authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-13 15:14:37 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-13 15:14:37 +0000
commitbc18c61ee3c026a6fe80ed3d9a1ea852d9ed9506 (patch)
tree97be2eb1368e04326af210e3048581431624796a
parent50f602fe6b12943a3847fb1925b1e5cb554bed97 (diff)
parent77901928199ff71a65e8bec83830051d52a4a5c4 (diff)
downloadinfrastructure-bc18c61ee3c026a6fe80ed3d9a1ea852d9ed9506.tar.gz
Merge branch 'sam/gerrit-production'
-rw-r--r--README.mdwn129
-rw-r--r--baserock_gerrit/All-Projects/groups16
-rw-r--r--baserock_gerrit/All-Projects/project.config105
-rw-r--r--baserock_gerrit/gerrit-access-config.yml151
-rw-r--r--baserock_gerrit/gerrit-system-x86_64.morph39
-rw-r--r--baserock_gerrit/gerrit-tools.morph10
-rw-r--r--baserock_gerrit/gerrit.config6
-rw-r--r--baserock_gerrit/instance-config.yml18
-rw-r--r--baserock_gerrit/instance-mirroring-config.yml49
-rw-r--r--baserock_gerrit/lorry-controller.conf29
-rw-r--r--baserock_gerrit/lorry-controller/minion.conf6
-rw-r--r--baserock_gerrit/lorry-controller/webapp.conf13
-rw-r--r--baserock_gerrit/lorry.conf8
-rw-r--r--baserock_gerrit/replication.config27
14 files changed, 582 insertions, 24 deletions
diff --git a/README.mdwn b/README.mdwn
index c4a23628..f678e8de 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -197,6 +197,12 @@ https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
To deploy to production:
+ nova volume-create \
+ --display-name gerrit-volume \
+ --display-description 'Gerrit volume' \
+ --volume-type Ceph \
+ 100
+
morph build baserock_gerrit/gerrit-system-x86_64.morph
morph deploy baserock_gerrit/baserock_gerrit.morph
@@ -205,26 +211,32 @@ To deploy to production:
--flavor 'dc1.2x4.40' \
--image baserock_gerrit \
--nic net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5,v4-fixed-ip=192.168.222.69 \
+ --security-groups default,gerrit,git-server,web-server
--user-data baserock-ops-team.cloud-config
- nova volume-create \
- --display-name gerrit-volume \
- --display-description 'Gerrit volume' \
- --volume-type Ceph \
- 100
nova volume-attach gerrit.baserock.org <volume-id> /dev/vdb
- # Download the JRE -- this implies that you accept the 'Oracle Binary Code
- # License Agreement for Java SE'. Visit Make sure you use the latest
- # version of Java, don't copy-paste this commandline directly ;)
- #
- # See: http://www.oracle.com/technetwork/java/javase/downloads/index.html
+Accept the license and download the latest Java Runtime Environment from
+http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
+
+Accept the license and download the latest Java Cryptography Extensions from
+http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
+
+Save these two files in the baserock_gerrit/ folder. The instance-config.yml
+Ansible playbook will upload them to the new system.
+
+ # Don't copy-paste this! Use the Oracle website instead!
wget --no-cookies --no-check-certificate \
- --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
- "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/server-jre-8u31-linux-x64.tar.gz"
+ --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
+ "http://download.oracle.com/otn-pub/java/jdk/8u40-b25/server-jre-8u40-linux-x64.tar.gz"
+ wget --no-cookies --no-check-certificate \
+ --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
+ "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip"
ansible-playbook -i hosts baserock_gerrit/instance-config.yml
+#### Access control
+
Now, log into the new Gerrit instance with your OpenID. Make sure you're the
first one to have registered, and you will automatically have been added to the
Administrators group.
@@ -232,8 +244,101 @@ Administrators group.
You can add more users into the Administrators group later on using the [gerrit
set-members] command, or the web interface.
+Go to the settings page, 'HTTP Password' and generate a HTTP password for
+yourself. You'll need it in the next step. The password can take a long time to
+appear for some reason, or it might not work at all. Click off the page and
+come back to it and it might suddenly have appeared. I've not investigated why
+this happens.
+
+Generate the SSH keys you need, if you don't have them.
+
+ mkdir -p keys
+ ssh-keygen -t rsa -b 4096 -C 'lorry@gerrit.baserock.org' -N '' -f keys/lorry-gerrit.key
+
+Now set up the Gerrit access configuration. You'll need to have cloned
+<https://github.com/ssssam/ansible-gerrit> alongside infrastructure.git, and ran
+`make` in that directory. You'll also need 'pygerrit' installed somewhere
+Python can find it.
+
+ export GERRIT_URL=http://gerrit.baserock.org
+ export GERRIT_ADMIN_USERNAME=your username
+ export GERRIT_ADMIN_PASSWORD=your generated HTTP password
+
+ ANSIBLE_LIBRARY=../ansible-gerrit \
+ ansible-playbook baserock_gerrit/gerrit-access-config.yml
+
+As well as creating all the groups and initial users in the new Gerrit
+instance, Ansible should update the file baserock_gerrit/All-Projects/groups,
+which will be needed in the next step.
+
+ git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/All-Projects.git /tmp/All-Projects
+ cp -a baserock_gerrit/All-Projects/* /tmp/All-Projects
+ cd /tmp/All-Projects
+ git checkout -b config
+ git commit -a -m "Set up initial access controls."
+ git push origin config:refs/meta/config
+ cd -
+
[gerrit set-members]: https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/cmd-set-members.html
+#### Mirroring
+
+Run:
+
+ ansible-playbook -i hosts baserock_gerrit/instance-mirroring-config.yml
+
+Now clone the lorry-controller configuration repository, commit the
+configuration file to it, and push.
+
+ git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/local-config/lorries.git /tmp/lorries
+ cp baserock_gerrit/lorry-controller.conf /tmp/lorries
+ cd /tmp/lorries
+ git checkout -b master
+ git add .
+ git commit -m "Add initial Lorry Controller mirroring configuration"
+ git push origin master
+ cd -
+
+Now SSH in as 'root' to gerrit.baserock.org, tunnelling the lorry-controller
+webapp's port to your local machine:
+
+ ssh -L 12765:localhost:12765 root@gerrit.baserock.org
+
+Visit <http://localhost/1.0/status-html>. You should see the lorry-controller
+status page. Click 'Re-read configuration', if there are any errors in the
+configuration it'll tell you. If not, it should start mirroring stuff from
+your Trove.
+
+Create a Gitano account on the Trove you want to push changes to for the Gerrit
+user. The `instance-config.yml` Ansible playbook will have generated an SSH
+key. Do this on the Gerrit instance.
+
+ ssh git@git.baserock.org user add gerrit "gerrit.baserock.org" gerrit@baserock.org
+ ssh git@git.baserock.org as gerrit sshkey add main < ~gerrit/.ssh/id_rsa.pub
+
+Add the user to the necessary -writers groups, so they can push updates to the
+repos. The 'replication.config' file controls what the gerrit-replication plugin
+tries to push. By default force-push is disabled and only 'master' and tags are
+pushed.
+
+ ssh git@git.baserock.org group adduser baserock-writers gerrit
+
+Add the host key of the remote trove.
+
+ sudo -u gerrit sh -c 'ssh-keyscan git.baserock.org >> ~gerrit/.ssh/known_hosts'
+
+Check the account is working.
+
+ sudo -u gerrit ssh git@git.baserock.org whoami
+
+Now enable the gerrit-replication plugin, check that it's now in the list of
+plugins, and manually start a replication cycle. You should see log output from
+the final SSH command showing any errors.
+
+ ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin enable replication
+ ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin ls
+ ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 replication start --all --wait
+
### Storyboard
We use a slightly adapted version of
diff --git a/baserock_gerrit/All-Projects/groups b/baserock_gerrit/All-Projects/groups
new file mode 100644
index 00000000..da2baa74
--- /dev/null
+++ b/baserock_gerrit/All-Projects/groups
@@ -0,0 +1,16 @@
+# UUID Group Name
+#
+global:Anonymous-Users Anonymous Users
+global:Project-Owners Project Owners
+global:Registered-Users Registered Users
+
+# This file is filled in with the other group IDs by the
+# gerrit-access-config.yml Ansible playbook.
+b660c33b68509db9dbd9578ae00035da90c0d5eb Administrators
+8e467a11f116bb716a65ac85e28bf09ebfeb0d63 Non-Interactive Users
+898d9c4232b8fcac6a3b128f7264c5d4c8b1eead Developers
+b8fc45c681b94669fe3fa965c48d5221a515a3a6 Mergers
+8c788c828285c3dd0a8c1cc152de6735085def9f Mirroring Tools
+a7a9cc6639bd943e47da0d20b39267a08b43cd91 Release Team
+d643abb0ad6e9d5ac33093af5cd3a3d4e484d95d Reviewers
+cea6c19a08e11b74e63a567e050bec2c6eeb14dc Testers
diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config
new file mode 100644
index 00000000..0b16b280
--- /dev/null
+++ b/baserock_gerrit/All-Projects/project.config
@@ -0,0 +1,105 @@
+# Top-level access controls for projects on Baserock Gerrit.
+
+# These can be overridden by a project's own project.config file. They are also
+# overridden by the config of a project's parent repo, if it is set to something
+# other than the default parent project 'All-Projects'.
+
+# Useful references:
+#
+# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
+# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst
+
+[project]
+ description = Access inherited by all other projects.
+
+[receive]
+ requireContributorAgreement = false
+ requireSignedOffBy = false
+ requireChangeId = true
+
+[submit]
+ mergeContent = true
+
+[capability]
+ administrateServer = group Administrators
+ priority = batch group Non-Interactive Users
+ streamEvents = group Non-Interactive Users
+
+ createProject = group Mirroring Tools
+
+# Everyone can read everything.
+[access "refs/*"]
+ read = group Administrators
+ read = group Anonymous Users
+
+
+# Developers can propose changes. All 'Registered Users' are 'Developers'.
+[access "refs/for/refs/*"]
+ push = group Developers
+ pushMerge = group Developers
+
+
+[access "refs/heads/*"]
+ forgeAuthor = group Developers
+ rebase = group Developers
+ label-Code-Review = -2..+2 group Mergers
+ submit = group Mergers
+ label-Code-Review = -1..+1 group Reviewers
+# label-Verified = -1..+1 group Testers
+
+ create = group Administrators
+ forgeCommitter = group Administrators
+ push = group Administrators
+ create = group Project Owners
+ forgeCommitter = group Project Owners
+ push = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+
+[access "refs/tags/*"]
+ pushTag = group Release Team
+ pushSignedTag = group Release Team
+
+ pushTag = group Administrators
+ pushSignedTag = group Administrators
+ pushTag = group Project Owners
+ pushSignedTag = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+ pushTag = +force group Mirroring Tools
+ pushSignedTag = +force group Mirroring Tools
+
+
+# Changing project configuration is allowed for Administrators only. (In theory
+# anyone who owns a project can change its permissions, but right now all
+# projects should be owned by the Administrators group).
+[access "refs/meta/config"]
+ exclusiveGroupPermissions = read
+
+ read = group Administrators
+ push = group Administrators
+ read = group Project Owners
+ push = group Project Owners
+
+[label "Code-Review"]
+ function = MaxWithBlock
+ copyMinScore = true
+ value = -2 Do not merge
+ value = -1 This patch needs further work before it can be merged
+ value = 0 No score
+ value = +1 Looks good to me, but someone else must approve
+ value = +2 Looks good to me, approved
+
+# Disabled for now, because there is no automated test tool hooked up to our
+# Gerrit yet.
+#[label "Verified"]
+# function = MaxWithBlock
+# value = -1 Failed
+# value = 0 No score
+# value = +1 Verified
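Review bot: The `[access "refs/heads/*"]` and `[access "refs/tags/*"]` sections grant `push = +force group Mirroring Tools` on every project that inherits from All-Projects, so the `lorry` account (placed in Mirroring Tools by gerrit-access-config.yml in this same commit) can rewrite history on any branch, presumably including projects such as local-config/lorries that are never mirrored. If the Trove-mirrored projects can be parented under a dedicated project, the force-push grants could live there instead; failing that, a comment recording why instance-wide force push is accepted would help the next reader, e.g. `# Force push is instance-wide because Gerrit ACLs are per-ref, not per-project; the lorry SSH key must be guarded accordingly.`. Also, `read = group Administrators` under `[access "refs/*"]` is redundant while Anonymous Users already have read there; harmless, but it suggests the two lines were meant for different ref patterns.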
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml
new file mode 100644
index 00000000..d17df33e
--- /dev/null
+++ b/baserock_gerrit/gerrit-access-config.yml
@@ -0,0 +1,151 @@
+# Baserock Gerrit access controls, and predefined users, groups and projects.
+#
+# This Ansible playbook requires the ansible-gerrit modules:
+#
+# https://www.github.com/ssssam/ansible-gerrit
+#
+# These modules depend on pygerrit:
+#
+# https://www.github.com/sonyxperiadev/pygerrit/
+
+# -
+- hosts: localhost
+ tasks:
+ # System groups:
+ # - Anonymous Users
+ # - Change Owner
+ # - Project Owners
+ # - Registered Users
+
+ # Prefined groups:
+ # - Administrators
+ # - Non-Interactive Users
+
+ - gerrit_group:
+ name: Administrators
+ register: administrators_group
+
+ - gerrit_group:
+ name: Non-Interactive Users
+ register: non_interactive_users_group
+
+ # The 'owner' of a group defines who can modify that group. Users
+ # who are in the 'owner' group for a group 'Groupies' can add and remove
+ # people (and other groups) from 'Groupies' and can change the name,
+ # description and owner of 'Groupies.' Since we don't want the
+ # names, descriptions or owners of these predefined groups being
+ # changed, they are all left owned by the Administrators group.
+
+ - gerrit_group:
+ name: Developers
+ description: Registered users who choose to submit changes for consideration.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: developers_group
+
+ # Right now all Mergers are in the Release Team by default.
+ - gerrit_group:
+ name: Release Team
+ description: Developers who can tag releases
+ owner: Administrators
+ included_groups:
+ - Mergers
+ register: release_team_group
+
+ - gerrit_group:
+ name: Mergers
+ description: Developers who can trigger the actual merging of a change.
+ owner: Administrators
+ register: mergers_group
+
+ - gerrit_group:
+ name: Mirroring Tools
+ description: Programs that pull changes from external repositories into Gerrit's Git server
+ owner: Administrators
+ register: mirroring_tools_group
+
+ - gerrit_group:
+ name: Reviewers
+ description: Registered users who choose to give +1 / -1 reviews to proposed changes.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: reviewers_group
+
+ - gerrit_group:
+ name: Testers
+ description: Testers that can give +1 / -1 Verified to proposed changes.
+ owner: Administrators
+ register: testers_group
+
+ # Non-interactive accounts.
+
+ - gerrit_account:
+ username: firehose
+ fullname: Firehose integration bot
+ email: firehose@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Developers
+ #ssh_key: xx
+
+ - gerrit_account:
+ username: lorry
+ fullname: Lorry mirroring service
+ email: lorry@baserock.org
+ groups:
+ - Mirroring Tools
+ - Non-Interactive Users
+ # FIXME: ansible-gerrit module should be able to handle a filename
+ # here, instead of needing this hack to read the contents.
+ ssh_key: "{{ lookup('file', '../keys/lorry-gerrit.key.pub') }}"
+
+ - gerrit_account:
+ username: mason
+ fullname: Mason automated tester
+ email: mason@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Testers
+ #ssh_key: xx
+
+ # It'd make more sense to do this in the mirroring-config.yml file, but
+ # then the admin would need to supply their Gerrit credentials to that
+ # playbook too (which is more tricky, because it doesn't run on
+ # 'localhost').
+ - name: repo to hold Lorry Controller mirroring configuration
+ gerrit_project:
+ name: local-config/lorries
+ description: Configuration for Lorry for mirroring from Trove
+
+ - name: create 'groups' mapping required by Gerrit
+ lineinfile:
+ create: yes
+ dest: All-Projects/groups
+ line: "{{ item.group_info.id }}\t{{ item.group_info.name }}"
+ with_items:
+ - "{{ administrators_group }}"
+ - "{{ non_interactive_users_group }}"
+ - "{{ developers_group }}"
+ - "{{ mergers_group }}"
+ - "{{ mirroring_tools_group }}"
+ - "{{ release_team_group }}"
+ - "{{ reviewers_group }}"
+ - "{{ testers_group }}"
+
+# it'd be nice if this module existed... but it doesn't right now. You'll have
+# to commit the files manually.
+#
+# - name: push access configuration for all repos
+# git_commit_in_branch:
+# repo: ssh://{{ env.GERRIT_ADMIN_USERNAME }}@{{ env.GERRIT_URL}}:29418/All-Projects
+# ref: refs/meta/config
+# source: All-Projects
+# committer_name: Baserock Gerrit configuration scripts
+# committer_email: admin@baserock.org
+# commit_message: >
+# Update global configuration.
+#
+# This commit was made by an Ansible playbook living in
+# git://git.baserock.org/baserock/baserock/infrastructure.
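Review bot: The `create 'groups' mapping required by Gerrit` task uses `lineinfile` with only `line:` and no `regexp:`, so each run appends a fresh `<uuid>\t<name>` line rather than replacing the previous one; since All-Projects/groups is committed with the UUIDs of an existing instance (see the new groups file earlier in this commit), running the playbook against a fresh Gerrit leaves two lines per group name with different UUIDs, and nothing on this page defines which entry Gerrit then honours. Adding `regexp: "\t{{ item.group_info.name }}$"` to the task makes it idempotent and overwrites the stale entry. The `firehose` and `mason` accounts are created in Developers/Testers with their `ssh_key` commented out, which is fine as a placeholder but worth a comment saying the accounts are intentionally credential-less until those keys exist.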
diff --git a/baserock_gerrit/gerrit-system-x86_64.morph b/baserock_gerrit/gerrit-system-x86_64.morph
index 176c8430..0fd2c910 100644
--- a/baserock_gerrit/gerrit-system-x86_64.morph
+++ b/baserock_gerrit/gerrit-system-x86_64.morph
@@ -8,31 +8,56 @@ description: |
are downloaded from the web and installed on first-boot by the configuration
management scripts.
- So this system is really just a Baserock base system plus Ansible.
+ So this system is really just a Baserock base system plus
+ Ansible and some extras.
arch: x86_64
strata:
- name: build-essential
morph: strata/build-essential.morph
- name: core
morph: strata/core.morph
-- name: foundation
- morph: strata/foundation.morph
-- name: lvm
- morph: strata/lvm.morph
+- name: python-core
+ morph: strata/python-core.morph
- name: bsp-x86_64-generic
morph: strata/bsp-x86_64-generic.morph
+- name: foundation
+ morph: strata/foundation.morph
- name: cloudinit-support
morph: strata/cloudinit-support.morph
+
+- name: lvm
+ morph: strata/lvm.morph
+
+- name: python-common
+ morph: strata/python-common.morph
- name: ansible
morph: strata/ansible.morph
+
+# lighttpd is needed for Lorry Controller. Gerrit uses its own web server.
+#
+# pcre-utils is a dependency of lighttpd.
+# python-cliapp and python-wsgi are needed for lorry-controller.
+- name: pcre-utils
+ morph: strata/pcre-utils.morph
+- name: lighttpd-server
+ morph: strata/lighttpd-server.morph
+- name: python-cliapp
+ morph: strata/python-cliapp.morph
+- name: python-wsgi
+ morph: strata/python-wsgi.morph
- name: lorry
morph: strata/lorry.morph
- name: lorry-controller
morph: strata/lorry-controller.morph
-# FIXME: 'tools' is needed purely because mkfs.ext4 resides there.
-# Which doesn't make much sense really.
+
+- name: gerrit-tools
+ morph: baserock_gerrit/gerrit-tools.morph
+
+# FIXME: 'tools' is needed mainly because rsync lives there and we need
+# rsync for upgrades using system-version-manager.
- name: tools
morph: strata/tools.morph
+
configuration-extensions:
- set-hostname
- add-config-files
diff --git a/baserock_gerrit/gerrit-tools.morph b/baserock_gerrit/gerrit-tools.morph
new file mode 100644
index 00000000..69aa493b
--- /dev/null
+++ b/baserock_gerrit/gerrit-tools.morph
@@ -0,0 +1,10 @@
+name: gerrit-tools
+kind: stratum
+description: Tools for use with Gerrit
+build-depends:
+- morph: strata/python-common.morph
+chunks:
+- name: pygerrit
+ repo: github:sonyxperiadev/pygerrit
+ ref: daad8e23d9bbcd8a2bc565497be50a3cc29dae6b
+ unpetrify-ref: master
diff --git a/baserock_gerrit/gerrit.config b/baserock_gerrit/gerrit.config
index c2257eaa..249fde8e 100644
--- a/baserock_gerrit/gerrit.config
+++ b/baserock_gerrit/gerrit.config
@@ -21,3 +21,9 @@
directory = cache
[user]
email = "gerrit@baserock.org"
+
+# It seems like a bad idea to enable remote administration of plugins, but
+# there is absolutely no information available on how to do 'local'
+# administration of Gerrit plugins, so we can't really avoid it.
+[plugins]
+ allowRemoteAdmin = true
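Review bot: `allowRemoteAdmin = true` lets anyone holding `administrateServer` upload and load arbitrary plugin JARs into the Gerrit JVM over SSH/REST, which is code execution on the host by design, and the justification in the comment above it looks unnecessary: the plugin this commit needs is already dropped into `/srv/gerrit/plugins/replication.jar` by the `extract gerrit-replication plugin` task in instance-config.yml, and as far as I know Gerrit loads JARs from `$site_path/plugins` on its periodic scan or at restart without remote administration. I would leave the option at its default (`false`) and drop the `gerrit plugin enable replication` step from the README, keeping `gerrit plugin ls` to confirm the plugin loaded. If remote admin is kept, the comment should state the trade-off plainly, e.g. `# allowRemoteAdmin gives every Administrator code execution on this host via plugin install.`.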
diff --git a/baserock_gerrit/instance-config.yml b/baserock_gerrit/instance-config.yml
index 77de7722..f9317278 100644
--- a/baserock_gerrit/instance-config.yml
+++ b/baserock_gerrit/instance-config.yml
@@ -12,10 +12,10 @@
GERRIT_VERSION: 2.9.4
# Download from http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html
- JRE_FILE: server-jre-8u31-linux-x64.tar.gz
+ JRE_FILE: server-jre-8u40-linux-x64.tar.gz
# This path should correspond to where the JRE ends up if you extract the
# downloaded tarball in /opt.
- JRE_DIR: /opt/jdk1.8.0_31
+ JRE_DIR: /opt/jdk1.8.0_40
# Download from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
JCE_FILE: jce_policy-8.zip
@@ -24,12 +24,15 @@
vars_files:
- ../database/baserock_gerrit.database_password.yml
tasks:
-
- name: add gerrit user
- user: name=gerrit shell=/bin/false
+ user:
+ name: gerrit
+ shell: /bin/false
+ generate_ssh_key: yes
+ ssh_key_comment: gerrit@baserock.org
- name: unpack the Java Runtime Environment
- unarchive: src=/root/{{ JRE_FILE }} dest=/opt owner=root group=root creates={{ JRE_DIR }}
+ unarchive: src={{ JRE_FILE }} dest=/opt owner=root group=root creates={{ JRE_DIR }}
# The Java Cryptography Extensions are needed in order to enable all SSH
# ciphers, due to US export restrictions.
@@ -58,6 +61,11 @@
- name: initialise Gerrit application directory
command: "{{ run_gerrit }} init -d /srv/gerrit creates=/srv/gerrit/etc/gerrit.config"
+ - name: extract gerrit-replication plugin
+ shell: unzip /opt/gerrit/gerrit-{{ GERRIT_VERSION}}.war WEB-INF/plugins/replication.jar -p > /srv/gerrit/plugins/replication.jar
+ args:
+ creates: /srv/gerrit/plugins/replication.jar
+
- name: download extra Java libraries
get_url:
url: "{{ item }}"
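Review bot: The `extract gerrit-replication plugin` task redirects `unzip ... -p` straight into `/srv/gerrit/plugins/replication.jar`, so if unzip fails (wrong `GERRIT_VERSION`, member missing from the WAR) the task errors but leaves an empty or truncated JAR behind, and `creates:` then skips the task on every later run while Gerrit keeps trying to load the broken file. Writing to a temporary name and renaming only on success avoids that: `shell: unzip -p /opt/gerrit/gerrit-{{ GERRIT_VERSION }}.war WEB-INF/plugins/replication.jar > /srv/gerrit/plugins/replication.jar.tmp && mv /srv/gerrit/plugins/replication.jar.tmp /srv/gerrit/plugins/replication.jar` (this also fixes the uneven `{{ GERRIT_VERSION}}` spacing). Whether `/srv/gerrit/plugins` exists at this point depends on what `gerrit init` creates, which the hunk does not show. The tasks list continues outside the hunk.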
diff --git a/baserock_gerrit/instance-mirroring-config.yml b/baserock_gerrit/instance-mirroring-config.yml
new file mode 100644
index 00000000..6864f7c7
--- /dev/null
+++ b/baserock_gerrit/instance-mirroring-config.yml
@@ -0,0 +1,49 @@
+- hosts: gerrit.baserock.org
+ gather_facts: no
+ sudo: yes
+ tasks:
+ - name: Lorry user
+ user: name=lorry comment="Lorry mirroring service"
+
+ # Ansible can generate a new SSH key for Lorry when we add the user,
+ # but it seems tricky to then extract this and add it to the 'lorry' Gerrit
+ # user.
+ - name: SSH private key for Lorry user
+ copy: src=../keys/lorry-gerrit.key dest=~/.ssh/id_rsa mode=600
+ sudo_user: lorry
+
+ - name: SSH public key for Lorry user
+ copy: src=../keys/lorry-gerrit.key.pub dest=~/.ssh/id_rsa.pub mode=644
+ sudo_user: lorry
+
+ - name: directory in /etc for Lorry Controller system configuration
+ file: dest=/etc/lorry-controller state=directory
+
+ - name: Lorry tool configuration
+ copy: src=lorry.conf dest=/etc/lorry.conf
+
+ - name: Lorry Controller system configuration
+ copy:
+ src=lorry-controller/{{ item }}
+ dest=/etc/lorry-controller/{{ item }}
+ with_items:
+ - minion.conf
+ - webapp.conf
+
+ - name: enable and restart core lorry controller services.
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - lighttpd-lorry-controller-webapp.service
+ - lorry-controller-minion@1.service
+
+ - name: enable lorry-controller scheduled activity timers
+ service: name={{ item }} enabled=yes
+ with_items:
+ - lorry-controller-ls-troves.timer
+ - lorry-controller-readconf.timer
+ - lorry-controller-remove-ghost-jobs.timer
+ - lorry-controller-remove-old-jobs.timer
+ - lorry-controller-status.timer
+
+ - name: gerrit-replication configuration
+ copy: src=replication.config dest=/srv/gerrit/etc
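Review bot: The two `copy` tasks for the Lorry SSH keys write into `~/.ssh/` as `sudo_user: lorry`, but nothing before them creates that directory for the user the `Lorry user` task has just added, and whether `~` resolves to lorry's home here depends on how sudo sets HOME; on a fresh system the copy is likely to fail or land in the wrong place. I would add an explicit directory task before them and use absolute destinations: `- name: SSH directory for Lorry user` / `file: path=/home/lorry/.ssh state=directory owner=lorry group=lorry mode=0700`, then `dest=/home/lorry/.ssh/id_rsa`. The private key is also read from `../keys/lorry-gerrit.key` inside the infrastructure checkout, so the README should say whether that directory is ignored by git or expected to be committed. The final `replication.config` copy runs under the play-level `sudo: yes` and so lands root-owned; that only works as long as the default mode leaves it readable by the gerrit user.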
diff --git a/baserock_gerrit/lorry-controller.conf b/baserock_gerrit/lorry-controller.conf
new file mode 100644
index 00000000..88965f0f
--- /dev/null
+++ b/baserock_gerrit/lorry-controller.conf
@@ -0,0 +1,29 @@
+[
+ {
+ "type": "trove",
+
+ "trovehost": "git.baserock.org",
+ "protocol": "http",
+
+ "prefixmap": {
+ "baserock": "baserock",
+ "delta": "delta"
+ },
+
+ "ignore": [
+ "baserock/baserock/documentation",
+ "baserock/baserock/jenkins-config",
+ "baserock/baserock/lorries",
+ "baserock/baserock/morph-cache-server",
+ "baserock/baserock/morphs",
+ "baserock/baserock/remo",
+ "baserock/local-config/*",
+ "baserock/site/*",
+ "baserock/tests/*",
+ "delta/*"
+ ],
+
+ "ls-interval": "4H",
+ "interval": "2M"
+ }
+]
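Review bot: `"protocol": "http"` makes Lorry list and fetch from git.baserock.org over cleartext HTTP, so mirrored source enters Gerrit with no transport integrity or server authentication, and anything on the path could substitute commits that gerrit-replication would then push back to the Trove as `master`. If the Trove offers `https` or `ssh` for these reads, switching the protocol here is the cheap fix; otherwise the README's mirroring section should record why plaintext is accepted, since this JSON file has no comment syntax for that.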
diff --git a/baserock_gerrit/lorry-controller/minion.conf b/baserock_gerrit/lorry-controller/minion.conf
new file mode 100644
index 00000000..99abdba8
--- /dev/null
+++ b/baserock_gerrit/lorry-controller/minion.conf
@@ -0,0 +1,6 @@
+[config]
+log = syslog
+log-level = debug
+webapp-host = localhost
+webapp-port = 12765
+webapp-timeout = 3600
diff --git a/baserock_gerrit/lorry-controller/webapp.conf b/baserock_gerrit/lorry-controller/webapp.conf
new file mode 100644
index 00000000..dde0d0f6
--- /dev/null
+++ b/baserock_gerrit/lorry-controller/webapp.conf
@@ -0,0 +1,13 @@
+[config]
+log = /home/lorry/webapp.log
+log-max = 100M
+log-keep = 0
+log-level = debug
+statedb = /home/lorry/webapp.db
+configuration-directory = /home/lorry/confgit
+status-html = /home/lorry/lc-status.html
+wsgi = yes
+debug-port = 12765
+templates = /usr/share/lorry-controller/templates
+confgit-url = http://localhost:8080/local-config/lorries
+git-server-type = gerrit
diff --git a/baserock_gerrit/lorry.conf b/baserock_gerrit/lorry.conf
new file mode 100644
index 00000000..03c1177b
--- /dev/null
+++ b/baserock_gerrit/lorry.conf
@@ -0,0 +1,8 @@
+[config]
+mirror-base-url-push = ssh://lorry@localhost:29418/
+bundle = never
+tarball = never
+working-area = /home/lorry/working-area
+verbose = yes
+log = /dev/stdout
+log-level = debug
diff --git a/baserock_gerrit/replication.config b/baserock_gerrit/replication.config
new file mode 100644
index 00000000..fab59c14
--- /dev/null
+++ b/baserock_gerrit/replication.config
@@ -0,0 +1,27 @@
+# Configuration for gerrit-replication plugin.
+#
+# This handles pushing changes from gerrit.baserock.org to git.baserock.org.
+
+[remote "trove"]
+ url = ssh://git@git.baserock.org/${name}.git
+
+ # Disable force-pushing and only sync 'master' and tags.
+ #
+ # This will probably prove annoying and we'll need to mirror more branches in
+ # future. But right now there are hundreds of personal branches and I want to
+ # avoid potential push errors for branches we don't care about.
+ push = refs/heads/master:refs/heads/master
+ push = refs/tags/*:refs/tags/*
+
+ createMissingRepositories = false
+ replicatePermissions = false
+
+ # What to sync: this is a regexp that must match the whole project name.
+ projects = ^baserock/.*$
+
+ # If true, gerrit-replication will remove remote branches that are absent in
+ # the trove. This is a bit dangerous, but necessary if we are to make gerrit
+ # the 'master'. Note that if you set 'authGroup', branches that are not
+ # visible to the configured authorisation group will also be removed. So do
+ # not set 'authGroup' to anything.
+ mirror = false
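Review bot: The remote's `url = ssh://git@git.baserock.org/${name}.git` relies on the gerrit user's `~/.ssh/known_hosts` for host authentication, and the only thing on this page that populates it is the README's `ssh-keyscan git.baserock.org >> ~gerrit/.ssh/known_hosts`, which trusts whatever host answers at that moment. The instance-mirroring-config.yml playbook that installs this file would be a natural place to deploy a known_hosts entry whose fingerprint was verified out of band. At minimum a comment here would record the dependency, e.g. `# Requires the git.baserock.org host key in ~gerrit/.ssh/known_hosts; verify its fingerprint before adding it.`.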