diff --git a/ansible/playbooks/init-rocky-bugzilla.yml b/ansible/playbooks/init-rocky-bugzilla.yml
index ce73147..f5cc2bb 100644
--- a/ansible/playbooks/init-rocky-bugzilla.yml
+++ b/ansible/playbooks/init-rocky-bugzilla.yml
@@ -3,6 +3,11 @@
 - name: Configure MantisBT
   hosts: "bugtracker"
   become: true
+  vars_files:
+  - vars/common.yml
+  - vars/vaults/encpass.yml
+  - vars/vaults/mantis.yml
+  - vars/mantis.yml
 
   handlers:
     - import_tasks: handlers/main.yml
@@ -20,11 +25,31 @@
         success_msg: "We are not able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+
   tasks:
     - name: Deploy Mantis
       import_tasks: tasks/mantis.yml
 
   post_tasks:
+    - name: Open firewalld ports
+      ansible.posix.firewalld:
+        service: "{{ item }}"
+        permanent: true
+        immediate: true
+        state: enabled
+      with_items:
+        - http
+        - https
+
+    - name: Ensure httpd is enabled and running
+      service:
+        name: httpd
+        enabled: true
+        state: started
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run
diff --git a/ansible/playbooks/tasks/mantis.yml b/ansible/playbooks/tasks/mantis.yml
index 4aaa4cf..202b8ff 100644
--- a/ansible/playbooks/tasks/mantis.yml
+++ b/ansible/playbooks/tasks/mantis.yml
@@ -32,6 +32,11 @@
     mode: '0644'
     remote_src: true
 
+- name: Generate crypto salt
+  shell: "cat /dev/urandom | head -c 64 | base64 --wrap=0"
+  changed_when: "1 != 1"
+  register: cryptosalt_string
+
 - name: Configure mantis
   template:
     src: "var/www/mantis/config/config_inc.php.j2"
@@ -40,6 +45,22 @@
     group: apache
     mode: '0640'
 
+- name: Deploy plugins from Mantis GitHub
+  git:
+    repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
+    dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
+    update: true
+    version: master
+  with_items:
+    - Snippets
+
+- name: Deploy custom libravatar plugin
+  git:
+    repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
+    dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
+    update: true
+    version: main
+
 - name: Configure httpd
   template:
     src: "etc/httpd/conf.d/mantis.conf.j2"
@@ -47,3 +68,25 @@
     owner: root
     group: root
     mode: '0644'
+
+- name: Database import template
+  template:
+    src: "tmp/mantis_import.sql.j2"
+    dest: "/tmp/mantis_import.sql.j2"
+    owner: root
+    group: root
+    mode: '0600'
+
+# We will need to generate this
+# name: Import database if required
+# community.general.postgresql_db:
+#   name: "{{ mantis_db_name }}"
+#   target: /tmp/mantis_import.sql
+#   owner: "{{ mantis_db_user }}"
+#   state: restore
+#   login_host: "{{ mantis_db_host }}"
+#   login_user: "{{ mantis_db_user }}"
+#   login_password: "{{ mantis_db_pass }}"
+
+- name: Patch up some pages
+  import_tasks: mantispatch.yml
diff --git a/ansible/playbooks/tasks/mantispatch.yml b/ansible/playbooks/tasks/mantispatch.yml
new file mode 100644
index 0000000..0e4a4b8
--- /dev/null
+++ b/ansible/playbooks/tasks/mantispatch.yml
@@ -0,0 +1,25 @@
+---
+# Patch up various pieces of mantis to customize it. We do not rely on local
+# bug tracker accounts. We are doing regex instead of just replacing the
+# file as a whole. Should make it easier to deal with upgrades in theory.
+- name: Change signup_page.php to Account Services
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
+    regexp: 'signup_page.php'
+    replace: 'https://accounts.rockylinux.org'
+  with_items:
+    - core/print_api.php
+    - lost_pwd_page.php
+    - login_page.php
+
+- name: Change special signup_page.php reference
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
+    regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
+    replace: 'https://accounts.rockylinux.org'
+
+- name: Remove LDAP from checks for signup button
+  lineinfile:
+    path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
+    state: absent
+    regex: 'LDAP != config_get_global'
diff --git a/ansible/playbooks/templates/tmp/mantis_import.sql.j2 b/ansible/playbooks/templates/tmp/mantis_import.sql.j2
new file mode 100644
index 0000000..b7db254
--- /dev/null
+++ b/ansible/playbooks/templates/tmp/mantis_import.sql.j2
@@ -0,0 +1 @@
+# Empty
diff --git a/ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2 b/ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2
index ec78437..f224283 100644
--- a/ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2
+++ b/ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2
@@ -1,5 +1,5 @@
 <?php
-$g_hostname               = 'build-a-box.labs.angelsofclockwork.net';
+$g_hostname               = '{{ mantis_db_host }}';
 $g_db_type                = 'pgsql';
 $g_database_name          = '{{ mantis_db_name }}';
 $g_db_username            = '{{ mantis_db_user }}';
@@ -7,13 +7,14 @@ $g_db_password            = '{{ mantis_db_pass }}';
 
 $g_default_timezone       = 'UTC';
 
-$g_crypto_master_salt     = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
+$g_crypto_master_salt     = '{{ cryptosalt_string.stdout }}';
 
 # Added
 $g_login_method          = 'LDAP';
 $g_ldap_server           = '{{ rocky_ipaserver_lb }}';
+$g_ldap_port             = '389';
 $g_ldap_root_dn          = '{{ rocky_ldap_user_basedn }}';
-$g_ldap_organization     = '(objectClass=posixAccount)';
+#$g_ldap_organization     = '(objectClass=posixAccount)';
 $g_ldap_protocol_version = 3;
 $g_ldap_network_timeout  = 30;
 $g_ldap_follow_referrals = ON;
@@ -32,9 +33,14 @@ $g_allow_file_upload     = ON;
 $g_file_upload_method    = DATABASE; # or DISK
 $g_dropzone_enabled      = ON;
 $g_show_realname         = ON;
+$g_show_avatar           = ON;
 $g_allowed_files         = 'log,patch,txt';
-$g_disallowed_files      = 'exe,tar,tgz,tar.gz,pl,sh';
+$g_disallowed_files      = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
 $g_window_title          = 'Rocky Bugzilla';
-$g_allow_signup          = OFF;
+$g_allow_signup          = ON;
 $g_allow_anonymous_login = ON;
 $g_anonymous_account     = 'anonymous';
+$g_enable_email_notification = ON;
+
+# Cookie problems
+$g_allow_permanent_cookie = OFF;
diff --git a/ansible/playbooks/vars/mantis.yml b/ansible/playbooks/vars/mantis.yml
index 0b0f52c..5b12fb8 100644
--- a/ansible/playbooks/vars/mantis.yml
+++ b/ansible/playbooks/vars/mantis.yml
@@ -1,7 +1,7 @@
 ---
 # mantis vars
-mantis_version: 2.24.2
-mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
+mantis_version: 2.25.0
+mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
 mantis_pkg:
   - php
   - php-ldap
@@ -11,8 +11,21 @@ mantis_pkg:
   - php-mbstring
   - php-curl
   - openldap
-mantis_db_name: mantis
+  - php-json
+mantis_db_host: db.rockylinux.org
+mantis_db_name: mantisdb
 mantis_db_user: mantis
-#mantis_db_pass: ThisIsNotThePassword!
-mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
-#mantis_binder_pass: ThisIsNotThePassword!
+mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
+mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
+
+# Vault
+# mantis_db_pass: ThisIsNotThePassword!
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: apache
+    key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
+    cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
+    postcmd: "/bin/systemctl reload httpd"
+    cnames:
+      - "bugs.rockylinux.org"
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
index 3cad738..c72f35f 100644
--- a/ansible/roles/requirements.yml
+++ b/ansible/roles/requirements.yml
@@ -34,6 +34,7 @@ roles:
     src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
     scm: git
     version: develop
+  - name: riemers.gitlab-runner
 
 collections:
   # freeipa