diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index eab58f7..9d5eab5 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -30,6 +30,12 @@ lookup_options:
 haproxy::backend:
 merge:
 strategy: deep
+ sudo::configs:
+ merge:
+ strategy: deep
+ profiles::base::groups::local:
+ merge:
+ strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -59,7 +65,6 @@ profiles::packages::install:
 - iotop
 - jq
 - lz4
- - lzo
 - mtr
 - ncdu
 - neovim
@@ -79,7 +84,6 @@ profiles::packages::install:
 - vim
 - vnstat
 - wget
- - xz
 - zsh
 - zstd
@@ -111,6 +115,19 @@ profiles::puppet::client::usecacheonfailure: false
 prometheus::node_exporter::export_scrape_job: true
 prometheus::systemd_exporter::export_scrape_job: true
+profiles::base::groups::local:
+ admins:
+ ensure: present
+ gid: 10000
+ allowdupe: false
+ forcelocal: true
+
+sudo::configs:
+ admins:
+ priority: 10
+ content: |
+ %admins ALL=(ALL) NOPASSWD: ALL
+
 profiles::accounts::sysadmin::sshkeys:
 - ssh-rsa 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 ben@unkin.net
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index e883c29..62f35d0 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -7,5 +7,8 @@ profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos
 profiles::firewall::firewalld::ensure_package: 'absent'
 profiles::firewall::firewalld::ensure_service: 'stopped'
 profiles::firewall::firewalld::enable_service: false
-
 profiles::puppet::agent::puppet_version: '7.26.0'
+
+profiles::packages::install:
+ - lzo
+ - xz
diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml
index aa8a5bf..bfcaaee 100644
--- a/hieradata/os/Debian/all_releases.yaml
+++ b/hieradata/os/Debian/all_releases.yaml
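Review bot: The added `sudo::configs` entry gives every member of `admins` passwordless root, and because the `@@ -30` hunk deep-merges `sudo::configs`, a more specific hiera level can add further rules but can never override or remove this one. `profiles::accounts::sysadmin` (the `sysadmin.pp` hunk further down) still carries its own `sysadmin ALL=(ALL) NOPASSWD:ALL` rule, so that account now receives the same grant twice. A short comment above the block would make the scope explicit for later readers, e.g. `# any member of the admins group gets unrestricted passwordless root; membership comes from profiles::base::groups::local`.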
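Review bot: Adding `profiles::packages::install` to an OS-level file only extends the common list if that key has a merge strategy in `lookup_options`; the `@@ -30` hunk declares strategies for `haproxy::backend`, `sudo::configs` and `profiles::base::groups::local` but not for this key, so unless one is declared outside the hunk the AlmaLinux value will replace the whole common package list with two entries rather than add `lzo` and `xz` back. The same applies to the `profiles::packages::install` block in the Debian hunk. If a `unique` merge is in fact configured elsewhere, a one-line comment such as `# merged with the common list via lookup_options` next to the key would save the next reader the check.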
@@ -1,7 +1,12 @@
 # hieradata/os/debian/all_releases.yaml
 ---
-profiles::apt::base::mirrorurl: http://debian.mirror.digitalpacific.com.au/debian
+profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
 profiles::apt::base::secureurl: http://security.debian.org/debian-security
 profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
 profiles::apt::puppet7::repo: puppet7
-profiles::apt::puppet7::dist: bullseye
+profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
+
+profiles::packages::install:
+ - lzop
+ - python3.11-venv
+ - xz-utils
diff --git a/site/profiles/manifests/accounts/sysadmin.pp b/site/profiles/manifests/accounts/sysadmin.pp
index 0c21bf7..f766f31 100644
--- a/site/profiles/manifests/accounts/sysadmin.pp
+++ b/site/profiles/manifests/accounts/sysadmin.pp
@@ -7,9 +7,10 @@ class profiles::accounts::sysadmin(
 username => 'sysadmin',
 uid => 1000,
 gid => 1000,
- groups => ['adm', 'wheel', 'systemd-journal'],
+ groups => ['adm', 'admins', 'systemd-journal'],
 sshkeys => $sshkeys,
 sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
 password => $password,
+ require => Group['admins'],
 }
 }
diff --git a/site/profiles/manifests/apt/puppet7.pp b/site/profiles/manifests/apt/puppet7.pp
index e9e336f..6424efe 100644
--- a/site/profiles/manifests/apt/puppet7.pp
+++ b/site/profiles/manifests/apt/puppet7.pp
@@ -30,27 +30,17 @@ class profiles::apt::puppet7 (
 Array[String] $managed_repos,
 String $mirror,
 String $repo,
- String $dist,
 ) {
 $codename = $facts['os']['distro']['codename']
 if 'puppet7' in $managed_repos {
- $puppet_source = "${mirror}/${repo}-release-${dist}.deb"
-
- # Install the puppet release using dpkg
- package { "${repo}-${dist}":
- ensure => installed,
- name => "${repo}-release",
- provider => dpkg,
- source => $puppet_source,
- }
 # deb http://apt.puppet.com bullseye puppet7
 apt::source { 'puppet7':
 location => $mirror,
 repos => $repo,
- release => $dist,
+ release => $codename,
 include => {
 'src' => false,
 'deb' => true,
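Review bot: The new key `profiles::pki::vaultca::ca_cert-path` contains a hyphen, which is not legal in a Puppet parameter name, so automatic parameter lookup can never bind it to any parameter of `profiles::pki::vaultca`; if it is meant to drive the `$ca_cert_target_path` seen in the `vaultca.pp` hunk, the key must match the declared parameter name exactly (underscores only, e.g. `profiles::pki::vaultca::ca_cert_path` or whatever the class declares). A silently ignored key here leaves the CA certificate landing wherever the class default points, with no warning. The trailing slash on the value is also worth checking against how the class joins the path.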
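Review bot: `require => Group['admins']` is a hard reference to a resource that exists only when the node's `profiles::base::groups::local` hiera data contains an `admins` entry (the new `profiles::base::groups` class declares groups purely from that hash), so a node or layer that omits it fails catalog compilation on this class rather than merely losing the membership. Dropping `wheel` from `groups` while keeping `sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL']` means the account now holds the same passwordless-root grant both directly and via `%admins`; keeping only one of the two leaves a single place to audit. The resource whose attributes these are opens before the hunk.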
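Review bot: The removed `package { "${repo}-${dist}": }` resource installed the vendor release deb, which is normally what places the repository signing key on the host; the surviving `apt::source { 'puppet7': }` shows no `key` or `keyring` attribute within the hunk, so unless one appears in the part of the resource body after `'deb' => true,` (outside the hunk), apt will reject the repository as unsigned after this change. If the key is provided elsewhere, a comment on the source such as `# signing key is managed by <placeholder: class or resource>` would record the dependency. Separately, `$codename` is read from `$facts['os']['distro']['codename']` with no check; an absent fact yields `undef` and an `apt::source` with no release, so asserting it is a non-empty `String` before the `if` would fail earlier and more clearly.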
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 647b5ea..65bf0cb 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -34,6 +34,7 @@ class profiles::base (
 include profiles::base::motd
 include profiles::base::scripts
 include profiles::base::hosts
+ include profiles::base::groups
 include profiles::accounts::sysadmin
 include profiles::ntp::client
 include profiles::dns::base
diff --git a/site/profiles/manifests/base/groups.pp b/site/profiles/manifests/base/groups.pp
new file mode 100644
index 0000000..56d9237
--- /dev/null
+++ b/site/profiles/manifests/base/groups.pp
@@ -0,0 +1,12 @@
+# profiles::base::groups
+# simple group management
+class profiles::base::groups (
+ Hash $local = {},
+) {
+ $local.each |$group, $data| {
+ group { $group:
+ name => $group,
+ * => $data,
+ }
+ }
+}
diff --git a/site/profiles/manifests/pki/vault.pp b/site/profiles/manifests/pki/vault.pp
index 7008085..e680383 100644
--- a/site/profiles/manifests/pki/vault.pp
+++ b/site/profiles/manifests/pki/vault.pp
@@ -23,12 +23,26 @@ class profiles::pki::vault (
 $alt_names_file = "${base_path}/alt_names"
 # ensure the base directory exists
- file { $base_path:
+ file { '/etc/pki':
 ensure => directory,
 owner => 'root',
 group => 'root',
 mode => '0755',
 }
+ file { '/etc/pki/tls':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ require => File['/etc/pki']
+ }
+ file { $base_path:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ require => File['/etc/pki/tls']
+ }
 # alt_names_file contents
 $alt_names_content = concat($effective_alt_names, $effective_ip_sans)
@@ -40,6 +54,7 @@ class profiles::pki::vault (
 group => 'root',
 mode => '0644',
 content => join($alt_names_content, "\n"),
+ require => File[$base_path]
 }
 # compare the sorted arrays of altnames from disk (fact) vs what is intended (this run)
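Review bot: `Hash $local = {}` accepts any hash, but the body splats each value into a `group` resource, so a value that is not itself a hash fails deep inside the `each` with an unhelpful message; tightening the signature to `Hash[String, Hash] $local = {},` reports bad hiera data at the class boundary instead. The explicit `name => $group` duplicates the resource title and collides with any splat hash that also carries `name`, so dropping it and letting `* => $data` be the sole source of attributes is both shorter and safer. A header comment stating that keys are group names and values are passed straight through as `group` attributes, and that the hash is deep-merged across hiera levels per the `lookup_options` hunk, would replace `# simple group management` usefully.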
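Review bot: The three directory resources chain `require` on their parents, but Puppet autorequires the managed parent `File` of any path, so `require => File['/etc/pki']`, `require => File['/etc/pki/tls']` and the `require => File[$base_path]` added in the `@@ -40` hunk are redundant, and the ones kept should end in a trailing comma to match the surrounding attribute style. The more consequential point is that `/etc/pki` and `/etc/pki/tls` are distribution-owned directories that other classes or modules may also declare; a second `File['/etc/pki']` anywhere in the catalog is a duplicate-declaration failure, so if this profile is not their single owner they belong behind `ensure_resource` or in a shared base profile. The enclosing `class profiles::pki::vault` starts before the hunk.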
diff --git a/site/profiles/manifests/pki/vaultca.pp b/site/profiles/manifests/pki/vaultca.pp
index 856459f..9ebc067 100644
--- a/site/profiles/manifests/pki/vaultca.pp
+++ b/site/profiles/manifests/pki/vaultca.pp
@@ -30,7 +30,7 @@ class profiles::pki::vaultca {
 # Execute the system command to update the CA trust store
 exec { 'update_ca_trust_store':
 command => $update_ca_cert_command,
- path => ['/bin', '/usr/bin'],
+ path => ['/bin', '/usr/bin', 'sbin', '/usr/sbin'],
 refreshonly => true,
 require => File[$ca_cert_target_path],
 }
diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp
index 8cb1696..c911f0d 100644
--- a/site/profiles/manifests/puppet/agent.pp
+++ b/site/profiles/manifests/puppet/agent.pp
@@ -4,12 +4,6 @@ class profiles::puppet::agent (
 String $puppet_version = 'latest',
 ) {
- # Ensure the puppet-agent package is installed and locked to a specific version
- package { 'puppet-agent':
- ensure => $puppet_version,
- require => Class['profiles::yum::puppet7'],
- }
-
 # if puppet-version is anything other than latest, set a versionlock
 $puppet_versionlock_ensure = $puppet_version ? {
 'latest' => 'absent',
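Review bot: The new `path` entry `'sbin'` has no leading slash, so it is a relative search path; Puppet hands it to the exec's PATH unchanged and a lookup that reaches it resolves against the process's current directory rather than `/sbin`, which both defeats the intended fallback and lets whatever directory the agent happens to run from shadow the trust-store command. The line should read `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`. If `$update_ca_cert_command` is already an absolute path, `path` only matters for anything that command spawns, which deserves a short comment on the attribute.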
@@ -19,9 +13,29 @@ class profiles::puppet::agent (
 'latest' => undef,
 default => $puppet_version,
 }
- yum::versionlock{'puppet-agent':
- ensure => $puppet_versionlock_ensure,
- version => $puppet_versionlock_version,
+
+ case $facts['os']['family'] {
+ 'RedHat': {
+ # Ensure the puppet-agent package is installed and locked to a specific version
+ package { 'puppet-agent':
+ ensure => $puppet_version,
+ require => Class['profiles::yum::puppet7'],
+ }
+
+ # versionlock puppet-agent
+ yum::versionlock{'puppet-agent':
+ ensure => $puppet_versionlock_ensure,
+ version => $puppet_versionlock_version,
+ }
+ }
+ 'Debian': {
+ # Ensure the puppet-agent package is installed and locked to a specific version
+ package { 'puppet-agent':
+ ensure => $puppet_version,
+ require => Class['profiles::apt::puppet7'],
+ }
+ }
+ default: {}
 }
 # Ensure the puppet service is running
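Review bot: The `'Debian'` branch carries the comment `# Ensure the puppet-agent package is installed and locked to a specific version`, but nothing in it pins the package: only the `'RedHat'` branch declares a `yum::versionlock`, so on Debian a non-`latest` `$puppet_version` is installed once and is then free to move on the next upgrade. Either the comment should drop "and locked to a specific version" or an `apt::pin` for `puppet-agent` should sit next to the package, mirroring the versionlock. Note also that the same `$puppet_version` string feeds both providers, and Debian package versions carry a release suffix that a bare `'7.26.0'` (as set in the AlmaLinux hieradata) would not match, so a comment on the parameter recording that the value is provider-specific would prevent that surprise. The `default: {}` branch silently manages nothing on other families, which is fine if intended but deserves a note such as `# other families: package management not handled here`.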