diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index e08325e..b5714dd 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -368,6 +368,28 @@ profiles::ceph::client::mons:
 - 10.18.15.1
 - 10.18.15.2
 - 10.18.15.3
+
+profiles::ceph::conf::config:
+ global:
+ auth_client_required: 'cephx'
+ auth_cluster_required: 'cephx'
+ auth_service_required: 'cephx'
+ fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
+ mon_allow_pool_delete: true
+ mon_initial_members: 'prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013'
+ mon_host: '198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13'
+ ms_bind_ipv4: true
+ ms_bind_ipv6: false
+ osd_crush_chooseleaf_type: 1
+ osd_pool_default_min_size: 2
+ osd_pool_default_size: 3
+ osd_pool_default_pg_num: 128
+ public_network: >
+ 198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,
+ 198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,
+ 198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,
+ 198.18.23.13/32
+
 #profiles::base::hosts::additional_hosts:
 # - ip: 198.18.17.9
 # hostname: prodinf01n09.main.unkin.net
diff --git a/hieradata/roles/infra/ceph/rgw.eyaml b/hieradata/roles/infra/ceph/rgw.eyaml
new file mode 100644
index 0000000..fe96189
--- /dev/null
+++ b/hieradata/roles/infra/ceph/rgw.eyaml
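Review bot: In hieradata/common.yaml, `mon_allow_pool_delete: true` in the `global` section leaves pool deletion permanently enabled for any monitor that reads this config, which removes the guard against an accidental or unauthorised pool removal. Prefer `mon_allow_pool_delete: false` in the shared data and enable it only for the duration of a planned deletion. Separately, `public_network: >` is a folded scalar, so the rendered value gets a space after each line-ending comma and a trailing newline; `public_network: >-` would at least drop the newline before it reaches ceph.conf.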
@@ -0,0 +1,8 @@ +--- + +profiles::ceph::rgw::ceph_client_keys: + ausyd1nxvm2115: ENC[PKCS7,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] + ausyd1nxvm2116: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf5ksy/pyUZSwTh+HiKw+1Uhj16A0DVZEKAbkKUQzXVmc+QpL4Dn7YBoXlEwrY8CcsTrxTQjADvtu9FC3o34QIdh06noSgYYA+7fna2A+9+oYoNtgwC3b8LeglxO/SQ9dKoJ90jRtmlw5P/CtrxA2RelMK6FNRekp1CaWMM4q20fJGgr/E33vgx38UJyp4/q0bTu2lLehCuDUP80j3XGbSNZ2snfYdIo91Cl+nSxLSU2TdnFpWaabsH19HwDnkWGiILlLBVvvhY7copCxs5DS1ueoOTCsqnWSrTrBMJjnu7WZd/s4NLw/0q/UP5xcFA51caY3Kv+sI6bfIYkNoLazwDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDrCF16nrtukRPamx1VbGY+gDAK5dw0kV8MpATpwxTkJG6JtlFlwdpU9THs1bNwqSRD1ZhEWxQeWwsyyTtjUXi4bP8=] + ausyd1nxvm2117: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKtvsgDk2QTmL8flBBE4nA43sRSnroq4I6T2CUAYv/lRdzCCWvE961o/51zyQEz8L5QyDo7L3gcGYIBqthYjRe9Gp5a5d4qds0qskupgQKnb0KR2RLFVUtH5vxHqyJZHjXaP+PQreyRoSIfRWXAdoZu544FeJ9DKKbmEzZaH5B2OdDMrf4Ufuud0maEAw0PJthS//ghCfGi74F1xlJnIWVvMhp66b0iMxC+ACClEHunG3oKx7M/w05HllG0wcxPTg4PFrbnFXjRuIxsykF9aVHJkRnCdgbMXRM4o6FrYyZRR74F1HKRujFCUA7kYWDKLxHxJpYCvCHp4HMhfzjs824zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBbaSig6kgVVNfmSI53sNimgDDQ5O10Dzfa7S7RdJVLLUFBaZ5TG2g3Bwmy0k3wKZvABYMuYyOxQdfk6eMsKC+sC5w=] + ausyd1nxvm2118: ENC[PKCS7,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] + ausyd1nxvm2119: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/ceph/rgw.yaml b/hieradata/roles/infra/ceph/rgw.yaml new file mode 100644 index 0000000..181d7e2 --- /dev/null +++ b/hieradata/roles/infra/ceph/rgw.yaml 
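Review bot: In hieradata/roles/infra/ceph/rgw.eyaml, `profiles::ceph::rgw::ceph_client_keys` holds the keys of all five gateways in one role-level hash, although rgw.pp only reads the entry for the node's own hostname. Every node that resolves this file therefore presumably receives all five decrypted keys as a plain `Hash[String, String]` class parameter in its catalog. Consider moving each key into that node's own hieradata as a single value, so that one gateway's catalog does not carry its peers' credentials. Failing that, a `lookup_options` entry with `convert_to: 'Sensitive'` and a matching `Sensitive[...]` parameter type would at least keep the values redacted in logs and reports.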
@@ -0,0 +1,59 @@
+---
+hiera_include:
+ - profiles::ceph::rgw
+ - profiles::nginx::simpleproxy
+
+profiles::ceph::rgw::enable: true
+
+# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
+python::manage_dev_package: false
+
+# additional altnames
+profiles::pki::vault::alt_names:
+ - radosgw.main.unkin.net
+ - radosgw.service.consul
+ - radosgw.query.consul
+ - "radosgw.service.%{facts.country}-%{facts.region}.consul"
+
+# additional repos
+profiles::yum::global::repos:
+ ceph:
+ name: ceph
+ descr: ceph repository
+ target: /etc/yum.repos.d/ceph.repo
+ baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
+ gpgkey: https://download.ceph.com/keys/release.asc
+ mirrorlist: absent
+ ceph-noarch:
+ name: ceph-noarch
+ descr: ceph-noarch repository
+ target: /etc/yum.repos.d/ceph-noarch.repo
+ baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
+ gpgkey: https://download.ceph.com/keys/release.asc
+ mirrorlist: absent
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'radosgw.service.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+ - radosgw.service.au-syd1.consul
+profiles::nginx::simpleproxy::proxy_port: 7480
+profiles::nginx::simpleproxy::proxy_path: '/'
+
+# manage consul service
+consul::services:
+ radosgw:
+ service_name: 'radosgw'
+ address: "%{facts.networking.ip}"
+ port: 443
+ checks:
+ - id: 'radosgw_https_check'
+ name: 'RADOSGW HTTPS Check'
+ http: "https://%{facts.networking.fqdn}:443"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: radosgw
+ disposition: write
diff --git a/site/profiles/manifests/ceph/conf.pp b/site/profiles/manifests/ceph/conf.pp
new file mode 100644
index 0000000..a8f1f89
--- /dev/null
+++ b/site/profiles/manifests/ceph/conf.pp
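Review bot: In hieradata/roles/infra/ceph/rgw.yaml, `tls_skip_verify: true` on `radosgw_https_check` turns off certificate validation for the health check, so the service keeps registering as healthy with an expired or mismatched certificate on port 443. The check already targets `%{facts.networking.fqdn}`; if the Vault-issued certificate covers the FQDN and the Consul agent trusts the issuing CA (neither is visible here), `tls_skip_verify: false` would let the check catch certificate problems. Also, neither repo entry sets `gpgcheck`, and `gpgkey` is fetched from download.ceph.com while `baseurl` points at the internal cache; confirm that `profiles::yum::global::repos` enforces package signature checking by default.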
@@ -0,0 +1,36 @@
+class profiles::ceph::conf (
+ Hash $config = {}
+) {
+
+ package {[
+ 'ceph',
+ 'ceph-common'
+ ]:
+ ensure => installed,
+ }
+
+ file {'/etc/ceph':
+ ensure => directory,
+ owner => 'ceph',
+ group => 'ceph',
+ mode => '0755',
+ require => Package['ceph'],
+ }
+
+ file {'/var/log/ceph':
+ ensure => directory,
+ owner => 'ceph',
+ group => 'ceph',
+ mode => '0755',
+ require => Package['ceph'],
+ }
+
+ file { '/etc/ceph/ceph.conf':
+ ensure => file,
+ owner => 'ceph',
+ group => 'ceph',
+ mode => '0644',
+ content => template('profiles/ceph/conf.erb'),
+ require => Package['ceph-common'],
+ }
+}
diff --git a/site/profiles/manifests/ceph/rgw.pp b/site/profiles/manifests/ceph/rgw.pp
new file mode 100644
index 0000000..93c42be
--- /dev/null
+++ b/site/profiles/manifests/ceph/rgw.pp
@@ -0,0 +1,41 @@
+class profiles::ceph::rgw (
+ Boolean $enable = true,
+ Hash[String, String] $ceph_client_keys = {},
+ Stdlib::Absolutepath $base_path = '/var/lib/ceph'
+){
+
+ $key = $ceph_client_keys[$facts['networking']['hostname']]
+
+ if $enable {
+
+ include profiles::ceph::conf
+
+ package {'ceph-radosgw':
+ ensure => installed,
+ }
+
+ file { [
+ "${base_path}/radosgw",
+ "${base_path}/radosgw/ceph-${facts['networking']['hostname']}"
+ ]:
+ ensure => directory,
+ owner => 'ceph',
+ group => 'ceph',
+ mode => '0750',
+ }
+
+ file { "${base_path}/radosgw/ceph-${facts['networking']['hostname']}/keyring":
+ ensure => file,
+ owner => 'ceph',
+ group => 'ceph',
+ mode => '0750',
+ content => Sensitive("[client.${facts['networking']['hostname']}]\n key = ${key}\n")
+ }
+
+ service {"ceph-radosgw@${facts['networking']['hostname']}":
+ ensure => true,
+ enable => true,
+ subscribe => File["${base_path}/radosgw/ceph-${facts['networking']['hostname']}/keyring"]
+ }
+ }
+}
diff --git a/site/profiles/templates/ceph/conf.erb b/site/profiles/templates/ceph/conf.erb
new file mode 100644
index 0000000..52024fd
--- /dev/null
+++ b/site/profiles/templates/ceph/conf.erb
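Review bot: In site/profiles/manifests/ceph/conf.pp, `Hash $config = {}` accepts any hash, but conf.erb calls `settings.each` on every value, so a section whose value is not a hash only fails when the template renders. With the empty default the class also writes a ceph.conf that has no sections at all. A tighter type such as `Hash[String, Hash[String, Variant[String, Numeric, Boolean]]] $config = {}` would reject malformed data at compile time. The class has no header comment; a short `# @summary` plus a `# @param config` line describing the section-to-settings layout would document what the Hiera key is expected to contain.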
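Review bot: In site/profiles/manifests/ceph/rgw.pp, the keyring file is created with `mode => '0750'`, which makes a secret file executable and group-readable; `mode => '0600'` is the usual choice for a keyring read only by the daemon running as `ceph`. `$key` is also taken from `$ceph_client_keys` without checking that the host has an entry, so a gateway missing from the hash gets a keyring with an empty `key =` line and the service is still started against it. A guard such as `unless $key { fail("no ceph client key for ${facts['networking']['hostname']}") }` inside the `if $enable` block would fail the catalog instead.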
@@ -0,0 +1,9 @@
+# Managed by Puppet in profiles::ceph::conf
+<% @config.each do |section, settings| -%>
+[<%= section %>]
+<% settings.each do |key, value| -%>
+<%# Convert booleans and numbers to strings, leave strings untouched %>
+<%= key %> = <%= value.is_a?(TrueClass) ? 'true' : value.is_a?(FalseClass) ? 'false' : value %>
+<% end -%>
+
+<% end -%>
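Review bot: In site/profiles/templates/ceph/conf.erb, `section`, `key` and `value` are written into ceph.conf verbatim, so any newline in the Hiera data becomes extra lines in the rendered file; the `public_network: >` value added in common.yaml, for example, ends with a newline. Rendering the value as `<%= value.to_s.strip %>` would cover that case and makes the boolean ternary unnecessary, since ERB already prints `true` and `false` as text. The `<%# ... %>` comment tag is not closed with `-%>`, so it emits an empty line before every setting.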