diff --git a/playbooks/inventory/group_vars/all.yml b/playbooks/inventory/group_vars/all.yml
index 6a0f7a6471..1a3bd7671b 100644
--- a/playbooks/inventory/group_vars/all.yml
+++ b/playbooks/inventory/group_vars/all.yml
@@ -35,6 +35,7 @@ pip_links:
 ## OpenStack source options
 # URL for the frozen internal openstack repo.
 repo_server_port: 8181
+repo_pkg_cache_enabled: true
 openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
 openstack_repo_git_url: "git://{{ internal_lb_vip_address }}"
diff --git a/playbooks/repo-server.yml b/playbooks/repo-server.yml
index 6d45587c0c..e5680ca456 100644
--- a/playbooks/repo-server.yml
+++ b/playbooks/repo-server.yml
@@ -44,3 +44,22 @@
 - "rsyslog-client"
 vars:
 is_metal: "{{ properties.is_metal|default(false) }}"
+
+- name: Setup package manager proxy
+ hosts: all:!repo_all
+ tasks:
+ - name: Drop apt package manager proxy
+ copy:
+ content: 'Acquire::http { Proxy "http://{{ internal_lb_vip_address }}:3142"; };'
+ dest: "/etc/apt/apt.conf.d/00apt-cacher-proxy"
+ when:
+ - ansible_os_family == 'Debian'
+ - repo_pkg_cache_enabled | bool
+ - name: Drop apt package manager proxy
+ lineinfile:
+ line: 'proxy=http://{{ internal_lb_vip_address }}:3142'
+ dest: "/etc/yum.conf"
+ when:
+ - ansible_os_family == 'RedHat'
+ - repo_pkg_cache_enabled | bool
+
diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml
index 13f93daf7e..12466183b3 100644
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
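Review bot: `repo_pkg_cache_enabled` is added without a comment of its own and sits under the "URL for the frozen internal openstack repo" comment, which does not describe it. Because it defaults to `true`, an upgrade points the package manager on every host matched by `all:!repo_all` in repo-server.yml at the proxy on port 3142 without the operator opting in. I would add `# Send apt/yum traffic from all non-repo hosts through the repo server package cache; set to false to leave package manager config untouched.` directly above the variable.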
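Review bot: Both tasks only ever add the proxy setting, so setting `repo_pkg_cache_enabled` to false later leaves `00apt-cacher-proxy` and the `proxy=` line in place and hosts keep sending package traffic to port 3142. The `lineinfile` task also has no `regexp`, so a changed `internal_lb_vip_address` appends a second `proxy=` line to `/etc/yum.conf` instead of replacing the first; note that a broad `^proxy=` pattern would also take over a proxy line an operator set by hand. The second task is named "Drop apt package manager proxy" although it configures yum, and `3142` is repeated as a literal here and in the haproxy service. Since every non-repo host will now fetch packages through a plain-HTTP cache, it is worth confirming that apt signature verification and yum `gpgcheck` stay enforced on the targets.

```yaml
# … unchanged: play header and the Debian copy task …
    - name: Remove apt package manager proxy
      file:
        path: "/etc/apt/apt.conf.d/00apt-cacher-proxy"
        state: absent
      when:
        - ansible_os_family == 'Debian'
        - not (repo_pkg_cache_enabled | bool)
    - name: Drop yum package manager proxy
      lineinfile:
        regexp: '^proxy='
        line: 'proxy=http://{{ internal_lb_vip_address }}:3142'
        dest: "/etc/yum.conf"
        state: "{{ (repo_pkg_cache_enabled | bool) | ternary('present', 'absent') }}"
      when:
        - ansible_os_family == 'RedHat'
```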
@@ -47,6 +47,19 @@ haproxy_default_services:
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: repo_cache
+ haproxy_backend_nodes: "{{ [groups['repo_all'][0]] | default([]) }}" # list expected
+ haproxy_backup_nodes: "{{ groups['repo_all'][1:] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 3142
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /acng-report.html"
+ haproxy_whitelist_networks:
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - 10.0.0.0/8
 - service:
 haproxy_service_name: glance_api
 haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
diff --git a/releasenotes/notes/haproxy-package-cache-backend-da096228387bc1f4.yaml b/releasenotes/notes/haproxy-package-cache-backend-da096228387bc1f4.yaml
new file mode 100644
index 0000000000..a0ee71d536
--- /dev/null
+++ b/releasenotes/notes/haproxy-package-cache-backend-da096228387bc1f4.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - The repo server will now be used as a package manager
+ cache.
+upgrade:
+ - Haproxy has a new backend to support using the repo
+ server nodes as a package manager cache. The new backend
+ is called "repo_cache" and uses port "3142" and a single
+ active node. All other nodes within the pool are backups
+ and will be promoted if the active node goes down.
+ Default ACLs have been created to lock down the port's
+ availability to only internal networks originating from
+ an RFC1918 address.
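Review bot: In the new `repo_cache` service the `default([])` on `haproxy_backend_nodes` never takes effect, because the filter is applied to a list literal that is always defined; with an empty or missing `repo_all` group the `[0]` lookup will likely fail templating or yield a list holding an undefined value. Slicing after the default avoids that: `haproxy_backend_nodes: "{{ (groups['repo_all'] | default([]))[:1] }}"` and `haproxy_backup_nodes: "{{ (groups['repo_all'] | default([]))[1:] }}"`. The service also inherits `haproxy_ssl`, while the clients in repo-server.yml are configured with `http://…:3142`; if that flag makes the frontend terminate TLS (the role is not visible here), the proxy URL and the listener would disagree, so `haproxy_ssl: false` looks like the safer value for this entry. The whitelist admits all three RFC1918 ranges, which is wider than the management network the proxy is meant to serve, so consider narrowing it or exposing it as a variable.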