diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000..d064d49
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,41 @@
+- project:
+    check:
+      jobs:
+        - novajoin-functional:
+            voting: false
+
+- job:
+    name: novajoin-functional
+    description: |
+      Run functional tests for novajoin.
+    parent: devstack-tox-base
+    nodeset: devstack-single-node-centos-7
+    pre-run: playbooks/functional/pre.yaml
+    run: playbooks/functional/run.yaml
+    post-run: playbooks/functional/post.yaml
+    vars:
+      devstack_services:
+        # FreeIPA is using Apache with TLS
+        tls-proxy: false
+        # Disable Swift services
+        s-account: false
+        s-container: false
+        s-object: false
+        s-proxy: false
+        # Disable Cinder services
+        c-api: false
+        c-bak: false
+        c-sch: false
+        c-vol: false
+        cinder: false
+    group-vars:
+      # This job runs single node, but for completeness:
+      subnode:
+        devstack_services:
+          # FreeIPA is using Apache with TLS
+          tls-proxy: false
+          # Disable Swift services
+          # s-*: false
+          # Disable Cinder services
+          c-bak: false
+          c-vol: false
diff --git a/README.rst b/README.rst
index a151bfc..9c3fc06 100644
--- a/README.rst
+++ b/README.rst
@@ -38,10 +38,14 @@ Package Requirements
 Beyond those packages normally installed by Openstack, these are also
 required::
 
-    {free}ipa-python
+  python-ipalib
+  python-ipaclient
 
-These may be pip-installable but as of March 2017 it has only been
-extensively tested with real packages installed on RHEL/CentOS/Fedora.
+These may be pip-installable but still require other system packages
+like `krb5-devel` to be present and may not be compatible with your
+FreeIPA installation, so it is best to install them with your system
+package manager. Functional tests are configured to run against
+system packages found on RHEL/CentOS/Fedora.
 
 
 Configuration
diff --git a/bindep.txt b/bindep.txt
new file mode 100644
index 0000000..41fa95d
--- /dev/null
+++ b/bindep.txt
@@ -0,0 +1,5 @@
+# System distribution package dependencies
+# This is used by bindep: sudo [apt-get | yum] install $(bindep -b)
+
+python-ipalib
+python-ipaclient
diff --git a/playbooks/functional/post.yaml b/playbooks/functional/post.yaml
new file mode 100644
index 0000000..2e23a9d
--- /dev/null
+++ b/playbooks/functional/post.yaml
@@ -0,0 +1,33 @@
+- hosts: all
+  tasks:
+
+    - name: Make ipaserver-install log readable
+      file:
+        path: "/var/log/ipaserver-install.log"
+        mode: 0644
+      become: true
+      failed_when: false
+
+    - name: Collect ipaserver-install logs
+      synchronize:
+        dest: "{{ zuul.executor.log_root }}"
+        mode: pull
+        src: "/var/log/ipaserver-install.log"
+        verify_host: true
+      failed_when: false
+
+    - name: Collect novajoin-install logs
+      synchronize:
+        dest: "{{ zuul.executor.log_root }}"
+        mode: pull
+        src: "/var/log/novajoin-install.log"
+        verify_host: true
+      failed_when: false
+
+    - name: Collect novajoin logs
+      synchronize:
+        dest: "{{ zuul.executor.log_root }}"
+        mode: pull
+        src: "/var/log/novajoin"
+        verify_host: true
+      failed_when: false
diff --git a/playbooks/functional/pre.yaml b/playbooks/functional/pre.yaml
new file mode 100644
index 0000000..9cfa5df
--- /dev/null
+++ b/playbooks/functional/pre.yaml
@@ -0,0 +1,27 @@
+- hosts: all
+  tasks:
+
+    - name: Change hostname in /etc/hosts
+      replace:
+        path: /etc/hosts
+        regexp: '{{ ansible_hostname }}'
+        replace: '{{ ansible_hostname }}.example.test {{ ansible_hostname }}'
+      become: true
+
+    - name: Remove 127.0.1.1 from /etc/hosts
+      lineinfile:
+        path: /etc/hosts
+        regexp: '127\.0\.1\.1'
+        state: absent
+      become: true
+
+    - name: Remove controller from /etc/hosts
+      lineinfile:
+        path: /etc/hosts
+        regexp: 'controller'
+        state: absent
+      become: true
+
+    - name: Change hostname
+      command: 'hostnamectl set-hostname {{ ansible_hostname }}.example.test'
+      become: true
diff --git a/playbooks/functional/run.yaml b/playbooks/functional/run.yaml
new file mode 100644
index 0000000..5a814a2
--- /dev/null
+++ b/playbooks/functional/run.yaml
@@ -0,0 +1,12 @@
+- hosts: all
+  roles:
+    - run-devstack
+    - configure-freeipa
+    - role: bindep
+      bindep_profile: test
+      bindep_dir: "{{ zuul_work_dir }}"
+    - configure-novajoin
+    - download-centos
+    - test-setup
+    - ensure-tox
+    - tox
diff --git a/roles/configure-freeipa/tasks/main.yaml b/roles/configure-freeipa/tasks/main.yaml
new file mode 100644
index 0000000..d1a33c5
--- /dev/null
+++ b/roles/configure-freeipa/tasks/main.yaml
@@ -0,0 +1,59 @@
+- name: Find Paramiko ssh_gss.py
+  command: python -c "from paramiko import ssh_gss; print(ssh_gss.__file__.rstrip('c'))"
+  register: ssh_gss_file
+
+- name: Patch Paramiko (https://github.com/paramiko/paramiko/pull/1311)
+  replace:
+    path: '{{ ssh_gss_file.stdout }}'
+    regexp: 'GSS_EXCEPTIONS = \(gssapi.GSSException,\)'
+    replace: 'GSS_EXCEPTIONS = ()'
+  become: true
+
+- name: Patch Paramiko (https://github.com/paramiko/paramiko/pull/1311)
+  replace:
+    path: '{{ ssh_gss_file.stdout }}'
+    regexp: 'GSS_AUTH_AVAILABLE = True'
+    replace: 'GSS_AUTH_AVAILABLE = False'
+  become: true
+
+- name: Uninstall urllib3 to fix later conflict with python-urllib3 system package
+  pip:
+    name: urllib3
+    state: absent
+  become: true
+
+- name: Install FreeIPA
+  package:
+    name: ipa-server-dns
+    state: present
+  become: true
+
+- name: check if mod_nss is installed
+  package:
+    name: mod_nss
+    state: present
+  check_mode: true
+  ignore_errors: yes
+  register: mod_nss_check
+
+- name: Remove mod_ssl config which conflicts with FreeIPA
+  file:
+    path: /etc/httpd/conf.d/ssl.conf
+    state: absent
+  become: true
+  when: not mod_nss_check.changed
+
+- name: Stop unbound
+  systemd:
+    name: unbound
+    state: stopped
+  become: true
+
+- name: Configure FreeIPA
+  command: >
+    ipa-server-install -U -r EXAMPLE.TEST
+    -p password -a password --hostname {{ ansible_hostname }}.example.test
+    --ip-address={{ ansible_default_ipv4.address }} --setup-dns --no-reverse
+    --forwarder={{ unbound_primary_nameserver_v4 | default('1.1.1.1') }}
+    --forwarder={{ unbound_secondary_nameserver_v4 | default('8.8.8.8') }}
+  become: true
diff --git a/roles/configure-novajoin/tasks/main.yaml b/roles/configure-novajoin/tasks/main.yaml
new file mode 100644
index 0000000..7e7ae6b
--- /dev/null
+++ b/roles/configure-novajoin/tasks/main.yaml
@@ -0,0 +1,55 @@
+- name: Build novajoin
+  command: python setup.py build
+  args:
+    chdir: '{{ zuul.project.src_dir }}'
+
+- name: Install novajoin
+  command: python setup.py install
+  args:
+    chdir: '{{ zuul.project.src_dir }}'
+  become: true
+
+- name: Configure novajoin
+  shell: >
+    source /opt/stack/devstack/openrc admin admin &&
+    novajoin-install --debug --principal admin --password password
+    --user stack --nova-password secretservice
+    --keystone-auth-url http://127.0.0.1/identity
+  args:
+    executable: /bin/bash
+  become: true
+
+- name: Create novajoin log directory
+  file:
+    path: /var/log/novajoin
+    state: directory
+    owner: stack
+  become: true
+
+- name: Start novajoin-server
+  shell: nohup novajoin-server --debug </dev/null >/dev/null 2>&1 &
+  become: true
+  become_user: stack
+
+- name: Start novajoin-notify
+  shell: nohup novajoin-notify --debug </dev/null >/dev/null 2>&1 &
+  become: true
+  become_user: stack
+
+- name: Restart nova services
+  command: systemctl restart devstack@n-*
+  become: true
+
+- name: Set FreeIPA DNS in demo private-subnet
+  shell: >
+    source /opt/stack/devstack/openrc demo demo &&
+    openstack subnet set --no-dns-nameservers private-subnet &&
+    openstack subnet set --dns-nameserver {{ ansible_default_ipv4.address }} private-subnet
+  args:
+    executable: /bin/bash
+
+- name: Chmod /etc/novajoin/krb5.keytab for use by tests
+  file:
+    path: /etc/novajoin/krb5.keytab
+    mode: 0644
+  become: true
diff --git a/roles/download-centos/tasks/main.yaml b/roles/download-centos/tasks/main.yaml
new file mode 100644
index 0000000..7ea27e5
--- /dev/null
+++ b/roles/download-centos/tasks/main.yaml
@@ -0,0 +1,16 @@
+- name: Download image
+  get_url:
+    url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2.xz
+    dest: /tmp/centos-image.qcow2.xz
+
+- name: Extract image
+  command: unxz /tmp/centos-image.qcow2.xz
+
+- name: Add centos-image to Glance
+  shell: >
+    source /opt/stack/devstack/openrc admin admin &&
+    openstack image create --disk-format qcow2 --container-format bare
+    --public --file /tmp/centos-image.qcow2 centos-image
+  args:
+    executable: /bin/bash
+  become: true
diff --git a/tox.ini b/tox.ini
index 6c58567..94bb66a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -69,7 +69,7 @@ envdir = {toxworkdir}/pep8
 commands = oslo-config-generator --config-file=files/novajoin-config-generator.conf
 
 [testenv:functional]
-basepython = python3
+sitepackages = true
 deps = -r{toxinidir}/test-requirements.txt
 setenv =
     OS_TEST_PATH={toxinidir}/novajoin/tests/functional