diff --git a/.gitignore b/.gitignore
index 2c33b92..ebd11f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@ chef.tar.gz
 .rvmrc
 chef/site-cookbooks/rubygems/files/default/rubygems.org*
 chef/data_bags/secrets/*
+.kitchen/
+.kitchen.local.yml
diff --git a/.kitchen.yml b/.kitchen.yml
new file mode 100644
index 0000000..5c1be5d
--- /dev/null
+++ b/.kitchen.yml
@@ -0,0 +1,56 @@
+---
+driver:
+ name: vagrant
+
+provisioner:
+ name: chef_solo
+
+platforms:
+ - name: ubuntu-12.04
+
+suites:
+ - name: base
+ run_list: ["role[base]", "role[vagrant]"]
+ roles_path: "chef/roles"
+ data_bags_path: "chef/data_bags"
+ - name: dbmaster
+ run_list: ["role[db_master]", "role[vagrant]"]
+ roles_path: "chef/roles"
+ data_bags_path: "chef/data_bags"
+ attributes:
+ - name: app
+ run_list: ["role[app]", "role[vagrant]"]
+ roles_path: "chef/roles"
+ data_bags_path: "chef/data_bags"
+ attributes:
+ application:
+ name: 'rubygems'
+ rails_env: vagrant
+ rails_root: "/applications/rubygems/staging"
+ server_names:
+ - "vagrant.rubygems.org"
+ use_ssl: true
+ force_ssl: true
+ ssl_key: rubygems.org.key
+ ssl_cert: rubygems.org.crt
+ app_server:
+ name: unicorn
+ concurrency: 4
+ - name: balancer
+ run_list: ["role[balancer]", "role[vagrant]"]
+ roles_path: "chef/roles"
+ data_bags_path: "chef/data_bags"
+ attributes:
+ application:
+ name: 'rubygems'
+ rails_env: vagrant
+ rails_root: "/applications/rubygems/staging"
+ server_names:
+ - "vagrant.rubygems.org"
+ use_ssl: true
+ force_ssl: true
+ ssl_key: rubygems.org.key
+ ssl_cert: rubygems.org.crt
+ app_server:
+ name: unicorn
+ concurrency: 4
diff --git a/Gemfile b/Gemfile
index fd87878..156ac73 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,3 +6,8 @@ gem 'fpm', '~> 0.3'
 gem 'knife-solo', '~> 0.3'
 gem 'rubocop', '~> 0.14'
 gem 'berkshelf', '~> 2'
+
+group :integration do
+ gem 'test-kitchen'
+ gem 'kitchen-vagrant'
+end
diff --git a/Gemfile.lock b/Gemfile.lock
index ba823ef..477faf5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
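Review bot: Every suite in the new `.kitchen.yml` sets `data_bags_path: "chef/data_bags"`, and the `.gitignore` context in this same diff shows `chef/data_bags/secrets/*` is kept out of the repository, so a local converge may copy whatever real secrets a developer has in that directory into a throwaway Vagrant box. The `app` and `balancer` suites also name `ssl_key: rubygems.org.key` and `ssl_cert: rubygems.org.crt`; whether those resolve to production material is not visible here, but a test-only data bag directory with a self-signed certificate would remove the question. The `dbmaster` suite carries an empty `attributes:` key, and the two `application` blocks are identical, so a YAML anchor would keep them from drifting apart.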
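Review bot: `gem 'test-kitchen'` and `gem 'kitchen-vagrant'` in the new `:integration` group are the only entries in this Gemfile hunk without a version constraint, so a later `bundle update` can move to any future release of tools that hold SSH access to the test nodes. Matching the surrounding entries with pessimistic constraints taken from the lockfile in this commit would keep upgrades deliberate, e.g. `gem 'test-kitchen', '~> 1.2'` and `gem 'kitchen-vagrant', '~> 0.15'`.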
@@ -106,6 +106,8 @@ GEM i18n (0.6.9) ipaddress (0.8.0) json (1.7.7) + kitchen-vagrant (0.15.0) + test-kitchen (~> 1.0) knife-solo (0.4.0) chef (>= 10.12) erubis (~> 2.7.0) @@ -126,6 +128,8 @@ GEM multi_json (1.8.2) multipart-post (1.2.0) net-http-persistent (2.9) + net-scp (1.2.1) + net-ssh (>= 2.6.5) net-ssh (2.7.0) net-ssh-gateway (1.2.0) net-ssh (>= 2.6.5) @@ -180,6 +184,7 @@ GEM powerpack (~> 0.0.6) rainbow (>= 1.1.4) rubyntlm (0.1.1) + safe_yaml (1.0.3) savon (0.9.5) akami (~> 1.0) builder (>= 2.1.2) @@ -191,6 +196,12 @@ GEM slop (3.4.6) solve (0.8.2) systemu (2.5.2) + test-kitchen (1.2.1) + mixlib-shellout (~> 1.2) + net-scp (~> 1.1) + net-ssh (~> 2.7) + safe_yaml (~> 1.0) + thor (~> 0.18) thor (0.18.1) timers (2.0.0) hitimes @@ -221,5 +232,7 @@ DEPENDENCIES chef (~> 10.18) foodcritic (~> 3.0) fpm (~> 0.3) + kitchen-vagrant knife-solo (~> 0.3) rubocop (~> 0.14) + test-kitchen diff --git a/chef/roles/vagrant.rb b/chef/roles/vagrant.rb index 1f890dc..d2f24dc 100644 --- a/chef/roles/vagrant.rb +++ b/chef/roles/vagrant.rb @@ -1,13 +1,23 @@ name "vagrant" description "The base vagrant role with a few overrides" +run_list( + "recipe[rubygems::purge_denyhosts]" +) + override_attributes( "authorization" => { "sudo" => { "passwordless" => true } }, + "denyhosts" => { + "allowed_hosts" => ["10.0.2.2"] + }, "sudo" => { "add_vagrant" => true + }, + "nginx" => { + "log_dir" => "/var/log/nginx" } ) diff --git a/chef/site-cookbooks/rubygems/metadata.rb b/chef/site-cookbooks/rubygems/metadata.rb index 97d4f61..0169747 100644 --- a/chef/site-cookbooks/rubygems/metadata.rb +++ b/chef/site-cookbooks/rubygems/metadata.rb 
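Review bot: The `run_list` added to chef/roles/vagrant.rb ties `rubygems::purge_denyhosts` to every node that carries `role[vagrant]`, and nothing visible in the role checks that the node really is a local VM, so applying the role to a reachable host would clear its brute-force block list on each converge. A comment above the `run_list` stating that the role is for disposable Vagrant boxes only would make that boundary explicit. The `"allowed_hosts" => ["10.0.2.2"]` entry deserves one too, e.g. `# 10.0.2.2 is presumably the VirtualBox NAT gateway (the developer's host); do not add routable addresses here`.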
@@ -15,6 +15,7 @@
 recipe 'rubygems::monit', 'Configure monit logs and monitors'
 recipe 'rubygems::nginx_source', 'Installs nginx from our pre-build package'
 recipe 'rubygems::papertrail', 'Configures rsyslog to send logs to Papertrail'
+recipe 'rubygems::purge_denyhosts', 'Purges all blocked hosts'
 recipe 'rubygems::rails', 'Main app recipe'
 recipe 'rubygems::rails_nginx', 'nginx config for app server'
 recipe 'rubygems::stat-update', 'Installs stat-update from pre-built package'
diff --git a/chef/site-cookbooks/rubygems/recipes/purge_denyhosts.rb b/chef/site-cookbooks/rubygems/recipes/purge_denyhosts.rb
new file mode 100644
index 0000000..15277e5
--- /dev/null
+++ b/chef/site-cookbooks/rubygems/recipes/purge_denyhosts.rb
@@ -0,0 +1,23 @@
+#
+# Cookbook Name:: rubygems
+# Recipe:: purge_denyhosts
+#
+
+node.default['denyhosts']['work_dir'] = '/var/lib/denyhosts'
+
+%w(hosts hosts-restricted hosts-root hosts-valid user-hosts).each do |filename|
+ file File.join(node['denyhosts']['work_dir'], filename) do
+ content ''
+ notifies :restart, 'service[denyhosts]'
+ end
+end
+
+ruby_block "purge /etc/hosts.deny" do
+ block do
+ file = ::Chef::Util::FileEdit.new('/etc/hosts.deny')
+ file.search_file_delete_line(/^[^#|\s]/)
+ file.write_file
+ end
+ only_if { ::File.exists?('/etc/hosts.deny') }
+ notifies :restart, 'service[denyhosts]'
+end
diff --git a/test/integration/app/serverspec/spec_helper.rb b/test/integration/app/serverspec/spec_helper.rb
new file mode 100644
index 0000000..7cd08ba
--- /dev/null
+++ b/test/integration/app/serverspec/spec_helper.rb
@@ -0,0 +1,5 @@
+require 'serverspec'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+include Serverspec::Helper::Properties
diff --git a/test/integration/app/serverspec/stat-update_spec.rb b/test/integration/app/serverspec/stat-update_spec.rb
new file mode 100644
index 0000000..ae21645
--- /dev/null
+++ b/test/integration/app/serverspec/stat-update_spec.rb
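Review bot: The `ruby_block "purge /etc/hosts.deny"` in purge_denyhosts.rb is guarded only by the file existing, so it runs, reports a change and restarts denyhosts on every converge even when no entries are left to purge. Inside the character class of `/^[^#|\s]/` the `|` is a literal pipe, not alternation, so `/^[^#\s]/` states what is presumably meant. The guard could then check for real work, `only_if { ::File.exist?('/etc/hosts.deny') && ::File.foreach('/etc/hosts.deny').any? { |l| l =~ /^[^#\s]/ } }`, which also drops the deprecated `File.exists?`. Both `notifies :restart, 'service[denyhosts]'` calls assume another recipe earlier in the run list declares that service; nothing in this diff shows it.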
@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe 'rubygems::stat-update' do
+
+ describe package('stat-update') do
+ it { should be_installed }
+ end
+
+end
diff --git a/test/integration/base/serverspec/default_spec.rb b/test/integration/base/serverspec/default_spec.rb
new file mode 100644
index 0000000..82a4444
--- /dev/null
+++ b/test/integration/base/serverspec/default_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe 'rubygems::default' do
+
+end
diff --git a/test/integration/base/serverspec/spec_helper.rb b/test/integration/base/serverspec/spec_helper.rb
new file mode 100644
index 0000000..7cd08ba
--- /dev/null
+++ b/test/integration/base/serverspec/spec_helper.rb
@@ -0,0 +1,5 @@
+require 'serverspec'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+include Serverspec::Helper::Properties
diff --git a/test/integration/base/serverspec/system_ruby_spec.rb b/test/integration/base/serverspec/system_ruby_spec.rb
new file mode 100644
index 0000000..5f1c31e
--- /dev/null
+++ b/test/integration/base/serverspec/system_ruby_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'rubygems::system_ruby' do
+
+ describe package('ruby1.9.1-full') do
+ it { should be_installed }
+ end
+
+ describe command('ruby -v') do
+ it { should return_stdout(/ruby 1\.9\.3p0/) }
+ end
+
+end
diff --git a/test/integration/base/serverspec/users_spec.rb b/test/integration/base/serverspec/users_spec.rb
new file mode 100644
index 0000000..6ae38d3
--- /dev/null
+++ b/test/integration/base/serverspec/users_spec.rb
@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe 'rubygems::users' do
+
+ describe user('deploy') do
+ it { should exist }
+ end
+
+ describe group('sysadmin') do
+ it { should exist }
+ end
+
+ describe user('dwradcliffe') do
+ it { should exist }
+ it { should belong_to_group 'sysadmin' }
+ end
+
+ describe user('evan') do
+ it { should exist }
+ it { should belong_to_group 'sysadmin' }
+ end
+
+ describe user('samkottler') do
+ it { should exist }
+ it { should belong_to_group 'sysadmin' }
+ end
+
+ describe user('qrush') do
+ it { should exist }
+ it { should belong_to_group 'sysadmin' }
+ end
+
+end
diff --git a/test/integration/dbmaster/serverspec/postgresql_spec.rb b/test/integration/dbmaster/serverspec/postgresql_spec.rb
new file mode 100644
index 0000000..9cfc8bf
--- /dev/null
+++ b/test/integration/dbmaster/serverspec/postgresql_spec.rb
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe 'postgresql' do
+
+ describe package('postgresql-9.2') do
+ it { should be_installed }
+ end
+
+ describe command('psql --version') do
+ it { should return_stdout(/9.2.8/) }
+ end
+
+ describe service('postgresql') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+end
diff --git a/test/integration/dbmaster/serverspec/spec_helper.rb b/test/integration/dbmaster/serverspec/spec_helper.rb
new file mode 100644
index 0000000..7cd08ba
--- /dev/null
+++ b/test/integration/dbmaster/serverspec/spec_helper.rb
@@ -0,0 +1,5 @@
+require 'serverspec'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+include Serverspec::Helper::Properties
diff --git a/vendor/cache/kitchen-vagrant-0.15.0.gem b/vendor/cache/kitchen-vagrant-0.15.0.gem
new file mode 100644
index 0000000..35e23fd
Binary files /dev/null and b/vendor/cache/kitchen-vagrant-0.15.0.gem differ
diff --git a/vendor/cache/net-scp-1.2.1.gem b/vendor/cache/net-scp-1.2.1.gem
new file mode 100644
index 0000000..edd8530
Binary files /dev/null and b/vendor/cache/net-scp-1.2.1.gem differ
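Review bot: In postgresql_spec.rb the expectation `return_stdout(/9.2.8/)` leaves its dots unescaped, so each one matches any character, and pinning the full patch release means the suite fails as soon as a PostgreSQL security update is installed. `it { should return_stdout(/\b9\.2\.\d+\b/) }` checks for the 9.2 series while leaving room for patch updates. The `ruby -v` expectation in system_ruby_spec.rb already escapes its dots, so this would also make the two specs consistent.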
diff --git a/vendor/cache/safe_yaml-1.0.3.gem b/vendor/cache/safe_yaml-1.0.3.gem
new file mode 100644
index 0000000..a023a58
Binary files /dev/null and b/vendor/cache/safe_yaml-1.0.3.gem differ
diff --git a/vendor/cache/test-kitchen-1.2.1.gem b/vendor/cache/test-kitchen-1.2.1.gem
new file mode 100644
index 0000000..efa03d6
Binary files /dev/null and b/vendor/cache/test-kitchen-1.2.1.gem differ