diff --git a/roles/koji-client/defaults/main.yml b/roles/koji-client/defaults/main.yml
new file mode 100644
index 0000000..1f63864
--- /dev/null
+++ b/roles/koji-client/defaults/main.yml
@@ -0,0 +1,15 @@
+koji_client_id: '{{ inventory_hostname }}'
+koji_client_dir: ~/.koji
+koji_config_path: /etc/koji.conf
+koji_client_user: '{{ ansible_user_id }}'
+koji_client_group: '{{ koji_client_user }}'
+koji_client_dir_mode: '0755'
+koji_client_config_mode: '0644'
+koji_client_cert_mode: '0600'
+
+kojihub_host: "{{ ansible_fqdn }}"
+kojihub_url: https://{{ kojihub_host }}/kojihub
+kojiweb_hostname: "{{ kojihub_host }}"
+kojiweb_url: https://{{ kojiweb_hostname }}/koji
+kojifiles_host: "{{ kojihub_host }}"
+kojifiles_url: http://{{ kojifiles_host }}/kojifiles
diff --git a/roles/koji-client/handlers/main.yml b/roles/koji-client/handlers/main.yml
new file mode 100644
index 0000000..b898998
--- /dev/null
+++ b/roles/koji-client/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: update ca trust
+ command: update-ca-trust
diff --git a/roles/koji-client/tasks/main.yml b/roles/koji-client/tasks/main.yml
new file mode 100644
index 0000000..310b99a
--- /dev/null
+++ b/roles/koji-client/tasks/main.yml
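Review bot: In roles/koji-client/defaults/main.yml, `kojifiles_url` defaults to plain `http://` while `kojihub_url` and `kojiweb_url` use `https://`, so whatever the client fetches through `topurl` travels without transport integrity or confidentiality. I would default it to `kojifiles_url: "https://{{ kojifiles_host }}/kojifiles"` and let sites that really serve files over HTTP override it explicitly. Quoting the three URL values would also make them consistent with the other templated defaults in this file.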
@@ -0,0 +1,47 @@
+- name: ensure koji client is installed
+ package:
+ name=koji
+ state=present
+ tags:
+ - install
+
+- name: ensure koji client configuration directory exists
+ file:
+ path={{ koji_client_dir }}
+ owner={{ koji_client_user }}
+ group={{ koji_client_group }}
+ mode={{ koji_client_dir_mode }}
+ state=directory
+- name: ensure koji client is configured
+ template:
+ src=config.j2
+ dest={{ koji_config_path }}
+ owner={{ koji_client_user }}
+ group={{ koji_client_group }}
+ mode={{ koji_client_config_mode }}
+- name: ensure koji ca certificates are installed
+ copy:
+ src={{ item }}
+ dest={{ koji_client_dir }}/{{ item|basename }}
+ owner={{ koji_client_user }}
+ group={{ koji_client_group }}
+ mode={{ koji_client_config_mode }}
+ with_fileglob:
+ - certs/koji//{{ koji_client_id }}/*.crt
+- name: ensure koji hub server ca certificate is trusted
+ copy:
+ src={{ item }}
+ dest=/etc/pki/ca-trust/source/anchors/koji-hub.crt
+ mode=0644
+ with_fileglob:
+ - certs/koji/{{ koji_client_id }}/serverca.crt
+ notify: update ca trust
+- name: ensure koji client certificate is installed
+ copy:
+ src={{ item }}
+ dest={{ koji_client_dir }}/client.pem
+ owner={{ koji_client_user }}
+ group={{ koji_client_group }}
+ mode={{ koji_client_cert_mode }}
+ with_fileglob:
+ - certs/koji/{{ koji_client_id }}/client.pem
diff --git a/roles/koji-client/templates/config.j2 b/roles/koji-client/templates/config.j2
new file mode 100644
index 0000000..80e9f0a
--- /dev/null
+++ b/roles/koji-client/templates/config.j2
@@ -0,0 +1,11 @@
+[koji]
+server = {{ kojihub_url }}
+weburl = {{ kojiweb_url }}
+topurl = {{ kojifiles_url }}
+
+authtype = ssl
+cert = ~/.koji/client.pem
+ca = ~/.koji/clientca.crt
+serverca = ~/.koji/serverca.crt
+
+anon_retry = yes
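Review bot: In roles/koji-client/tasks/main.yml, the `ensure koji hub server ca certificate is trusted` task copies serverca.crt into `/etc/pki/ca-trust/source/anchors/`, which makes that CA trusted for any hostname by every TLS client on the host, not just koji. config.j2 already gives koji its own `serverca` file, so the system-wide anchor looks broader than the role needs; if it is intentional, a comment such as `# system-wide trust needed for <reason>` should record why. That copy also sets no owner or group, unlike its siblings, and `owner=root group=root` would pin it. Separately, `client.pem` presumably carries the private key, so `no_log: true` on that task would keep its content out of task output. Every certificate task uses `with_fileglob`, which yields zero items and skips silently when the source file is missing, so an `assert` on the expected files would make a wrong `koji_client_id` directory visible.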
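Review bot: The `cert`, `ca` and `serverca` paths in roles/koji-client/templates/config.j2 are hard-coded to `~/.koji/`, while the tasks install those files under `{{ koji_client_dir }}`, so overriding `koji_client_dir` leaves the rendered config pointing at files the role never wrote. I would render them from the variable: `cert = {{ koji_client_dir }}/client.pem`, `ca = {{ koji_client_dir }}/clientca.crt`, `serverca = {{ koji_client_dir }}/serverca.crt`. The default `koji_config_path` is the system-wide /etc/koji.conf, and `~` is presumably expanded per invoking user. Accounts other than `koji_client_user` would then look for a certificate and CA files in their own home directories that the role did not install; an absolute default path, or a comment stating that the config serves a single user, would make that explicit.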