diff --git a/roles/add-build-sshkey/README.rst b/roles/add-build-sshkey/README.rst
new file mode 100644
index 000000000..995a48b14
--- /dev/null
+++ b/roles/add-build-sshkey/README.rst
@@ -0,0 +1,13 @@
+Generate and install a build-local SSH key on all hosts
+
+This role is intended to be run on the Zuul Executor at the start of
+every job. It generates an SSH keypair and installs the public key in
+the authorized_keys file of every host in the inventory. It then
+removes all keys from this job's SSH agent so that the original key
+used to log into all of the hosts is no longer accessible, then adds
+the newly generated private key.
+
+Role Variables
+
+zuul_temp_ssh_key
+ Where to put the newly-generated SSH private key.
diff --git a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
new file mode 100644
index 000000000..87ddbbe72
--- /dev/null
+++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
@@ -0,0 +1,20 @@
+- name: Create Temp SSH key
+ command: ssh-keygen -t rsa -b 1024 -N '' -f {{ zuul_temp_ssh_key }}
+ delegate_to: localhost
+
+- name: Distribute it to all nodes
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ state: present
+ key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+
+- name: Remove all keys from local agent
+ command: ssh-add -D
+ delegate_to: localhost
+
+- name: Add back temp key
+ command: ssh-add {{ zuul_temp_ssh_key }}
+ delegate_to: localhost
+
+- name: Verify we can still SSH to all nodes
+ ping:
diff --git a/roles/add-build-sshkey/tasks/main.yaml b/roles/add-build-sshkey/tasks/main.yaml
new file mode 100644
index 000000000..3ffd79110
--- /dev/null
+++ b/roles/add-build-sshkey/tasks/main.yaml
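Review bot: The `Create Temp SSH key` task in create-key-and-replace.yaml generates a 1024-bit RSA key, which is below the 2048-bit minimum in current guidance, and after `ssh-add -D` this key is the only credential guarding the nodes for the rest of the job. Raising the size costs little here: `command: ssh-keygen -t rsa -b 3072 -N '' -f {{ zuul_temp_ssh_key }}`, or `-t ed25519` if every node's sshd is known to accept it. The path is also interpolated unquoted into both `ssh-keygen` and `ssh-add`, so a value containing whitespace would be split into separate arguments; wrapping it as `"{{ zuul_temp_ssh_key }}"` inside the command string avoids that.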
@@ -0,0 +1,10 @@
+- name: Check to see if ssh key was already created for this build
+ stat:
+ path: "{{ zuul_temp_ssh_key }}"
+ register: zuul_temp_ssh_key_stat
+ delegate_to: localhost
+ failed_when: false
+
+- name: Create a new key in workspace based on build UUID
+ include: create-key-and-replace.yaml
+ when: zuul_temp_ssh_key_stat is defined
diff --git a/roles/add-build-sshkey/vars/main.yml b/roles/add-build-sshkey/vars/main.yml
new file mode 100644
index 000000000..58092cb5b
--- /dev/null
+++ b/roles/add-build-sshkey/vars/main.yml
@@ -0,0 +1 @@
+zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.uuid }}_id_rsa"
diff --git a/roles/prepare-workspace/README.rst b/roles/prepare-workspace/README.rst
new file mode 100644
index 000000000..10ea71857
--- /dev/null
+++ b/roles/prepare-workspace/README.rst
@@ -0,0 +1,7 @@
+Prepare remote workspaces
+
+This role is intended to run before any other role in a Zuul job.
+
+It starts the Zuul console streamer on every host in the inventory,
+and then copies the prepared source repos to the working directory on
+every host.
diff --git a/roles/prepare-workspace/tasks/main.yaml b/roles/prepare-workspace/tasks/main.yaml
new file mode 100644
index 000000000..bb30c358a
--- /dev/null
+++ b/roles/prepare-workspace/tasks/main.yaml
@@ -0,0 +1,9 @@
+# TODO(pabelanger): Handle cleanup on static nodes
+- name: Start zuul_console daemon.
+ zuul_console:
+
+- name: Synchronize src repos to workspace directory.
+ synchronize:
+ dest: .
+ src: "{{ zuul.executor.src_root }}"
+ no_log: true
diff --git a/roles/remove-build-sshkey/README.rst b/roles/remove-build-sshkey/README.rst
new file mode 100644
index 000000000..a06fb27c2
--- /dev/null
+++ b/roles/remove-build-sshkey/README.rst
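Review bot: In roles/add-build-sshkey/tasks/main.yaml the guard `when: zuul_temp_ssh_key_stat is defined` is true whenever the preceding `stat` task has run, because `register` always sets the variable, so it does not distinguish an existing key from a missing one. The include therefore runs on every invocation, and a second run in the same build would call `ssh-keygen` on a path that already holds a key and then replace the agent contents again. To match the task name, test the result instead: `when: not zuul_temp_ssh_key_stat.stat.exists`. `failed_when: false` also hides a genuine `stat` error, in which case the `stat` key may be missing from the registered result, so dropping it looks safer; a missing file is not a failure for `stat` in any case.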
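Review bot: `no_log: true` on the `Synchronize src repos to workspace directory.` task in roles/prepare-workspace/tasks/main.yaml has no comment saying why its output is suppressed, and with it set a failed sync reports no detail in the job log. If the intent is only to keep the rsync file list out of the log rather than to hide sensitive values, a comment such as `# no_log: suppresses the per-file rsync output, not secrets` would tell the next maintainer it is safe to lift while debugging. The same applies to the `Upload logs to log server` task in roles/upload-logs/tasks/main.yaml.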
@@ -0,0 +1,9 @@
+Remove the per-build SSH key from all hosts
+
+The complement to `add-build-sshkey`. It removes the build's SSH key
+from the authorized_keys files of all remote hosts.
+
+Role Variables
+
+zuul_temp_ssh_key
+ Where the per-build SSH private key was stored.
diff --git a/roles/remove-build-sshkey/tasks/main.yml b/roles/remove-build-sshkey/tasks/main.yml
new file mode 100644
index 000000000..c7a3375b5
--- /dev/null
+++ b/roles/remove-build-sshkey/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Remove the build SSH key from all nodes
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+ state: absent
diff --git a/roles/remove-build-sshkey/vars/main.yml b/roles/remove-build-sshkey/vars/main.yml
new file mode 100644
index 000000000..58092cb5b
--- /dev/null
+++ b/roles/remove-build-sshkey/vars/main.yml
@@ -0,0 +1 @@
+zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.uuid }}_id_rsa"
diff --git a/roles/upload-logs/README.rst b/roles/upload-logs/README.rst
new file mode 100644
index 000000000..c6491ae0e
--- /dev/null
+++ b/roles/upload-logs/README.rst
@@ -0,0 +1,8 @@
+Upload logs to a static webserver
+
+This uploads logs to a static webserver using SSH.
+
+Role Variables
+
+zuul_logserver_root
+ The root path to the logs on the logserver.
diff --git a/roles/upload-logs/tasks/main.yaml b/roles/upload-logs/tasks/main.yaml
new file mode 100644
index 000000000..4df9506c4
--- /dev/null
+++ b/roles/upload-logs/tasks/main.yaml
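Review bot: The `Remove the build SSH key from all nodes` task in roles/remove-build-sshkey/tasks/main.yml revokes the public key on the nodes, but nothing in this role deletes the private key at `{{ zuul_temp_ssh_key }}` or its `.pub` on the executor, or drops the key from the agent. Unless the directory above `src_root` is cleaned up elsewhere (not visible in this commit), the key material outlives the build. A follow-up task using the `file` module with `state: absent` and `delegate_to: localhost` for both paths would close that, placed after this one because the `lookup('file', ...)` here needs the `.pub` file to still exist. `zuul_temp_ssh_key` is also defined identically in this role's vars and in add-build-sshkey's; if the two drift apart, this lookup reads the wrong file and the authorised key stays in place.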
@@ -0,0 +1,22 @@
+- name: Set log path for a change
+ when: zuul.change is defined
+ set_fact:
+ log_path: "{{ zuul.change[-2:] }}/{{ zuul.change }}/{{ zuul.patchset }}/{{ zuul.pipeline }}/{{ zuul.job }}/{{ zuul.uuid[:7] }}"
+
+- name: Set log path for a ref update
+ when: zuul.newrev is defined
+ set_fact:
+ log_path: "{{ zuul.newrev[-2:] }}/{{ zuul.newrev }}/{{ zuul.pipeline }}/{{ zuul.job }}/{{ zuul.uuid[:7] }}"
+
+- name: Create log directories
+ file:
+ path: "{{zuul_logserver_root}}{{ log_path }}"
+ state: directory
+ recurse: yes
+ mode: 0775
+
+- name: Upload logs to log server
+ synchronize:
+ src: "{{ zuul.executor.log_root }}/"
+ dest: "{{zuul_logserver_root}}{{ log_path }}/"
+ no_log: true
diff --git a/roles/upload-logs/vars/main.yaml b/roles/upload-logs/vars/main.yaml
new file mode 100644
index 000000000..4b6a10130
--- /dev/null
+++ b/roles/upload-logs/vars/main.yaml
@@ -0,0 +1 @@
+zuul_logserver_root: /srv/static/logs
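Review bot: `path: "{{zuul_logserver_root}}{{ log_path }}"` and the matching `dest:` in roles/upload-logs/tasks/main.yaml join the root and the log path with no separator; with `zuul_logserver_root: /srv/static/logs` from vars/main.yaml and a `log_path` that begins with `{{ zuul.change[-2:] }}`, the result is a sibling such as `/srv/static/logsNN/...` rather than a directory under the intended root. Use `path: "{{ zuul_logserver_root }}/{{ log_path }}"` and `dest: "{{ zuul_logserver_root }}/{{ log_path }}/"`. `log_path` is also left unset when neither `zuul.change` nor `zuul.newrev` is defined, so the `file` task would then fail on an undefined variable; an explicit fallback or `assert` would make that case clear. Minor: write `mode: "0775"` and `recurse: true` so the values do not depend on YAML 1.1 octal and truthy parsing.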