diff --git a/gerrit/.gitignore b/gerrit/.gitignore
new file mode 100644
index 0000000..dc67b26
--- /dev/null
+++ b/gerrit/.gitignore
@@ -0,0 +1 @@
+/secure.config
\ No newline at end of file
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
new file mode 100644
index 0000000..943aa5f
--- /dev/null
+++ b/gerrit/Dockerfile
@@ -0,0 +1,22 @@
+FROM gerritcodereview/gerrit:3.4.1
+
+USER root
+
+#ADD https://github.com/davido/gerrit-oauth-provider/releases/download/v3.0.0/gerrit-oauth-provider.jar /var/gerrit/plugins/gerrit-oauth-provider.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar /var/gerrit/plugins/gerrit-oauth-provider.jar
+#ADD https://gerrit-ci.gerritforge.com/job/plugin-gitblit-bazel-master/8/artifact/bazel-bin/plugins/gitblit/gitblit.jar  /var/gerrit/plugins/gitblit.jar
+ADD https://github.com/tomaswolf/gerrit-gitblit-plugin/releases/download/v3.2.171.0/gitblit-plugin-3.2.171.0.jar /var/gerrit/plugins/gitblit.jar
+#ADD https://gerrit-ci.gerritforge.com/job/plugin-its-phabricator-bazel-stable-2.15/14/artifact/bazel-genfiles/plugins/its-phabricator/its-phabricator.jar /var/gerrit/plugins/its-phabricator.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-serviceuser-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/serviceuser/serviceuser.jar /var/gerrit/plugins/serviceuser.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-lfs-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/lfs/lfs.jar /var/gerrit/plugins/lfs.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-ref-protection-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/ref-protection/ref-protection.jar /var/gerrit/plugins/ref-protection.jar
+#ADD https://gerrit-ci.gerritforge.com/job/plugin-x-docs-bazel-stable-2.15/8/artifact/bazel-genfiles/plugins/x-docs/x-docs.jar /var/gerrit/plugins/x-docs.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-rename-project-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/rename-project/rename-project.jar /var/gerrit/plugins/rename-project.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-admin-console-bazel-master-stable-3.4/lastSuccessfulBuild/artifact/bazel-bin/plugins/admin-console/admin-console.jar /var/gerrit/plugins/admin-console.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-github-mvn-stable-3.4/lastSuccessfulBuild/artifact/github-plugin/target/github-plugin-3.4.0-rc0.jar /var/gerrit/plugins/github.jar
+ADD https://gerrit-ci.gerritforge.com/job/plugin-github-mvn-stable-3.4/lastSuccessfulBuild/artifact/github-oauth/target/github-oauth-3.4.0-rc0.jar /var/gerrit/lib/github-oauth.jar
+
+RUN chown gerrit /var/gerrit/plugins/* /var/gerrit/lib/*
+
+USER gerrit
+CMD /var/gerrit/bin/gerrit.sh run
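Review bot: The active `ADD` lines that fetch from `gerrit-ci.gerritforge.com/.../lastSuccessfulBuild/...` take whatever the CI job produced most recently, with no version pin and no integrity check. Two builds of this Dockerfile can therefore ship different plugin code, and that code runs inside the Gerrit JVM with access to repositories and credentials. Pin each URL to a numbered build, as the commented-out lines do, and verify a digest. On a BuildKit builder that can be `ADD --checksum=sha256:<expected-digest> <pinned-build-url> /var/gerrit/plugins/lfs.jar`; otherwise download in a `RUN` step and check with `sha256sum -c`. The exec form `CMD ["/var/gerrit/bin/gerrit.sh", "run"]` would also avoid the `/bin/sh -c` wrapper, so the process receives stop signals directly.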
diff --git a/gerrit/gerrit-k8s.yaml b/gerrit/gerrit-k8s.yaml
new file mode 100644
index 0000000..92d5966
--- /dev/null
+++ b/gerrit/gerrit-k8s.yaml
@@ -0,0 +1,334 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gerrit-http
+  namespace: mulk
+  labels:
+    name: gerrit-http
+    k8s-app: gerrit
+spec:
+  selector:
+    name: gerrit
+  type: ClusterIP
+  ports:
+   - name: http
+     port: 80
+     targetPort: http
+     protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gerrit-ssh
+  namespace: mulk
+  labels:
+    name: gerrit-ssh
+    k8s-app: gerrit
+spec:
+  selector:
+    name: gerrit
+  type: NodePort
+  ports:
+   - name: ssh
+     port: 22
+     targetPort: ssh
+     protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gerrit
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+  - host: gerrit.benkard.de
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: gerrit-http
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - gerrit.benkard.de
+    secretName: gerrit-tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gerrit
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      k8s-app: gerrit
+      name: gerrit
+  template:
+    metadata:
+      labels:
+        name: gerrit
+        k8s-app: gerrit
+    spec:
+      imagePullSecrets:
+        - name: portus-token
+      volumes:
+        - name: index-data
+          persistentVolumeClaim:
+            claimName: gerrit-index-data
+        - name: git-data
+          persistentVolumeClaim:
+            claimName: gerrit-git-data
+        - name: cache-data
+          emptyDir: {}
+        - name: etc-data
+          persistentVolumeClaim:
+            claimName: gerrit-etc-data
+        - name: config
+          configMap:
+            name: gerrit-config
+        - name: secure-config
+          secret:
+            secretName: gerrit-secrets
+        - name: github-secrets
+          secret:
+            secretName: github-secrets
+            defaultMode: 0444
+      #initContainers:
+      #  - name: reindex
+      #    image: docker.benkard.de/mulk/gerrit:3.4.1-4
+      #    command:
+      #      - java
+      #      - -jar
+      #      - /var/gerrit/bin/gerrit.war
+      #      - reindex
+      #      - -d
+      #      - /var/gerrit
+      #    env:
+      #      - name: _JAVA_OPTIONS
+      #        value: -Xmx300m -XX:MaxMetaspaceSize=150m -XX:+CMSClassUnloadingEnabled -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true -XX:+UnlockExperimentalVMOptions -XX:+UseSerialGC -XX:+UseCompressedOops -XX:+AlwaysPreTouch -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC
+      #    volumeMounts:
+      #      - name: index-data
+      #        mountPath: /var/gerrit/index
+      #      - name: git-data
+      #        mountPath: /var/gerrit/git
+      #      - name: cache-data
+      #        mountPath: /var/gerrit/cache
+      #      - name: etc-data
+      #        mountPath: /var/gerrit/etc
+      #      - name: secure-config
+      #        mountPath: /var/gerrit/etc/secure.config
+      #        readOnly: true
+      #        subPath: secure.config
+      #      - name: config
+      #        mountPath: /var/gerrit/etc/gerrit.config
+      #        readOnly: true
+      #        subPath: gerrit.config
+      containers:
+        - name: master
+          image: docker.benkard.de/mulk/gerrit:3.4.1-2
+
+          # for running `init`:
+          #
+          #   java -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit
+          #
+          # or the H2 console:
+          #
+          #   cd
+          #   curl -O https://repo1.maven.org/maven2/com/h2database/h2/1.4.200/h2-1.4.200.jar
+          #   java -jar h2-1.4.200.jar -url jdbc:h2:/var/gerrit/db/account_patch_reviews
+          #
+          #tty: true
+          #stdin: true
+          #command:
+          #  - /bin/cat
+
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 600Mi
+            requests:
+              cpu: 10m
+              memory: 300Mi
+          env:
+            - name: _JAVA_OPTIONS
+              value: -Xmx300m -XX:MaxMetaspaceSize=150m -XX:+CMSClassUnloadingEnabled -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true -XX:+UnlockExperimentalVMOptions -XX:+UseSerialGC -XX:+UseCompressedOops -XX:+AlwaysPreTouch -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC
+            - name: CANONICAL_WEB_URL
+              value: https://gerrit.benkard.de/
+          volumeMounts:
+            - name: index-data
+              mountPath: /var/gerrit/index
+            - name: git-data
+              mountPath: /var/gerrit/git
+            - name: cache-data
+              mountPath: /var/gerrit/cache
+            - name: etc-data
+              mountPath: /var/gerrit/etc
+            - name: secure-config
+              mountPath: /var/gerrit/etc/secure.config
+              readOnly: true
+              subPath: secure.config
+            - name: github-secrets
+              mountPath: /var/gerrit/.ssh
+              readOnly: true
+            #- name: config
+            #  mountPath: /var/gerrit/etc/gerrit.config
+            #  readOnly: true
+            #  subPath: gerrit.config
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+            - containerPort: 29418
+              name: ssh
+              protocol: TCP
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: gerrit-config
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+data:
+  gerrit.config: |
+    [gerrit]
+      basePath = git
+      canonicalWebUrl = https://gerrit.benkard.de/
+      serverId = 4f1749e7-9b7f-449e-acf9-5e80b87f8173
+    
+    [user]
+      email = gerrit@benkard.de
+
+    [database]
+      type = postgresql
+      hostname = postgresql.system
+      database = gerrit
+      username = gerrit
+    
+    [index]
+      type = LUCENE
+    
+    [auth]
+      type = OAUTH
+      gitBasicAuth = false
+      gitBasicAuthPolicy = HTTP
+    
+    [oauth]
+      allowRegisterNewEmail = true
+
+    [plugin "gerrit-oauth-provider-keycloak-oauth"]
+      root-url = https://login.benkard.de
+      client-id = gerrit
+      realm = master
+
+    [receiveemail]
+      protocol = imap
+      host = mail.benkard.de
+      encryption = tls
+      username = gerrit@benkard.de
+      fetchInterval = 1m
+      enableImapIdle = true
+    
+    [sendemail]
+      smtpServer = mail.benkard.de
+      smtpServerPort = 587
+      from = MIXED
+      smtpUser = gerrit@benkard.de
+      importance = low
+      replyToAddress = gerrit@benkard.de
+      smtpEncryption = tls
+    
+    [sshd]
+      listenAddress = *:29418
+    
+    [httpd]
+      listenUrl = proxy-https://*:8080/
+    
+    [cache]
+      directory = cache
+    
+    [container]
+      user = root
+
+    [receive]
+      enableSignedPush = false
+
+    [noteDb "changes"]
+      autoMigrate = true
+
+    [github]
+      url = https://github.com
+      apiUrl = https://api.github.com
+      clientId = 062b430799c664e10928
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gerrit-git-data
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+  annotations:
+    volume.beta.kubernetes.io/storage-provisioner: rancher.io/local-path
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+  storageClassName: local-path
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gerrit-etc-data
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+  annotations:
+    volume.beta.kubernetes.io/storage-provisioner: rancher.io/local-path
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+  storageClassName: local-path
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gerrit-index-data
+  namespace: mulk
+  labels:
+    name: gerrit
+    k8s-app: gerrit
+  annotations:
+    volume.beta.kubernetes.io/storage-provisioner: rancher.io/local-path
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+  storageClassName: local-path
+---
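Review bot: The `github-secrets` volume is projected with `defaultMode: 0444` and mounted at `/var/gerrit/.ssh`, so what is presumably SSH key material is readable by every user in the container. The `gerrit-secrets` volume that supplies `secure.config` sets no mode, so it gets the Kubernetes default of 0644. The pod template also has no `securityContext`, so nothing at the cluster level enforces the non-root user the image selects. Consider a pod-level `securityContext` with `runAsNonRoot: true`, `runAsUser: <gerrit-uid>` and `fsGroup: <gerrit-gid>`, then `defaultMode: 0440` on both secret volumes. Separately, `[container] user = root` in the `gerrit-config` ConfigMap conflicts with the Dockerfile's `USER gerrit`; the ConfigMap mount is commented out in the container spec, so confirm which `gerrit.config` is actually in effect.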
