diff --git a/conf/example.gitolite.rc b/conf/example.gitolite.rc
index 24e52a5..272d618 100644
--- a/conf/example.gitolite.rc
+++ b/conf/example.gitolite.rc
@@ -89,6 +89,8 @@ $GIT_PATH="";
$GL_BIG_CONFIG = 0;
$GL_NO_DAEMON_NO_GITWEB = 0;
+$GL_NO_CREATE_REPOS = 0;
+$GL_NO_SETUP_AUTHKEYS = 0;
# ----------------------------------------------------------------------
# SECURITY SENSITIVE SETTINGS
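Review bot: The two new variables at `$GL_NO_CREATE_REPOS = 0;` and `$GL_NO_SETUP_AUTHKEYS = 0;` are added to the example rc with no comment, although they switch off repo creation and authorized_keys generation. An admin copying this file sees nothing that says they should stay at 0 in a normal installation. I would add a comment above them such as `# leave both at 0 unless an external system creates the repos and manages ~/.ssh/authorized_keys; see doc/big-config.mkd`.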
diff --git a/doc/big-config.mkd b/doc/big-config.mkd
index 278c152..c70b866 100644
--- a/doc/big-config.mkd
+++ b/doc/big-config.mkd
@@ -4,7 +4,7 @@ In this document:
* when/why do we need it?
* how do we use it?
- * summary of settings in RC file
+ * other optimisations
* what are the downsides?
* (extra coolness) usergroups and LDAP/similar tools
@@ -107,8 +107,9 @@ Just set
$GL_BIG_CONFIG = 1;
-in the `~/.gitolite.rc` file on the server. When you do that, and push this
-configuration, the compiled file looks like this:
+in the `~/.gitolite.rc` file on the server (see next section for more
+variables). When you do that, and push this configuration, the compiled file
+looks like this:
%repos = (
'@wbr' => {
@@ -142,23 +143,38 @@ configuration, the compiled file looks like this:
That's a lot smaller, and allows orders of magintude more repos and groups to
be supported.
-
+
-### summary of settings in RC file
+### other optimisations
-The default RC file contains the following lines:
+The default RC file contains the following lines (we've already discussed the
+first one):
$GL_BIG_CONFIG = 0;
$GL_NO_DAEMON_NO_GITWEB = 0;
+ $GL_NO_CREATE_REPOS = 0;
+ $GL_NO_SETUP_AUTHKEYS = 0;
-The first setting means that by default, big-config is off; you can change it
-to 1 to enable it.
+`GL_NO_DAEMON_NO_GITWEB` is a very useful optimisation that you *must* enable
+if you *do* have a large number of repositories, and do *not* use gitolite's
+support for gitweb or git-daemon access (see "[easier to specify gitweb
+description and gitweb/daemon access][gw]" for details). This will save a lot
+of time when you push the gitolite-admin repo with changes. This variable
+also control whether "git config" lines (such as `config hooks.emailprefix =
+"[gitolite]"`) will be processed or not.
-The second is a very useful optimisation that you *must* enable if you *do*
-have a large number of repositories, and do *not* use gitolite's support for
-gitweb or git-daemon access (see "[easier to specify gitweb description and
-gitweb/daemon access][gw]" for details). This will save a lot of time when
-you push the gitolite-admin repo with changes.
+Setting this is relatively harmless to a normal installation, unlike the next
+two variables :-) `GL_NO_CREATE_REPOS` and `GL_NO_SETUP_AUTHKEYS` are meant
+for installations where some backend system already exists that does all the
+actual repo creation, and all the authentication setup (ssh auth keys),
+respectively.
+
+Summary: Please **leave those two variables alone** unless you're initials are
+"JK" ;-)
+
+Also note that using all 3 of the `GL_NO_*` variables will result in
+*everything* after the config compile being skipped. In other words, gitolite
+is being used **only** for its access control language.
[gw]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gitweb
diff --git a/src/gl-compile-conf b/src/gl-compile-conf
index f0b27fa..d9577c8 100755
--- a/src/gl-compile-conf
+++ b/src/gl-compile-conf
@@ -52,7 +52,7 @@ $Data::Dumper::Sortkeys = 1;
open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
# these are set by the "rc" file
-our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB);
+our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB, $GL_NO_CREATE_REPOS, $GL_NO_SETUP_AUTHKEYS);
# and these are set by gitolite.pm
our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTIONS, $ABRT, $WARN);
@@ -395,12 +395,15 @@ print $compiled_fh Data::Dumper->Dump([\%groups], [qw(*groups)]) if $GL_BIG_CONF
close $compiled_fh or die "$ABRT close compiled-conf failed: $!\n";
# ----------------------------------------------------------------------------
-# any new repos to be created?
+# (that ends the config file compiler and write)
# ----------------------------------------------------------------------------
-# modern gits allow cloning from an empty repo, so we just create it
+# ----------------------------------------------------------------------------
+# what's the git version?
+# ----------------------------------------------------------------------------
+
+# we don't like stuff older than 1.6.2
-# but it turns out not everyone has "modern" gits :)
my $git_version = `git --version`;
die "
*** ERROR ***
@@ -418,11 +421,22 @@ die "\n\t\t***** AAARGH! *****\n" .
"\tthe newer features, please upgrade.\n"
if $git_version < 10602; # that's 1.6.2 to you
+
+
+# ----------------------------------------------------------------------------
+# the rest of this program can be "switched off"; see doc/big-config.mkd for
+# details.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# any new repos to be created?
+# ----------------------------------------------------------------------------
+
# repo-base needs to be an absolute path for this loop to work right
# so if it was not already absolute, prefix $HOME.
my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
-{
+unless ($GL_NO_CREATE_REPOS) {
wrap_chdir("$repo_base_abs");
# autocreate repos. Start with the ones that are normal repos in %repos
@@ -460,6 +474,10 @@ my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE"
# update repo configurations
# ----------------------------------------------------------------------------
+# no gating required for this. If you don't have any "config" lines it won't
+# run anyway. An example of a config line could be:
+# config hooks.emailprefix = "[foo]"
+
for my $repo (keys %repo_config) {
wrap_chdir("$repo_base_abs/$repo.git");
while ( my ($key, $value) = each(%{ $repo_config{$repo} }) ) {
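Review bot: The added comment "no gating required for this" does not hold once `$GL_NO_CREATE_REPOS` is set. The loop still runs `wrap_chdir("$repo_base_abs/$repo.git")` for every repo that has config lines, and with creation skipped nothing visible here ensures that directory exists. The comment also disagrees with doc/big-config.mkd in this same commit, which says `GL_NO_DAEMON_NO_GITWEB` controls whether config lines are processed and that setting all three variables skips everything after the compile; that is only true if `%repo_config` is left empty elsewhere, which this hunk does not show. Either reword the comment to state the real precondition, or skip missing repos with `next unless -d "$repo_base_abs/$repo.git";` before the chdir. The loop body continues outside the hunk.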
@@ -540,6 +558,9 @@ unless ($GL_NO_DAEMON_NO_GITWEB) {
# "compile" ssh authorized_keys
# ----------------------------------------------------------------------------
+# NOTE: for now we assume that setting up authkeys is the LAST thing we do!
+exit 0 if $GL_NO_SETUP_AUTHKEYS;
+
my $authkeys_fh = wrap_open( "<", $ENV{HOME} . "/.ssh/authorized_keys",
"\tFor security reasons, gitolite will not *create* this file if it does\n" .
"\tnot already exist. Please see the \"admin\" document for details\n");
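Review bot: With `$GL_NO_SETUP_AUTHKEYS` set, the added `exit 0` ends the run silently. An admin who pushes a key removal to the keydir gets no indication that `~/.ssh/authorized_keys` was left untouched and that revocation now depends entirely on the external backend. Printing a line before exiting would make that visible, e.g. `if ($GL_NO_SETUP_AUTHKEYS) { print STDERR "authorized_keys not updated: GL_NO_SETUP_AUTHKEYS is set\n"; exit 0; }`. Wrapping the section in `unless ($GL_NO_SETUP_AUTHKEYS) { ... }`, as the commit does for `$GL_NO_CREATE_REPOS`, would also remove the ordering hazard that the two NOTE comments (here and at the end of the file) warn about. The authkeys section continues outside the hunk.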
@@ -620,3 +641,7 @@ system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys");
system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys")
and die "couldn't write authkeys file\n";
system("rm $ENV{HOME}/.ssh/new_authkeys");
+
+# NOTE: if you're adding code here that is unrelated to setting up authkeys,
+# remember that control may not reach here if a sysadm has set
+# GL_NO_SETUP_AUTHKEYS in the rc file.