diff --git a/README.md b/README.md
index 2fead8d..2c24f7d 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,20 @@
-# infra
+# Prepare
+install prerequired ansible 2.6+ and python modules
+```sh
+apt-get install ansible python-module-proxmoxer python-module-jmespath python-module-netaddr
+```
+
+init submodules and pull infra-conf repository
+```sh
+export CONF_URI="http://gogs.srt/BaseALT/infra-conf.git"
+git submodule update --init --recursive
+git subtree add --prefix=vars/conf "${CONF_URI}" master
+ssh-add ~/.ssh/robot_key
+```
+
+do not forget to add robot ssh-key and clone passdb
+
+deploy desired stack
+```sh
+./infra.sh test-env test-stack
+```
diff --git a/infra.sh b/infra.sh
new file mode 100755
index 0000000..7d8ab35
--- /dev/null
+++ b/infra.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z ${SSH_AUTH_SOCK+x} ]; then
+    echo "SSH_AUTH_SOCK is undefined" >&2
+    echo "you need a ssh-agent to deploy via $0" >&2
+    exit 1
+fi
+
+env="$1"; shift
+stack="$1"; shift
+
+export PASSWORD_STORE_DIR=~/.pass/alt
+export PASSWORD_STORE_GIT=~/.pass/alt
+
+(umask 0077 && pass ansible/vault-pass/$env > ./.pass-$env)
+mkdir -p .tmp
+# extract robot_key
+rm -f .tmp/robot_key; pass infra/robot_key > .tmp/robot_key
+chmod 400 .tmp/robot_key
+# add robot_key to the ssh agent
+ssh-add .tmp/robot_key
+
+touch .tmp/ssh_config
+ANSIBLE_FORCE_COLOR=1 \
+ ansible-playbook -e env_name=$env -e stack_name=$stack --vault-id $env@.pass-$env $@ provision.yml | tee $env-$stack-provision.log
+if [[ -f ${env}-${stack}-apps.yml ]]; then
+ ANSIBLE_FORCE_COLOR=1 \
+  ansible-playbook -i .tmp/ansible_hosts -e env_name=$env -e stack_name=$stack --vault-id $env@.pass-$env $@ ${env}-${stack}-apps.yml | tee $env-$stack-apps.log
+else
+ echo "playbook ${env}-${stack}-apps.yml was not found" >2
+ exit 1
+fi