diff --git a/deploy-samba.groovy b/deploy-samba.groovy
new file mode 100644
index 0000000..f018f83
--- /dev/null
+++ b/deploy-samba.groovy
@@ -0,0 +1,124 @@
+def baseName = 'deploy'
+def stackPrefix = 'jenkins'
+def stacks = ['samba-1x3',
+	      'samba-3x3',
+	      'samba-sisyphus-1x3',
+	      'samba-sisyphus-3x3']
+def infraRepo = 'https://github.com/altlinuxteam/infra.git'
+def infraBranch = 'master'
+def confRepo = 'http://gogs.srt/BaseALT/infra-conf.git'
+def confBranch = 'master'
+
+stacks.each { s ->
+    def jobName = "${baseName}-${s}"
+    job(jobName) {
+	label('nix && small')
+	logRotator(-1, 10, -1, 10)
+	parameters {
+	    stringParam('ENV', 'test', 'infra environment name')
+	    stringParam('STACK', "${stackPrefix}-${s}", 'infra stack name')
+	    stringParam('TASKS', '', 'comma separated tasks list to add as additional repos')
+	    choiceParam('DEPLOY_MODE', ['deploy', 'redeploy', 'destroy'], '')
+	}
+	multiscm {
+	    git {
+		remote {
+		    name('origin')
+		    url(infraRepo)
+		}
+		branch(infraBranch)
+		extensions {
+		    submoduleOptions {
+			disable(false)
+			tracking(true)
+		    }
+		}
+	    }
+	    git {
+		remote {
+		    name('origin')
+		    url(confRepo)
+		}
+		branch(confBranch)
+		extensions {
+		    relativeTargetDirectory('vars/conf')
+		}
+	    }
+	}
+	wrappers {
+	    colorizeOutput()
+	    timestamps()
+	    credentialsBinding {
+		string('VAULT_KEY', 'vault-test-key')
+	    }
+	    sshAgent('robot_key', 'jenkins-gogs')
+	}
+	steps {
+	    shell('''#!/usr/bin/env bash
+set -euo pipefail
+set -x
+mkdir -p .tmp/
+echo ${VAULT_KEY} > .tmp/.pass-${ENV}
+chmod 600 .tmp/.pass-${ENV}
+
+if [[ -n "${TASKS+x}" ]]; then
+	sed -ie "s/apt_sources_from_tasks:.*/apt_sources_from_tasks: [$TASKS]/" \
+    vars/conf/stacks/$STACK/apps.yml
+fi
+'''.stripIndent())
+
+		    shell('''#!/usr/bin/env bash
+set -euo pipefail
+set -x
+rm -f .script
+cat <<'EOF' >.script
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+export ANSIBLE_FORCE_COLOR=1
+export PYTHONUNBUFFERED=1
+
+params=""
+
+if [[ "${DEPLOY_MODE}" == "redeploy" ]]; then
+  params="$params -e redeploy_all=yes"
+elif [[ "${DEPLOY_MODE}" == "destroy" ]]; then
+  params="$params -e destroy_all=yes"
+fi
+
+ansible-playbook \
+  -e env_name=$ENV \
+  -e stack_name=$STACK \
+  --vault-id $ENV@.tmp/.pass-$ENV \
+  $params provision.yml
+
+if [[ "${DEPLOY_MODE}" != "destroy" ]]; then
+ansible-playbook -i .tmp/ansible_hosts \
+  -e env_name=$ENV \
+  -e stack_name=$STACK \
+  --vault-id $ENV@.tmp/.pass-$ENV \
+  $ENV-$STACK-apps.yml
+fi
+EOF
+chmod +x .script
+'''.stripIndent())
+
+	    shell('''#!/usr/bin/env bash
+set -euo pipefail
+set -x
+rm -rf .tmp/*
+nix-shell --run ./.script
+'''.stripIndent())
+	}
+
+	publishers {
+	    archiveArtifacts {
+		pattern('.tmp/ssh_config')
+		pattern('.tmp/domain_config')
+		pattern("vars/conf/stacks/${stackPrefix}-${s}/**")
+		onlyIfSuccessful(false)
+	    }
+	}
+    }
+}