diff --git a/.gitignore b/.gitignore
index 498e85d..8578ace 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 vault.key
 ekumen/
+.bundle/
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000..16f9cdb
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,2 @@
+--color
+--format documentation
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..99a6a46
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source 'https://gems.sutty.nl'
+
+gem 'rake'
+gem 'rubocop'
+gem 'rubocop-rake'
+gem 'serverspec'
+
+group :development do
+ gem 'pry'
+end
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..2d34048
--- /dev/null
+++ b/Gemfile.lock
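Review bot: The only `source` in the new Gemfile is `https://gems.sutty.nl`, so every gem in the lock file, including the platform-specific build `json (2.6.2-x86_64-linux-musl)`, is resolved from that one server, and the lock file records no checksums. The integrity of the whole test toolchain therefore rests on that server, and the file does not say why it is used. Suggest a comment above the `source` line recording the reason, for example `# Project gem server with gems prebuilt for musl; all dependencies are fetched from here`, if that is indeed the reason.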
@@ -0,0 +1,79 @@
+GEM
+ remote: https://gems.sutty.nl/
+ specs:
+ ast (2.4.2)
+ coderay (1.1.3)
+ diff-lcs (1.5.0)
+ json (2.6.2-x86_64-linux-musl)
+ method_source (1.0.0)
+ multi_json (1.15.0)
+ net-scp (3.0.0)
+ net-ssh (>= 2.6.5, < 7.0.0)
+ net-ssh (6.1.0)
+ net-telnet (0.1.1)
+ parallel (1.22.1)
+ parser (3.1.2.0)
+ ast (~> 2.4.1)
+ pry (0.14.1)
+ coderay (~> 1.1)
+ method_source (~> 1.0)
+ rainbow (3.1.1)
+ rake (13.0.6)
+ regexp_parser (2.5.0)
+ rexml (3.2.5)
+ rspec (3.11.0)
+ rspec-core (~> 3.11.0)
+ rspec-expectations (~> 3.11.0)
+ rspec-mocks (~> 3.11.0)
+ rspec-core (3.11.0)
+ rspec-support (~> 3.11.0)
+ rspec-expectations (3.11.0)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-its (1.3.0)
+ rspec-core (>= 3.0.0)
+ rspec-expectations (>= 3.0.0)
+ rspec-mocks (3.11.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-support (3.11.0)
+ rubocop (1.31.1)
+ json (~> 2.3)
+ parallel (~> 1.10)
+ parser (>= 3.1.0.0)
+ rainbow (>= 2.2.2, < 4.0)
+ regexp_parser (>= 1.8, < 3.0)
+ rexml (>= 3.2.5, < 4.0)
+ rubocop-ast (>= 1.18.0, < 2.0)
+ ruby-progressbar (~> 1.7)
+ unicode-display_width (>= 1.4.0, < 3.0)
+ rubocop-ast (1.18.0)
+ parser (>= 3.1.1.0)
+ rubocop-rake (0.6.0)
+ rubocop (~> 1.0)
+ ruby-progressbar (1.11.0)
+ serverspec (2.42.0)
+ multi_json
+ rspec (~> 3.0)
+ rspec-its
+ specinfra (~> 2.72)
+ sfl (2.3)
+ specinfra (2.83.2)
+ net-scp
+ net-ssh (>= 2.7)
+ net-telnet (= 0.1.1)
+ sfl
+ unicode-display_width (2.2.0)
+
+PLATFORMS
+ x86_64-linux-musl
+
+DEPENDENCIES
+ pry
+ rake
+ rubocop
+ rubocop-rake
+ serverspec
+
+BUNDLED WITH
+ 2.2.2
diff --git a/Makefile b/Makefile
index 4b2e025..1898233 100644
--- a/Makefile
+++ b/Makefile
@@ -22,3 +22,6 @@ encrypt-string: vault.key
 vault.key:
 @echo Creating a vault password on $@. Keep this file safe!
 @echo -n "$(password)" > $@
+
+test:
+ haini.sh bundle exec rake spec:all
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..dc44a66
--- /dev/null
+++ b/Rakefile
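Review bot: The new `test` target in the Makefile does not produce a file, and this hunk shows no `.PHONY` declaration for it; the rest of the Makefile is outside the hunk, so one may exist elsewhere. If a file or directory named `test` ever appears in the repository root, make will treat the target as up to date and skip the serverspec run without any error. Suggest adding `.PHONY: test` next to the rule.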
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'rake'
+require 'rspec/core/rake_task'
+require 'yaml'
+require 'pry'
+
+ansible_inventory = YAML.safe_load(File.read('./inventory.yml'))
+ansible_groups = ansible_inventory.keys
+
+ansible_groups.each do |group|
+ ansible_inventory[group]['hosts'] ||= {}
+ ansible_inventory[group]['hosts'].tap do |hosts|
+ hosts.each_pair do |host, _vars|
+ host_vars = File.join('host_vars', "#{host}.yml")
+
+ if File.exist? host_vars
+ hosts[host] = YAML.safe_load(File.read(host_vars))
+ else
+ puts "Warning: #{host_vars} doesn't exist"
+ end
+ end
+ end
+end
+
+task spec: 'spec:all'
+task default: :spec
+
+namespace :spec do
+ desc 'Run serverspec'
+ task all: (ansible_groups.map do |group|
+ "#{group}:all"
+ end)
+
+ ansible_groups.each do |group|
+ short_names = ansible_inventory[group]['hosts'].map do |_, vars|
+ [vars['ekumen'], vars['ansible_host']]
+ end.to_h
+
+ namespace group.to_sym do
+ desc "Run serverspec on #{group}"
+ task all: short_names.keys
+
+ short_names.each_key do |name|
+ desc "Run serverspec on #{group}:#{name}"
+ RSpec::Core::RakeTask.new(name) do |t|
+ ENV['TARGET_HOST'] = short_names[name]
+
+ puts "Running serverspec on #{group}:#{name}"
+ t.pattern = "spec/{base,#{group}}/*_spec.rb"
+ end
+ end
+ end
+ end
+end
diff --git a/spec/base/ekumen_spec.rb b/spec/base/ekumen_spec.rb
new file mode 100644
index 0000000..1444a71
--- /dev/null
+++ b/spec/base/ekumen_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe package('tinc') do
+ it { should be_installed }
+end
+
+describe service('tincd') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(65_000) do
+ it { should be_listening }
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..cece1d7
--- /dev/null
+++ b/spec/spec_helper.rb
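Review bot: In the Rakefile's host_vars loop the `else` branch only prints a warning, so a host without `host_vars/<host>.yml` keeps whatever value the inventory gave it. If that value is nil (likely for bare host entries, though the inventory is not shown), `vars['ekumen']` in the `short_names` map raises NoMethodError while the Rakefile loads and no task gets defined. Skipping such hosts keeps the warning useful: `short_names = ansible_inventory[group]['hosts'].values.compact.to_h { |vars| [vars['ekumen'], vars['ansible_host']] }`. Separately, `require 'pry'` is unconditional while the Gemfile puts pry in the `:development` group, so a bundle installed without that group cannot load the Rakefile; the require looks like a debugging leftover and could be dropped.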
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'serverspec'
+require 'net/ssh'
+
+host = ENV['TARGET_HOST']
+options = Net::SSH::Config.for(host)
+
+options[:user] ||= 'root'
+options[:forward_agent] = true
+options[:auth_methods] = %w[publickey]
+
+set :backend, :ssh
+set :host, options[:host_name] || host
+set :ssh_options, options
+set :disable_sudo, true
+set :env, LANG: 'C.UTF-8', LC_MESSAGES: 'C'
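Review bot: `options[:forward_agent] = true` in spec/spec_helper.rb makes the operator's SSH agent available on every host under test for as long as the connection lasts, and the session defaults to root through `options[:user] ||= 'root'`. None of the specs in this commit connects onward from the target, so the forwarding looks unnecessary, and a compromised target could use the forwarded agent to authenticate elsewhere as the operator. Suggest dropping the line or setting `options[:forward_agent] = false`. A guard such as `abort 'TARGET_HOST is not set' unless host` before `Net::SSH::Config.for(host)` would also make a missing variable fail with a clear message.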