diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000000..68fa1f751b
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,37 @@
+- job:
+ name: puppet-beaker-rspec-infra-system-config
+ parent: puppet-beaker-rspec-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-infra-centos-7-system-config
+ parent: puppet-beaker-rspec-centos-7-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-puppet-4-infra-system-config
+ parent: puppet-beaker-rspec-puppet-4-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
+ parent: puppet-beaker-rspec-puppet-4-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- project:
+ check:
+ jobs:
+ - puppet-beaker-rspec-infra-system-config
+ - puppet-beaker-rspec-infra-centos-7-system-config
+ - puppet-beaker-rspec-puppet-4-infra-system-config:
+ voting: false
+ - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config:
+ voting: false
+ gate:
+ jobs:
+ - puppet-beaker-rspec-infra-system-config
+ - puppet-beaker-rspec-infra-centos-7-system-config
diff --git a/Gemfile b/Gemfile
index e350f810c5..019213ae22 100644
--- a/Gemfile
+++ b/Gemfile
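Review bot: In .zuul.yaml the fourth job, `puppet-beaker-rspec-puppet-4-centos-7-infra-system-config`, declares `parent: puppet-beaker-rspec-puppet-4-infra`, the same parent as the non-CentOS puppet-4 job directly above it. The puppet-3 pair uses a distinct `puppet-beaker-rspec-centos-7-infra` parent for its CentOS variant, so this looks like a copy-paste slip. If it is one, the CentOS 7 puppet-4 path is never actually exercised and the job duplicates the other. The parent job definitions are not visible in this change, so please confirm whether a CentOS 7 puppet-4 parent exists and point this job at it, or add a nodeset override here.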
@@ -1,9 +1,15 @@ source 'https://rubygems.org' +if File.exists?('/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper') + gem_checkout_method = {:path => '/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'} +else + gem_checkout_method = {:git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'} +end +gem_checkout_method[:require] = false + group :development, :test, :system_tests do gem 'puppet-openstack_infra_spec_helper', - :git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper', - :require => false + gem_checkout_method end # vim:ft=ruby diff --git a/modules/openstack_project/Gemfile b/modules/openstack_project/Gemfile new file mode 120000 index 0000000000..2e432fab9e --- /dev/null +++ b/modules/openstack_project/Gemfile @@ -0,0 +1 @@ +../../Gemfile \ No newline at end of file diff --git a/modules/openstack_project/metadata.json b/modules/openstack_project/metadata.json new file mode 100644 index 0000000000..46af576adb --- /dev/null +++ b/modules/openstack_project/metadata.json @@ -0,0 +1,11 @@ +{ + "name": "openstackinfra-openstack_project", + "version": "0.0.1", + "author": "Openstack CI", + "summary": "Puppet module for openstack_project", + "license": "Apache 2.0", + "source": "git://git.openstack.org/openstack-infra/system-config.git", + "project_page": "http://docs.openstack.org/infra/system-config/", + "issues_url": "https://storyboard.openstack.org/#!/project/778", + "dependencies": [] +} diff --git a/modules/openstack_project/spec/acceptance/basic_spec.rb b/modules/openstack_project/spec/acceptance/basic_spec.rb new file mode 100755 index 0000000000..786c4f075a --- /dev/null +++ b/modules/openstack_project/spec/acceptance/basic_spec.rb 
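Review bot: `File.exists?` in the added Gemfile conditional is the deprecated alias (removed in Ruby 3.2), and it is also true for a regular file, whereas a `:path` gem source needs a directory. The checkout path literal is written out twice, so a single local keeps the test and the source in step: `helper_src = '/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'` followed by `if File.directory?(helper_src)` and `{:path => helper_src}`. Bundler will load whatever gemspec sits at that location, so a one-line comment stating that the path is the Zuul-prepared checkout on CI nodes would make the trust assumption explicit for anyone running this elsewhere.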
@@ -0,0 +1,90 @@
+require 'puppet-openstack_infra_spec_helper/spec_helper_acceptance'
+
+describe 'openstack_project::server' do
+
+ def pp_path
+ base_path = File.dirname(__FILE__)
+ File.join(base_path, 'fixtures')
+ end
+
+ def puppet_manifest
+ manifest_path = File.join(pp_path, 'default.pp')
+ File.read(manifest_path)
+ end
+
+ def postconditions_puppet_manifest
+ manifest_path = File.join(pp_path, 'postconditions.pp')
+ File.read(manifest_path)
+ end
+
+ before(:all) do
+ # The ssh_authorized_key resource uses the key comment as a universal
+ # identifier, so if a user's key is already in root's authorized keys, it
+ # conflicts with adding the key for the user itself. Move root's key list
+ # aside temporarily.
+ shell('mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak')
+ # epel is needed to install exim
+ if os[:family] == 'redhat'
+ shell('yum-config-manager --enable epel')
+ end
+ end
+
+ it 'should work with no errors' do
+ apply_manifest(puppet_manifest, catch_failures: true)
+ end
+
+ it 'should be idempotent' do
+ apply_manifest(puppet_manifest, catch_changes: true)
+ end
+
+ it 'should turn root ssh back on' do
+ apply_manifest(postconditions_puppet_manifest, catch_failures: true)
+ shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys')
+ end
+
+ ['mordred',
+ 'corvus',
+ 'clarkb',
+ 'fungi',
+ 'jhesketh',
+ 'yolanda',
+ 'pabelanger',
+ 'rcarrillocruz',
+ 'ianw',
+ 'shrews',
+ 'dmsimard',
+ 'frickler'].each do |user|
+ describe user(user) do
+ it { should exist }
+ end
+ end
+
+ ['slukjanov', 'elizabeth', 'nibz'].each do |user|
+ describe user(user) do
+ it { should_not exist }
+ end
+ end
+
+ exim = os[:family] == 'ubuntu' ? 'exim4' : 'exim'
+ ntp = os[:family] == 'ubuntu' ? 'ntp' : 'ntpd'
+ services = ['rsyslog', 'unbound', exim, 'snmpd', ntp]
+ if os[:family] == 'ubuntu'
+ services.push('openafs-client')
+ end
+ services.each do |service|
+ describe service(service) do
+ it { should be_running }
+ end
+ end
+
+ describe command('iptables -S') do
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
+ its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
+ end
+
+end
diff --git a/modules/openstack_project/spec/acceptance/fixtures/default.pp b/modules/openstack_project/spec/acceptance/fixtures/default.pp
new file mode 100644
index 0000000000..bdf3f04206
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/fixtures/default.pp
@@ -0,0 +1,12 @@
+$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
+$manage_afs = $::operatingsystem ? {
+ 'CentOS' => false,
+ default => true
+}
+
+class { 'openstack_project::server':
+ iptables_public_tcp_ports => [80, 443, 29418],
+ iptables_rules6 => $iptables_rules,
+ iptables_rules4 => $iptables_rules,
+ afs => $manage_afs,
+}
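Review bot: In basic_spec.rb root's `authorized_keys` is moved aside in `before(:all)` but only restored as the second statement of the `'should turn root ssh back on'` example, after `apply_manifest(postconditions_puppet_manifest, catch_failures: true)`. If that apply fails, the `mv` back never runs and the host keeps its root key list parked in `authorized_keys.bak`. Moving the restore into a hook makes it unconditional: `after(:all) { shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys') }`. Separately, the fixture passes the same rule to `iptables_rules6`, yet only `iptables -S` is asserted, so the IPv6 rule set goes unchecked; a matching `describe command('ip6tables -S')` block would cover it.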
diff --git a/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp b/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp
new file mode 100644
index 0000000000..ba75282e9f
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp
@@ -0,0 +1,6 @@
+# Turn root ssh back on, otherwise we can't post logs
+class { 'ssh':
+ trusted_ssh_type => 'address',
+ trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072',
+ permit_root_login => 'yes',
+}
diff --git a/modules/openstack_project/spec/acceptance/nodesets/default.yml b/modules/openstack_project/spec/acceptance/nodesets/default.yml
new file mode 100644
index 0000000000..3bb3e62648
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/default.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ ubuntu-server-1404-x64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ box: puppetlabs/ubuntu-14.04-64-nocm
+ box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+ hypervisor: vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml
new file mode 100644
index 0000000000..c55287420c
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ centos-70-x64:
+ roles:
+ - master
+ platform: el-7-x86_64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml
new file mode 100644
index 0000000000..9fc624e24a
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml
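Review bot: `permit_root_login => 'yes'` in postconditions.pp re-enables root login without limiting the authentication method; if the `ssh` class passes the value straight through to sshd's `PermitRootLogin`, root password logins are accepted wherever password authentication is enabled. The class definition is not part of this change, so confirm whether it accepts a key-only value such as `'without-password'`, which should be enough for collecting logs. The two `trusted_ssh_source` addresses are also unexplained; a comment above them of the form `# <host these addresses belong to and why it needs root ssh>` would tell the next reader what is being trusted.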
@@ -0,0 +1,10 @@
+HOSTS:
+ ubuntu-14.04-amd64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml
new file mode 100644
index 0000000000..99dd318778
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ ubuntu-16.04-amd64:
+ roles:
+ - master
+ platform: ubuntu-16.04-amd64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false