diff --git a/hosts b/hosts
index 09db448..4508e11 100644
--- a/hosts
+++ b/hosts
@@ -113,6 +113,8 @@ pyrocufflink-dns
 [public-web]
 web0.pyrocufflink.blue
 
+[pxe]
+
 [pyrocufflink]
 build0-amd64.pyrocufflink.blue
 burp1.pyrocufflink.blue
diff --git a/pxe.yml b/pxe.yml
new file mode 100644
index 0000000..ff55bec
--- /dev/null
+++ b/pxe.yml
@@ -0,0 +1,6 @@
+- hosts: pxe
+  roles:
+  - role: pxe
+    tags: pxe
+  - role: netboot/jenkins-agent
+    tags: netboot/jenkins-agent
diff --git a/roles/pxe/meta/main.yml b/roles/pxe/meta/main.yml
new file mode 100644
index 0000000..e6e8658
--- /dev/null
+++ b/roles/pxe/meta/main.yml
@@ -0,0 +1,5 @@
+dependencies:
+- role: tftp
+  tags: tftp
+- role: nbd-server
+  tags: nbd
diff --git a/roles/pxe/tasks/main.yml b/roles/pxe/tasks/main.yml
new file mode 100644
index 0000000..5772f0f
--- /dev/null
+++ b/roles/pxe/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: ensure pxeadmins group exists
+  group:
+    name: pxeadmins
+    state: present
+  tags:
+  - group
+
+- name: ensure pxeadmins can write to tftpboot directory
+  acl:
+    path: /var/lib/tftpboot
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions
+
+- name: ensure pxeadmins can write to nbd directory
+  acl:
+    path: /var/lib/nbd
+    entity: pxeadmins
+    etype: group
+    permissions: rwX
+    recursive: True
+    default: '{{ item == "default" }}'
+    state: present
+  loop:
+  - default
+  - current
+  tags:
+  - permissions