSPANNER_NEW_REPO_ADMIN_OVERRIDE = False
+# Whether to create new forks on repoSpanner.
+# Either None (no repoSpanner), True (same as origin project) or a region name.
+REPOSPANNER_NEW_FORK = True
+# Whether to allow an admin to manually migrate an individual project.
+REPOSPANNER_ADMIN_MIGRATION = False
+# The repoSpanner regions to be used in this Pagure instance.
+# Example entry:
+# 'default': {'url': 'https://nodea.regiona.repospanner.local:8444',
+# 'repo_prefix': 'pagure/',
+# 'hook': None,
+# 'ca': '',
+# 'admin_cert': {'cert': '',
+# 'key': ''},
+# 'push_cert': {'cert': '',
+# 'key': ''}}
+REPOSPANNER_REGIONS = {}
+
+# Path to the plugins configuration file that is used to load plugins. Please
+# look at files/plugins.cfg.sample for a configuration example.
+# PAGURE_PLUGINS_CONFIG = "/etc/pagure/plugins.cfg"
diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls
new file mode 100644
index 0000000..80be2b4
--- /dev/null
+++ b/salt/profile/pagure/init.sls
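Review bot: `CHECK_SESSION_IP = True` is deployed behind the nginx proxy defined in `pillar/role/pagure.sls`, which reaches the application over a unix socket; the comment directly above the setting already warns that proxies break this check, and unless pagure is configured to trust the `X-Real-IP`/`X-Forwarded-For` headers nginx sets (nothing in this file does so), the address it compares is the proxy's, making the check either a no-op or a source of spurious logouts. Please confirm which it is and record the decision next to the setting, e.g. `# nginx proxies over a unix socket; session IP binding relies on pagure honouring X-Real-IP — verified <date>` (placeholder). The same client-address question applies to `IP_ALLOWED_INTERNAL`, which gates the security-sensitive internal endpoints. Separately, `REDIS_HOST = '0.0.0.0'` is a bind address by convention; for the local redis installed by `profile.pagure.redis` the connect address should be `REDIS_HOST = '127.0.0.1'`.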
@@ -0,0 +1,48 @@
+include:
+ - profile.pagure.redis
+
+pagure_pgks:
+ pkg.installed:
+ - pkgs:
+ - pagure
+ - pagure-web-nginx
+
+pagure_conf:
+ file.managed:
+ - name: /etc/pagure/pagure.cfg
+ - source: salt://profile/pagure/files/pagure.cfg
+ - template: jinja
+ - require_in:
+ - service: pagure_web_service
+ - watch_in:
+ - module: pagure_web_restart
+
+pagure_alembic_conf:
+ file.managed:
+ - name: /etc/pagure/alembic.cfg
+ - source: salt://profile/pagure/files/alembic.cfg
+ - template: jinja
+ - require_in:
+ - service: pagure_web_service
+ - watch_in:
+ - module: pagure_web_restart
+
+pagure_database_setup:
+ cmd.run:
+ - name: python3 /usr/share/pagure/pagure_createdb.py -c /etc/pagure/pagure.cfg -i /etc/pagure/alembic.ini
+
+{% set services = ['pagure_web', 'pagure_docs_web', 'pagure_worker', 'pagure_authorized_keys_worker', 'pagure_api_key_expire_mail.timer', 'pagure_mirror_project_in.timer'] %}
+
+{% for service in services %}
+{{ service }}_service:
+ service.running:
+ - name: {{ service }}
+ - enable: True
+
+{{ service }}_restart:
+ module.wait:
+ - name: service.restart
+ - m_name: {{ service }}
+ - require:
+ - service: {{ service }}
+{% endfor %}
diff --git a/salt/profile/pagure/redis.sls b/salt/profile/pagure/redis.sls
new file mode 100644
index 0000000..b9df23c
--- /dev/null
+++ b/salt/profile/pagure/redis.sls
@@ -0,0 +1,26 @@
+redis_pgks:
+ pkg.installed:
+ - pkgs:
+ - redis
+
+redis_config_file:
+ file.managed:
+ - name: /etc/redis/default.conf
+ - source: /etc/redis/default.conf.example
+ - user: redis
+ - group: redis
+ - replace: False
+ - require_in:
+ - service: redis_service
+
+redis_service:
+ service.running:
+ - name: redis@default
+ - enable: True
+
+redis_restart:
+ module.wait:
+ - name: service.restart
+ - m_name: redis@default
+ - require:
+ - service: redis_service
diff --git a/salt/profile/postgresql/files/postgresql/pg_hba.conf b/salt/profile/postgresql/files/postgresql/pg_hba.conf
index 37ac8d3..cc678db 100644
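Review bot: `pagure_alembic_conf` manages `/etc/pagure/alembic.cfg` from `salt://profile/pagure/files/alembic.cfg`, but the file this commit adds is `salt/profile/pagure/files/alembic.ini` and `pagure_database_setup` passes `-i /etc/pagure/alembic.ini`, so the source does not exist on the fileserver and the createdb command points at a file nothing manages; both `- name: /etc/pagure/alembic.ini` and `- source: salt://profile/pagure/files/alembic.ini` are needed. Both rendered files carry the database password and `SECRET_KEY`, yet neither `file.managed` sets `user`, `group` or `mode`, so they land with the default (typically world-readable) permissions — add `- mode: '0640'` plus ownership matching the account the pagure services run as. `pagure_database_setup` has no `require` on the two config states and no `unless`/`creates`, so it can run before the configs are rendered and re-runs on every highstate. Only `pagure_web_restart` watches the configs; `pagure_docs_web` and the worker services presumably read the same `pagure.cfg` and should appear in the `watch_in` lists too.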
--- a/salt/profile/postgresql/files/postgresql/pg_hba.conf
+++ b/salt/profile/postgresql/files/postgresql/pg_hba.conf
@@ -165,3 +165,7 @@ host mailman mailman 192.168.47.102/32 md5
 host mailman_frontend mailman 192.168.47.4/32 md5
 host mailman_frontend mailman 192.168.47.101/32 md5
 host mailman_frontend mailman 192.168.47.102/32 md5
+# pagure01.infra.opensuse.org
+host pagure pagure 192.168.47.4/32 md5
+host pagure pagure 192.168.47.101/32 md5
+host pagure pagure 192.168.47.102/32 md5
diff --git a/salt/role/pagure.sls b/salt/role/pagure.sls
new file mode 100644
index 0000000..b6a69a6
--- /dev/null
+++ b/salt/role/pagure.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.web.server.nginx
+ - profile.pagure
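Review bot: The three new `host pagure pagure … md5` entries use `md5` password authentication, consistent with the surrounding mailman lines but weaker than `scram-sha-256`, which PostgreSQL has offered since version 10 and recommends for new roles; if the server and the pagure client library support it, use `scram-sha-256` here and set `password_encryption` to match before the role's password is created. The header comment names only pagure01 while three /32 addresses are admitted; a per-line comment stating which host each address belongs to would make later cleanup safer.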