diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml index 83320faecc..6adddfaee8 100644 --- a/inventory/service/groups.yaml +++ b/inventory/service/groups.yaml @@ -1,7 +1,13 @@ plugin: yamlgroup groups: adns: adns*.open*.org - afs: afs[0-9]*.open*.org + afs-1.8: + - afs01.ord.openstack.org + afs: + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org afs-client: - review-dev[0-9]*.open*.org - mirror[0-9]*.opendev.org @@ -139,8 +145,10 @@ groups: pbx: - pbx[0-9]*.opendev.org puppet: - - afs[0-9]*.open*.org - - afsdb[0-9]*.open*.org + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org - ask*.open*.org - backup[0-9]*.openstack.org - cacti[0-9]*.open*.org @@ -173,8 +181,10 @@ groups: - wiki-dev[0-9]*.openstack.org - wiki[0-9]*.openstack.org puppet4: - - afs[0-9]*.open*.org - - afsdb[0-9]*.open*.org + - afs01.dfw.openstack.org + - afs02.dfw.openstack.org + - afsdb01.openstack.org + - afsdb02.openstack.org - ask*.open*.org - ask-staging[0-9]*.open*.org - cacti[0-9]*.open*.org diff --git a/playbooks/roles/openafs-server/README.rst b/playbooks/roles/openafs-server/README.rst new file mode 100644 index 0000000000..9878b44648 --- /dev/null +++ b/playbooks/roles/openafs-server/README.rst @@ -0,0 +1 @@ +Install openafs server components diff --git a/playbooks/roles/openafs-server/files/CellServDB b/playbooks/roles/openafs-server/files/CellServDB new file mode 100644 index 0000000000..28c01bf3ac --- /dev/null +++ b/playbooks/roles/openafs-server/files/CellServDB @@ -0,0 +1,3 @@ +>openstack.org #Cell name +104.130.136.20 #afsdb01.openstack.org +23.253.200.228 #afsdb02.openstack.org diff --git a/playbooks/roles/openafs-server/files/ThisCell b/playbooks/roles/openafs-server/files/ThisCell new file mode 100644 index 0000000000..3178e3d42c --- /dev/null +++ b/playbooks/roles/openafs-server/files/ThisCell @@ -0,0 +1 @@ +openstack.org 
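Review bot: In the first hunk, `afs01.ord.openstack.org` is listed only under the new `afs-1.8` group and is no longer a member of `afs`, so it stops inheriting anything defined for that group (the job definition later in this change references `inventory/service/group_vars/afs`). If that file carries firewall or other host settings, `afs-1.8` needs an equivalent. The same switch from globs to explicit names in the `puppet` and `puppet4` hunks means any host that matched `afs[0-9]*.open*.org` or `afsdb[0-9]*.open*.org` but is not listed now drops out of management without an error. I would record the intent above the new group, e.g. `# afs01.ord is managed by the openafs-server role; it is deliberately not in afs/puppet, so group_vars/afs does not apply to it`.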
diff --git a/playbooks/roles/openafs-server/tasks/main.yaml b/playbooks/roles/openafs-server/tasks/main.yaml
new file mode 100644
index 0000000000..47dd9d7fb6
--- /dev/null
+++ b/playbooks/roles/openafs-server/tasks/main.yaml
@@ -0,0 +1,85 @@
+- name: Install pre-reqs
+ package:
+ name: '{{ item }}'
+ state: present
+ loop:
+ - apt-transport-https
+ - software-properties-common
+
+- name: Ensure server directory
+ file:
+ state: directory
+ path: /etc/openafs/server
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Copy configuration files
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/openafs/server'
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - CellServDB
+ - ThisCell
+
+- name: Install rxkad.keytab
+ shell: 'echo "{{ openafs_server_rxkad_keytab }}" | base64 -d > /etc/openafs/server/rxkad.keytab'
+ args:
+ creates: '/etc/openafs/server/rxkad.keytab'
+ no_log: True
+
+- name: Ensure permissions rxkad.keytab
+ file:
+ path: '/etc/openafs/server/rxkad.keytab'
+ owner: root
+ group: root
+ mode: '0400'
+
+# This is generated by aconvert from rxkad.keytab; or if we ever need
+# to regenerate everything see asetkey(8) man page, which creates this
+# from a keytab. It's used by openafs 1.8 instead of keytabs to
+# reduce kerberos library dependencies or some such.
+- name: Install KeyfileExt
+ shell: 'echo "{{ openafs_server_keyfileext }}" | base64 -d > /etc/openafs/server/KeyFileExt'
+ args:
+ creates: '/etc/openafs/server/KeyFileExt'
+ no_log: True
+
+- name: Ensure permissions on KeyFileExt
+ file:
+ path: '/etc/openafs/server/KeyFileExt'
+ owner: root
+ group: root
+ mode: '0400'
+
+- name: Install openstackci openafs PPA
+ apt_repository:
+ repo: 'ppa:openstack-ci-core/openafs'
+
+- name: Install kernel headers dependency
+ package:
+ name:
+ - linux-headers-{{ ansible_kernel }}
+ state: present
+ become: yes
+
+# NOTE(ianw) : Need to do this first and separately so that the
+# modules are ready for the openafs server/client package to start.
+# Avoid recommends because that drags in the client, which can't start +# without the modules which are building in this step (we do it next) +- name: Install openafs kernel modules + apt: + name: openafs-modules-dkms + state: latest + install_recommends: no + +- name: Install packages + package: + name: + - openafs-fileserver + - openafs-client + - openafs-krb5 + state: latest diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/service-afs.yaml similarity index 88% rename from playbooks/remote_puppet_afs.yaml rename to playbooks/service-afs.yaml index 6f98aa5014..366a4f0746 100644 --- a/playbooks/remote_puppet_afs.yaml +++ b/playbooks/service-afs.yaml @@ -10,6 +10,11 @@ roles: - puppet-run +- hosts: "afs-1.8:!disabled" + name: "Configure AFS server" + roles: + - openafs-server + - hosts: "mirror-update:!disabled" name: "Create key for remote vos release" tasks: diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index 45848f1b32..8a08606815 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml @@ -555,18 +555,18 @@ # Run AFS changes separately so we can make sure to only do one at a time # (turns out quorum is nice to have) - job: - name: infra-prod-remote-puppet-afs + name: infra-prod-service-afs parent: infra-prod-service-base - description: Run remote-puppet-afs.yaml playbook. + description: Run AFS playbook. vars: - playbook_name: remote_puppet_afs.yaml + playbook_name: service-afs.yaml infra_prod_ansible_forks: 1 required-projects: - opendev/ansible-role-puppet - opendev/system-config files: - inventory/ - - playbooks/remote_puppet_afs.yaml + - playbooks/service-afs.yaml - inventory/service/group_vars/afs - inventory/service/group_vars/mirror-update - inventory/service/group_vars/puppet @@ -576,6 +576,7 @@ - playbooks/roles/disable-puppet-agent/ - playbooks/roles/iptables/ - playbooks/roles/vos-release/ + - playbooks/roles/openafs-server/ - modules/ - manifests/ 
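Review bot: `Install rxkad.keytab` and `Install KeyfileExt` write the server keys through a shell redirection, so each file is created under whatever umask the task runs with (typically 022) and is only restricted to `0400` by the following `file` task; a run that stops in between leaves the key readable to other local users. Setting the umask in the command closes that window: `shell: 'umask 077; echo "{{ openafs_server_rxkad_keytab }}" | base64 -d > /etc/openafs/server/rxkad.keytab'`, and the same for `KeyFileExt`. Because of `creates:`, a truncated file left by a failed decode is never rewritten and a rotated key in the vars is never deployed, which deserves a comment next to both tasks. Separately, `state: latest` on packages from the PPA lets any run pull a new fileserver or DKMS build onto a host that holds the cell key; `state: present` with deliberate upgrades would keep that change under review.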
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index d8e3a23e32..4923dc1e3b 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -274,7 +274,7 @@ - infra-prod-service-eavesdrop - name: system-config-promote-image-accessbot soft: true - - infra-prod-remote-puppet-afs + - infra-prod-service-afs - infra-prod-remote-puppet-else - infra-prod-run-cloud-launcher periodic: @@ -310,7 +310,7 @@ - infra-prod-service-codesearch - infra-prod-service-eavesdrop - infra-prod-run-accessbot - - infra-prod-remote-puppet-afs + - infra-prod-service-afs opendev-prod-hourly: jobs: - infra-prod-install-ansible