diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 9dd7df2..b487c13 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -46,6 +46,7 @@ hiera_classes: - timezone profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' +profiles::ntp::client::use_ntp: 'region' profiles::ntp::client::peers: - 0.pool.ntp.org - 1.pool.ntp.org diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index fb463d6..5d30011 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -6,20 +6,6 @@ class profiles::base ( # install the vault ca first include profiles::pki::vaultca - # manage package repositories - case $facts['os']['family'] { - 'RedHat': { - include profiles::yum::global - include profiles::firewall::firewalld - } - 'Debian': { - include profiles::apt::global - } - default: { - fail("Unsupported OS family ${facts['os']['family']}") - } - } - # manage the puppet agent include profiles::puppet::agent @@ -29,6 +15,7 @@ class profiles::base ( } # include the base profiles + include profiles::base::repos include profiles::packages include profiles::base::facts include profiles::base::motd @@ -63,4 +50,10 @@ class profiles::base ( # include classes from hiera lookup('hiera_classes', Array[String], 'unique').include + + # specifc ordering constraints + Class['profiles::pki::vaultca'] + -> Class['profiles::base::repos'] + -> Class['profiles::packages'] + } diff --git a/site/profiles/manifests/base/repos.pp b/site/profiles/manifests/base/repos.pp new file mode 100644 index 0000000..8d3223f --- /dev/null +++ b/site/profiles/manifests/base/repos.pp @@ -0,0 +1,16 @@ +# profiles::base::repos +class profiles::base::repos { + # manage package repositories + case $facts['os']['family'] { + 'RedHat': { + include profiles::yum::global + include profiles::firewall::firewalld + } + 'Debian': { + include profiles::apt::global + } + default: { + fail("Unsupported OS family ${facts['os']['family']}") + } + } +} 
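Review bot: The ordering chain added at the end of `profiles::base` (`Class['profiles::pki::vaultca'] -> Class['profiles::base::repos'] -> Class['profiles::packages']`) probably does not order the repository resources themselves. The new `profiles::base::repos` pulls in `profiles::yum::global`, `profiles::firewall::firewalld` and `profiles::apt::global` with `include`, and a class declared with `include` is not contained by the class that declares it. As written, the yum/apt repository definitions can still be applied before the Vault CA is installed or after `profiles::packages`, which is the case the chain is meant to rule out. In repos.pp, `contain profiles::yum::global` and `contain profiles::apt::global` would carry the relationship through; whether `profiles::firewall::firewalld` belongs inside that chain is worth deciding explicitly, since it is not a repository concern. The comment in the same hunk reads `# specifc ordering constraints` and should be `# specific ordering constraints`.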
diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index dcb43af..e22e964 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -32,8 +32,8 @@ class profiles::dns::base ( # include resolvconf class class { 'profiles::dns::resolvconf': - nameservers => $nameserver_array, - search_domains => $search_array, + nameservers => sort($nameserver_array), + search_domains => sort($search_array), } # export dns records for client diff --git a/site/profiles/manifests/ntp/client.pp b/site/profiles/manifests/ntp/client.pp index e3c90a7..c09cff2 100644 --- a/site/profiles/manifests/ntp/client.pp +++ b/site/profiles/manifests/ntp/client.pp @@ -11,6 +11,11 @@ class profiles::ntp::client ( 'running', 'stopped' ] $wait_ensure = 'running', + Enum[ + 'all', + 'region', + 'country' + ] $use_ntp = 'all', Boolean $client_only = true, ) { @@ -18,23 +23,25 @@ class profiles::ntp::client ( # through the profiles::ntp::server class. if $client_only { - # if ntp_role is set, find all hosts matching that enc_role - if $ntp_role == undef { - $ntpserver_array = $peers - }else{ - $ntpserver_array = query_nodes("enc_role='${ntp_role}'", 'networking.fqdn') + $ntpserver_array = $ntp_role ? { + undef => $peers, + default => $use_ntp ? { + 'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'), + 'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'), + 'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'), + } } # Define the client configuration based on OS family if $facts['os']['family'] == 'RedHat' { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), wait_enable => $wait_enable, wait_ensure => $wait_ensure, } } else { class { 'chrony': - servers => $ntpserver_array, + servers => sort($ntpserver_array), } } } 
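Review bot: `sort($nameserver_array)` in the `profiles::dns::resolvconf` declaration changes resolver priority as well as stabilising the catalog, because resolv.conf entries are tried in the order listed. How `$nameserver_array` is built lies outside this hunk. If it comes from an unordered PuppetDB query the sort is a reasonable fix for churn, but if any caller passes a deliberately ordered list (preferred or local resolver first), the lexical sort silently overrides it. A comment such as `# sorted for a stable catalog; resolver order is not significant here` would record the assumption.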
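Review bot: The `'region'` and `'country'` branches of the new selector in `profiles::ntp::client` interpolate `${facts['region']}` and `${facts['country']}` into the `query_nodes` string unquoted, while `enc_role` on the same lines is quoted. Facts are reported by the agent, so a missing or oddly formed value yields a malformed or differently scoped query at compile time. Writing `region='${facts['region']}'` and `country='${facts['country']}'` keeps the value a string literal, and validating the fact against an expected pattern before use would be stricter still. With `use_ntp: 'region'` now set in common.yaml for every node, a node whose region has no matching NTP server gets an empty `servers` list for chrony; falling back to `$peers`, or failing the compile, when the query result is empty would avoid silently running without time sync. The `if $client_only` block begins outside the hunk.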
diff --git a/site/profiles/manifests/proxmox/params.pp b/site/profiles/manifests/proxmox/params.pp
index 2a4844e..d520f45 100644
--- a/site/profiles/manifests/proxmox/params.pp
+++ b/site/profiles/manifests/proxmox/params.pp
@@ -23,7 +23,8 @@ class profiles::proxmox::params (
 'proxmox-ve',
 'postfix',
 'open-iscsi',
- 'frr-pythontools'
+ 'frr-pythontools',
+ 'ksm-control-daemon'
 ],
 Array $pve_packages_remove = [
 'os-prober',