diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index ad6c16f..e29cf0c 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -3,16 +3,10 @@ lookup_options:
   hiera_classes:
     merge:
       strategy: deep
-  profiles::packages::install:
+  profiles::packages::include:
     merge:
       strategy: deep
-  profiles::packages::install_exclude:
-    merge:
-      strategy: deep
-  profiles::packages::remove:
-    merge:
-      strategy: deep
-  profiles::packages::remove_exclude:
+  profiles::packages::exclude:
     merge:
       strategy: deep
   profiles::pki::vault::alt_names:
@@ -172,59 +166,71 @@ profiles::consul::client::node_rules:
     segment: ''
     disposition: read
 
-profiles::packages::install:
-  - bash-completion
-  - bzip2
-  - ccze
-  - curl
-  - dstat
-  - expect
-  - gcc
-  - gzip
-  - git
-  - htop
-  - inotify-tools
-  - iotop
-  - jq
-  - lz4
-  - mtr
-  - ncdu
-  - neovim
-  - p7zip
-  - pbzip2
-  - pigz
-  - pv
-  - python3.11
-  - rsync
-  - screen
-  - socat
-  - strace
-  - sysstat
-  - tar
-  - tmux
-  - traceroute
-  - unzip
-  - vim
-  - vnstat
-  - wget
-  - zsh
-  - zstd
-
-profiles::packages::remove:
-  - iwl100-firmware
-  - iwl1000-firmware
-  - iwl105-firmware
-  - iwl135-firmware
-  - iwl2000-firmware
-  - iwl2030-firmware
-  - iwl3160-firmware
-  - iwl5000-firmware
-  - iwl5150-firmware
-  - iwl6000-firmware
-  - iwl6000g2a-firmware
-  - iwl6050-firmware
-  - iwl7260-firmware
-  - puppet7-release
+profiles::packages::include:
+  bash-completion: {}
+  bzip2: {}
+  ccze: {}
+  curl: {}
+  dstat: {}
+  expect: {}
+  gcc: {}
+  gzip: {}
+  git: {}
+  htop: {}
+  inotify-tools: {}
+  iotop: {}
+  jq: {}
+  lz4: {}
+  mtr: {}
+  ncdu: {}
+  neovim: {}
+  p7zip: {}
+  pbzip2: {}
+  pigz: {}
+  pv: {}
+  python3.11: {}
+  rsync: {}
+  screen: {}
+  socat: {}
+  strace: {}
+  sysstat: {}
+  tar: {}
+  tmux: {}
+  traceroute: {}
+  unzip: {}
+  vim: {}
+  vnstat: {}
+  wget: {}
+  zsh: {}
+  zstd: {}
+  iwl100-firmware:
+    ensure: absent
+  iwl1000-firmware:
+    ensure: absent
+  iwl105-firmware:
+    ensure: absent
+  iwl135-firmware:
+    ensure: absent
+  iwl2000-firmware:
+    ensure: absent
+  iwl2030-firmware:
+    ensure: absent
+  iwl3160-firmware:
+    ensure: absent
+  iwl5000-firmware:
+    ensure: absent
+  iwl5150-firmware:
+    ensure: absent
+  iwl6000-firmware:
+    ensure: absent
+  iwl6000g2a-firmware:
+    ensure: absent
+  iwl6050-firmware:
+    ensure: absent
+  iwl7260-firmware:
+    ensure: absent
+  puppet7-release:
+    ensure: absent
 
 profiles::base::scripts::scripts:
   puppet: puppetwrapper.py
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index ef1ac42..8ac3c3c 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
 hiera_include:
   - profiles::almalinux::base
 
-profiles::packages::install:
-  - lzo
-  - network-scripts
-  - policycoreutils
-  - unar
-  - xz
+profiles::packages::include:
+  lzo: {}
+  network-scripts: {}
+  policycoreutils: {}
+  unar: {}
+  xz: {}
 
 lm-sensors::package: lm_sensors
 
diff --git a/hieradata/os/Debian/all_releases.yaml b/hieradata/os/Debian/all_releases.yaml
index 04e4212..2028db9 100644
--- a/hieradata/os/Debian/all_releases.yaml
+++ b/hieradata/os/Debian/all_releases.yaml
@@ -6,10 +6,10 @@ profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
 profiles::apt::puppet7::repo: puppet7
 profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
 
-profiles::packages::install:
-  - lzop
-  - python3.11-venv
-  - xz-utils
+profiles::packages::include:
+  lzop: {}
+  python3.11-venv: {}
+  xz-utils: {}
 
 lm-sensors::package: lm-sensors
 networking::nwmgr_dns_none: false
diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml
index 8c2ae06..94e1fd5 100644
--- a/hieradata/roles/infra.yaml
+++ b/hieradata/roles/infra.yaml
@@ -1,6 +1,6 @@
 ---
-profiles::packages::install:
-  - policycoreutils
+profiles::packages::include:
+  policycoreutils: {}
 
 puppetdb::master::config::create_puppet_service_resource: false
 #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml
index 42dbef9..441fd47 100644
--- a/hieradata/roles/infra/cobbler/server.yaml
+++ b/hieradata/roles/infra/cobbler/server.yaml
@@ -1,15 +1,15 @@
 ---
-profiles::packages::install:
-  - cobbler
-  - cobbler3.2-web
-  - httpd
-  - syslinux
-  - dnf-plugins-core
-  - debmirror
-  - pykickstart
-  - fence-agents
-  - selinux-policy-devel
-  - ipxe-bootimgs
+profiles::packages::include:
+  cobbler: {}
+  cobbler3.2-web: {}
+  httpd: {}
+  syslinux: {}
+  dnf-plugins-core: {}
+  debmirror: {}
+  pykickstart: {}
+  fence-agents: {}
+  selinux-policy-devel: {}
+  ipxe-bootimgs: {}
 
 profiles::pki::vault::alt_names:
   - cobbler.main.unkin.net
diff --git a/hieradata/roles/infra/puppet.yaml b/hieradata/roles/infra/puppet.yaml
index 6ae5977..028acf6 100644
--- a/hieradata/roles/infra/puppet.yaml
+++ b/hieradata/roles/infra/puppet.yaml
@@ -1,3 +1,3 @@
 ---
-profiles::packages::install:
-  - puppetserver
+profiles::packages::include:
+  puppetserver: {}
diff --git a/hieradata/roles/infra/reposync/syncer.yaml b/hieradata/roles/infra/reposync/syncer.yaml
index f893a5b..a33550c 100644
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@@ -1,6 +1,6 @@
 ---
-profiles::packages::install:
-  - createrepo
+profiles::packages::include:
+  createrepo: {}
 
 profiles::pki::vault::alt_names:
   - repos.main.unkin.net
diff --git a/hieradata/virtual/physical.yaml b/hieradata/virtual/physical.yaml
index 75630e7..edee18f 100644
--- a/hieradata/virtual/physical.yaml
+++ b/hieradata/virtual/physical.yaml
@@ -1,3 +1,3 @@
 ---
-profiles::packages::install:
-  - "%{hiera('lm-sensors::package')}"
+profiles::packages::include:
+  "%{hiera('lm-sensors::package')}": {}
diff --git a/site/profiles/manifests/firstrun/packages.pp b/site/profiles/manifests/firstrun/packages.pp
index 5bcc6d4..fbf05a9 100644
--- a/site/profiles/manifests/firstrun/packages.pp
+++ b/site/profiles/manifests/firstrun/packages.pp
@@ -1,5 +1,7 @@
 # profiles::firstrun::packages
-class profiles::firstrun::packages {
+class profiles::firstrun::packages (
+  Hash $manage = lookup('profiles::packages::include'),
+) {
   # include the correct package repositories, define the install_packages exec
   case $facts['os']['family'] {
     'RedHat': {
@@ -15,8 +17,13 @@ class profiles::firstrun::packages {
     }
   }
 
+  # filter out packages with 'ensure' set to 'absent'
+  $packages_to_install = $manage.filter |$package, $options| {
+    !($options['ensure'] and $options['ensure'] == 'absent')
+  }
+
   # get all the packages to install, and convert into a space separated list
-  $packages = hiera_array('profiles::packages::install', [])
+  $packages = $packages_to_install.keys
   $package_list = $packages.join(' ')
 
   # install all the packages
diff --git a/site/profiles/manifests/packages.pp b/site/profiles/manifests/packages.pp
index ca43908..dc61d52 100644
--- a/site/profiles/manifests/packages.pp
+++ b/site/profiles/manifests/packages.pp
@@ -1,23 +1,19 @@
 # This class manages the installation of packages for the base profile
 #
 # Parameters:
-# - $install: An array of package names to be installed
-# - $remove: An array of package names to be removed
+# - $include: A hash of package names to be managed
+# - $exclude: An array of package names to be removed from managed hash
 #
 class profiles::packages (
-  Array $install         = [],
-  Array $install_exclude = [],
-  Array $remove          = [],
-  Array $remove_exclude  = [],
+  Hash $include = {},
+  Array[String] $exclude = [],
 ) {
 
-  # Filter out excluded packages
-  $install_real = $install.filter |$item| { !$install_exclude.any |$exclude_item| { $exclude_item == $item } }
-  $remove_real = $remove.filter |$item| { !$remove_exclude.any |$exclude_item| { $exclude_item == $item } }
+  # Filter the include hash to remove the packages listed in exclude
+  $filtered_include = filter($include) |$key, $value| {
+    !($key in $exclude)
+  }
 
-  # Ensure packages to install are installed
-  ensure_packages($install_real, {'ensure' => 'present'})
-
-  # Ensure packages to remove are absent
-  ensure_packages($remove_real, {'ensure' => 'absent'})
+  # Manage packages
+  ensure_packages($filtered_include)
 }