diff --git a/nodepool/elements/jenkins-slave/extra-data.d/20-jenkins-user b/nodepool/elements/jenkins-slave/extra-data.d/20-jenkins-user
new file mode 100755
index 0000000000..b8df4b348d
--- /dev/null
+++ b/nodepool/elements/jenkins-slave/extra-data.d/20-jenkins-user
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# TODO(pabelanger): Once we complete remove puppet from our diskimages, we
+# should also remove our default SSH key. Since only 3rdparty CI system would be
+# using this element moving forward, it doesn't make sense to bake in our
+# default key.
+NODEPOOL_SSH_KEY=${NODEPOOL_SSH_KEY:-AAAAB3NzaC1yc2EAAAADAQABAAABAQC6WutNHfM+YdnjeNFeaIpvxqt+9aDn95Ykpmc+fASSjlDZJtOrueH3ch/v08wkE4WQKg03i+t8VonqEwMGmApYA3VzFsURUQbxzlSz5kHlBQSqgz5JTwUmnt1RH5sePL5pkuJ6JgqJ8PxJod6fiD7YDjaKJW/wBzXGnGg2EkgqrkBQXYL4hyaPuSwsQF0Gdwg3QFqXl+R/GrM6FscUkkJzbjqGKI2GhLT8mf2BIMEAiMFhF5Wl4FFrbvhTfPfW+9VdcsiMxCXaxp00n1x1+Y7OqR5AZ/id0Lkz9ZoFVGS901OB/L4xXrvUtI2y+kIYeF6hxfmAl/zhY0eWzwo9lDPz}
+
+if [ -z $NODEPOOL_SSH_KEY ]; then
+    die "Can not find public key for jenkins user!"
+fi
+
+# save the public key inside the chroot
+echo "ssh-rsa $NODEPOOL_SSH_KEY" > $TMP_HOOKS_PATH/jenkins-user-ssh-public-key
diff --git a/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave b/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave
new file mode 100755
index 0000000000..8cd6cbdaa8
--- /dev/null
+++ b/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+groupadd jenkins
+useradd -g jenkins -m jenkins
+
+# this was copied from outside the chroot by extras.d
+_pub_key=/tmp/in_target.d/jenkins-user-ssh-public-key
+if [ ! -f $_pub_key ]; then
+    die "Can not find Jenkins public key!"
+fi
+
+mkdir /home/jenkins/.ssh
+chmod 700 /home/jenkins/.ssh
+
+cp $_pub_key /home/jenkins/.ssh/authorized_keys
+chmod 644 /home/jenkins/.ssh/authorized_keys
+
+cat > /home/jenkins/.gitconfig <<EOF
+[user]
+    name = OpenStack Jenkins
+    email = jenkins@openstack.org
+    signingkey = jenkins@openstack.org
+[gitreview]
+    rebase = false
+    username = jenkins
+EOF
+
+# cleanup everything to the right owner
+chown -R jenkins:jenkins /home/jenkins
diff --git a/nodepool/elements/nodepool-base/element-deps b/nodepool/elements/nodepool-base/element-deps
index 4f8df81254..1b4c1839e6 100644
--- a/nodepool/elements/nodepool-base/element-deps
+++ b/nodepool/elements/nodepool-base/element-deps
@@ -1,3 +1,4 @@
+jenkins-slave
 package-installs
 pip-and-virtualenv
 puppet