diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt
index b795552f33ad3779b5d73ad9f6a76876d2def365..f84cfdeae31c9801a2834fde32375e8b04a7d026 100644
--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -73,18 +73,11 @@
 256 MD5:02:38:35:e8:5c:62:dc:56:29:be:fb:1c:96:2c:17:4c root@archlinux-packer (ED25519)
 3072 MD5:0a:a1:a1:44:4e:65:8b:10:f3:54:83:eb:17:41:f1:0c root@archlinux-packer (RSA)
 
-1024 MD5:cf:10:49:2f:d2:35:99:35:59:8f:e2:54:b3:05:cb:a7 root@archlinux-packer (DSA)
-256 MD5:d1:94:76:51:bb:7b:88:41:03:6d:12:63:a5:03:5f:58 root@archlinux-packer (ECDSA)
-256 MD5:d6:d3:a9:2e:c1:7d:69:c1:9a:21:c9:6f:30:53:e6:74 root@archlinux-packer (ED25519)
-3072 MD5:06:6d:1f:87:6b:fb:60:b3:a8:c7:64:37:15:b5:b5:6c root@archlinux-packer (RSA)
-
 # build.archlinux.org
-1024 SHA256:yJv47oZbEr7trxi3Md2RskrKDq3YSz66q5Z6eg5b6v0 root@build.archlinux.org (DSA)
 256 SHA256:h/9vac9LT+cI3VvXbO+BeN4s75GkEeqLDw1ucK61VpQ root@build.archlinux.org (ECDSA)
 256 SHA256:OyJ47eAF9V3nQU70BFpCkrSjSXNApNdTdy5DrEbly2I root@build.archlinux.org (ED25519)
 3072 SHA256:tKHdMeKtQuX42AoRhfvkECjaVhcVYKlL1Rvdo+upd4E root@build.archlinux.org (RSA)
 
-1024 MD5:75:d3:44:04:85:14:17:19:99:a9:fe:09:b1:fd:2b:d7 root@build.archlinux.org (DSA)
 256 MD5:a4:b9:26:2d:49:de:a1:d5:47:83:47:5a:a8:10:f9:62 root@build.archlinux.org (ECDSA)
 256 MD5:7b:38:67:01:59:c8:a7:b3:66:ec:78:df:ec:dd:30:72 root@build.archlinux.org (ED25519)
 3072 MD5:f2:6a:ba:b0:53:9b:d4:73:83:21:d6:76:0f:70:71:72 root@build.archlinux.org (RSA)
@@ -292,6 +285,15 @@
 256 MD5:5a:49:d5:f3:00:ca:49:17:d8:cc:3e:84:1d:60:be:06 root@archlinux-packer (ED25519)
 3072 MD5:1e:52:48:56:d3:13:20:e5:02:4f:10:1b:af:27:e5:c7 root@archlinux-packer (RSA)
 
+# repos.archlinux.org
+256 SHA256:uR8mRzpo828jM6U1jmdBxXvHEiDbuNSwpLur5odBrRA root@repos.archlinux.org (ECDSA)
+256 SHA256:JApvSFU4OvaafW5ebe3ktmlp41WSsOffCkOBvtdNeDU root@repos.archlinux.org (ED25519)
+3072 SHA256:wlSAfyb4o94izuemzbOILFeVPgDZd0Y9n890gq1pyxY root@repos.archlinux.org (RSA)
+
+256 MD5:55:ee:72:27:c3:9d:f0:c3:89:b4:24:ff:75:dd:60:bf root@repos.archlinux.org (ECDSA)
+256 MD5:90:98:6c:ee:72:b5:a6:dc:bf:ae:12:39:2e:99:b2:c4 root@repos.archlinux.org (ED25519)
+3072 MD5:48:53:1e:51:81:7f:40:fd:ee:7c:dc:06:7c:98:a3:9e root@repos.archlinux.org (RSA)
+
 # repro2.pkgbuild.com
 1024 SHA256:sppthtBQD60z8f0bDUnoMUesg55M7/ez4qGXVUUDtRQ root@repro2.pkgbuild.com (DSA)
 256 SHA256:enqq08K6vQV8CcISu1upR3Ooa63HD6Z+PtRzMVArnTk root@repro2.pkgbuild.com (ECDSA)
diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt
index b1df104c8e6f535eaf93b883229a9415959bbba6..241cbf06f73528b5af3c239ad712bcfbeae90bf0 100644
--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -145,6 +145,11 @@ redirect.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb
 redirect.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8cqRGOzfp+waFo4fxxq2oUKPFsTNRL0MB1M3xT2Y5L
 redirect.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3VdhG7Lm+UYBGjf/G8eUSXL43N2QLRTm23LaSKaegx9/41mtlRJAoHfpHsJg8a2nBEGebooZqp5rwP4kxj0pB7394VP5UjThhqBQ9lWKJgCkceRsvkRYkbrBQHyNiRcFQ7/3YxPFJyNlxQwxiBe9sRk1HHUtQOeleGAQoB+GOMkKSPmqD6k/D5GzoX/maqraFK8S0egapKF5VMWw+6apAv+vp7O/zyPrOddaKLB2XK2c86Jl04z1vA3UMAJ+mQ9P0+WLYzEdxx3OmChw/CQOQk2n3Q/civV7prhkf4Qs58uw6Eg2dGmcP5+z5NeC2J/egxQROoSgUpbUf0W/UDEApjAzAIuzDIXOLwXqqf4b7NKfvCiycCQvk9fTWd14AuTfh/qjwKaP4dEkkmDjR7/mvan5M/mxs82QZIMDW6THYvAnkQ0715Ai4C1+WE1gvzpLbtfJxZhngigDi1YpG3uLf2D7PwKNWc6A6OGpW36GB0nlT3kns13xxmMauxhBJW78=
 
+# repos.archlinux.org
+repos.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXs1EWDKrts9/CtrsRVOaoINSL2nrsyGFvdPPAhPz0FZgBZD68PxLv3I+KHKp4WOhvnOSMdE8DGnmvfVbKJ9FQ=
+repos.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILfbdE2a3e/Hv7kbZyBPgAaZPfS23A4LTSSqqmaJwUXK
+repos.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwZXm2CjJu4CKMnd5sZk1H5/WX6cjtI0yBZyRDLRCq180VEuCK6Cwh2ccih3OLv0SwZBecAKA1o5dkMEXJygBTPTLf8xaFA0MdOr7GVs68SLNm1dACkMn8Qty69O/vhcxkM2I4JYT4D0RkwCyRnyYqmKXHldmMDCUiiIJi+L0McBxCz6J9pySSzVZNhRMjaHxFCfJ83cKozwx8NZFGHL5mns/2oaADNirNdw871z/AwCU1BYbxjKt3Xo/qseWyCJ90YpUTtEB3mQK6dG3+N4D9Y44etqbwKfUXHvdcLv0kwvQB/GvfemVzxNQK/L+ag8D/QF3HLWCxYdYoi1/mBgojy1Ybfo5a9k1OdZfdRENZFdodNYe/psix+BATpp/BGCJLw7Zvz1Z6mqFevLiwtWkB7W3RzeclNCoEGDT1RF/6LBiZVPyK4LoVunDReWpK7dKX8Y83wix4sLJmSgt6+6YbTx6typjz7pynWyMieIQSv9oeGj8LHsKx8/nqCP1GN4c=
+
 # repro2.pkgbuild.com
 repro2.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/RhEBp4KFplFM6l/oLUc1aNeQtKXi+dGmP6JUtdLNfHg6TVfDFQDVQo7gIFSTulvOybsccJeJWjYBAmPhsvFs=
 repro2.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYgWZak/Rud9WuGQNiDoSLgOOOey+6ig415au8PfI8S
diff --git a/host_vars/repos.archlinux.org/misc b/host_vars/repos.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..c82016d3c48c71b421ffd7d81990e13fdc6d5a2b
--- /dev/null
+++ b/host_vars/repos.archlinux.org/misc
@@ -0,0 +1,17 @@
+hostname: "repos.archlinux.org"
+
+ipv4_address: "168.119.141.106"
+ipv4_netmask: "/32"
+ipv6_address: "2a01:4f8:251:598::"
+ipv6_netmask: "/64"
+ipv4_gateway: "168.119.141.65"
+ipv6_gateway: "fe80::1"
+filesystem: "btrfs"
+system_disks:
+- /dev/nvme0n1
+- /dev/nvme1n1
+- /dev/nvme2n1
+raid_level: "raid1"
+
+wireguard_address: 10.0.0.45
+wireguard_public_key: MDt3DqmYppnV81CFHLII1O80BWFGYeGGNrDWlQcX5H8=
diff --git a/host_vars/repos.archlinux.org/vault_wireguard.yml b/host_vars/repos.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2912bfe8ce58e777f26acf7b85901a71494ed871
--- /dev/null
+++ b/host_vars/repos.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31636166336635646637363937613362656434373536616461323562313134333035366436326632
+3834663131386336356331373530356533383238626361380a326233643634653433633733623865
+37616439396230303431393730326662646633613838313532393536393365326562653561653264
+6631616564333265660a343765636564383065353831386531353138373234386538323836623532
+62343662393739626630343062643964343535353931356337643661663238393130346634373362
+66373364623962363637653963643631393438386264323630316234386531383931383264643462
+66306337313864353761613433393961336438636632616435393163353462613765666162313333
+31646239623765643531
diff --git a/hosts b/hosts
index 2034453d0c884a6fa46b99e498ae92b5d49f9cc7..c8b58a99e2211f3e45ee8a264c5fe164b1f743ce 100644
--- a/hosts
+++ b/hosts
@@ -3,6 +3,8 @@ build.archlinux.org
 gemini.archlinux.org
 gitlab.archlinux.org
 secure-runner1.archlinux.org
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [equinix_metal]
 repro3.pkgbuild.com
@@ -18,6 +20,8 @@ london.mirror.pkgbuild.com
 mirror.pkgbuild.com
 seoul.mirror.pkgbuild.com
 sydney.mirror.pkgbuild.com
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [geo_mirrors]
 america.mirror.pkgbuild.com
@@ -51,6 +55,8 @@ reproducible.archlinux.org
 security.archlinux.org
 state.archlinux.org
 wiki.archlinux.org
+#TODO(gromit): remove ansible host once the DNS record is set
+repos.archlinux.org ansible_host=168.119.141.106
 
 [public_html]
 homedir.archlinux.org
diff --git a/playbooks/repos.archlinux.org.yml b/playbooks/repos.archlinux.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..57395587f24645f891441d11e85b60463184a3ed
--- /dev/null
+++ b/playbooks/repos.archlinux.org.yml
@@ -0,0 +1,16 @@
+- name: Setup repos.archlinux.org
+  hosts: repos.archlinux.org
+  remote_user: root
+  roles:
+    - { role: common }
+    - { role: tools }
+    - { role: firewalld }
+    - { role: wireguard }
+    - { role: sshd }
+    - { role: root_ssh }
+    - { role: borg_client, tags: ['borg'] }
+    - { role: sudo, tags: ['archusers'] }
+    - { role: fail2ban }
+    - { role: mirrorsync }
+    - { role: prometheus_exporters }
+    - { role: promtail }