diff --git a/.gitignore b/.gitignore
index dade81e..ea90996 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 Gemfile.lock
 .bundled_gems/
+log/
+junit/
+.vagrant/
diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb
new file mode 100644
index 0000000..9350968
--- /dev/null
+++ b/spec/acceptance/basic_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper_acceptance'
+
+describe 'puppet-cgit module' do
+ def pp_path
+ base_path = File.dirname(__FILE__)
+ File.join(base_path, 'fixtures')
+ end
+
+ def preconditions_puppet_module
+ module_path = File.join(pp_path, 'preconditions.pp')
+ File.read(module_path)
+ end
+
+ def default_puppet_module
+ module_path = File.join(pp_path, 'default.pp')
+ File.read(module_path)
+ end
+
+ before(:all) do
+ apply_manifest(preconditions_puppet_module, catch_failures: true)
+ end
+
+ it 'should work with no errors' do
+ apply_manifest(default_puppet_module, catch_failures: true)
+ end
+
+ it 'should be idempotent' do
+ apply_manifest(default_puppet_module, catch_failures: true)
+ apply_manifest(default_puppet_module, catch_changes: true)
+ end
+end
diff --git a/spec/acceptance/files_spec.rb b/spec/acceptance/files_spec.rb
new file mode 100644
index 0000000..39e1f51
--- /dev/null
+++ b/spec/acceptance/files_spec.rb
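Review bot: Nothing in this file records that files_spec.rb, packages_spec.rb, selinux_spec.rb and users_spec.rb apply no manifest of their own, and that services_spec.rb applies only behindproxy.pp for its second group. They all appear to depend on the `before(:all)` and `it` blocks here having run first. If the suite relies on load order for that, state it at the top of the `describe`, for example `# Applies the fixtures that the other acceptance specs inspect; must run before them.` Without that note, a run in random order or of a single spec file fails for reasons unrelated to the module.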
@@ -0,0 +1,100 @@
+require 'spec_helper_acceptance'
+
+describe 'required files', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ required_directories = [
+ file('/home/cgit'),
+ file('/var/lib/git'),
+ ]
+
+ required_directories.each do |directory|
+ describe directory do
+ it { should be_directory }
+ it { should be_owned_by 'cgit' }
+ it { should be_grouped_into 'cgit' }
+ end
+ end
+
+ required_directories = [
+ file('/var/www/cgit'),
+ file('/var/www/cgit/static'),
+ ]
+
+ required_directories.each do |directory|
+ describe directory do
+ it { should be_directory }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ end
+ end
+
+ describe file('/usr/lib/systemd/system/git-daemon.socket'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] >= '7' do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'ListenStream=9418' }
+ end
+
+ describe file('/usr/lib/systemd/system/git-daemon@.service'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] >= '7' do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'Wants=git-daemon.socket' }
+ end
+
+ describe file('/etc/init.d/git-daemon'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] < '7' do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'DAEMON=/usr/libexec/git-core/git-daemon' }
+ its(:content) { should match 'PORT=9418' }
+ end
+
+ describe file('/etc/pki/tls/certs/localhost.pem') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ end
+
+ describe file('/etc/pki/tls/private/localhost.key') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ end
+
+ describe file('/etc/cgitrc') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'clone-prefix=git://git.openstack.org https://git.openstack.org' }
+ end
+
+ describe file('/var/lib/git/.ssh/authorized_keys') do
+ it { should be_file }
+ it { should be_owned_by 'git' }
+ it { should be_mode '640' } # Authorized keys file should have a restrict permission
+ its(:content) { should match 'ssh-key 1a2b3c4d5e' }
+ end
+
+ describe file('/etc/httpd/conf/httpd.conf') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'Listen 80' }
+ end
+
+ describe file('/etc/httpd/conf.d/ssl.conf') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'Listen 443' }
+ end
+end
+
+describe 'required files', :if => ['debian', 'ubuntu'].include?(os[:family]) do
+ describe file('/etc/rsyslog.d/haproxy.conf') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its(:content) { should match 'local0.* /var/log/haproxy.log' }
+ end
+end
diff --git a/spec/acceptance/fixtures/behindproxy.pp b/spec/acceptance/fixtures/behindproxy.pp
new file mode 100644
index 0000000..79c399c
--- /dev/null
+++ b/spec/acceptance/fixtures/behindproxy.pp
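Review bot: The release guards `os[:release] >= '7'` and `os[:release] < '7'` compare strings, so a two-digit release such as '10', or a Fedora release such as '22', sorts below '7' and selects the init.d branch instead of the systemd one. This assumes `os[:release]` is a string, as the quoted `'7'` suggests. A numeric comparison such as `os[:release].to_i >= 7` avoids it, and the same guards appear in services_spec.rb. Separately, the block for `/etc/pki/tls/private/localhost.key` asserts only owner and group. The private key is the file where the mode matters most, so add a `be_mode` expectation with the restrictive mode the module sets (not visible in this diff), as is already done for `authorized_keys`.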
@@ -0,0 +1,24 @@
+if ($::osfamily == 'RedHat') {
+ class { '::cgit':
+ vhost_name => 'localhost',
+ serveradmin => 'webmaster@localhost',
+ ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
+ ssl_cert_file => '/etc/pki/tls/certs/localhost.pem',
+ ssl_key_file_contents => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
+ ssl_key_file => '/etc/pki/tls/private/localhost.key',
+ manage_cgitrc => true,
+ behind_proxy => true,
+ cgitrc_settings => {
+ 'clone-prefix' => 'git://git.openstack.org https://git.openstack.org',
+ 'root-title' => 'OpenStack git repository browser',
+ },
+ } -> class { '::cgit::ssh':
+ manage_home => false,
+ authorized_keys => [
+ 'ssh-key 1a2b3c4d5e',
+ ],
+ } -> exec { 'reload systemd to have ports updated':
+ command => '/bin/systemctl daemon-reload',
+ }
+}
+
diff --git a/spec/acceptance/fixtures/default.pp b/spec/acceptance/fixtures/default.pp
new file mode 100644
index 0000000..eec914b
--- /dev/null
+++ b/spec/acceptance/fixtures/default.pp
@@ -0,0 +1,26 @@
+if ($::osfamily == 'RedHat') {
+ class { '::cgit':
+ vhost_name => 'localhost',
+ serveradmin => 'webmaster@localhost',
+ ssl_cert_file_contents => file('/etc/ssl/certs/ssl-cert-snakeoil.pem'),
+ ssl_cert_file => '/etc/pki/tls/certs/localhost.pem',
+ ssl_key_file_contents => file('/etc/ssl/private/ssl-cert-snakeoil.key'),
+ ssl_key_file => '/etc/pki/tls/private/localhost.key',
+ manage_cgitrc => true,
+ cgitrc_settings => {
+ 'clone-prefix' => 'git://git.openstack.org https://git.openstack.org',
+ 'root-title' => 'OpenStack git repository browser',
+ },
+ } -> class { '::cgit::ssh':
+ manage_home => false,
+ authorized_keys => [
+ 'ssh-key 1a2b3c4d5e',
+ ],
+ }
+} elsif ($::osfamily == 'Debian') {
+ class { '::cgit::lb':
+ balancer_member_names => [ 'local' ],
+ balancer_member_ips => [ '127.0.0.1' ],
+ }
+}
+
diff --git a/spec/acceptance/fixtures/preconditions.pp b/spec/acceptance/fixtures/preconditions.pp
new file mode 100644
index 0000000..e91ea2e
--- /dev/null
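Review bot: In behindproxy.pp the trailing `exec { 'reload systemd to have ports updated': ... }` has no `refreshonly`, `unless` or `onlyif`, so `/bin/systemctl daemon-reload` runs on every apply and reports a change each time. It also runs on every RedHat-family release, including the pre-7 releases that files_spec.rb and services_spec.rb still branch on, where systemctl is presumably absent. Making it refresh-driven keeps the manifest idempotent, for example by adding `refreshonly => true,` and `subscribe => Class['::cgit'],`. If pre-7 hosts are meant to be covered, guard the exec on the release as well.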
+++ b/spec/acceptance/fixtures/preconditions.pp
@@ -0,0 +1,33 @@
+# Installing ssl-cert in order to get snakeoil certs
+if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7') {
+ exec { 'creates self-signed certificate directory':
+ path => '/usr/bin',
+ command => 'mkdir -p /etc/ssl/certs',
+ creates => '/etc/ssl/certs',
+ } -> exec { 'creates self-signed certificate key directory':
+ path => '/usr/bin',
+ command => 'mkdir -p /etc/ssl/private',
+ creates => '/etc/ssl/private',
+ } -> exec { 'creates self-signed certificate':
+ path => '/usr/bin',
+ command => 'openssl req \
+ -new \
+ -newkey rsa:2048 \
+ -days 365 \
+ -nodes \
+ -x509 \
+ -subj "/C=US/ST=California/L=San Francisco/O=Dis/CN=localhost" \
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
+ -out /etc/ssl/certs/ssl-cert-snakeoil.pem',
+ creates => ['/etc/ssl/certs/cgit.key', '/etc/cgit/ssl/cgit.crt'],
+ }
+
+ package { 'policycoreutils-python':
+ ensure => present,
+ }
+}
+elsif ($::osfamily == 'Debian') {
+ package { 'ssl-cert':
+ ensure => present,
+ }
+}
diff --git a/spec/acceptance/packages_spec.rb b/spec/acceptance/packages_spec.rb
new file mode 100644
index 0000000..2f21134
--- /dev/null
+++ b/spec/acceptance/packages_spec.rb
@@ -0,0 +1,29 @@
+require 'spec_helper_acceptance'
+
+describe 'required os packages', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ required_packages = [
+ package('mod_ldap'),
+ package('cgit'),
+ package('git-daemon'),
+ package('highlight'),
+ ]
+
+ required_packages.each do |package|
+ describe package do
+ it { should be_installed }
+ end
+ end
+end
+
+describe 'required os packages', :if => ['debian', 'ubuntu'].include?(os[:family]) do
+ required_packages = [
+ package('socat'),
+ package('lsof'),
+ ]
+
+ required_packages.each do |package|
+ describe package do
+ it { should be_installed }
+ end
+ end
+end
diff --git a/spec/acceptance/selinux_spec.rb b/spec/acceptance/selinux_spec.rb
new file mode 100644
index 0000000..900fd83
--- /dev/null
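Review bot: The `creates` list on the 'creates self-signed certificate' exec in preconditions.pp names `/etc/ssl/certs/cgit.key` and `/etc/cgit/ssl/cgit.crt`, but the openssl command writes `/etc/ssl/private/ssl-cert-snakeoil.key` and `/etc/ssl/certs/ssl-cert-snakeoil.pem`. Unless something else creates the listed paths, the guard never takes effect and every apply regenerates the key and certificate. Point it at the real outputs: `creates => ['/etc/ssl/private/ssl-cert-snakeoil.key', '/etc/ssl/certs/ssl-cert-snakeoil.pem'],`. This branch is also limited to `$::operatingsystemmajrelease == '7'`, while default.pp and behindproxy.pp call `file()` on those paths for any RedHat-family host, so other releases would have nothing to read.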
+++ b/spec/acceptance/selinux_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper_acceptance'
+
+describe 'selinux', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ describe selinux do
+ it { should be_permissive }
+ end
+
+ describe command('getsebool httpd_enable_cgi') do
+ its(:stdout) { should match 'httpd_enable_cgi --> on' }
+ end
+
+ describe command('semanage port --list') do
+ its(:stdout) { should match 'http_port_t' }
+ its(:stdout) { should match 'git_port_t' }
+ end
+end
diff --git a/spec/acceptance/services_spec.rb b/spec/acceptance/services_spec.rb
new file mode 100644
index 0000000..55fc449
--- /dev/null
+++ b/spec/acceptance/services_spec.rb
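Review bot: `it { should be_permissive }` makes the suite require SELinux to be in permissive mode, so a host running enforcing fails the test, and the boolean and port-label checks below it never show that cgit works with policy enforced. If permissive is only what the test image happens to use, assert `should_not be_disabled` instead, or `should be_enforcing` if the module is meant to run under enforcement; which of these the module intends is not visible in this diff. The `semanage port --list` checks also match only the type names `http_port_t` and `git_port_t`, which presumably appear in that listing on any host with the default policy. They therefore do not confirm that the non-default ports exercised in services_spec.rb (8080, 4443, 29418) were labelled.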
@@ -0,0 +1,103 @@
+require 'spec_helper_acceptance'
+
+describe 'cgit server', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ describe 'running web server' do
+ describe command('curl http://localhost/cgit') do
+ its(:stdout) { should match 'OpenStack git repository browser' }
+ end
+
+ describe command('curl --insecure https://localhost/cgit') do
+ its(:stdout) { should match 'OpenStack git repository browser' }
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe port(443) do
+ it { should be_listening }
+ end
+
+ describe port(9418) do
+ it { should be_listening }
+ end
+
+ describe service('httpd') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+ end
+
+ describe service('git-daemon.socket'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] >= '7' do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+ describe service('git-daemon'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] < '7' do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
+
+describe 'cgit server behind proxy', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ before(:all) do
+ behind_proxy_manifest = File.join(File.dirname(__FILE__), 'fixtures', 'behindproxy.pp')
+ apply_manifest(File.read(behind_proxy_manifest), catch_failures: true)
+ end
+
+ describe 'running web server' do
+ describe command('curl http://localhost:8080/cgit') do
+ its(:stdout) { should match 'OpenStack git repository browser' }
+ end
+
+ describe command('curl --insecure https://localhost:4443/cgit') do
+ its(:stdout) { should match 'OpenStack git repository browser' }
+ end
+
+ describe port(8080) do
+ it { should be_listening }
+ end
+
+ describe port(4443) do
+ it { should be_listening }
+ end
+
+ describe port(29418) do
+ it { should be_listening }
+ end
+
+ describe service('httpd') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+ end
+
+ describe service('git-daemon.socket'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] >= '7' do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+ describe service('git-daemon'), :if => ['fedora', 'redhat'].include?(os[:family]) && os[:release] < '7' do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
+
+describe 'cgit loadbalancer', :if => ['debian', 'ubuntu'].include?(os[:family]) do
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe port(443) do
+ it { should be_listening }
+ end
+
+ describe port(9418) do
+ it { should be_listening }
+ end
+
+ describe service('haproxy') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
diff --git a/spec/acceptance/users_spec.rb b/spec/acceptance/users_spec.rb
new file mode 100644
index 0000000..724a7ca
--- /dev/null
+++ b/spec/acceptance/users_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper_acceptance'
+
+describe 'required users and groups', :if => ['fedora', 'redhat'].include?(os[:family]) do
+ describe user('cgit') do
+ it { should exist }
+ it { should belong_to_group 'cgit' }
+ end
+
+ describe group('cgit') do
+ it { should exist }
+ end
+
+ describe user('git') do
+ it { should exist }
+ it { should belong_to_group 'git' }
+ end
+
+ describe group('git') do
+ it { should exist }
+ end
+end
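Review bot: Both HTTPS checks in services_spec.rb use `curl --insecure`, so they pass whatever certificate httpd presents and do not show that the certificate and key deployed by the fixture are the ones being served. The fixtures install the certificate at /etc/pki/tls/certs/localhost.pem, and the generated one carries CN=localhost. `curl --cacert /etc/pki/tls/certs/localhost.pem https://localhost/cgit` (and the `:4443` variant) should therefore verify it, assuming curl accepts the self-signed certificate as its own trust anchor. An `its(:exit_status) { should eq 0 }` next to each stdout match would also make a TLS or connection failure visible as such, rather than only as a missing title.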