diff --git a/site-modules/profile/manifests/jenkins/worker.pp b/site-modules/profile/manifests/jenkins/agent/docker.pp
similarity index 73%
rename from site-modules/profile/manifests/jenkins/worker.pp
rename to site-modules/profile/manifests/jenkins/agent/docker.pp
index 141c56ae..234b28e4 100644
--- a/site-modules/profile/manifests/jenkins/worker.pp
+++ b/site-modules/profile/manifests/jenkins/agent/docker.pp
@@ -1,16 +1,15 @@
-class profile::jenkins::worker {
+class profile::jenkins::agent::docker {
   include profile::docker
-  include profile::jenkins::service
 
   exec {'add jenkins user to docker group':
     path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
     command => 'gpasswd -a jenkins docker',
     onlyif  => 'getent passwd jenkins',
     unless  => 'getent group docker | cut -d: -f4 | grep -qE \'(^|,)jenkins(,|$)\'',
     require => [
       Package['docker-ce'],
-      Package['jenkins'],
+      User['jenkins'],
     ],
-    notify  => Service['jenkins'],
+    tag     => 'reload_jenkins',
   }
 }
diff --git a/site-modules/profile/manifests/jenkins/base.pp b/site-modules/profile/manifests/jenkins/base.pp
new file mode 100644
index 00000000..f7d66510
--- /dev/null
+++ b/site-modules/profile/manifests/jenkins/base.pp
@@ -0,0 +1,22 @@
+class profile::jenkins::base {
+  group {'jenkins':
+    system => true,
+  }
+  -> user {'jenkins':
+    system => true,
+    gid    => 'jenkins',
+    home   => '/var/lib/jenkins',
+  }
+  -> file {'/var/lib/jenkins':
+    ensure => 'directory',
+    mode   => '0755',
+    owner  => 'jenkins',
+    group  => 'jenkins',
+  }
+  file {'/usr/share/jenkins':
+    ensure => 'directory',
+    mode   => '0755',
+    owner  => 'root',
+    group  => 'root',
+  }
+}
diff --git a/site-modules/profile/manifests/jenkins/service.pp b/site-modules/profile/manifests/jenkins/service.pp
index c9b6a3b5..351989ee 100644
--- a/site-modules/profile/manifests/jenkins/service.pp
+++ b/site-modules/profile/manifests/jenkins/service.pp
@@ -1,12 +1,19 @@
 class profile::jenkins::service {
   include profile::jenkins::apt_config
+  include profile::jenkins::base
 
   package {'jenkins':
     ensure  => present,
-    require => Apt::Source['jenkins'],
+    require => [
+      Apt::Source['jenkins'],
+      User['jenkins'],
+      Group['jenkins'],
+    ],
   }
   -> service {'jenkins':
     ensure => running,
     enable => true,
   }
+
+  Exec <| tag == 'reload_jenkins' |> ~> Service['jenkins']
 }
diff --git a/site-modules/role/manifests/swh_ci_server.pp b/site-modules/role/manifests/swh_ci_server.pp
index 947002c9..6592ed49 100644
--- a/site-modules/role/manifests/swh_ci_server.pp
+++ b/site-modules/role/manifests/swh_ci_server.pp
@@ -1,9 +1,7 @@
 class role::swh_ci_server inherits role::swh_ci {
   # Restore backups for ci server
   include profile::dar::client
 
   include profile::jenkins::server
-
-  # single node setup for now
-  include profile::jenkins::worker
+  include profile::jenkins::agent::docker
 }