diff --git a/.zuul.yaml b/.zuul.yaml
index 61ac9575d4..4984146f58 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -22,6 +22,26 @@
     vars:
       project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
 
+- job:
+    name: system-config-run-base
+    nodeset:
+      nodes:
+        - name: bridge.openstack.org
+          label: ubuntu-bionic
+        - name: trusty
+          label: ubuntu-trusty
+        - name: xenial
+          label: ubuntu-xenial
+        - name: bionic
+          label: ubuntu-bionic
+        - name: centos7
+          label: centos-7
+    pre-run: playbooks/zuul/run-base-pre.yaml
+    run: playbooks/zuul/run-base.yaml
+    files:
+      - playbooks/.*
+      - roles/.*
+
 - project:
     check:
       jobs:
@@ -29,6 +49,7 @@
         - puppet-beaker-rspec-infra-centos-7-system-config
         - puppet-beaker-rspec-puppet-4-infra-system-config
         - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
+        - system-config-run-base
     gate:
       jobs:
         - puppet-beaker-rspec-infra-system-config
diff --git a/playbooks/roles/base-server/defaults/main.yaml b/playbooks/roles/base-server/defaults/main.yaml
index e5189dd8f4..570a19838f 100644
--- a/playbooks/roles/base-server/defaults/main.yaml
+++ b/playbooks/roles/base-server/defaults/main.yaml
@@ -1,5 +1,6 @@
 bastion_ipv4: 23.253.245.198,23.253.234.219
 bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072,2001:4800:7817:103:be76:4eff:fe04:5a1d
+bastion_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15
 base_packages:
   - at
   - git
diff --git a/playbooks/roles/base-server/tasks/main.yaml b/playbooks/roles/base-server/tasks/main.yaml
index c31b014260..2ccbf01ca1 100644
--- a/playbooks/roles/base-server/tasks/main.yaml
+++ b/playbooks/roles/base-server/tasks/main.yaml
@@ -36,8 +36,7 @@
     state: present
     user: root
     exclusive: yes
-    key: |
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15
+    key: "{{ bastion_public_key }}"
     key_options: |
       from="{{ bastion_ipv4 }},{{ bastion_ipv6 }},localhost"
 
diff --git a/playbooks/zuul/run-base-pre.yaml b/playbooks/zuul/run-base-pre.yaml
new file mode 100644
index 0000000000..3f74a35928
--- /dev/null
+++ b/playbooks/zuul/run-base-pre.yaml
@@ -0,0 +1,5 @@
+- hosts: all
+  roles:
+    - ensure-tox
+    - multi-node-known-hosts
+    - copy-build-sshkey
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
new file mode 100644
index 0000000000..f1caf79f96
--- /dev/null
+++ b/playbooks/zuul/run-base.yaml
@@ -0,0 +1,51 @@
+- import_playbook: ../bridge.yaml
+  vars:
+    root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa') }}"
+
+- hosts: bridge.openstack.org
+  become: true
+  tasks:
+    - name: Write inventory on bridge
+      include_role:
+        name: write-inventory
+      vars:
+        write_inventory_dest: /etc/ansible/hosts/inventory.yaml
+        write_inventory_exclude_hostvars:
+          - ansible_user
+    - name: Update ansible.cfg to use job inventory
+      ini_file:
+        path: /etc/ansible/ansible.cfg
+        section: defaults
+        option: inventory
+        value: /etc/ansible/hosts/inventory.yaml
+    - name: Set up /opt/system-config repo
+      git:
+        repo: /home/zuul/src/git.openstack.org/openstack-infra/system-config
+        dest: /opt/system-config
+        force: yes
+    - name: Make host_vars directory
+      file:
+        path: "/etc/ansible/hosts/host_vars"
+        state: directory
+    - name: Make group_vars directory
+      file:
+        path: "/etc/ansible/hosts/group_vars"
+        state: directory
+    - name: Write hostvars files
+      vars:
+        bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
+        bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
+        bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
+      template:
+        src: "templates/{{ item }}.j2"
+        dest: "/etc/ansible/hosts/{{ item }}"
+      loop:
+        - group_vars/all.yaml
+    - name: Run base.yaml
+      command: ansible-playbook /home/zuul/src/git.openstack.org/openstack-infra/system-config/playbooks/base.yaml
+    - name: Run testinfra to validate configuration
+      include_role:
+        name: tox
+      vars:
+        tox_envlist: testinfra
+        tox_extra_args: testinfra/test_base.py
diff --git a/playbooks/zuul/templates/group_vars/all.yaml.j2 b/playbooks/zuul/templates/group_vars/all.yaml.j2
new file mode 100644
index 0000000000..42d75091d7
--- /dev/null
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@@ -0,0 +1,10 @@
+# If the bastion ipv4 or v6 addresses aren't available (because this
+# job runs in an environment without them) just fall back to the
+# defaults for the real bridge.
+{% if bastion_ipv4 %}
+bastion_ipv4: {{ bastion_ipv4 }}
+{% endif %}
+{% if bastion_ipv6 %}
+bastion_ipv6: {{ bastion_ipv6 }}
+{% endif %}
+bastion_public_key: {{ bastion_public_key }}
diff --git a/test-requirements.txt b/test-requirements.txt
index 7e91d8cd73..069a94eccb 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7,3 +7,7 @@ PyYAML>=3.10.0 # MIT
 ansible-lint
 openstacksdk
 zuul-sphinx>=0.2.3
+testinfra
+# pytest-xdist is a plugin for pytest which allows parallel execution,
+# used by testinfra
+pytest-xdist
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
new file mode 100644
index 0000000000..2b0909f0f9
--- /dev/null
+++ b/testinfra/test_base.py
@@ -0,0 +1,23 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+def test_exim_is_installed(host):
+    if host.system_info.distribution in ['ubuntu', 'debian']:
+        exim = host.package("exim4-base")
+    else:
+        exim = host.package("exim")
+    assert exim.is_installed
+
+    cmd = host.run("exim -bt root")
+    assert cmd.rc == 0
diff --git a/tox.ini b/tox.ini
index ea8a97d99e..2af1468850 100644
--- a/tox.ini
+++ b/tox.ini
@@ -29,6 +29,9 @@ commands = {posargs}
 deps = -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -W -E -b html doc/source doc/build/html
 
+[testenv:testinfra]
+commands = py.test -n 5 --connection=ansible --ansible-inventory=/etc/ansible/hosts/inventory.yaml --hosts=all -v {posargs}
+
 [flake8]
 show-source = True
 exclude = .tox,.eggs