diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
new file mode 100644
index 0000000..17c7278
--- /dev/null
+++ b/vars/applyConfigPolicy.groovy
@@ -0,0 +1,104 @@
+import groovy.transform.Field
+
+@Field
+def DOCKER_ARGS = '''\
+-v /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+'''
+
+def call(rw_limit, stages) {
+ properties([
+ pipelineTriggers([cron('H H * * *')])
+ ])
+
+ timeout(time: 1, unit: 'HOURS') {
+ lock('cfgpol') {
+ node {
+ checkout scm
+ docker.build("configpolicy", 'ci').inside(DOCKER_ARGS) {
+ withEnv(["KRB5CCNAME=${WORKSPACE}/.krb5cc"]) {
+ try {
+ stageKinit()
+ stageRemountRW(rw_limit)
+ generateStages(stages)
+ stageRemountRO(rw_limit)
+ } catch (err) {
+ postFailure(err)
+ } finally {
+ postCleanup()
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+def stageKinit() {
+ stage('kinit') {
+ withCredentials([file(
+ credentialsId: 'keytab-jenkins@pyrocufflink.blue',
+ variable: 'KEYTAB'
+ )]) {
+ sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
+ }
+ withCredentials([file(
+ credentialsId: 'vault-jenkins@pyrocufflink.blue',
+ variable: 'SUDO_PASS_FILE'
+ )]) {
+ sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
+ }
+ }
+}
+
+
+def stageRemountRW(limit) {
+ stage('Remount R/W') {
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: limit,
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extraVars: [
+ remount_state: 'rw',
+ ]
+ }
+}
+
+def generateStages(stages) {
+ stages.each { name, playbooks ->
+ stage(name) {
+ playbooks.each { playbook ->
+ ansiblePlaybook \
+ playbook: playbook,
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extras: '--diff'
+ }
+ }
+ }
+}
+
+def stageRemountRO(limit) {
+ stage('Remount R/O') {
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: limit,
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extras: '--diff'
+ }
+}
+
+def postCleanup() {
+ sh 'kdestroy'
+ sh 'find . -name sudo-pass -delete'
+}
+
+def postFailure(err) {
+ currentBuild.result = 'FAILURE'
+ emailext \
+ to: 'gyrfalcon@ebonfire.com',
+ subject: '$DEFAULT_SUBJECT',
+ body: '$DEFAULT_CONTENT'
+ error "${err}"
+}
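Review bot: `stageRemountRO` runs `remount.yml` without an `extraVars` entry, whereas `stageRemountRW` explicitly passes `remount_state: 'rw'`; unless the playbook defaults to read-only, the hosts under `limit` are left writable after the run, which defeats the purpose of the final stage. Make the intent explicit so the code does not depend on a default defined elsewhere: `extraVars: [remount_state: 'ro'],` followed by the existing `extras: '--diff'`, mirroring the R/W stage. Relatedly, `stageRemountRW` omits `extras: '--diff'` while the other two call sites include it, so the remount changes are the only ones not logged with a diff. Separately, `stageKinit` copies the vault-provided sudo password to `group_vars/pyrocufflink/sudo-pass` in the workspace and relies on the `finally` in `call` to delete it; if the agent is lost before `postCleanup` runs, the plaintext file persists, so consider also removing any stale copy at the start of `stageKinit` or wiping the workspace after the build.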