diff --git a/.fixtures.yml b/.fixtures.yml
index 34bf88cd..193e0054 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -3,13 +3,23 @@ fixtures:
 repositories:
 inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git'
 stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
- postgresql: 'https://github.com/puppetlabs/puppet-postgresql.git'
- firewall: 'https://github.com/puppetlabs/puppetlabs-firewall.git'
 apt: 'https://github.com/puppetlabs/puppetlabs-apt.git'
 concat: 'https://github.com/puppetlabs/puppetlabs-concat.git'
- file_concat: 'https://github.com/electrical/puppet-lib-file_concat.git'
 systemd: 'https://github.com/camptocamp/puppet-systemd.git'
- cron: 'https://github.com/voxpupuli/puppet-cron.git'
+ provision: 'https://github.com/puppetlabs/provision.git'
+ puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
+ facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
 cron_core: 'https://github.com/puppetlabs/puppetlabs-cron_core.git'
 yumrepo_core: 'https://github.com/puppetlabs/puppetlabs-yumrepo_core.git'
 augeas_core: 'https://github.com/puppetlabs/puppetlabs-augeas_core.git'
+ postgresql: 'https://github.com/puppetlabs/puppetlabs-postgresql.git'
+ firewall: 'https://github.com/puppetlabs/puppetlabs-firewall.git'
+ forge_modules:
+ postgresql:
+ repo: 'puppetlabs/postgresql'
+ ref: "9.2.0"
+ firewall:
+ repo: 'puppetlabs/firewall'
+ ref: "6.0.0"
+ symlinks:
+ puppetdb: '#{source_dir}'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..1983ccc0
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,22 @@
+name: "ci"
+
+on:
+ pull_request:
+ branches:
+ - "main"
+ paths-ignore:
+ - '**.md'
+ - 'examples/**'
+ - 'LICENSE'
+ - 'CODEOWNERS'
+ - 'AUTHORS'
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ Spec:
+ uses: ./.github/workflows/module_ci.yml
+ secrets: inherit
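Review bot: `postgresql` and `firewall` are now declared twice in .fixtures.yml, once under `repositories` as git URLs with no ref and again under `forge_modules` pinned to `ref: "9.2.0"` and `ref: "6.0.0"`, so the file does not say which copy the spec run actually loads. Keeping only the pinned `forge_modules` entries would remove the ambiguity. The three new repositories (`provision`, `puppet_agent`, `facts`) also carry no ref and presumably follow each repository's default branch, which means CI executes whatever is pushed there. The hash form `repo: 'https://github.com/puppetlabs/provision.git'` plus `ref: '<tag-or-commit>'` (placeholder value) would pin them.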
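Review bot: `secrets: inherit` on the `Spec` job in ci.yml passes every secret the caller can see into module_ci.yml, and nothing in that workflow as shown in this diff reads a secret. The called jobs check out the pull-request head and run its Gemfile and rake tasks, so any secret placed in the environment is reachable by code from the branch under test. Dropping the line, or listing only the named secrets a step needs under `secrets:`, keeps that exposure to the minimum. Neither workflow sets `permissions:`, so the token gets the repository default; a top-level `permissions:` with `contents: read` would cover what these jobs appear to need.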
diff --git a/.github/workflows/module_ci.yml b/.github/workflows/module_ci.yml
new file mode 100644
index 00000000..96d9cf3c
--- /dev/null
+++ b/.github/workflows/module_ci.yml
@@ -0,0 +1,86 @@
+# This is a generic workflow for Puppet module CI operations.
+name: "Module CI"
+
+on:
+ workflow_call:
+ inputs:
+ runs_on:
+ description: "The operating system used for the runner."
+ required: false
+ default: "ubuntu-latest"
+ type: "string"
+ flags:
+ description: "Additional flags to pass to matrix_from_metadata_v2."
+ required: false
+ default: ''
+ type: "string"
+
+jobs:
+ setup_matrix:
+ name: "Setup Test Matrix"
+ runs-on: ${{ inputs.runs_on }}
+ outputs:
+ spec_matrix: ${{ steps.get-matrix.outputs.spec_matrix }}
+
+ steps:
+
+ - name: "Checkout"
+ uses: "actions/checkout@v4"
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: "Setup ruby"
+ uses: "ruby/setup-ruby@v1"
+ with:
+ ruby-version: "2.7"
+ bundler-cache: true
+
+ - name: "Bundle environment"
+ run: |
+ echo ::group::bundler environment
+ bundle env
+ echo ::endgroup::
+
+ - name: Setup Spec Test Matrix
+ id: get-matrix
+ run: |
+ bundle exec matrix_from_metadata_v2 ${{ inputs.flags }}
+
+ spec:
+ name: "Spec tests (Puppet: ${{matrix.puppet_version}}, Ruby Ver: ${{matrix.ruby_version}})"
+ needs: "setup_matrix"
+ runs-on: ${{ inputs.runs_on }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJson( needs.setup_matrix.outputs.spec_matrix ) }}
+
+ env:
+ PUPPET_GEM_VERSION: ${{ matrix.puppet_version }}
+ FACTER_GEM_VERSION: 'https://github.com/puppetlabs/facter#main' # why is this set?
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v4"
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: "Setup ruby"
+ uses: "ruby/setup-ruby@v1"
+ with:
+ ruby-version: ${{matrix.ruby_version}}
+ bundler-cache: true
+
+ - name: "Bundle environment"
+ run: |
+ echo ::group::bundler environment
+ bundle env
+ echo ::endgroup::
+
+ - name: "Run Static & Syntax Tests"
+ run: |
+ bundle exec rake syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop
+ bundle exec dependency-checker metadata.json || true # temporarily allow to fail
+
+ - name: "Run tests"
+ run: |
+ bundle exec rake parallel_spec
diff --git a/.gitignore b/.gitignore
index 2767022c..3f155121 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,7 +16,7 @@
 /log/
 /pkg/
 /spec/fixtures/manifests/
-/spec/fixtures/modules/
+/spec/fixtures/modules/*
 /tmp/
 /vendor/
 /convert_report.txt
@@ -25,3 +25,4 @@
 .project
 .envrc
 /inventory.yaml
+/spec/fixtures/litmus_inventory.yaml
diff --git a/.pdkignore b/.pdkignore
index e6215cd0..fe5cdba3 100644
--- a/.pdkignore
+++ b/.pdkignore
@@ -16,7 +16,7 @@
 /log/
 /pkg/
 /spec/fixtures/manifests/
-/spec/fixtures/modules/
+/spec/fixtures/modules/*
 /tmp/
 /vendor/
 /convert_report.txt
@@ -25,18 +25,26 @@
 .project
 .envrc
 /inventory.yaml
-/appveyor.yml
+/spec/fixtures/litmus_inventory.yaml
 /.fixtures.yml
 /Gemfile
 /.gitattributes
+/.github/
 /.gitignore
-/.gitlab-ci.yml
 /.pdkignore
+/.puppet-lint.rc
 /Rakefile
 /rakelib/
 /.rspec
-/.rubocop.yml
-/.travis.yml
+/..yml
 /.yardopts
 /spec/
 /.vscode/
+/.sync.yml
+/.devcontainer/
+/.*.yml
+/pdk.yaml
+/.pmtignore
+/.git*
+/.editorconfig
+/provision.yaml
diff --git a/.puppet-lint.rc b/.puppet-lint.rc
index cc96ece0..b4372aaf 100644
--- a/.puppet-lint.rc
+++ b/.puppet-lint.rc
@@ -1 +1,5 @@
 --relative
+--no-parameter_types-check
+--no-parameter_documentation-check
+--no-documentation-check
+--no-140chars-check
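Review bot: In the `get-matrix` step of module_ci.yml, `${{ inputs.flags }}` is expanded into the `run:` script before the shell parses it, so whatever a caller passes becomes shell source rather than an argument. The only caller in this diff leaves it at the default, but the workflow is described as generic. Passing the value through the environment keeps it data: add `env:` with `FLAGS: ${{ inputs.flags }}` to the step and call `bundle exec matrix_from_metadata_v2 $FLAGS`. Separately, `actions/checkout@v4` and `ruby/setup-ruby@v1` are mutable tags and `FACTER_GEM_VERSION` points at the `#main` branch of facter (the inline `# why is this set?` is still unanswered), so the code these jobs run can change without a commit here. Full commit SHAs for the actions and a released facter version would pin both.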
diff --git a/.rspec_parallel b/.rspec_parallel new file mode 100644 index 00000000..e4d136b7 --- /dev/null +++ b/.rspec_parallel @@ -0,0 +1 @@ +--format progress diff --git a/.rubocop.yml b/.rubocop.yml index 5307849e..043ef9d1 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,12 +1,13 @@ --- require: +- rubocop-performance - rubocop-rspec -- rubocop-i18n AllCops: DisplayCopNames: true - TargetRubyVersion: '2.1' + TargetRubyVersion: '2.6' Include: - - "./**/*.rb" + - "**/*.rb" + - "**/*.rake" Exclude: - bin/* - ".vendor/**/*" @@ -18,16 +19,10 @@ AllCops: - "**/Puppetfile" - "**/Vagrantfile" - "**/Guardfile" -Metrics/LineLength: + NewCops: enable +Layout/LineLength: Description: People have wide screens, use them. Max: 200 -GetText: - Enabled: false -GetText/DecorateString: - Description: We don't want to decorate test output. - Exclude: - - spec/**/* - Enabled: false RSpec/BeforeAfterAll: Description: Beware of using after(:all) as it may cause state to leak between tests. A necessary evil in acceptance testing. @@ -36,14 +31,13 @@ RSpec/BeforeAfterAll: RSpec/HookArgument: Description: Prefer explicit :each argument, matching existing module's style EnforcedStyle: each +RSpec/DescribeSymbol: + Exclude: + - spec/unit/facter/**/*.rb Style/BlockDelimiters: Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to be consistent then. EnforcedStyle: braces_for_chaining -Style/BracesAroundHashParameters: - Description: Braces are required by Ruby 2.7. Cop removed from RuboCop v0.80.0. - See https://github.com/rubocop-hq/rubocop/pull/7643 - Enabled: true Style/ClassAndModuleChildren: Description: Compact style reduces the required amount of indentation. EnforcedStyle: compact 
@@ -72,7 +66,7 @@ Style/TrailingCommaInArguments: Description: Prefer always trailing comma on multiline argument lists. This makes diffs, and re-ordering nicer. EnforcedStyleForMultiline: comma -Style/TrailingCommaInLiteral: +Style/TrailingCommaInArrayLiteral: Description: Prefer always trailing comma on multiline literals. This makes diffs, and re-ordering nicer. EnforcedStyleForMultiline: comma 
@@ -87,26 +81,176 @@ Style/Documentation: - spec/**/* Style/WordArray: EnforcedStyle: brackets +Performance/AncestorsInclude: + Enabled: true +Performance/BigDecimalWithNumericArgument: + Enabled: true +Performance/BlockGivenWithExplicitBlock: + Enabled: true +Performance/CaseWhenSplat: + Enabled: true +Performance/ConstantRegexp: + Enabled: true +Performance/MethodObjectAsBlock: + Enabled: true +Performance/RedundantSortBlock: + Enabled: true +Performance/RedundantStringChars: + Enabled: true +Performance/ReverseFirst: + Enabled: true +Performance/SortReverse: + Enabled: true +Performance/Squeeze: + Enabled: true +Performance/StringInclude: + Enabled: true +Performance/Sum: + Enabled: true Style/CollectionMethods: Enabled: true Style/MethodCalledOnDoEndBlock: Enabled: true Style/StringMethods: Enabled: true -GetText/DecorateFunctionMessage: +Bundler/GemFilename: Enabled: false -GetText/DecorateStringFormattingUsingInterpolation: +Bundler/InsecureProtocolSource: Enabled: false -GetText/DecorateStringFormattingUsingPercent: +Capybara/CurrentPathExpectation: + Enabled: false +Capybara/VisibilityMatcher: + Enabled: false +Gemspec/DuplicatedAssignment: + Enabled: false +Gemspec/OrderedDependencies: + Enabled: false +Gemspec/RequiredRubyVersion: + Enabled: false +Gemspec/RubyVersionGlobalsUsage: + Enabled: false +Layout/ArgumentAlignment: + Enabled: false +Layout/BeginEndAlignment: + Enabled: false +Layout/ClosingHeredocIndentation: + Enabled: false +Layout/EmptyComment: + Enabled: false +Layout/EmptyLineAfterGuardClause: + Enabled: false +Layout/EmptyLinesAroundArguments: + Enabled: false +Layout/EmptyLinesAroundAttributeAccessor: Enabled: false Layout/EndOfLine: Enabled: false -Layout/IndentHeredoc: +Layout/FirstArgumentIndentation: + Enabled: false +Layout/HashAlignment: + Enabled: false +Layout/HeredocIndentation: + Enabled: false +Layout/LeadingEmptyLines: + Enabled: false +Layout/SpaceAroundMethodCallOperator: + Enabled: false 
+Layout/SpaceInsideArrayLiteralBrackets: + Enabled: false +Layout/SpaceInsideReferenceBrackets: + Enabled: false +Lint/BigDecimalNew: + Enabled: false +Lint/BooleanSymbol: + Enabled: false +Lint/ConstantDefinitionInBlock: + Enabled: false +Lint/DeprecatedOpenSSLConstant: + Enabled: false +Lint/DisjunctiveAssignmentInConstructor: + Enabled: false +Lint/DuplicateElsifCondition: + Enabled: false +Lint/DuplicateRequire: + Enabled: false +Lint/DuplicateRescueException: + Enabled: false +Lint/EmptyConditionalBody: + Enabled: false +Lint/EmptyFile: + Enabled: false +Lint/ErbNewArguments: + Enabled: false +Lint/FloatComparison: + Enabled: false +Lint/HashCompareByIdentity: + Enabled: false +Lint/IdentityComparison: + Enabled: false +Lint/InterpolationCheck: + Enabled: false +Lint/MissingCopEnableDirective: + Enabled: false +Lint/MixedRegexpCaptureTypes: + Enabled: false +Lint/NestedPercentLiteral: + Enabled: false +Lint/NonDeterministicRequireOrder: + Enabled: false +Lint/OrderedMagicComments: + Enabled: false +Lint/OutOfRangeRegexpRef: + Enabled: false +Lint/RaiseException: + Enabled: false +Lint/RedundantCopEnableDirective: + Enabled: false +Lint/RedundantRequireStatement: + Enabled: false +Lint/RedundantSafeNavigation: + Enabled: false +Lint/RedundantWithIndex: + Enabled: false +Lint/RedundantWithObject: + Enabled: false +Lint/RegexpAsCondition: + Enabled: false +Lint/ReturnInVoidContext: + Enabled: false +Lint/SafeNavigationConsistency: + Enabled: false +Lint/SafeNavigationWithEmpty: + Enabled: false +Lint/SelfAssignment: + Enabled: false +Lint/SendWithMixinArgument: + Enabled: false +Lint/ShadowedArgument: + Enabled: false +Lint/StructNewOverride: + Enabled: false +Lint/ToJSON: + Enabled: false +Lint/TopLevelReturnWithArgument: + Enabled: false +Lint/TrailingCommaInAttributeDeclaration: + Enabled: false +Lint/UnreachableLoop: + Enabled: false +Lint/UriEscapeUnescape: + Enabled: false +Lint/UriRegexp: + Enabled: false +Lint/UselessMethodDefinition: + Enabled: false 
+Lint/UselessTimes: Enabled: false Metrics/AbcSize: Enabled: false Metrics/BlockLength: Enabled: false +Metrics/BlockNesting: + Enabled: false Metrics/ClassLength: Enabled: false Metrics/CyclomaticComplexity: 
@@ -119,19 +263,463 @@ Metrics/ParameterLists: Enabled: false Metrics/PerceivedComplexity: Enabled: false +Migration/DepartmentName: + Enabled: false +Naming/AccessorMethodName: + Enabled: false +Naming/BlockParameterName: + Enabled: false +Naming/HeredocDelimiterCase: + Enabled: false +Naming/HeredocDelimiterNaming: + Enabled: false +Naming/MemoizedInstanceVariableName: + Enabled: false +Naming/MethodParameterName: + Enabled: false +Naming/RescuedExceptionsVariableName: + Enabled: false +Naming/VariableNumber: + Enabled: false +Performance/BindCall: + Enabled: false +Performance/DeletePrefix: + Enabled: false +Performance/DeleteSuffix: + Enabled: false +Performance/InefficientHashSearch: + Enabled: false +Performance/UnfreezeString: + Enabled: false +Performance/UriDefaultParser: + Enabled: false +RSpec/Be: + Enabled: false +RSpec/Capybara/FeatureMethods: + Enabled: false +RSpec/ContainExactly: + Enabled: false +RSpec/ContextMethod: + Enabled: false +RSpec/ContextWording: + Enabled: false RSpec/DescribeClass: Enabled: false +RSpec/EmptyHook: + Enabled: false +RSpec/EmptyLineAfterExample: + Enabled: false +RSpec/EmptyLineAfterExampleGroup: + Enabled: false +RSpec/EmptyLineAfterHook: + Enabled: false RSpec/ExampleLength: Enabled: false -RSpec/MessageExpectation: +RSpec/ExampleWithoutDescription: + Enabled: false +RSpec/ExpectChange: + Enabled: false +RSpec/ExpectInHook: + Enabled: false +RSpec/FactoryBot/AttributeDefinedStatically: + Enabled: false +RSpec/FactoryBot/CreateList: + Enabled: false +RSpec/FactoryBot/FactoryClassName: + Enabled: false +RSpec/HooksBeforeExamples: + Enabled: false +RSpec/ImplicitBlockExpectation: + Enabled: false +RSpec/ImplicitSubject: + Enabled: false +RSpec/LeakyConstantDeclaration: + Enabled: false +RSpec/LetBeforeExamples: + Enabled: false +RSpec/MatchArray: + Enabled: false +RSpec/MissingExampleGroupArgument: Enabled: false RSpec/MultipleExpectations: Enabled: false +RSpec/MultipleMemoizedHelpers: + Enabled: false 
+RSpec/MultipleSubjects: + Enabled: false RSpec/NestedGroups: Enabled: false -Style/AsciiComments: +RSpec/PredicateMatcher: + Enabled: false +RSpec/ReceiveCounts: + Enabled: false +RSpec/ReceiveNever: + Enabled: false +RSpec/RepeatedExampleGroupBody: + Enabled: false +RSpec/RepeatedExampleGroupDescription: + Enabled: false +RSpec/RepeatedIncludeExample: + Enabled: false +RSpec/ReturnFromStub: + Enabled: false +RSpec/SharedExamples: + Enabled: false +RSpec/StubbedMock: + Enabled: false +RSpec/UnspecifiedException: + Enabled: false +RSpec/VariableDefinition: + Enabled: false +RSpec/VoidExpect: + Enabled: false +RSpec/Yield: + Enabled: false +Security/Open: + Enabled: false +Style/AccessModifierDeclarations: + Enabled: false +Style/AccessorGrouping: + Enabled: false +Style/BisectedAttrAccessor: + Enabled: false +Style/CaseLikeIf: + Enabled: false +Style/ClassEqualityComparison: + Enabled: false +Style/ColonMethodDefinition: + Enabled: false +Style/CombinableLoops: + Enabled: false +Style/CommentedKeyword: + Enabled: false +Style/Dir: + Enabled: false +Style/DoubleCopDisableDirective: + Enabled: false +Style/EmptyBlockParameter: + Enabled: false +Style/EmptyLambdaParameter: + Enabled: false +Style/Encoding: + Enabled: false +Style/EvalWithLocation: + Enabled: false +Style/ExpandPathArguments: + Enabled: false +Style/ExplicitBlockArgument: + Enabled: false +Style/ExponentialNotation: + Enabled: false +Style/FloatDivision: + Enabled: false +Style/FrozenStringLiteralComment: + Enabled: false +Style/GlobalStdStream: + Enabled: false +Style/HashAsLastArrayItem: + Enabled: false +Style/HashLikeCase: + Enabled: false +Style/HashTransformKeys: + Enabled: false +Style/HashTransformValues: Enabled: false Style/IfUnlessModifier: Enabled: false +Style/KeywordParametersOrder: + Enabled: false +Style/MinMax: + Enabled: false +Style/MixinUsage: + Enabled: false +Style/MultilineWhenThen: + Enabled: false +Style/NegatedUnless: + Enabled: false +Style/NumericPredicate: + Enabled: false 
+Style/OptionalBooleanParameter: + Enabled: false +Style/OrAssignment: + Enabled: false +Style/RandomWithOffset: + Enabled: false +Style/RedundantAssignment: + Enabled: false +Style/RedundantCondition: + Enabled: false +Style/RedundantConditional: + Enabled: false +Style/RedundantFetchBlock: + Enabled: false +Style/RedundantFileExtensionInRequire: + Enabled: false +Style/RedundantRegexpCharacterClass: + Enabled: false +Style/RedundantRegexpEscape: + Enabled: false +Style/RedundantSelfAssignment: + Enabled: false +Style/RedundantSort: + Enabled: false +Style/RescueStandardError: + Enabled: false +Style/SingleArgumentDig: + Enabled: false +Style/SlicingWithRange: + Enabled: false +Style/SoleNestedConditional: + Enabled: false +Style/StderrPuts: + Enabled: false +Style/StringConcatenation: + Enabled: false +Style/Strip: + Enabled: false Style/SymbolProc: Enabled: false +Style/TrailingBodyOnClass: + Enabled: false +Style/TrailingBodyOnMethodDefinition: + Enabled: false +Style/TrailingBodyOnModule: + Enabled: false +Style/TrailingCommaInHashLiteral: + Enabled: false +Style/TrailingMethodEndStatement: + Enabled: false +Style/UnpackFirst: + Enabled: false +Capybara/MatchStyle: + Enabled: false +Capybara/NegationMatcher: + Enabled: false +Capybara/SpecificActions: + Enabled: false +Capybara/SpecificFinders: + Enabled: false +Capybara/SpecificMatcher: + Enabled: false +Gemspec/DeprecatedAttributeAssignment: + Enabled: false +Gemspec/DevelopmentDependencies: + Enabled: false +Gemspec/RequireMFA: + Enabled: false +Layout/LineContinuationLeadingSpace: + Enabled: false +Layout/LineContinuationSpacing: + Enabled: false +Layout/LineEndStringConcatenationIndentation: + Enabled: false +Layout/SpaceBeforeBrackets: + Enabled: false +Lint/AmbiguousAssignment: + Enabled: false +Lint/AmbiguousOperatorPrecedence: + Enabled: false +Lint/AmbiguousRange: + Enabled: false +Lint/ConstantOverwrittenInRescue: + Enabled: false +Lint/DeprecatedConstants: + Enabled: false +Lint/DuplicateBranch: + 
Enabled: false +Lint/DuplicateMagicComment: + Enabled: false +Lint/DuplicateRegexpCharacterClassElement: + Enabled: false +Lint/EmptyBlock: + Enabled: false +Lint/EmptyClass: + Enabled: false +Lint/EmptyInPattern: + Enabled: false +Lint/IncompatibleIoSelectWithFiberScheduler: + Enabled: false +Lint/LambdaWithoutLiteralBlock: + Enabled: false +Lint/NoReturnInBeginEndBlocks: + Enabled: false +Lint/NonAtomicFileOperation: + Enabled: false +Lint/NumberedParameterAssignment: + Enabled: false +Lint/OrAssignmentToConstant: + Enabled: false +Lint/RedundantDirGlobSort: + Enabled: false +Lint/RefinementImportMethods: + Enabled: false +Lint/RequireRangeParentheses: + Enabled: false +Lint/RequireRelativeSelfPath: + Enabled: false +Lint/SymbolConversion: + Enabled: false +Lint/ToEnumArguments: + Enabled: false +Lint/TripleQuotes: + Enabled: false +Lint/UnexpectedBlockArity: + Enabled: false +Lint/UnmodifiedReduceAccumulator: + Enabled: false +Lint/UselessRescue: + Enabled: false +Lint/UselessRuby2Keywords: + Enabled: false +Metrics/CollectionLiteralLength: + Enabled: false +Naming/BlockForwarding: + Enabled: false +Performance/CollectionLiteralInLoop: + Enabled: false +Performance/ConcurrentMonotonicTime: + Enabled: false +Performance/MapCompact: + Enabled: false +Performance/RedundantEqualityComparisonBlock: + Enabled: false +Performance/RedundantSplitRegexpArgument: + Enabled: false +Performance/StringIdentifierArgument: + Enabled: false +RSpec/BeEq: + Enabled: false +RSpec/BeNil: + Enabled: false +RSpec/ChangeByZero: + Enabled: false +RSpec/ClassCheck: + Enabled: false +RSpec/DuplicatedMetadata: + Enabled: false +RSpec/ExcessiveDocstringSpacing: + Enabled: false +RSpec/FactoryBot/ConsistentParenthesesStyle: + Enabled: false +RSpec/FactoryBot/FactoryNameStyle: + Enabled: false +RSpec/FactoryBot/SyntaxMethods: + Enabled: false +RSpec/IdenticalEqualityAssertion: + Enabled: false +RSpec/NoExpectationExample: + Enabled: false +RSpec/PendingWithoutReason: + Enabled: false 
+RSpec/Rails/AvoidSetupHook: + Enabled: false +RSpec/Rails/HaveHttpStatus: + Enabled: false +RSpec/Rails/InferredSpecType: + Enabled: false +RSpec/Rails/MinitestAssertions: + Enabled: false +RSpec/Rails/TravelAround: + Enabled: false +RSpec/RedundantAround: + Enabled: false +RSpec/SkipBlockInsideExample: + Enabled: false +RSpec/SortMetadata: + Enabled: false +RSpec/SubjectDeclaration: + Enabled: false +RSpec/VerifiedDoubleReference: + Enabled: false +Security/CompoundHash: + Enabled: false +Security/IoMethods: + Enabled: false +Style/ArgumentsForwarding: + Enabled: false +Style/ArrayIntersect: + Enabled: false +Style/CollectionCompact: + Enabled: false +Style/ComparableClamp: + Enabled: false +Style/ConcatArrayLiterals: + Enabled: false +Style/DirEmpty: + Enabled: false +Style/DocumentDynamicEvalDefinition: + Enabled: false +Style/EmptyHeredoc: + Enabled: false +Style/EndlessMethod: + Enabled: false +Style/EnvHome: + Enabled: false +Style/FetchEnvVar: + Enabled: false +Style/FileEmpty: + Enabled: false +Style/FileRead: + Enabled: false +Style/FileWrite: + Enabled: false +Style/HashConversion: + Enabled: false +Style/HashExcept: + Enabled: false +Style/IfWithBooleanLiteralBranches: + Enabled: false +Style/InPatternThen: + Enabled: false +Style/MagicCommentFormat: + Enabled: false +Style/MapCompactWithConditionalBlock: + Enabled: false +Style/MapToHash: + Enabled: false +Style/MapToSet: + Enabled: false +Style/MinMaxComparison: + Enabled: false +Style/MultilineInPatternThen: + Enabled: false +Style/NegatedIfElseCondition: + Enabled: false +Style/NestedFileDirname: + Enabled: false +Style/NilLambda: + Enabled: false +Style/NumberedParameters: + Enabled: false +Style/NumberedParametersLimit: + Enabled: false +Style/ObjectThen: + Enabled: false +Style/OpenStructUse: + Enabled: false +Style/OperatorMethodCall: + Enabled: false +Style/QuotedSymbols: + Enabled: false +Style/RedundantArgument: + Enabled: false +Style/RedundantConstantBase: + Enabled: false 
+Style/RedundantDoubleSplatHashBraces: + Enabled: false +Style/RedundantEach: + Enabled: false +Style/RedundantHeredocDelimiterQuotes: + Enabled: false +Style/RedundantInitialize: + Enabled: false +Style/RedundantSelfAssignmentBranch: + Enabled: false +Style/RedundantStringEscape: + Enabled: false +Style/SelectByRegexp: + Enabled: false +Style/StringChars: + Enabled: false +Style/SwapValues: + Enabled: false diff --git a/.sync.yml b/.sync.yml index c6ff6c37..4c5e0c81 100644 --- a/.sync.yml +++ b/.sync.yml @@ -1,14 +1,26 @@ -Gemfile: - required: - ':system_tests': - - gem: 'puppet-module-posix-system-r#{minor_version}' - platforms: ruby - - gem: 'puppet-module-win-system-r#{minor_version}' - platforms: - - mswin - - mingw - - x64_mingw - - gem: 'nokogiri' - platforms: ruby - - gem: 'serverspec' - platforms: ruby +--- +.rubocop.yml: + default_configs: + AllCops: + NewCops: enable + Include: + - '**/*.rake' +.pdkignore: + paths: + - /.*.yml + - /pdk.yaml + - /.pmtignore + - /.git* + - /.editorconfig + - /provision.yaml +Rakefile: + default_disabled_lint_checks: + - parameter_types + - parameter_documentation + - documentation + - 140chars +spec/default_facts.yml: + unmanaged: true +spec/spec_helper.rb: + coverage_report: true + minimum_code_coverage_percentage: 100 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 0aaaef2b..00000000 --- a/.travis.yml +++ /dev/null 
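Review bot: The `.rubocop.yml` overrides added to .sync.yml only set `NewCops` and `Include`, while the regenerated .rubocop.yml in this same commit turns off `Security/Open`, `Security/IoMethods`, `Security/CompoundHash` and `Bundler/InsecureProtocolSource`. If those are template defaults rather than a decision made for this module, .sync.yml is the place to switch them back on. That would presumably be further keys under `default_configs`, e.g. `Security/Open:` with `Enabled: true`, which should be confirmed against the template before relying on it. A one-line comment in .sync.yml recording why the security cops stay disabled would serve if the choice is deliberate.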
@@ -1,53 +0,0 @@ ---- -os: linux -dist: xenial -language: ruby -cache: bundler -before_install: - - bundle -v - - rm -f Gemfile.lock - - "# Update system gems if requested. This is useful to temporarily workaround troubles in the test runner" - - "# See https://github.com/puppetlabs/pdk-templates/commit/705154d5c437796b821691b707156e1b056d244f for an example of how this was used" - - "# Ignore exit code of SIGPIPE'd yes to not fail with shell's pipefail set" - - '[ -z "$RUBYGEMS_VERSION" ] || (yes || true) | gem update --system $RUBYGEMS_VERSION' - - gem --version - - bundle -v -script: - - 'bundle exec rake $CHECK' -bundler_args: --without system_tests -rvm: - - 2.5.7 -stages: - - static - - spec - - acceptance - - - if: tag =~ ^v\d - name: deploy -jobs: - fast_finish: true - include: - - - env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint" - stage: static - - - env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec - rvm: 2.4.5 - stage: spec - - - env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec - rvm: 2.5.7 - stage: spec - - - env: PUPPET_GEM_VERSION="~> 7.0" CHECK=parallel_spec - rvm: 2.7.2 - stage: spec - - - env: DEPLOY_TO_FORGE=yes - stage: deploy -branches: - only: - - master - - /^v\d/ -notifications: - email: false diff --git a/Gemfile b/Gemfile index 0d3a975d..ca0e773e 100644 --- a/Gemfile +++ b/Gemfile 
@@ -13,27 +13,37 @@ def location_for(place_or_version, fake_version = nil) end end -ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments -minor_version = ruby_version_segments[0..1].join('.') - group :development do - gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') - gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') - gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') - gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') - gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "puppet-module-posix-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby] - gem "puppet-module-posix-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby] - gem "puppet-module-win-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "puppet-module-win-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 
3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "racc", '~> 1.4.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false + gem "facterdb", '~> 1.18', require: false + gem "metadata-json-lint", '~> 3.0', require: false + gem "puppetlabs_spec_helper", '~> 6.0', require: false + gem "rspec-puppet-facts", '~> 2.0', require: false + gem "codecov", '~> 0.2', require: false + gem "dependency_checker", '~> 1.0.0', require: false + gem "parallel_tests", '= 3.12.1', require: false + gem "pry", '~> 0.10', require: false + gem "simplecov-console", '~> 0.5', require: false + gem "puppet-debugger", '~> 1.0', require: false + gem "rubocop", '= 1.48.1', require: false + gem "rubocop-performance", '= 1.16.0', require: false + gem "rubocop-rspec", '= 2.19.0', require: false + gem "puppet-strings", '~> 4.0', require: false + gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] end group :system_tests do - gem "puppet-module-posix-system-r#{minor_version}", '~> 0.5', require: false, platforms: [:ruby] - gem "puppet-module-win-system-r#{minor_version}", '~> 0.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "nokogiri", require: false, platforms: [:ruby] - gem "serverspec", require: false, platforms: [:ruby] + gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw] + gem "serverspec", '~> 2.41', require: false +end +group :release_prep do + gem "puppet-strings", '~> 4.0', require: false + gem "puppetlabs_spec_helper", '~> 6.0', require: false end puppet_version = ENV['PUPPET_GEM_VERSION'] 
@@ -50,16 +60,6 @@ gems['puppet'] = location_for(puppet_version) gems['facter'] = location_for(facter_version) if facter_version gems['hiera'] = location_for(hiera_version) if hiera_version -if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} - # If we're using a Puppet gem on Windows which handles its own win32-xxx gem - # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). - gems['win32-dir'] = ['<= 0.4.9', require: false] - gems['win32-eventlog'] = ['<= 0.6.5', require: false] - gems['win32-process'] = ['<= 0.7.5', require: false] - gems['win32-security'] = ['<= 0.2.5', require: false] - gems['win32-service'] = ['0.8.8', require: false] -end - gems.each do |gem_name, gem_params| gem gem_name, *gem_params end diff --git a/REFERENCE.md b/REFERENCE.md new file mode 100644 index 00000000..78149e3f --- /dev/null +++ b/REFERENCE.md 
@@ -0,0 +1,3538 @@ +# Reference + + + +## Table of Contents + +### Classes + +* [`puppetdb`](#puppetdb): All in one class for setting up a PuppetDB instance. See README.md for more details. +* [`puppetdb::database::postgresql`](#puppetdb--database--postgresql): Class for creating the PuppetDB postgresql database. See README.md for more information. +* [`puppetdb::database::ssl_configuration`](#puppetdb--database--ssl_configuration): Class for configuring SSL connection for the PuppetDB postgresql database. See README.md for more information. +* [`puppetdb::globals`](#puppetdb--globals): Global configuration class for PuppetDB. See README.md for more details. +* [`puppetdb::master::config`](#puppetdb--master--config): Manage puppet configuration. See README.md for more details. +* [`puppetdb::master::puppetdb_conf`](#puppetdb--master--puppetdb_conf): Manage the puppetdb.conf file on the puppeet master. See README.md for more details. +* [`puppetdb::master::report_processor`](#puppetdb--master--report_processor): Manage the installation of the report processor on the master. See README.md for more details. +* [`puppetdb::master::routes`](#puppetdb--master--routes): Manages the routes configuration file on the master. See README.md for more details. +* [`puppetdb::master::storeconfigs`](#puppetdb--master--storeconfigs): This class configures the puppet master to enable storeconfigs and to use puppetdb as the storeconfigs backend. See README.md for more detail +* [`puppetdb::params`](#puppetdb--params): PRIVATE CLASS - do not use directly The puppetdb default configuration settings. +* [`puppetdb::server`](#puppetdb--server): Class to configure a PuppetDB server. See README.md for more details. 
+* [`puppetdb::server::command_processing`](#puppetdb--server--command_processing): PRIVATE CLASS - do not use directly +* [`puppetdb::server::database`](#puppetdb--server--database): PRIVATE CLASS - do not use directly +* [`puppetdb::server::firewall`](#puppetdb--server--firewall): PRIVATE CLASS - do not use directly +* [`puppetdb::server::global`](#puppetdb--server--global): PRIVATE CLASS - do not use directly +* [`puppetdb::server::jetty`](#puppetdb--server--jetty): PRIVATE CLASS - do not use directly +* [`puppetdb::server::puppetdb`](#puppetdb--server--puppetdb): PRIVATE CLASS - do not use directly +* [`puppetdb::server::read_database`](#puppetdb--server--read_database): PRIVATE CLASS - do not use directly +* [`puppetdb::server::validate_db`](#puppetdb--server--validate_db): This validates a database connection. See README.md for more details. +* [`puppetdb::server::validate_read_db`](#puppetdb--server--validate_read_db): This validates a database connection. See README.md for more details. + +### Defined types + +* [`puppetdb::database::default_read_grant`](#puppetdb--database--default_read_grant): Private class. Grant read permissions to $database_read_only_username by default, for new tables created by $database_username. +* [`puppetdb::database::postgresql_ssl_rules`](#puppetdb--database--postgresql_ssl_rules): Private class for configuring the pg_ident.conf and pg_hba.conf files +* [`puppetdb::database::read_grant`](#puppetdb--database--read_grant): Private class. Grant read-only permissions to $database_read_only_username for all objects in $schema of $database_name +* [`puppetdb::database::read_only_user`](#puppetdb--database--read_only_user) + +### Resource types + +* [`puppetdb_conn_validator`](#puppetdb_conn_validator): Verify that a connection can be successfully established between a node and the puppetdb server. 
Its primary use is as a precondition to pre + +### Functions + +* [`puppetdb::create_subsetting_resource_hash`](#puppetdb--create_subsetting_resource_hash) +* [`puppetdb::flatten_java_args`](#puppetdb--flatten_java_args) + +### Data types + +* [`Puppetdb::Ttl`](#Puppetdb--Ttl) + +### Tasks + +* [`lxd_exp`](#lxd_exp): Provision/Tear down a machine on LXD + +## Classes + +### `puppetdb` + +All in one class for setting up a PuppetDB instance. See README.md for more +details. + +#### Parameters + +The following parameters are available in the `puppetdb` class: + +* [`listen_address`](#-puppetdb--listen_address) +* [`listen_port`](#-puppetdb--listen_port) +* [`disable_cleartext`](#-puppetdb--disable_cleartext) +* [`open_listen_port`](#-puppetdb--open_listen_port) +* [`ssl_listen_address`](#-puppetdb--ssl_listen_address) +* [`ssl_listen_port`](#-puppetdb--ssl_listen_port) +* [`disable_ssl`](#-puppetdb--disable_ssl) +* [`open_ssl_listen_port`](#-puppetdb--open_ssl_listen_port) +* [`ssl_dir`](#-puppetdb--ssl_dir) +* [`ssl_set_cert_paths`](#-puppetdb--ssl_set_cert_paths) +* [`ssl_cert_path`](#-puppetdb--ssl_cert_path) +* [`ssl_key_path`](#-puppetdb--ssl_key_path) +* [`ssl_key_pk8_path`](#-puppetdb--ssl_key_pk8_path) +* [`ssl_ca_cert_path`](#-puppetdb--ssl_ca_cert_path) +* [`ssl_deploy_certs`](#-puppetdb--ssl_deploy_certs) +* [`ssl_key`](#-puppetdb--ssl_key) +* [`ssl_cert`](#-puppetdb--ssl_cert) +* [`ssl_ca_cert`](#-puppetdb--ssl_ca_cert) +* [`ssl_protocols`](#-puppetdb--ssl_protocols) +* [`postgresql_ssl_on`](#-puppetdb--postgresql_ssl_on) +* [`postgresql_ssl_folder`](#-puppetdb--postgresql_ssl_folder) +* [`postgresql_ssl_cert_path`](#-puppetdb--postgresql_ssl_cert_path) +* [`postgresql_ssl_key_path`](#-puppetdb--postgresql_ssl_key_path) +* [`postgresql_ssl_ca_cert_path`](#-puppetdb--postgresql_ssl_ca_cert_path) +* [`cipher_suites`](#-puppetdb--cipher_suites) +* [`migrate`](#-puppetdb--migrate) +* [`manage_dbserver`](#-puppetdb--manage_dbserver) +* 
[`manage_database`](#-puppetdb--manage_database) +* [`manage_package_repo`](#-puppetdb--manage_package_repo) +* [`postgres_version`](#-puppetdb--postgres_version) +* [`database`](#-puppetdb--database) +* [`database_host`](#-puppetdb--database_host) +* [`database_port`](#-puppetdb--database_port) +* [`database_username`](#-puppetdb--database_username) +* [`database_password`](#-puppetdb--database_password) +* [`database_name`](#-puppetdb--database_name) +* [`manage_db_password`](#-puppetdb--manage_db_password) +* [`jdbc_ssl_properties`](#-puppetdb--jdbc_ssl_properties) +* [`database_listen_address`](#-puppetdb--database_listen_address) +* [`database_validate`](#-puppetdb--database_validate) +* [`database_embedded_path`](#-puppetdb--database_embedded_path) +* [`node_ttl`](#-puppetdb--node_ttl) +* [`node_purge_ttl`](#-puppetdb--node_purge_ttl) +* [`report_ttl`](#-puppetdb--report_ttl) +* [`facts_blacklist`](#-puppetdb--facts_blacklist) +* [`gc_interval`](#-puppetdb--gc_interval) +* [`node_purge_gc_batch_limit`](#-puppetdb--node_purge_gc_batch_limit) +* [`log_slow_statements`](#-puppetdb--log_slow_statements) +* [`conn_max_age`](#-puppetdb--conn_max_age) +* [`conn_keep_alive`](#-puppetdb--conn_keep_alive) +* [`conn_lifetime`](#-puppetdb--conn_lifetime) +* [`puppetdb_package`](#-puppetdb--puppetdb_package) +* [`puppetdb_service`](#-puppetdb--puppetdb_service) +* [`puppetdb_service_status`](#-puppetdb--puppetdb_service_status) +* [`puppetdb_user`](#-puppetdb--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--puppetdb_group) +* [`puppetdb_server`](#-puppetdb--puppetdb_server) +* [`read_database`](#-puppetdb--read_database) +* [`read_database_host`](#-puppetdb--read_database_host) +* [`read_database_port`](#-puppetdb--read_database_port) +* [`read_database_username`](#-puppetdb--read_database_username) +* [`read_database_password`](#-puppetdb--read_database_password) +* [`read_database_name`](#-puppetdb--read_database_name) +* 
[`manage_read_db_password`](#-puppetdb--manage_read_db_password) +* [`read_database_jdbc_ssl_properties`](#-puppetdb--read_database_jdbc_ssl_properties) +* [`read_database_validate`](#-puppetdb--read_database_validate) +* [`read_log_slow_statements`](#-puppetdb--read_log_slow_statements) +* [`read_conn_max_age`](#-puppetdb--read_conn_max_age) +* [`read_conn_keep_alive`](#-puppetdb--read_conn_keep_alive) +* [`read_conn_lifetime`](#-puppetdb--read_conn_lifetime) +* [`confdir`](#-puppetdb--confdir) +* [`vardir`](#-puppetdb--vardir) +* [`manage_firewall`](#-puppetdb--manage_firewall) +* [`java_args`](#-puppetdb--java_args) +* [`merge_default_java_args`](#-puppetdb--merge_default_java_args) +* [`max_threads`](#-puppetdb--max_threads) +* [`command_threads`](#-puppetdb--command_threads) +* [`concurrent_writes`](#-puppetdb--concurrent_writes) +* [`store_usage`](#-puppetdb--store_usage) +* [`temp_usage`](#-puppetdb--temp_usage) +* [`disable_update_checking`](#-puppetdb--disable_update_checking) +* [`certificate_whitelist_file`](#-puppetdb--certificate_whitelist_file) +* [`certificate_whitelist`](#-puppetdb--certificate_whitelist) +* [`database_max_pool_size`](#-puppetdb--database_max_pool_size) +* [`read_database_max_pool_size`](#-puppetdb--read_database_max_pool_size) +* [`automatic_dlo_cleanup`](#-puppetdb--automatic_dlo_cleanup) +* [`cleanup_timer_interval`](#-puppetdb--cleanup_timer_interval) +* [`dlo_max_age`](#-puppetdb--dlo_max_age) +* [`java_bin`](#-puppetdb--java_bin) + +##### `listen_address` + +Data type: `Any` + + + +Default value: `$puppetdb::params::listen_address` + +##### `listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::listen_port` + +##### `disable_cleartext` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_cleartext` + +##### `open_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_listen_port` + +##### `ssl_listen_address` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::ssl_listen_address` + +##### `ssl_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_port` + +##### `disable_ssl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_ssl` + +##### `open_ssl_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_ssl_listen_port` + +##### `ssl_dir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_dir` + +##### `ssl_set_cert_paths` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_set_cert_paths` + +##### `ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert_path` + +##### `ssl_key_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key_path` + +##### `ssl_key_pk8_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key_pk8_path` + +##### `ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert_path` + +##### `ssl_deploy_certs` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_deploy_certs` + +##### `ssl_key` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key` + +##### `ssl_cert` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert` + +##### `ssl_ca_cert` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert` + +##### `ssl_protocols` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_protocols` + +##### `postgresql_ssl_on` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_on` + +##### `postgresql_ssl_folder` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_folder` + +##### `postgresql_ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_cert_path` + +##### `postgresql_ssl_key_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_key_path` + +##### `postgresql_ssl_ca_cert_path` + +Data type: 
`Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_ca_cert_path` + +##### `cipher_suites` + +Data type: `Any` + + + +Default value: `$puppetdb::params::cipher_suites` + +##### `migrate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::migrate` + +##### `manage_dbserver` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_dbserver` + +##### `manage_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_database` + +##### `manage_package_repo` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_pg_repo` + +##### `postgres_version` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgres_version` + +##### `database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database` + +##### `database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_password` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `manage_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_db_password` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::jdbc_ssl_properties` + +##### `database_listen_address` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgres_listen_addresses` + +##### `database_validate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_validate` + +##### `database_embedded_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_embedded_path` + +##### `node_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_ttl` + +##### 
`node_purge_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_purge_ttl` + +##### `report_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::report_ttl` + +##### `facts_blacklist` + +Data type: `Optional[Array]` + + + +Default value: `$puppetdb::params::facts_blacklist` + +##### `gc_interval` + +Data type: `Any` + + + +Default value: `$puppetdb::params::gc_interval` + +##### `node_purge_gc_batch_limit` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_purge_gc_batch_limit` + +##### `log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::log_slow_statements` + +##### `conn_max_age` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_max_age` + +##### `conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_keep_alive` + +##### `conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_lifetime` + +##### `puppetdb_package` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_package` + +##### `puppetdb_service` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_service` + +##### `puppetdb_service_status` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_service_status` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +##### `puppetdb_server` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_server` + +##### `read_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database` + +##### `read_database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_host` + +##### `read_database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_port` + +##### `read_database_username` + +Data type: `Any` + + + +Default 
value: `$puppetdb::params::read_database_username` + +##### `read_database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_password` + +##### `read_database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_name` + +##### `manage_read_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_read_db_password` + +##### `read_database_jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_jdbc_ssl_properties` + +##### `read_database_validate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_validate` + +##### `read_log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_log_slow_statements` + +##### `read_conn_max_age` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_max_age` + +##### `read_conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_keep_alive` + +##### `read_conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_lifetime` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `vardir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::vardir` + +##### `manage_firewall` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_firewall` + +##### `java_args` + +Data type: `Any` + + + +Default value: `$puppetdb::params::java_args` + +##### `merge_default_java_args` + +Data type: `Any` + + + +Default value: `$puppetdb::params::merge_default_java_args` + +##### `max_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::max_threads` + +##### `command_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::command_threads` + +##### `concurrent_writes` + +Data type: `Any` + + + +Default value: `$puppetdb::params::concurrent_writes` + +##### `store_usage` + +Data type: `Any` + + + 
+Default value: `$puppetdb::params::store_usage` + +##### `temp_usage` + +Data type: `Any` + + + +Default value: `$puppetdb::params::temp_usage` + +##### `disable_update_checking` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_update_checking` + +##### `certificate_whitelist_file` + +Data type: `Any` + + + +Default value: `$puppetdb::params::certificate_whitelist_file` + +##### `certificate_whitelist` + +Data type: `Any` + + + +Default value: `$puppetdb::params::certificate_whitelist` + +##### `database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_max_pool_size` + +##### `read_database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_max_pool_size` + +##### `automatic_dlo_cleanup` + +Data type: `Boolean` + + + +Default value: `$puppetdb::params::automatic_dlo_cleanup` + +##### `cleanup_timer_interval` + +Data type: `String[1]` + + + +Default value: `$puppetdb::params::cleanup_timer_interval` + +##### `dlo_max_age` + +Data type: `Integer[1]` + + + +Default value: `$puppetdb::params::dlo_max_age` + +##### `java_bin` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `$puppetdb::params::java_bin` + +### `puppetdb::database::postgresql` + +Class for creating the PuppetDB postgresql database. See README.md for more +information. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::database::postgresql` class: + +* [`listen_addresses`](#-puppetdb--database--postgresql--listen_addresses) +* [`puppetdb_server`](#-puppetdb--database--postgresql--puppetdb_server) +* [`database_name`](#-puppetdb--database--postgresql--database_name) +* [`database_username`](#-puppetdb--database--postgresql--database_username) +* [`database_password`](#-puppetdb--database--postgresql--database_password) +* [`database_port`](#-puppetdb--database--postgresql--database_port) +* [`manage_database`](#-puppetdb--database--postgresql--manage_database) +* [`manage_server`](#-puppetdb--database--postgresql--manage_server) +* [`manage_package_repo`](#-puppetdb--database--postgresql--manage_package_repo) +* [`postgres_version`](#-puppetdb--database--postgresql--postgres_version) +* [`postgresql_ssl_on`](#-puppetdb--database--postgresql--postgresql_ssl_on) +* [`postgresql_ssl_key_path`](#-puppetdb--database--postgresql--postgresql_ssl_key_path) +* [`postgresql_ssl_cert_path`](#-puppetdb--database--postgresql--postgresql_ssl_cert_path) +* [`postgresql_ssl_ca_cert_path`](#-puppetdb--database--postgresql--postgresql_ssl_ca_cert_path) +* [`read_database_username`](#-puppetdb--database--postgresql--read_database_username) +* [`read_database_password`](#-puppetdb--database--postgresql--read_database_password) +* [`read_database_host`](#-puppetdb--database--postgresql--read_database_host) + +##### `listen_addresses` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `puppetdb_server` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_server` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::database_password` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `manage_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_database` + +##### `manage_server` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_dbserver` + +##### `manage_package_repo` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_pg_repo` + +##### `postgres_version` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgres_version` + +##### `postgresql_ssl_on` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_on` + +##### `postgresql_ssl_key_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_key_path` + +##### `postgresql_ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_cert_path` + +##### `postgresql_ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_ca_cert_path` + +##### `read_database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_username` + +##### `read_database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_password` + +##### `read_database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_host` + +### `puppetdb::database::ssl_configuration` + +Class for configuring SSL connection for the PuppetDB postgresql database. See README.md for more +information. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::database::ssl_configuration` class: + +* [`database_name`](#-puppetdb--database--ssl_configuration--database_name) +* [`database_username`](#-puppetdb--database--ssl_configuration--database_username) +* [`read_database_username`](#-puppetdb--database--ssl_configuration--read_database_username) +* [`read_database_host`](#-puppetdb--database--ssl_configuration--read_database_host) +* [`puppetdb_server`](#-puppetdb--database--ssl_configuration--puppetdb_server) +* [`postgresql_ssl_key_path`](#-puppetdb--database--ssl_configuration--postgresql_ssl_key_path) +* [`postgresql_ssl_cert_path`](#-puppetdb--database--ssl_configuration--postgresql_ssl_cert_path) +* [`postgresql_ssl_ca_cert_path`](#-puppetdb--database--ssl_configuration--postgresql_ssl_ca_cert_path) +* [`create_read_user_rule`](#-puppetdb--database--ssl_configuration--create_read_user_rule) + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `read_database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_username` + +##### `read_database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_host` + +##### `puppetdb_server` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_server` + +##### `postgresql_ssl_key_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_key_path` + +##### `postgresql_ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_cert_path` + +##### `postgresql_ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_ca_cert_path` + +##### `create_read_user_rule` + +Data type: `Any` + + + +Default value: `false` + +### `puppetdb::globals` + +Global configuration 
class for PuppetDB. See README.md for more details. + +#### Parameters + +The following parameters are available in the `puppetdb::globals` class: + +* [`version`](#-puppetdb--globals--version) +* [`database`](#-puppetdb--globals--database) +* [`puppet_confdir`](#-puppetdb--globals--puppet_confdir) + +##### `version` + +Data type: `Any` + + + +Default value: `'present'` + +##### `database` + +Data type: `Any` + + + +Default value: `'postgres'` + +##### `puppet_confdir` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$settings::confdir` + +### `puppetdb::master::config` + +Manage puppet configuration. See README.md for more details. + +#### Parameters + +The following parameters are available in the `puppetdb::master::config` class: + +* [`puppetdb_server`](#-puppetdb--master--config--puppetdb_server) +* [`puppetdb_port`](#-puppetdb--master--config--puppetdb_port) +* [`puppetdb_disable_ssl`](#-puppetdb--master--config--puppetdb_disable_ssl) +* [`masterless`](#-puppetdb--master--config--masterless) +* [`puppetdb_soft_write_failure`](#-puppetdb--master--config--puppetdb_soft_write_failure) +* [`manage_routes`](#-puppetdb--master--config--manage_routes) +* [`manage_storeconfigs`](#-puppetdb--master--config--manage_storeconfigs) +* [`enable_storeconfigs`](#-puppetdb--master--config--enable_storeconfigs) +* [`manage_report_processor`](#-puppetdb--master--config--manage_report_processor) +* [`manage_config`](#-puppetdb--master--config--manage_config) +* [`create_puppet_service_resource`](#-puppetdb--master--config--create_puppet_service_resource) +* [`strict_validation`](#-puppetdb--master--config--strict_validation) +* [`enable_reports`](#-puppetdb--master--config--enable_reports) +* [`puppet_confdir`](#-puppetdb--master--config--puppet_confdir) +* [`puppet_conf`](#-puppetdb--master--config--puppet_conf) +* [`terminus_package`](#-puppetdb--master--config--terminus_package) +* [`puppet_service_name`](#-puppetdb--master--config--puppet_service_name) +* 
[`puppetdb_startup_timeout`](#-puppetdb--master--config--puppetdb_startup_timeout) +* [`test_url`](#-puppetdb--master--config--test_url) +* [`restart_puppet`](#-puppetdb--master--config--restart_puppet) + +##### `puppetdb_server` + +Data type: `Any` + + + +Default value: `fact('networking.fqdn')` + +##### `puppetdb_port` + +Data type: `Any` + + + +Default value: + +```puppet +defined(Class['puppetdb']) ? { + true => $puppetdb::disable_ssl ? { + true => 8080, + default => 8081, + }, + default => 8081 +``` + +##### `puppetdb_disable_ssl` + +Data type: `Any` + + + +Default value: + +```puppet +defined(Class['puppetdb']) ? { + true => $puppetdb::disable_ssl, + default => false +``` + +##### `masterless` + +Data type: `Any` + + + +Default value: `$puppetdb::params::masterless` + +##### `puppetdb_soft_write_failure` + +Data type: `Any` + + + +Default value: `false` + +##### `manage_routes` + +Data type: `Any` + + + +Default value: `true` + +##### `manage_storeconfigs` + +Data type: `Any` + + + +Default value: `true` + +##### `enable_storeconfigs` + +Data type: `Any` + + + +Default value: `true` + +##### `manage_report_processor` + +Data type: `Any` + + + +Default value: `false` + +##### `manage_config` + +Data type: `Any` + + + +Default value: `true` + +##### `create_puppet_service_resource` + +Data type: `Any` + + + +Default value: `true` + +##### `strict_validation` + +Data type: `Any` + + + +Default value: `true` + +##### `enable_reports` + +Data type: `Any` + + + +Default value: `false` + +##### `puppet_confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_confdir` + +##### `puppet_conf` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_conf` + +##### `terminus_package` + +Data type: `Any` + + + +Default value: `$puppetdb::params::terminus_package` + +##### `puppet_service_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_service_name` + +##### `puppetdb_startup_timeout` + +Data type: `Any` + + + 
+Default value: `$puppetdb::params::puppetdb_startup_timeout` + +##### `test_url` + +Data type: `Any` + + + +Default value: `$puppetdb::params::test_url` + +##### `restart_puppet` + +Data type: `Any` + + + +Default value: `true` + +### `puppetdb::master::puppetdb_conf` + +Manage the puppetdb.conf file on the puppeet master. See README.md for more +details. + +#### Parameters + +The following parameters are available in the `puppetdb::master::puppetdb_conf` class: + +* [`server`](#-puppetdb--master--puppetdb_conf--server) +* [`port`](#-puppetdb--master--puppetdb_conf--port) +* [`soft_write_failure`](#-puppetdb--master--puppetdb_conf--soft_write_failure) +* [`puppet_confdir`](#-puppetdb--master--puppetdb_conf--puppet_confdir) +* [`legacy_terminus`](#-puppetdb--master--puppetdb_conf--legacy_terminus) + +##### `server` + +Data type: `Any` + + + +Default value: `'localhost'` + +##### `port` + +Data type: `Any` + + + +Default value: `'8081'` + +##### `soft_write_failure` + +Data type: `Any` + + + +Default value: + +```puppet +$puppetdb::disable_ssl ? { + true => true, + default => false +``` + +##### `puppet_confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_confdir` + +##### `legacy_terminus` + +Data type: `Any` + + + +Default value: + +```puppet +$puppetdb::params::terminus_package ? { + /(puppetdb-terminus)/ => true, + default => false +``` + +### `puppetdb::master::report_processor` + +Manage the installation of the report processor on the master. See README.md +for more details. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::master::report_processor` class: + +* [`puppet_conf`](#-puppetdb--master--report_processor--puppet_conf) +* [`masterless`](#-puppetdb--master--report_processor--masterless) +* [`enable`](#-puppetdb--master--report_processor--enable) + +##### `puppet_conf` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_conf` + +##### `masterless` + +Data type: `Any` + + + +Default value: `$puppetdb::params::masterless` + +##### `enable` + +Data type: `Any` + + + +Default value: `false` + +### `puppetdb::master::routes` + +Manages the routes configuration file on the master. See README.md for more +details. + +#### Parameters + +The following parameters are available in the `puppetdb::master::routes` class: + +* [`puppet_confdir`](#-puppetdb--master--routes--puppet_confdir) +* [`masterless`](#-puppetdb--master--routes--masterless) +* [`routes`](#-puppetdb--master--routes--routes) + +##### `puppet_confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_confdir` + +##### `masterless` + +Data type: `Any` + + + +Default value: `$puppetdb::params::masterless` + +##### `routes` + +Data type: `Any` + + + +Default value: `undef` + +### `puppetdb::master::storeconfigs` + +This class configures the puppet master to enable storeconfigs and to use +puppetdb as the storeconfigs backend. See README.md for more details. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::master::storeconfigs` class: + +* [`puppet_conf`](#-puppetdb--master--storeconfigs--puppet_conf) +* [`masterless`](#-puppetdb--master--storeconfigs--masterless) +* [`enable`](#-puppetdb--master--storeconfigs--enable) + +##### `puppet_conf` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppet_conf` + +##### `masterless` + +Data type: `Any` + + + +Default value: `$puppetdb::params::masterless` + +##### `enable` + +Data type: `Any` + + + +Default value: `true` + +### `puppetdb::params` + +PRIVATE CLASS - do not use directly + +The puppetdb default configuration settings. + +### `puppetdb::server` + +Class to configure a PuppetDB server. See README.md for more details. + +#### Parameters + +The following parameters are available in the `puppetdb::server` class: + +* [`listen_address`](#-puppetdb--server--listen_address) +* [`listen_port`](#-puppetdb--server--listen_port) +* [`disable_cleartext`](#-puppetdb--server--disable_cleartext) +* [`open_listen_port`](#-puppetdb--server--open_listen_port) +* [`ssl_listen_address`](#-puppetdb--server--ssl_listen_address) +* [`ssl_listen_port`](#-puppetdb--server--ssl_listen_port) +* [`disable_ssl`](#-puppetdb--server--disable_ssl) +* [`open_ssl_listen_port`](#-puppetdb--server--open_ssl_listen_port) +* [`ssl_dir`](#-puppetdb--server--ssl_dir) +* [`ssl_set_cert_paths`](#-puppetdb--server--ssl_set_cert_paths) +* [`ssl_cert_path`](#-puppetdb--server--ssl_cert_path) +* [`ssl_key_path`](#-puppetdb--server--ssl_key_path) +* [`ssl_key_pk8_path`](#-puppetdb--server--ssl_key_pk8_path) +* [`ssl_ca_cert_path`](#-puppetdb--server--ssl_ca_cert_path) +* [`ssl_deploy_certs`](#-puppetdb--server--ssl_deploy_certs) +* [`ssl_key`](#-puppetdb--server--ssl_key) +* [`ssl_cert`](#-puppetdb--server--ssl_cert) +* [`ssl_ca_cert`](#-puppetdb--server--ssl_ca_cert) +* [`ssl_protocols`](#-puppetdb--server--ssl_protocols) +* 
[`postgresql_ssl_on`](#-puppetdb--server--postgresql_ssl_on) +* [`cipher_suites`](#-puppetdb--server--cipher_suites) +* [`migrate`](#-puppetdb--server--migrate) +* [`database`](#-puppetdb--server--database) +* [`database_host`](#-puppetdb--server--database_host) +* [`database_port`](#-puppetdb--server--database_port) +* [`database_username`](#-puppetdb--server--database_username) +* [`database_password`](#-puppetdb--server--database_password) +* [`database_name`](#-puppetdb--server--database_name) +* [`manage_db_password`](#-puppetdb--server--manage_db_password) +* [`jdbc_ssl_properties`](#-puppetdb--server--jdbc_ssl_properties) +* [`database_validate`](#-puppetdb--server--database_validate) +* [`database_embedded_path`](#-puppetdb--server--database_embedded_path) +* [`node_ttl`](#-puppetdb--server--node_ttl) +* [`node_purge_ttl`](#-puppetdb--server--node_purge_ttl) +* [`report_ttl`](#-puppetdb--server--report_ttl) +* [`facts_blacklist`](#-puppetdb--server--facts_blacklist) +* [`gc_interval`](#-puppetdb--server--gc_interval) +* [`node_purge_gc_batch_limit`](#-puppetdb--server--node_purge_gc_batch_limit) +* [`log_slow_statements`](#-puppetdb--server--log_slow_statements) +* [`conn_max_age`](#-puppetdb--server--conn_max_age) +* [`conn_keep_alive`](#-puppetdb--server--conn_keep_alive) +* [`conn_lifetime`](#-puppetdb--server--conn_lifetime) +* [`puppetdb_package`](#-puppetdb--server--puppetdb_package) +* [`puppetdb_service`](#-puppetdb--server--puppetdb_service) +* [`puppetdb_service_status`](#-puppetdb--server--puppetdb_service_status) +* [`puppetdb_user`](#-puppetdb--server--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--server--puppetdb_group) +* [`read_database`](#-puppetdb--server--read_database) +* [`read_database_host`](#-puppetdb--server--read_database_host) +* [`read_database_port`](#-puppetdb--server--read_database_port) +* [`read_database_username`](#-puppetdb--server--read_database_username) +* 
[`read_database_password`](#-puppetdb--server--read_database_password) +* [`read_database_name`](#-puppetdb--server--read_database_name) +* [`manage_read_db_password`](#-puppetdb--server--manage_read_db_password) +* [`read_database_jdbc_ssl_properties`](#-puppetdb--server--read_database_jdbc_ssl_properties) +* [`read_database_validate`](#-puppetdb--server--read_database_validate) +* [`read_log_slow_statements`](#-puppetdb--server--read_log_slow_statements) +* [`read_conn_max_age`](#-puppetdb--server--read_conn_max_age) +* [`read_conn_keep_alive`](#-puppetdb--server--read_conn_keep_alive) +* [`read_conn_lifetime`](#-puppetdb--server--read_conn_lifetime) +* [`confdir`](#-puppetdb--server--confdir) +* [`vardir`](#-puppetdb--server--vardir) +* [`manage_firewall`](#-puppetdb--server--manage_firewall) +* [`manage_database`](#-puppetdb--server--manage_database) +* [`java_args`](#-puppetdb--server--java_args) +* [`merge_default_java_args`](#-puppetdb--server--merge_default_java_args) +* [`max_threads`](#-puppetdb--server--max_threads) +* [`command_threads`](#-puppetdb--server--command_threads) +* [`concurrent_writes`](#-puppetdb--server--concurrent_writes) +* [`store_usage`](#-puppetdb--server--store_usage) +* [`temp_usage`](#-puppetdb--server--temp_usage) +* [`disable_update_checking`](#-puppetdb--server--disable_update_checking) +* [`certificate_whitelist_file`](#-puppetdb--server--certificate_whitelist_file) +* [`certificate_whitelist`](#-puppetdb--server--certificate_whitelist) +* [`database_max_pool_size`](#-puppetdb--server--database_max_pool_size) +* [`read_database_max_pool_size`](#-puppetdb--server--read_database_max_pool_size) +* [`automatic_dlo_cleanup`](#-puppetdb--server--automatic_dlo_cleanup) +* [`cleanup_timer_interval`](#-puppetdb--server--cleanup_timer_interval) +* [`dlo_max_age`](#-puppetdb--server--dlo_max_age) +* [`java_bin`](#-puppetdb--server--java_bin) + +##### `listen_address` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::listen_address` + +##### `listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::listen_port` + +##### `disable_cleartext` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_cleartext` + +##### `open_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_listen_port` + +##### `ssl_listen_address` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_address` + +##### `ssl_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_port` + +##### `disable_ssl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_ssl` + +##### `open_ssl_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_ssl_listen_port` + +##### `ssl_dir` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$puppetdb::params::ssl_dir` + +##### `ssl_set_cert_paths` + +Data type: `Boolean` + + + +Default value: `$puppetdb::params::ssl_set_cert_paths` + +##### `ssl_cert_path` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$puppetdb::params::ssl_cert_path` + +##### `ssl_key_path` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$puppetdb::params::ssl_key_path` + +##### `ssl_key_pk8_path` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$puppetdb::params::ssl_key_pk8_path` + +##### `ssl_ca_cert_path` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$puppetdb::params::ssl_ca_cert_path` + +##### `ssl_deploy_certs` + +Data type: `Boolean` + + + +Default value: `$puppetdb::params::ssl_deploy_certs` + +##### `ssl_key` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key` + +##### `ssl_cert` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert` + +##### `ssl_ca_cert` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert` + +##### `ssl_protocols` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_protocols` + +##### 
`postgresql_ssl_on` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_on` + +##### `cipher_suites` + +Data type: `Any` + + + +Default value: `$puppetdb::params::cipher_suites` + +##### `migrate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::migrate` + +##### `database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database` + +##### `database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_password` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `manage_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_db_password` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::jdbc_ssl_properties` + +##### `database_validate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_validate` + +##### `database_embedded_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_embedded_path` + +##### `node_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_ttl` + +##### `node_purge_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_purge_ttl` + +##### `report_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::report_ttl` + +##### `facts_blacklist` + +Data type: `Optional[Array]` + + + +Default value: `$puppetdb::params::facts_blacklist` + +##### `gc_interval` + +Data type: `Any` + + + +Default value: `$puppetdb::params::gc_interval` + +##### `node_purge_gc_batch_limit` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::node_purge_gc_batch_limit` + +##### `log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::log_slow_statements` + +##### `conn_max_age` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_max_age` + +##### `conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_keep_alive` + +##### `conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_lifetime` + +##### `puppetdb_package` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_package` + +##### `puppetdb_service` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_service` + +##### `puppetdb_service_status` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_service_status` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +##### `read_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database` + +##### `read_database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_host` + +##### `read_database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_port` + +##### `read_database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_username` + +##### `read_database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_password` + +##### `read_database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_name` + +##### `manage_read_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_read_db_password` + +##### `read_database_jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_jdbc_ssl_properties` + +##### `read_database_validate` + +Data 
type: `Any` + + + +Default value: `$puppetdb::params::read_database_validate` + +##### `read_log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_log_slow_statements` + +##### `read_conn_max_age` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_max_age` + +##### `read_conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_keep_alive` + +##### `read_conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_lifetime` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `vardir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::vardir` + +##### `manage_firewall` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_firewall` + +##### `manage_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_database` + +##### `java_args` + +Data type: `Any` + + + +Default value: `$puppetdb::params::java_args` + +##### `merge_default_java_args` + +Data type: `Any` + + + +Default value: `$puppetdb::params::merge_default_java_args` + +##### `max_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::max_threads` + +##### `command_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::command_threads` + +##### `concurrent_writes` + +Data type: `Any` + + + +Default value: `$puppetdb::params::concurrent_writes` + +##### `store_usage` + +Data type: `Any` + + + +Default value: `$puppetdb::params::store_usage` + +##### `temp_usage` + +Data type: `Any` + + + +Default value: `$puppetdb::params::temp_usage` + +##### `disable_update_checking` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_update_checking` + +##### `certificate_whitelist_file` + +Data type: `Any` + + + +Default value: `$puppetdb::params::certificate_whitelist_file` + +##### `certificate_whitelist` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::certificate_whitelist` + +##### `database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_max_pool_size` + +##### `read_database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_max_pool_size` + +##### `automatic_dlo_cleanup` + +Data type: `Boolean` + + + +Default value: `$puppetdb::params::automatic_dlo_cleanup` + +##### `cleanup_timer_interval` + +Data type: `String[1]` + + + +Default value: `$puppetdb::params::cleanup_timer_interval` + +##### `dlo_max_age` + +Data type: `Integer[1]` + + + +Default value: `$puppetdb::params::dlo_max_age` + +##### `java_bin` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `$puppetdb::params::java_bin` + +### `puppetdb::server::command_processing` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::command_processing` class: + +* [`command_threads`](#-puppetdb--server--command_processing--command_threads) +* [`concurrent_writes`](#-puppetdb--server--command_processing--concurrent_writes) +* [`store_usage`](#-puppetdb--server--command_processing--store_usage) +* [`temp_usage`](#-puppetdb--server--command_processing--temp_usage) +* [`confdir`](#-puppetdb--server--command_processing--confdir) + +##### `command_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::command_threads` + +##### `concurrent_writes` + +Data type: `Any` + + + +Default value: `$puppetdb::params::concurrent_writes` + +##### `store_usage` + +Data type: `Any` + + + +Default value: `$puppetdb::params::store_usage` + +##### `temp_usage` + +Data type: `Any` + + + +Default value: `$puppetdb::params::temp_usage` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +### `puppetdb::server::database` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the 
`puppetdb::server::database` class: + +* [`database`](#-puppetdb--server--database--database) +* [`database_host`](#-puppetdb--server--database--database_host) +* [`database_port`](#-puppetdb--server--database--database_port) +* [`database_username`](#-puppetdb--server--database--database_username) +* [`database_password`](#-puppetdb--server--database--database_password) +* [`database_name`](#-puppetdb--server--database--database_name) +* [`manage_db_password`](#-puppetdb--server--database--manage_db_password) +* [`jdbc_ssl_properties`](#-puppetdb--server--database--jdbc_ssl_properties) +* [`database_validate`](#-puppetdb--server--database--database_validate) +* [`database_embedded_path`](#-puppetdb--server--database--database_embedded_path) +* [`node_ttl`](#-puppetdb--server--database--node_ttl) +* [`node_purge_ttl`](#-puppetdb--server--database--node_purge_ttl) +* [`report_ttl`](#-puppetdb--server--database--report_ttl) +* [`facts_blacklist`](#-puppetdb--server--database--facts_blacklist) +* [`gc_interval`](#-puppetdb--server--database--gc_interval) +* [`node_purge_gc_batch_limit`](#-puppetdb--server--database--node_purge_gc_batch_limit) +* [`log_slow_statements`](#-puppetdb--server--database--log_slow_statements) +* [`conn_max_age`](#-puppetdb--server--database--conn_max_age) +* [`conn_keep_alive`](#-puppetdb--server--database--conn_keep_alive) +* [`conn_lifetime`](#-puppetdb--server--database--conn_lifetime) +* [`confdir`](#-puppetdb--server--database--confdir) +* [`puppetdb_user`](#-puppetdb--server--database--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--server--database--puppetdb_group) +* [`database_max_pool_size`](#-puppetdb--server--database--database_max_pool_size) +* [`migrate`](#-puppetdb--server--database--migrate) +* [`postgresql_ssl_on`](#-puppetdb--server--database--postgresql_ssl_on) +* [`ssl_cert_path`](#-puppetdb--server--database--ssl_cert_path) +* [`ssl_key_pk8_path`](#-puppetdb--server--database--ssl_key_pk8_path) +* 
[`ssl_ca_cert_path`](#-puppetdb--server--database--ssl_ca_cert_path) + +##### `database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database` + +##### `database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_password` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `manage_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_db_password` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::jdbc_ssl_properties` + +##### `database_validate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_validate` + +##### `database_embedded_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_embedded_path` + +##### `node_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_ttl` + +##### `node_purge_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_purge_ttl` + +##### `report_ttl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::report_ttl` + +##### `facts_blacklist` + +Data type: `Any` + + + +Default value: `$puppetdb::params::facts_blacklist` + +##### `gc_interval` + +Data type: `Any` + + + +Default value: `$puppetdb::params::gc_interval` + +##### `node_purge_gc_batch_limit` + +Data type: `Any` + + + +Default value: `$puppetdb::params::node_purge_gc_batch_limit` + +##### `log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::log_slow_statements` + +##### `conn_max_age` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_max_age` + +##### 
`conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_keep_alive` + +##### `conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::conn_lifetime` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +##### `database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_max_pool_size` + +##### `migrate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::migrate` + +##### `postgresql_ssl_on` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_on` + +##### `ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert_path` + +##### `ssl_key_pk8_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key_pk8_path` + +##### `ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert_path` + +### `puppetdb::server::firewall` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::firewall` class: + +* [`http_port`](#-puppetdb--server--firewall--http_port) +* [`open_http_port`](#-puppetdb--server--firewall--open_http_port) +* [`ssl_port`](#-puppetdb--server--firewall--ssl_port) +* [`open_ssl_port`](#-puppetdb--server--firewall--open_ssl_port) + +##### `http_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::listen_port` + +##### `open_http_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_listen_port` + +##### `ssl_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_port` + +##### `open_ssl_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::open_ssl_listen_port` + +### 
`puppetdb::server::global` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::global` class: + +* [`vardir`](#-puppetdb--server--global--vardir) +* [`confdir`](#-puppetdb--server--global--confdir) +* [`puppetdb_group`](#-puppetdb--server--global--puppetdb_group) + +##### `vardir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::vardir` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +### `puppetdb::server::jetty` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::jetty` class: + +* [`listen_address`](#-puppetdb--server--jetty--listen_address) +* [`listen_port`](#-puppetdb--server--jetty--listen_port) +* [`disable_cleartext`](#-puppetdb--server--jetty--disable_cleartext) +* [`ssl_listen_address`](#-puppetdb--server--jetty--ssl_listen_address) +* [`ssl_listen_port`](#-puppetdb--server--jetty--ssl_listen_port) +* [`disable_ssl`](#-puppetdb--server--jetty--disable_ssl) +* [`ssl_set_cert_paths`](#-puppetdb--server--jetty--ssl_set_cert_paths) +* [`ssl_cert_path`](#-puppetdb--server--jetty--ssl_cert_path) +* [`ssl_key_path`](#-puppetdb--server--jetty--ssl_key_path) +* [`ssl_ca_cert_path`](#-puppetdb--server--jetty--ssl_ca_cert_path) +* [`ssl_protocols`](#-puppetdb--server--jetty--ssl_protocols) +* [`cipher_suites`](#-puppetdb--server--jetty--cipher_suites) +* [`confdir`](#-puppetdb--server--jetty--confdir) +* [`max_threads`](#-puppetdb--server--jetty--max_threads) +* [`puppetdb_user`](#-puppetdb--server--jetty--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--server--jetty--puppetdb_group) + +##### `listen_address` + +Data type: `Any` + + + +Default value: `$puppetdb::params::listen_address` + +##### `listen_port` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::listen_port` + +##### `disable_cleartext` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_cleartext` + +##### `ssl_listen_address` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_address` + +##### `ssl_listen_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_listen_port` + +##### `disable_ssl` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_ssl` + +##### `ssl_set_cert_paths` + +Data type: `Boolean` + + + +Default value: `$puppetdb::params::ssl_set_cert_paths` + +##### `ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert_path` + +##### `ssl_key_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key_path` + +##### `ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert_path` + +##### `ssl_protocols` + +Data type: `Optional[String]` + + + +Default value: `$puppetdb::params::ssl_protocols` + +##### `cipher_suites` + +Data type: `Optional[String]` + + + +Default value: `$puppetdb::params::cipher_suites` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `max_threads` + +Data type: `Any` + + + +Default value: `$puppetdb::params::max_threads` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +### `puppetdb::server::puppetdb` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::puppetdb` class: + +* [`certificate_whitelist_file`](#-puppetdb--server--puppetdb--certificate_whitelist_file) +* [`certificate_whitelist`](#-puppetdb--server--puppetdb--certificate_whitelist) +* [`disable_update_checking`](#-puppetdb--server--puppetdb--disable_update_checking) +* 
[`confdir`](#-puppetdb--server--puppetdb--confdir) +* [`puppetdb_user`](#-puppetdb--server--puppetdb--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--server--puppetdb--puppetdb_group) + +##### `certificate_whitelist_file` + +Data type: `Any` + + + +Default value: `$puppetdb::params::certificate_whitelist_file` + +##### `certificate_whitelist` + +Data type: `Any` + + + +Default value: `$puppetdb::params::certificate_whitelist` + +##### `disable_update_checking` + +Data type: `Any` + + + +Default value: `$puppetdb::params::disable_update_checking` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +### `puppetdb::server::read_database` + +PRIVATE CLASS - do not use directly + +#### Parameters + +The following parameters are available in the `puppetdb::server::read_database` class: + +* [`read_database`](#-puppetdb--server--read_database--read_database) +* [`read_database_host`](#-puppetdb--server--read_database--read_database_host) +* [`read_database_port`](#-puppetdb--server--read_database--read_database_port) +* [`read_database_username`](#-puppetdb--server--read_database--read_database_username) +* [`read_database_password`](#-puppetdb--server--read_database--read_database_password) +* [`read_database_name`](#-puppetdb--server--read_database--read_database_name) +* [`manage_db_password`](#-puppetdb--server--read_database--manage_db_password) +* [`jdbc_ssl_properties`](#-puppetdb--server--read_database--jdbc_ssl_properties) +* [`database_validate`](#-puppetdb--server--read_database--database_validate) +* [`log_slow_statements`](#-puppetdb--server--read_database--log_slow_statements) +* [`conn_max_age`](#-puppetdb--server--read_database--conn_max_age) +* 
[`conn_keep_alive`](#-puppetdb--server--read_database--conn_keep_alive) +* [`conn_lifetime`](#-puppetdb--server--read_database--conn_lifetime) +* [`confdir`](#-puppetdb--server--read_database--confdir) +* [`puppetdb_user`](#-puppetdb--server--read_database--puppetdb_user) +* [`puppetdb_group`](#-puppetdb--server--read_database--puppetdb_group) +* [`database_max_pool_size`](#-puppetdb--server--read_database--database_max_pool_size) +* [`postgresql_ssl_on`](#-puppetdb--server--read_database--postgresql_ssl_on) +* [`ssl_cert_path`](#-puppetdb--server--read_database--ssl_cert_path) +* [`ssl_key_pk8_path`](#-puppetdb--server--read_database--ssl_key_pk8_path) +* [`ssl_ca_cert_path`](#-puppetdb--server--read_database--ssl_ca_cert_path) + +##### `read_database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database` + +##### `read_database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_host` + +##### `read_database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_port` + +##### `read_database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_username` + +##### `read_database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_password` + +##### `read_database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_name` + +##### `manage_db_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::manage_read_db_password` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_jdbc_ssl_properties` + +##### `database_validate` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_validate` + +##### `log_slow_statements` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_log_slow_statements` + +##### `conn_max_age` + +Data type: `Any` + + + +Default value: 
`$puppetdb::params::read_conn_max_age` + +##### `conn_keep_alive` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_keep_alive` + +##### `conn_lifetime` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_conn_lifetime` + +##### `confdir` + +Data type: `Any` + + + +Default value: `$puppetdb::params::confdir` + +##### `puppetdb_user` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_user` + +##### `puppetdb_group` + +Data type: `Any` + + + +Default value: `$puppetdb::params::puppetdb_group` + +##### `database_max_pool_size` + +Data type: `Any` + + + +Default value: `$puppetdb::params::read_database_max_pool_size` + +##### `postgresql_ssl_on` + +Data type: `Any` + + + +Default value: `$puppetdb::params::postgresql_ssl_on` + +##### `ssl_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_cert_path` + +##### `ssl_key_pk8_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_key_pk8_path` + +##### `ssl_ca_cert_path` + +Data type: `Any` + + + +Default value: `$puppetdb::params::ssl_ca_cert_path` + +### `puppetdb::server::validate_db` + +This validates a database connection. See README.md for more details. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::server::validate_db` class: + +* [`database`](#-puppetdb--server--validate_db--database) +* [`database_host`](#-puppetdb--server--validate_db--database_host) +* [`database_port`](#-puppetdb--server--validate_db--database_port) +* [`database_username`](#-puppetdb--server--validate_db--database_username) +* [`database_password`](#-puppetdb--server--validate_db--database_password) +* [`database_name`](#-puppetdb--server--validate_db--database_name) +* [`jdbc_ssl_properties`](#-puppetdb--server--validate_db--jdbc_ssl_properties) + +##### `database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database` + +##### `database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_password` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::jdbc_ssl_properties` + +### `puppetdb::server::validate_read_db` + +This validates a database connection. See README.md for more details. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::server::validate_read_db` class: + +* [`database`](#-puppetdb--server--validate_read_db--database) +* [`database_host`](#-puppetdb--server--validate_read_db--database_host) +* [`database_port`](#-puppetdb--server--validate_read_db--database_port) +* [`database_username`](#-puppetdb--server--validate_read_db--database_username) +* [`database_password`](#-puppetdb--server--validate_read_db--database_password) +* [`database_name`](#-puppetdb--server--validate_read_db--database_name) +* [`jdbc_ssl_properties`](#-puppetdb--server--validate_read_db--jdbc_ssl_properties) + +##### `database` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database` + +##### `database_host` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_host` + +##### `database_port` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_port` + +##### `database_username` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_username` + +##### `database_password` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_password` + +##### `database_name` + +Data type: `Any` + + + +Default value: `$puppetdb::params::database_name` + +##### `jdbc_ssl_properties` + +Data type: `Any` + + + +Default value: `$puppetdb::params::jdbc_ssl_properties` + +## Defined types + +### `puppetdb::database::default_read_grant` + +Private class. Grant read permissions to $database_read_only_username by default, for new tables created by +$database_username. 
+ +#### Parameters + +The following parameters are available in the `puppetdb::database::default_read_grant` defined type: + +* [`database_name`](#-puppetdb--database--default_read_grant--database_name) +* [`schema`](#-puppetdb--database--default_read_grant--schema) +* [`database_username`](#-puppetdb--database--default_read_grant--database_username) +* [`database_read_only_username`](#-puppetdb--database--default_read_grant--database_read_only_username) + +##### `database_name` + +Data type: `String` + + + +##### `schema` + +Data type: `String` + + + +##### `database_username` + +Data type: `String` + + + +##### `database_read_only_username` + +Data type: `String` + + + +### `puppetdb::database::postgresql_ssl_rules` + +Private class for configuring the pg_ident.conf and pg_hba.conf files + +#### Parameters + +The following parameters are available in the `puppetdb::database::postgresql_ssl_rules` defined type: + +* [`database_name`](#-puppetdb--database--postgresql_ssl_rules--database_name) +* [`database_username`](#-puppetdb--database--postgresql_ssl_rules--database_username) +* [`puppetdb_server`](#-puppetdb--database--postgresql_ssl_rules--puppetdb_server) + +##### `database_name` + +Data type: `String` + + + +##### `database_username` + +Data type: `String` + + + +##### `puppetdb_server` + +Data type: `String` + + + +### `puppetdb::database::read_grant` + +Private class. 
Grant read-only permissions to $database_read_only_username for all objects in $schema of +$database_name + +#### Parameters + +The following parameters are available in the `puppetdb::database::read_grant` defined type: + +* [`database_name`](#-puppetdb--database--read_grant--database_name) +* [`schema`](#-puppetdb--database--read_grant--schema) +* [`database_read_only_username`](#-puppetdb--database--read_grant--database_read_only_username) + +##### `database_name` + +Data type: `String` + + + +##### `schema` + +Data type: `String` + + + +##### `database_read_only_username` + +Data type: `String` + + + +### `puppetdb::database::read_only_user` + +The puppetdb::database::read_only_user class. + +#### Parameters + +The following parameters are available in the `puppetdb::database::read_only_user` defined type: + +* [`read_database_username`](#-puppetdb--database--read_only_user--read_database_username) +* [`database_name`](#-puppetdb--database--read_only_user--database_name) +* [`database_owner`](#-puppetdb--database--read_only_user--database_owner) +* [`password_hash`](#-puppetdb--database--read_only_user--password_hash) + +##### `read_database_username` + +Data type: `String` + + + +##### `database_name` + +Data type: `String` + + + +##### `database_owner` + +Data type: `String` + + + +##### `password_hash` + +Data type: `Variant[String, Boolean]` + + + +Default value: `false` + +## Resource types + +### `puppetdb_conn_validator` + +Verify that a connection can be successfully established between a node +and the puppetdb server. Its primary use is as a precondition to +prevent configuration changes from being applied if the puppetdb +server cannot be reached, but it could potentially be used for other +purposes such as monitoring. + +#### Properties + +The following properties are available in the `puppetdb_conn_validator` type. + +##### `ensure` + +Valid values: `present`, `absent` + +The basic property that the resource should be in. 
+ +Default value: `present` + +#### Parameters + +The following parameters are available in the `puppetdb_conn_validator` type. + +* [`name`](#-puppetdb_conn_validator--name) +* [`provider`](#-puppetdb_conn_validator--provider) +* [`puppetdb_port`](#-puppetdb_conn_validator--puppetdb_port) +* [`puppetdb_server`](#-puppetdb_conn_validator--puppetdb_server) +* [`test_url`](#-puppetdb_conn_validator--test_url) +* [`timeout`](#-puppetdb_conn_validator--timeout) +* [`use_ssl`](#-puppetdb_conn_validator--use_ssl) + +##### `name` + +namevar + +An arbitrary name used as the identity of the resource. + +##### `provider` + +The specific backend to use for this `puppetdb_conn_validator` resource. You will seldom need to specify this --- Puppet +will usually discover the appropriate provider for your platform. + +##### `puppetdb_port` + +The port that the puppetdb server should be listening on. + +##### `puppetdb_server` + +The DNS name or IP address of the server where puppetdb should be running. + +##### `test_url` + +URL to use for testing if the PuppetDB database is up + +##### `timeout` + +The max number of seconds that the validator should wait before giving up and deciding that puppetdb is not running; +defaults to 15 seconds. + +Default value: `15` + +##### `use_ssl` + +Whether the connection will be attempted using https + +Default value: `true` + +## Functions + +### `puppetdb::create_subsetting_resource_hash` + +Type: Ruby 4.x API + +The puppetdb::create_subsetting_resource_hash function. + +#### `puppetdb::create_subsetting_resource_hash(Hash $java_args, Any $params)` + +The puppetdb::create_subsetting_resource_hash function. + +Returns: `Any` + +##### `java_args` + +Data type: `Hash` + + + +##### `params` + +Data type: `Any` + + + +### `puppetdb::flatten_java_args` + +Type: Ruby 4.x API + +The puppetdb::flatten_java_args function. + +#### `puppetdb::flatten_java_args(Optional[Hash] $java_args)` + +The puppetdb::flatten_java_args function. 
+ +Returns: `String` + +##### `java_args` + +Data type: `Optional[Hash]` + + + +## Data types + +### `Puppetdb::Ttl` + +The Puppetdb::Ttl data type. + +Alias of `Pattern[/^\d+(d|h|m|s|ms)$/]` + +## Tasks + +### `lxd_exp` + +Provision/Tear down a machine on LXD + +**Supports noop?** false + +#### Parameters + +##### `action` + +Data type: `Enum[provision, tear_down]` + +Action to perform, tear_down or provision + +##### `inventory` + +Data type: `Optional[String[1]]` + +Location of the inventory file + +##### `node_name` + +Data type: `Optional[String[1]]` + +The name of the node + +##### `platform` + +Data type: `Optional[String[1]]` + +Platform to provision, eg ubuntu:14.04 + +##### `vars` + +Data type: `Optional[String[1]]` + +YAML string of key/value pairs to add to the inventory vars section + diff --git a/Rakefile b/Rakefile index cb7ed0cc..1763bb6a 100644 --- a/Rakefile +++ b/Rakefile @@ -1,11 +1,11 @@ # frozen_string_literal: true -require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any? +require 'bundler' +require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus' require 'puppetlabs_spec_helper/rake_tasks' require 'puppet-syntax/tasks/puppet-syntax' -require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? -require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any? -require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any? +require 'github_changelog_generator/task' if Gem.loaded_specs.key? 'github_changelog_generator' +require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings' def changelog_user return unless Rake.application.top_level_tasks.include? "changelog" 
@@ -41,8 +41,13 @@ def changelog_future_release end PuppetLint.configuration.send('disable_relative') +PuppetLint.configuration.send('disable_parameter_types') +PuppetLint.configuration.send('disable_parameter_documentation') +PuppetLint.configuration.send('disable_documentation') +PuppetLint.configuration.send('disable_140chars') -if Bundler.rubygems.find_name('github_changelog_generator').any? + +if Gem.loaded_specs.key? 'github_changelog_generator' GitHubChangelogGenerator::RakeTask.new :changelog do |config| raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? config.user = "#{changelog_user}" @@ -52,7 +57,7 @@ if Bundler.rubygems.find_name('github_changelog_generator').any? config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." config.add_pr_wo_labels = true config.issues = false - config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM" + config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB" config.configure_sections = { "Changed" => { "prefix" => "### Changed", @@ -60,11 +65,11 @@ if Bundler.rubygems.find_name('github_changelog_generator').any? }, "Added" => { "prefix" => "### Added", - "labels" => ["feature", "enhancement"], + "labels" => ["enhancement", "feature"], }, "Fixed" => { "prefix" => "### Fixed", - "labels" => ["bugfix"], + "labels" => ["bug", "documentation", "bugfix"], }, } end @@ -72,16 +77,15 @@ else desc 'Generate a Changelog from GitHub' task :changelog do raise <= Gem::Version.new('2.2.2')" + version: '~> 1.15' + condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')" EOM end end 
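Review bot: The added `disable_parameter_types`, `disable_parameter_documentation` and `disable_documentation` lines in the `@@ -41,8 +41,13 @@` hunk switch those checks off for the whole module, with no comment saying why or for how long. Elsewhere in this diff REFERENCE.md lists `database_password` and `jdbc_ssl_properties` as `Data type: Any`, and the manifests interpolate parameters into SQL and shell command strings. Parameter types are therefore the main input validation those values would get. I would put a comment above the block, e.g. `# TODO: re-enable parameter_types once class parameters are typed`, so the suppression is tracked rather than permanent.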
diff --git a/lib/puppet/util/puppetdb_validator.rb b/lib/puppet/util/puppetdb_validator.rb index 8cd360d0..5cb966b7 100644 --- a/lib/puppet/util/puppetdb_validator.rb +++ b/lib/puppet/util/puppetdb_validator.rb @@ -63,6 +63,6 @@ def attempt_connection end rescue StandardError => e log_error(e.message) - return false + false end end diff --git a/manifests/database/default_read_grant.pp b/manifests/database/default_read_grant.pp index 80d798b1..fea87f96 100644 --- a/manifests/database/default_read_grant.pp +++ b/manifests/database/default_read_grant.pp @@ -1,12 +1,12 @@ # Private class. Grant read permissions to $database_read_only_username by default, for new tables created by # $database_username. -define puppetdb::database::default_read_grant( +define puppetdb::database::default_read_grant ( String $database_name, String $schema, String $database_username, String $database_read_only_username, ) { - postgresql_psql {"grant default select permission for ${database_read_only_username}": + postgresql_psql { "grant default select permission for ${database_read_only_username}": db => $database_name, command => "ALTER DEFAULT PRIVILEGES FOR USER \"${database_username}\" @@ -23,7 +23,7 @@ AND nspname = '${schema}'", } - postgresql_psql {"grant default usage permission for ${database_read_only_username}": + postgresql_psql { "grant default usage permission for ${database_read_only_username}": db => $database_name, command => "ALTER DEFAULT PRIVILEGES FOR USER \"${database_username}\" @@ -40,7 +40,7 @@ AND nspname = '${schema}'", } - postgresql_psql {"grant default execute permission for ${database_read_only_username}": + postgresql_psql { "grant default execute permission for ${database_read_only_username}": db => $database_name, command => "ALTER DEFAULT PRIVILEGES FOR USER \"${database_username}\" diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp index 62da6464..00f8c42b 100644 --- a/manifests/database/postgresql.pp 
+++ b/manifests/database/postgresql.pp @@ -19,14 +19,13 @@ $read_database_password = $puppetdb::params::read_database_password, $read_database_host = $puppetdb::params::read_database_host ) inherits puppetdb::params { - if $manage_server { - class { '::postgresql::globals': + class { 'postgresql::globals': manage_package_repo => $manage_package_repo, version => $postgres_version, } # get the pg server up and running - class { '::postgresql::server': + class { 'postgresql::server': ip_mask_allow_all_users => '0.0.0.0/0', listen_addresses => $listen_addresses, port => scanf($database_port, '%i')[0], @@ -35,7 +34,7 @@ # We need to create the ssl connection for the read user, when # manage_database is set to true, or when read_database_host is defined. # Otherwise we don't create it. - if $manage_database or $read_database_host != undef{ + if $manage_database or $read_database_host != undef { $create_read_user_rule = true } else { $create_read_user_rule = false @@ -52,15 +51,14 @@ postgresql_ssl_key_path => $postgresql_ssl_key_path, postgresql_ssl_cert_path => $postgresql_ssl_cert_path, postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path, - create_read_user_rule => $create_read_user_rule + create_read_user_rule => $create_read_user_rule, } } # Only install pg_trgm extension, if database it is actually managed by the module if $manage_database { - # get the pg contrib to use pg_trgm extension - class { '::postgresql::server::contrib': } + class { 'postgresql::server::contrib': } postgresql::server::extension { 'pg_trgm': database => $database_name, @@ -97,7 +95,7 @@ read_database_username => $read_database_username, database_name => $database_name, password_hash => postgresql::postgresql_password($read_database_username, $read_database_password), - database_owner => $database_username + database_owner => $database_username, } -> postgresql_psql { "grant ${read_database_username} role to ${database_username}": 
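Review bot: `ip_mask_allow_all_users => '0.0.0.0/0'` on the `postgresql::server` declaration in the first hunk is carried over without a comment, although it decides who may reach the database over TCP. As far as I can tell from the postgresql module, it makes the generated pg_hba.conf accept every database user from any IPv4 address. Exposure is then bounded only by `$listen_addresses` and any host firewall. I would document that next to the parameter, e.g. `# pg_hba admits all users from any IPv4 source; keep $listen_addresses narrow or firewall the port`. The class body starts and ends outside the hunk.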
diff --git a/manifests/database/postgresql_ssl_rules.pp b/manifests/database/postgresql_ssl_rules.pp index 56b48395..a217d612 100644 --- a/manifests/database/postgresql_ssl_rules.pp +++ b/manifests/database/postgresql_ssl_rules.pp @@ -13,7 +13,7 @@ address => '0.0.0.0/0', auth_method => 'cert', order => 0, - auth_option => "map=${identity_map_key} clientcert=1" + auth_option => "map=${identity_map_key} clientcert=1", } postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)": @@ -23,7 +23,7 @@ address => '::0/0', auth_method => 'cert', order => 0, - auth_option => "map=${identity_map_key} clientcert=1" + auth_option => "map=${identity_map_key} clientcert=1", } postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user": diff --git a/manifests/database/ssl_configuration.pp b/manifests/database/ssl_configuration.pp index 0d2473c6..a5c085e5 100644 --- a/manifests/database/ssl_configuration.pp +++ b/manifests/database/ssl_configuration.pp 
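Review bot: Both touched `auth_option` lines (the ipv4 rule in the first hunk and the ipv6 rule in the second) still pass `clientcert=1`. That is the legacy spelling. To my knowledge PostgreSQL 12 introduced `verify-ca`/`verify-full` and releases from 14 onward reject `clientcert=1` in pg_hba.conf, so this would break certificate logins after a server upgrade. With `auth_method => 'cert'` the equivalent is `auth_option => "map=${identity_map_key} clientcert=verify-full",`, gated on the PostgreSQL versions the module still supports. Since both rules match `0.0.0.0/0` and `::0/0`, the certificate map is the only restriction, which is worth stating in a comment above them.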
@@ -31,25 +31,25 @@ postgresql::server::config_entry { 'ssl': ensure => present, value => 'on', - require => [File['postgres private key'], File['postgres public key']] + require => [File['postgres private key'], File['postgres public key']], } postgresql::server::config_entry { 'ssl_cert_file': ensure => present, value => "${postgresql::server::datadir}/server.crt", - require => [File['postgres private key'], File['postgres public key']] + require => [File['postgres private key'], File['postgres public key']], } postgresql::server::config_entry { 'ssl_key_file': ensure => present, value => "${postgresql::server::datadir}/server.key", - require => [File['postgres private key'], File['postgres public key']] + require => [File['postgres private key'], File['postgres public key']], } postgresql::server::config_entry { 'ssl_ca_file': ensure => present, value => $postgresql_ssl_ca_cert_path, - require => [File['postgres private key'], File['postgres public key']] + require => [File['postgres private key'], File['postgres public key']], } puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${database_username}": diff --git a/manifests/globals.pp b/manifests/globals.pp index d28304a8..f703db60 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -3,10 +3,8 @@ $version = 'present', $database = 'postgres', Stdlib::Absolutepath $puppet_confdir = $settings::confdir, - ) { - +) { if !(fact('os.family') in ['RedHat', 'Suse', 'Archlinux', 'Debian', 'OpenBSD', 'FreeBSD']) { fail("${module_name} does not support your osfamily ${fact('os.family')}") } - } diff --git a/manifests/init.pp b/manifests/init.pp index c999441d..5160ed6b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -91,8 +91,7 @@ Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age, Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin, ) inherits puppetdb::params { - - class { '::puppetdb::server': + class { 'puppetdb::server': listen_address => $listen_address, listen_port => $listen_port, disable_cleartext => $disable_cleartext, @@ -176,14 +175,15 @@ } if ($database == 'postgres') { - $database_before = str2bool($database_validate) ? { - false => Class['::puppetdb::server'], - default => [Class['::puppetdb::server'], - Class['::puppetdb::server::validate_db']], + false => Class['puppetdb::server'], + default => [ + Class['puppetdb::server'], + Class['puppetdb::server::validate_db'] + ], } - class { '::puppetdb::database::postgresql': + class { 'puppetdb::database::postgresql': listen_addresses => $database_listen_address, database_name => $database_name, puppetdb_server => $puppetdb_server, @@ -201,7 +201,7 @@ read_database_username => $read_database_username, read_database_password => $read_database_password, read_database_host => $read_database_host, - before => $database_before + before => $database_before, } } } diff --git a/manifests/master/config.pp b/manifests/master/config.pp index 7463ed3e..eb9fb1d9 100644 --- a/manifests/master/config.pp +++ b/manifests/master/config.pp @@ -2,14 +2,14 @@ class puppetdb::master::config ( $puppetdb_server = fact('networking.fqdn'), $puppetdb_port = defined(Class['puppetdb']) ? { - true => $::puppetdb::disable_ssl ? { + true => $puppetdb::disable_ssl ? { true => 8080, default => 8081, }, default => 8081, }, $puppetdb_disable_ssl = defined(Class['puppetdb']) ? { - true => $::puppetdb::disable_ssl, + true => $puppetdb::disable_ssl, default => false, }, $masterless = $puppetdb::params::masterless, 
@@ -30,7 +30,6 @@ $test_url = $puppetdb::params::test_url, $restart_puppet = true, ) inherits puppetdb::params { - # **WARNING**: Ugly hack to work around a yum bug with metadata parsing. This # should not be copied, replicated or even looked at. In short, never rename # your packages... @@ -66,7 +65,6 @@ } if ($strict_validation) { - # Validate the puppetdb connection. If we can't connect to puppetdb then we # *must* not perform the other configuration steps, or else @@ -192,5 +190,4 @@ Class['puppetdb::master::report_processor'] ~> Service[$puppet_service_name] } } - } diff --git a/manifests/master/puppetdb_conf.pp b/manifests/master/puppetdb_conf.pp index a3dd72fc..3cf8d706 100644 --- a/manifests/master/puppetdb_conf.pp +++ b/manifests/master/puppetdb_conf.pp @@ -12,8 +12,7 @@ /(puppetdb-terminus)/ => true, default => false, }, - ) inherits puppetdb::params { - +) inherits puppetdb::params { Ini_setting { ensure => present, section => 'main', diff --git a/manifests/master/report_processor.pp b/manifests/master/report_processor.pp index f97130bd..4002d596 100644 --- a/manifests/master/report_processor.pp +++ b/manifests/master/report_processor.pp @@ -5,7 +5,6 @@ $masterless = $puppetdb::params::masterless, $enable = false ) inherits puppetdb::params { - if $masterless { $puppet_conf_section = 'main' } else { diff --git a/manifests/master/routes.pp b/manifests/master/routes.pp index fcdda80a..87435b06 100644 --- a/manifests/master/routes.pp +++ b/manifests/master/routes.pp @@ -5,7 +5,6 @@ $masterless = $puppetdb::params::masterless, $routes = undef, ) inherits puppetdb::params { - if $masterless { $routes_real = { 'apply' => { @@ -16,8 +15,8 @@ 'facts' => { 'terminus' => 'facter', 'cache' => 'puppetdb_apply', - } - } + }, + }, } } elsif $routes { $routes_real = $routes @@ -32,8 +31,8 @@ 'facts' => { 'terminus' => 'puppetdb', 'cache' => $default_fact_cache, - } - } + }, + }, } } 
diff --git a/manifests/master/storeconfigs.pp b/manifests/master/storeconfigs.pp index cb46cc09..a547e517 100644 --- a/manifests/master/storeconfigs.pp +++ b/manifests/master/storeconfigs.pp @@ -5,7 +5,6 @@ $masterless = $puppetdb::params::masterless, $enable = true, ) inherits puppetdb::params { - if $masterless { $puppet_conf_section = 'main' } else { diff --git a/manifests/params.pp b/manifests/params.pp index a57afa7f..f813596e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -208,7 +208,7 @@ $certificate_whitelist_file = "${etcdir}/certificate-whitelist" # the default is free access for now - $certificate_whitelist = [ ] + $certificate_whitelist = [] # change to this to only allow access by the puppet master by default: #$certificate_whitelist = [ $::servername ] diff --git a/manifests/server.pp b/manifests/server.pp index b9def8af..6ec90c88 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -81,7 +81,6 @@ Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age, Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin, ) inherits puppetdb::params { - # Apply necessary suffix if zero is specified. # Can we drop this in the next major release? if $node_ttl == '0' { 
@@ -263,21 +262,21 @@ if $postgresql_ssl_on { exec { $ssl_key_pk8_path: - path => [ '/opt/puppetlabs/puppet/bin', $facts['path'] ], + path => ['/opt/puppetlabs/puppet/bin', $facts['path']], command => "openssl pkcs8 -topk8 -inform PEM -outform DER -in ${ssl_key_path} -out ${ssl_key_pk8_path} -nocrypt", # Generate a .pk8 key if one doesn't exist or is older than the .pem input. # NOTE: bash file time checks, like -ot, can't always discern sub-second # differences. onlyif => "test ! -e '${ssl_key_pk8_path}' -o '${ssl_key_pk8_path}' -ot '${ssl_key_path}'", - before => File[$ssl_key_pk8_path] + before => File[$ssl_key_pk8_path], } file { $ssl_key_pk8_path: - ensure => present, + ensure => file, owner => $puppetdb_user, group => $puppetdb_group, mode => '0600', - notify => Service[$puppetdb_service] + notify => Service[$puppetdb_service], } } @@ -324,7 +323,7 @@ setting => 'JAVA_ARGS', require => Package[$puppetdb_package], notify => Service[$puppetdb_service], - })) + })) } else { ini_setting { 'java_args': ensure => present, @@ -357,14 +356,14 @@ # https://puppet.com/docs/puppetdb/5.2/maintain_and_tune.html#clean-up-the-dead-letter-office systemd::unit_file { 'puppetdb-dlo-cleanup.service': content => epp("${module_name}/puppetdb-DLO-cleanup.service.epp", { - 'puppetdb_user' => $puppetdb_user, - 'puppetdb_group' => $puppetdb_group, - 'vardir' => $vardir, - 'dlo_max_age' => $dlo_max_age + 'puppetdb_user' => $puppetdb_user, + 'puppetdb_group' => $puppetdb_group, + 'vardir' => $vardir, + 'dlo_max_age' => $dlo_max_age }), } -> systemd::unit_file { 'puppetdb-dlo-cleanup.timer': - content => epp("${module_name}/puppetdb-DLO-cleanup.timer.epp", {'cleanup_timer_interval' => $cleanup_timer_interval }), + content => epp("${module_name}/puppetdb-DLO-cleanup.timer.epp", { 'cleanup_timer_interval' => $cleanup_timer_interval }), enable => true, active => true, } 
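Review bot: The `exec { $ssl_key_pk8_path: ... }` in the first hunk writes an unencrypted private key (`-nocrypt`), and `mode => '0600'` is only applied afterwards by `File[$ssl_key_pk8_path]`, because the exec is ordered `before` it. Unless the installed openssl restricts the mode itself, the key presumably sits with umask-derived permissions in between, and stays that way if the run stops after the exec. Adding `umask => '0077',` to the exec closes that window without changing the rest of the resource. The enclosing class body starts outside the hunk.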
diff --git a/manifests/server/command_processing.pp b/manifests/server/command_processing.pp index 6d05e562..7a3cd2a3 100644 --- a/manifests/server/command_processing.pp +++ b/manifests/server/command_processing.pp @@ -6,7 +6,6 @@ $temp_usage = $puppetdb::params::temp_usage, $confdir = $puppetdb::params::confdir, ) inherits puppetdb::params { - $config_ini = "${confdir}/config.ini" # Set the defaults diff --git a/manifests/server/database.pp b/manifests/server/database.pp index 12dff9ff..d541a1e4 100644 --- a/manifests/server/database.pp +++ b/manifests/server/database.pp @@ -30,7 +30,6 @@ $ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path, $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path ) inherits puppetdb::params { - if str2bool($database_validate) { # Validate the database connection. If we can't connect, we want to fail # and skip the rest of the configuration, so that we don't leave puppetdb @@ -69,15 +68,13 @@ path => $database_ini, ensure => present, section => 'database', - require => $ini_setting_require + require => $ini_setting_require, } if $database == 'embedded' { - $classname = 'org.hsqldb.jdbcDriver' $subprotocol = 'hsqldb' $subname = "file:${database_embedded_path};hsqldb.tx=mvcc;sql.syntax_pgs=true" - } elsif $database == 'postgres' { $classname = 'org.postgresql.Driver' $subprotocol = 'postgresql' @@ -91,8 +88,7 @@ $subname_default = "//${database_host}:${database_port}/${database_name}${database_suffix}" - if $postgresql_ssl_on and !empty($jdbc_ssl_properties) - { + if $postgresql_ssl_on and !empty($jdbc_ssl_properties) { fail("Variables 'postgresql_ssl_on' and 'jdbc_ssl_properties' can not be used at the same time!") } diff --git a/manifests/server/global.pp b/manifests/server/global.pp index f03f281f..874601a8 100644 --- a/manifests/server/global.pp +++ b/manifests/server/global.pp 
@@ -4,7 +4,6 @@ $confdir = $puppetdb::params::confdir, $puppetdb_group = $puppetdb::params::puppetdb_group, ) inherits puppetdb::params { - $config_ini = "${confdir}/config.ini" file { $config_ini: diff --git a/manifests/server/jetty.pp b/manifests/server/jetty.pp index ea050faf..bb155ec3 100644 --- a/manifests/server/jetty.pp +++ b/manifests/server/jetty.pp @@ -17,7 +17,6 @@ $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, ) inherits puppetdb::params { - $jetty_ini = "${confdir}/jetty.ini" file { $jetty_ini: @@ -70,7 +69,6 @@ } if $ssl_protocols { - ini_setting { 'puppetdb_sslprotocols': ensure => $ssl_setting_ensure, setting => 'ssl-protocols', @@ -79,7 +77,6 @@ } if $cipher_suites { - ini_setting { 'puppetdb_cipher-suites': ensure => $ssl_setting_ensure, setting => 'cipher-suites', diff --git a/manifests/server/puppetdb.pp b/manifests/server/puppetdb.pp index 54fa4d2d..b77e48a9 100644 --- a/manifests/server/puppetdb.pp +++ b/manifests/server/puppetdb.pp @@ -7,7 +7,6 @@ $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, ) inherits puppetdb::params { - $puppetdb_ini = "${confdir}/puppetdb.ini" file { $puppetdb_ini: @@ -31,7 +30,7 @@ } # accept connections only from puppet master - ini_setting {'puppetdb-connections-from-master-only': + ini_setting { 'puppetdb-connections-from-master-only': ensure => $certificate_whitelist_setting_ensure, section => 'puppetdb', setting => 'certificate-whitelist', diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp index 688a74fe..e3407b7d 100644 --- a/manifests/server/read_database.pp +++ b/manifests/server/read_database.pp 
@@ -22,7 +22,6 @@ $ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path, $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path ) inherits puppetdb::params { - if $read_database_host != undef { if str2bool($database_validate) { # Validate the database connection. If we can't connect, we want to fail @@ -78,18 +77,17 @@ $subname_default = "//${read_database_host}:${read_database_port}/${read_database_name}${database_suffix}" - if $postgresql_ssl_on and !empty($jdbc_ssl_properties) - { + if $postgresql_ssl_on and !empty($jdbc_ssl_properties) { fail("Variables 'postgresql_ssl_on' and 'jdbc_ssl_properties' can not be used at the same time!") } if $postgresql_ssl_on { $subname = @("EOT"/L) - ${subname_default}?\ - ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\ - sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\ - sslkey=${ssl_key_pk8_path}&sslcert=${ssl_cert_path}\ - | EOT + ${subname_default}?\ + ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\ + sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\ + sslkey=${ssl_key_pk8_path}&sslcert=${ssl_cert_path}\ + | EOT } else { $subname = $subname_default } diff --git a/manifests/server/validate_db.pp b/manifests/server/validate_db.pp index cf2e5b41..faa06410 100644 --- a/manifests/server/validate_db.pp +++ b/manifests/server/validate_db.pp @@ -8,7 +8,6 @@ $database_name = $puppetdb::params::database_name, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, ) inherits puppetdb::params { - # We don't need any validation for the embedded database, presumably. if ( $database == 'postgres' and diff --git a/manifests/server/validate_read_db.pp b/manifests/server/validate_read_db.pp index d857676d..bbf19986 100644 --- a/manifests/server/validate_read_db.pp +++ b/manifests/server/validate_read_db.pp 
@@ -8,7 +8,6 @@ $database_name = $puppetdb::params::database_name, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, ) inherits puppetdb::params { - # Currently we only support postgres if ( $database == 'postgres' and diff --git a/metadata.json b/metadata.json index 7e8163d9..74f87905 100644 --- a/metadata.json +++ b/metadata.json @@ -75,7 +75,7 @@ } ], "description": "Module for installing/configuring PuppetDB", - "pdk-version": "1.18.0", - "template-url": "https://github.com/puppetlabs/pdk-templates#1.18.0", - "template-ref": "tags/1.18.0-0-g095317c" + "pdk-version": "3.0.1", + "template-url": "https://github.com/puppetlabs/pdk-templates#3.0.1", + "template-ref": "tags/3.0.1-0-gd13288a" } diff --git a/pdk.yaml b/pdk.yaml new file mode 100644 index 00000000..4bef4bd0 --- /dev/null +++ b/pdk.yaml @@ -0,0 +1,2 @@ +--- +ignore: [] diff --git a/rakelib/common.rake b/rakelib/common.rake new file mode 100644 index 00000000..a0054fa0 --- /dev/null +++ b/rakelib/common.rake @@ -0,0 +1,33 @@ +require 'dependency_checker' +require 'metadata_json_lint' + +# PDK validate behaviors +MetadataJsonLint.options.fail_on_warnings = true +MetadataJsonLint.options.strict_license = true +MetadataJsonLint.options.strict_puppet_version = true +MetadataJsonLint.options.strict_dependencies = true + +PuppetLint.configuration.log_forat = '%{path}:%{line}:%{check}:%{KIND}:%{message}' +PuppetLint.configuration.fail_on_warnings = true + +desc 'Run dependency-checker' +task :metadata_deps do + dpc = DependencyChecker::Runner.new + dpc.resolve_from_files(['metadata.json']) + dpc.run + raise 'dependency checker failed' unless dpc.problems.zero? +end + +# output task execution +unless Rake.application.options.trace + setup = ->(task, *_args) do + puts "===> rake: #{task}" + end + + task :log_hooker do + Rake::Task.tasks.reject { |t| t.to_s == 'log_hooker' }.each do |a_task| + a_task.actions.prepend(setup) + end + end + Rake.application.top_level_tasks.prepend(:log_hooker) +end 
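Review bot: `PuppetLint.configuration.log_forat = ...` in the new rakelib/common.rake looks like a misspelling of `log_format`. puppet-lint's configuration object appears to accept arbitrary setter names, so the line would not raise and the custom format would never be applied. CI output would then silently stay in the default format. Suggested: `PuppetLint.configuration.log_format = '%{path}:%{line}:%{check}:%{KIND}:%{message}'`.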
diff --git a/spec/acceptance/basic_spec.rb b/spec/acceptance/basic_spec.rb index a17cb9c9..d137456d 100644 --- a/spec/acceptance/basic_spec.rb +++ b/spec/acceptance/basic_spec.rb @@ -1,17 +1,28 @@ -require 'beaker-puppet' -require 'beaker-pe' require 'spec_helper_acceptance' describe 'basic tests:' do it 'make sure we have copied the module across' do # No point diagnosing any more if the module wasn't copied properly - shell('ls /etc/puppetlabs/code/modules/puppetdb') do |r| + run_shell('ls /etc/puppetlabs/code/environments/production/modules/puppetdb') do |r| r.exit_code.should be_zero - r.stdout.should =~ %r{metadata\.json} + r.stdout.should contain 'metadata.json' r.stderr.should == '' end end + describe 'setup puppetserver' do + pp = <<-EOS + package { 'puppetserver': ensure => installed, } -> + exec { '/opt/puppetlabs/bin/puppetserver ca setup': creates => '/etc/puppetlabs/puppetserver/ca/ca_crt.pem', } + service { 'puppetserver': ensure => running, enable => true, } + EOS + + it 'make sure it runs without error' do + apply_manifest(pp, catch_errors: true) + apply_manifest(pp, catch_changes: true) + end + end + describe 'single node setup' do pp = <<-EOS # Single node setup @@ -72,7 +83,7 @@ class { 'puppetdb::master::config': apply_manifest(pp, catch_errors: true) apply_manifest(pp, catch_changes: true) - shell('cat /etc/puppetlabs/puppet/puppet.conf') do |r| + run_shell('cat /etc/puppetlabs/puppet/puppet.conf') do |r| expect(r.stdout).to match(%r{^reports\s*=\s*([^,]+,)*puppetdb(,[^,]+)*$}) end end 
@@ -91,7 +102,7 @@ class { 'puppetdb::master::config': apply_manifest(pp, catch_errors: true) apply_manifest(pp, catch_changes: true) - shell('psql "postgresql://puppetdb-read:puppetdb-read@localhost/puppetdb" -c "create table tables(id int)" || true') do |r| + run_shell('psql "postgresql://puppetdb-read:puppetdb-read@localhost/puppetdb" -c "create table tables(id int)" || true') do |r| expect(r.stderr).to match(%r{^ERROR: permission denied for schema public.*}) end end diff --git a/spec/default_facts.yml b/spec/default_facts.yml deleted file mode 100644 index f777abfc..00000000 --- a/spec/default_facts.yml +++ /dev/null @@ -1,8 +0,0 @@ -# Use default_module_facts.yml for module specific facts. -# -# Facts specified here will override the values provided by rspec-puppet-facts. ---- -ipaddress: "172.16.254.254" -ipaddress6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA" -is_pe: false -macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/defines/database/default_read_grant_spec.rb b/spec/defines/database/default_read_grant_spec.rb new file mode 100644 index 00000000..8a8ee4a6 --- /dev/null +++ b/spec/defines/database/default_read_grant_spec.rb 
@@ -0,0 +1,50 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'puppetdb::database::default_read_grant' do + valid = { + 'standard': { + database_name: 'puppetdb', + schema: 'public', + database_username: 'puppetdb', + database_read_only_username: 'puppetdb-read', + } + } + + invalid = { + 'no params': {}, + 'without database_name': { + schema: 'public', + database_username: 'puppetdb', + database_read_only_username: 'puppetdb-read', + } + } + + let(:facts) { on_supported_os.take(1).first[1] } + let(:pre_condition) { 'include postgresql::server' } + let(:name) { title } + let(:args) { params } + + context 'with valid parameters' do + valid.each do |name, params| + context name do + include_examples 'puppetdb::database::default_read_grant' do + let(:title) { name.to_s } + let(:params) { params } + end + end + end + end + + context 'with invalid parameters' do + invalid.each do |name, params| + context name do + include_examples 'puppetdb::database::default_read_grant', Puppet::Error do + let(:title) { name.to_s } + let(:params) { params } + end + end + end + end +end diff --git a/spec/defines/database/postgresql_ssl_rules_spec.rb b/spec/defines/database/postgresql_ssl_rules_spec.rb new file mode 100644 index 00000000..cce2e0d3 --- /dev/null +++ b/spec/defines/database/postgresql_ssl_rules_spec.rb 
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+valid = {
+ 'puppetdb-read': {
+ database_name: 'puppetdb',
+ database_username: 'monitor',
+ puppetdb_server: 'localhost',
+ },
+ 'monitor': {
+ database_name: 'opensesame',
+ database_username: 'grover',
+ puppetdb_server: 'rainbow',
+ },
+}
+
+invalid = {
+ 'no params': {},
+}
+
+describe 'puppetdb::database::postgresql_ssl_rules' do
+ let(:facts) { on_supported_os.take(1).first[1] }
+ let(:pre_condition) { 'include postgresql::server' }
+ let(:name) { title }
+ let(:args) { params }
+
+ valid.each do |name, params|
+ context "for valid #{name}" do
+ include_examples 'puppetdb::database::postgresql_ssl_rules' do
+ let(:title) { name.to_s }
+ let(:params) { params }
+ end
+ end
+ end
+
+ invalid.each do |name, params|
+ context "for invalid #{name}" do
+ include_examples 'puppetdb::database::postgresql_ssl_rules', Puppet::Error do
+ let(:title) { name.to_s }
+ let(:params) { params }
+ end
+ end
+ end
+end
diff --git a/spec/defines/database/read_grant_spec.rb b/spec/defines/database/read_grant_spec.rb
new file mode 100644
index 00000000..df8b54d8
--- /dev/null
+++ b/spec/defines/database/read_grant_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+valid = {
+ 'grant read on new objects from blah to blah': {
+ database_read_only_username: 'puppetdb-read',
+ database_name: 'puppetdb',
+ schema: 'public',
+ },
+}
+
+invalid = {
+ 'no params': {},
+}
+
+describe 'puppetdb::database::read_grant' do
+ let(:facts) { on_supported_os.take(1).first[1] }
+ let(:pre_condition) { 'include postgresql::server' }
+ let(:name) { title }
+ let(:args) { params }
+
+ valid.each do |name, params|
+ context "for valid #{name}" do
+ include_examples 'puppetdb::database::read_grant' do
+ let(:title) { name.to_s }
+ let(:params) { params }
+ end
+ end
+ end
+
+ invalid.each do |name, params|
+ context "for invalid #{name}" do
+ include_examples 'puppetdb::database::read_grant', Puppet::Error do
+ let(:title) { name.to_s }
+ let(:params) { params }
+ end
+ end
+ end
+end
diff --git a/spec/defines/database/read_only_user_spec.rb b/spec/defines/database/read_only_user_spec.rb
new file mode 100644
index 00000000..0efc059c
--- /dev/null
+++ b/spec/defines/database/read_only_user_spec.rb
@@ -0,0 +1,46 @@ +# frozen_string_literal: true + +require 'spec_helper' + +valid = { + 'puppetdb-read': { + read_database_username: 'puppetdb-read', + database_name: 'puppetdb', + password_hash: 'blah', + database_owner: 'puppetdb', + }, + 'spectest': { + read_database_username: 'spectest-read', + database_name: 'spectest', + database_owner: 'spectest', + }, +} + +invalid = { + 'no params': {}, +} + +describe 'puppetdb::database::read_only_user', type: :define do + let(:facts) { on_supported_os.take(1).first[1] } + let(:pre_condition) { 'include postgresql::server' } + let(:name) { title } + let(:args) { params } + + valid.each do |name, params| + context "for valid #{name}" do + include_examples 'puppetdb::database::read_only_user' do + let(:title) { name.to_s } + let(:params) { params } + end + end + end + + invalid.each do |name, params| + context "for invalid #{name}" do + include_examples 'puppetdb::database::read_only_user', Puppet::Error do + let(:title) { name.to_s } + let(:params) { params } + end + end + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index d3778cac..61df2940 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,5 +1,9 @@ # frozen_string_literal: true +RSpec.configure do |c| + c.mock_with :rspec +end + require 'puppetlabs_spec_helper/module_spec_helper' require 'rspec-puppet-facts' @@ -21,8 +25,8 @@ next unless File.exist?(f) && File.readable?(f) && File.size?(f) begin - default_facts.merge!(YAML.safe_load(File.read(f), [], [], true)) - rescue => e + default_facts.merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true)) + rescue StandardError => e RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" end end 
@@ -42,6 +46,19 @@ end c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] c.after(:suite) do + RSpec::Puppet::Coverage.report!(100) + end + + # Filter backtrace noise + backtrace_exclusion_patterns = [ + %r{spec_helper}, + %r{gems}, + ] + + if c.respond_to?(:backtrace_exclusion_patterns) + c.backtrace_exclusion_patterns = backtrace_exclusion_patterns + elsif c.respond_to?(:backtrace_clean_patterns) + c.backtrace_clean_patterns = backtrace_exclusion_patterns end end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 0b734325..73a02388 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb 
@@ -1,136 +1,6 @@ -require 'beaker-rspec' -require 'beaker-puppet' -require 'beaker/puppet_install_helper' -require 'beaker/module_install_helper' +# frozen_string_literal: true -def use_puppet4? - (ENV['PUPPET_INSTALL_VERSION'] =~ %r{^2016}) ? true : false -end +require 'puppet_litmus' +PuppetLitmus.configure! -def use_puppet5? - (ENV['BEAKER_PUPPET_COLLECTION'] =~ %r{^puppet5}) ? true : false -end - -def use_puppet6? - (ENV['BEAKER_PUPPET_COLLECTION'] =~ %r{^puppet6}) ? true : false -end - -def use_puppet7? - (ENV['BEAKER_PUPPET_COLLECTION'] =~ %r{^puppet7}) ? true : false -end - -def build_url(platform) - if use_puppet4? - url4 = 'http://%{mngr}.puppetlabs.com/puppetlabs-release-pc1%{plat}' - case platform - when 'el' then url4 % { mngr: 'yum', plat: '-el-' } - when 'fedora' then url4 % { mngr: 'yum', plat: '-fedora-' } - when 'debian', 'ubuntu' then url4 % { mngr: 'apt', plat: '-' } - else - raise "build_url() called with unsupported platform '#{platform}'" - end - elsif use_puppet5? - url5 = 'http://%{mngr}.puppetlabs.com/%{dir}puppet5-release%{plat}' - case platform - when 'el' then url5 % { mngr: 'yum', dir: 'puppet5/', plat: '-el-' } - when 'fedora' then url5 % { mngr: 'yum', dir: 'puppet5/', plat: '-fedora-' } - when 'debian', 'ubuntu' then url5 % { mngr: 'apt', dir: '', plat: '-' } - else - raise "build_url() called with unsupported platform '#{platform}'" - end - elsif use_puppet6? 
- url6 = 'http://%{mngr}.puppetlabs.com/%{dir}puppet6-release%{plat}' - case platform - when 'el' then url6 % { mngr: 'yum', dir: 'puppet6/', plat: '-el-' } - when 'fedora' then url6 % { mngr: 'yum', dir: 'puppet6/', plat: '-fedora-' } - when 'debian', 'ubuntu' then url6 % { mngr: 'apt', dir: '', plat: '-' } - else - raise "build_url() called with unsupported platform '#{platform}'" - end - else - url7 = 'http://%{mngr}.puppetlabs.com/%{dir}puppet7-release%{plat}' - case platform - when 'el' then url7 % { mngr: 'yum', dir: 'puppet7/', plat: '-el-' } - when 'fedora' then url7 % { mngr: 'yum', dir: 'puppet7/', plat: '-fedora-' } - when 'debian', 'ubuntu' then url7 % { mngr: 'apt', dir: '', plat: '-' } - else - raise "build_url() called with unsupported platform '#{platform}'" - end - end -end - -hosts.each do |host| - if host['platform'] =~ %r{debian} - on host, 'echo \'export PATH=/var/lib/gems/1.8/bin/:${PATH}\' >> ~/.bashrc' - end - # install_puppet - if host['platform'] =~ %r{el-(5|6|7|8)} - relver = Regexp.last_match(1) - on host, "rpm -ivh #{build_url('el')}#{relver}.noarch.rpm" - on host, 'yum install -y puppetserver' - on host, '/opt/puppetlabs/bin/puppetserver ca setup' - - # TODO: we should probably be using the relatively new postgresql - # module settings manage_dnf_module on el8 when we are managing the postgresql - # database - if relver == '8' - on host, 'dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm' - on host, 'dnf -qy module disable postgresql' - end - elsif host['platform'] =~ %r{fedora-(\d+)} - relver = Regexp.last_match(1) - on host, "rpm -ivh #{build_url('fedora')}#{relver}.noarch.rpm" - on host, 'yum install -y puppetserver' - elsif host['platform'] =~ %r{(ubuntu|debian)} - unless host.check_for_package 'curl' - on host, 'apt-get install -y curl' - end - # For openjdk8 - if host['platform'].version == '8' && !use_puppet4? 
- create_remote_file(host, - '/etc/apt/sources.list.d/jessie-backports.list', - 'deb https://artifactory.delivery.puppetlabs.net/artifactory/debian_archive__remote/ jessie-backports main') - on host, 'apt-get -y -m update' - install_package(host, 'openjdk-8-jre-headless') - end - on host, 'apt-get install apt-transport-https --assume-yes' - on host, "curl -O #{build_url('debian')}$(lsb_release -c -s).deb" - if use_puppet4? - on host, 'dpkg -i puppetlabs-release-pc1-$(lsb_release -c -s).deb' - elsif use_puppet5? - on host, 'dpkg -i puppet5-release-$(lsb_release -c -s).deb' - elsif use_puppet6? - on host, 'dpkg -i puppet6-release-$(lsb_release -c -s).deb' - else - on host, 'dpkg -i puppet7-release-$(lsb_release -c -s).deb' - end - on host, 'apt-get -y -m update' - on host, 'apt-get install -y puppetserver' - on host, '/opt/puppetlabs/bin/puppetserver ca setup' - else - raise "install_puppet() called for unsupported platform '#{host['platform']}' on '#{host.name}'" - end -end - -opts = { puppet_agent_version: 'latest' } -opts[:puppet_collection] = if use_puppet5? - 'puppet5' - elsif use_puppet6? - 'puppet6' - elsif use_puppet7? - 'puppet7' - end -install_puppet_agent_on(hosts, opts) unless ENV['BEAKER_provision'] == 'no' -install_ca_certs unless ENV['PUPPET_INSTALL_TYPE'] =~ %r{pe}i -install_module_on(hosts) -install_module_dependencies_on(hosts) - -RSpec.configure do |c| - # Readable test descriptions - c.formatter = :documentation - hosts.each do |host| - if host[:platform] =~ %r{el-7-x86_64} && host[:hypervisor] =~ %r{docker} - on(host, "sed -i '/nodocs/d' /etc/yum.conf") - end - end -end +require 'spec_helper_acceptance_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_acceptance_local.rb')) diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb new file mode 100644 index 00000000..67e67859 --- /dev/null +++ b/spec/spec_helper_local.rb 
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+include RspecPuppetFacts
+
+Dir['./spec/support/unit/**/*.rb'].sort.each { |f| require f }
+
+RSpec.configure do |c|
+ c.fail_if_no_examples = true
+ c.silence_filter_announcements = true
+
+ c.expect_with :rspec do |expectations|
+ expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+ end
+end
diff --git a/spec/support/unit/facts.rb b/spec/support/unit/facts.rb
new file mode 100644
index 00000000..ca0dda60
--- /dev/null
+++ b/spec/support/unit/facts.rb
@@ -0,0 +1,28 @@
+# Rough conversion of grepping in the puppet source:
+# grep defaultfor lib/puppet/provider/service/*.rb
+# Source https://github.com/voxpupuli/voxpupuli-test/blob/master/lib/voxpupuli/test/facts.rb
+add_custom_fact :service_provider, ->(_os, facts) do
+ os = RSpec.configuration.facterdb_string_keys ? facts['os'] : facts[:os]
+ case os['family'].downcase
+ when 'archlinux'
+ 'systemd'
+ when 'darwin'
+ 'launchd'
+ when 'debian'
+ 'systemd'
+ when 'freebsd'
+ 'freebsd'
+ when 'gentoo'
+ 'openrc'
+ when 'openbsd'
+ 'openbsd'
+ when 'redhat'
+ (os['release']['major'].to_i >= 7) ? 'systemd' : 'redhat'
+ when 'suse'
+ (os['release']['major'].to_i >= 12) ? 'systemd' : 'redhat'
+ when 'windows'
+ 'windows'
+ else
+ 'init'
+ end
+end
diff --git a/spec/support/unit/shared/database.rb b/spec/support/unit/shared/database.rb
new file mode 100644
index 00000000..dc667ea3
--- /dev/null
+++ b/spec/support/unit/shared/database.rb
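Review bot: In spec_helper_local.rb, `Dir['./spec/support/unit/**/*.rb']` resolves against the process working directory, so the shared examples are only loaded when rspec is started from the module root. From any other directory the glob matches nothing, no file is required, and the failure only shows up later as missing shared examples. Anchoring the glob to the helper itself removes that dependency: `Dir[File.join(__dir__, 'support', 'unit', '**', '*.rb')].sort.each { |f| require f }`. The top-level `include RspecPuppetFacts` mixes the helper methods into `Object`; a one-line comment such as `# top-level include so add_custom_fact is callable from spec/support files` would record why, if that is the intent.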
@@ -0,0 +1,268 @@ +# frozen_string_literal: true + +require 'puppetlabs_spec_helper/puppetlabs_spec/puppet_internals' + +shared_examples 'postgresql_psql read grant' do + it { + is_expected.to contain_postgresql_psql("grant select permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "GRANT SELECT + ON ALL TABLES IN SCHEMA \"public\" + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT * FROM ( + SELECT COUNT(*) + FROM pg_tables + WHERE schemaname='public' + AND has_table_privilege('#{with[:database_read_only_username]}', schemaname || '.' || tablename, 'SELECT')=false + ) x + WHERE x.count=0", + ) + } + + it { + is_expected.to contain_postgresql_psql("grant usage permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "GRANT USAGE + ON ALL SEQUENCES IN SCHEMA \"public\" + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT * FROM ( + SELECT COUNT(*) + FROM information_schema.sequences + WHERE sequence_schema='public' + AND has_sequence_privilege('#{with[:database_read_only_username]}', sequence_schema || '.' 
|| sequence_name, 'USAGE')=false + ) x + WHERE x.count=0", + ) + } + + it { + is_expected.to contain_postgresql_psql("grant execution permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "GRANT EXECUTE + ON ALL FUNCTIONS IN SCHEMA \"public\" + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT * FROM ( + SELECT COUNT(*) + FROM pg_catalog.pg_proc p + LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace + WHERE n.nspname='public' + AND has_function_privilege('#{with[:database_read_only_username]}', p.oid, 'EXECUTE')=false + ) x + WHERE x.count=0", + ) + } +end + +shared_examples 'postgresql_psql default read grant' do + it { + is_expected.to contain_postgresql_psql("grant default select permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "ALTER DEFAULT PRIVILEGES + FOR USER \"#{with[:database_username]}\" + IN SCHEMA \"public\" + GRANT SELECT ON TABLES + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT + ns.nspname, + acl.defaclobjtype, + acl.defaclacl + FROM pg_default_acl acl + JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid + WHERE acl.defaclacl::text ~ '.*\\\\\"#{with[:database_read_only_username]}\\\\\"=r/#{with[:database_username]}\\\".*' + AND nspname = 'public'", + ) + } + + it { + is_expected.to contain_postgresql_psql("grant default usage permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "ALTER DEFAULT PRIVILEGES + FOR USER \"#{with[:database_username]}\" + IN SCHEMA \"public\" + GRANT USAGE ON SEQUENCES + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT + ns.nspname, + acl.defaclobjtype, + acl.defaclacl + FROM pg_default_acl acl + JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid + WHERE acl.defaclacl::text ~ '.*\\\\\"#{with[:database_read_only_username]}\\\\\"=U/#{with[:database_username]}\\\".*' + AND nspname = 'public'", + ) + } + + it { + 
is_expected.to contain_postgresql_psql("grant default execute permission for #{with[:database_read_only_username]}") + .with( + db: with[:database_name], + command: "ALTER DEFAULT PRIVILEGES + FOR USER \"#{with[:database_username]}\" + IN SCHEMA \"public\" + GRANT EXECUTE ON FUNCTIONS + TO \"#{with[:database_read_only_username]}\"", + unless: "SELECT + ns.nspname, + acl.defaclobjtype, + acl.defaclacl + FROM pg_default_acl acl + JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid + WHERE acl.defaclacl::text ~ '.*\\\\\"#{with[:database_read_only_username]}\\\\\"=X/#{with[:database_username]}\\\".*' + AND nspname = 'public'", + ) + } +end + +shared_examples 'puppetdb::database::read_only_user' do |error = false| + let(:defaults) do + { + read_database_username: nil, + database_name: nil, + database_owner: nil, + password_hash: false, + } + end + let(:with) { defined?(args) ? defaults.merge(args) : defaults } + + if error + it { is_expected.to raise_error(error) } + else + it { is_expected.to contain_puppetdb__database__read_only_user(name).with(with) } + + it { + is_expected.to contain_postgresql__server__role(with[:read_database_username]) + .that_comes_before("Postgresql::Server::Database_grant[#{with[:database_name]} grant connection permission to #{with[:read_database_username]}]") + .with_password_hash(with[:password_hash]) + } + + it { + btitle = "#{with[:database_name]} grant read permission on new objects from #{with[:database_owner]} to #{with[:read_database_username]}" + is_expected.to contain_postgresql__server__database_grant("#{with[:database_name]} grant connection permission to #{with[:read_database_username]}") + .that_comes_before("Puppetdb::Database::Default_read_grant[#{btitle}]") + .with( + privilege: 'CONNECT', + db: with[:database_name], + role: with[:read_database_username], + ) + } + + it { + rtitle = "#{with[:database_name]} grant read permission on new objects from #{with[:database_owner]} to #{with[:read_database_username]}" + is_expected.to 
contain_puppetdb__database__default_read_grant(rtitle) + .that_comes_before("Puppetdb::Database::Read_grant[#{with[:database_name]} grant read-only permission on existing objects to #{with[:read_database_username]}]") + .with( + database_username: with[:database_owner], + database_read_only_username: with[:read_database_username], + database_name: with[:database_name], + schema: 'public', + ) + } + + it_behaves_like 'postgresql_psql default read grant' do + let(:with) do + { + database_username: super()[:database_owner], + database_read_only_username: super()[:read_database_username], + database_name: super()[:database_name], + } + end + end + + it { + is_expected.to contain_puppetdb__database__read_grant("#{with[:database_name]} grant read-only permission on existing objects to #{with[:read_database_username]}") + .with( + database_read_only_username: with[:read_database_username], + database_name: with[:database_name], + schema: 'public', + ) + } + + it_behaves_like 'postgresql_psql read grant' do + let(:with) do + { + database_read_only_username: super()[:read_database_username], + database_name: super()[:database_name], + } + end + end + end +end + +shared_examples 'puppetdb::database::read_grant' do |error| + let(:defaults) { {} } + let(:with) { defined?(args) ? defaults.merge(args) : defaults } + + if error + it { is_expected.to raise_error(error) } + else + it { is_expected.to contain_puppetdb__database__read_grant(name).with(with) } + + include_examples 'postgresql_psql read grant' + end +end + +shared_examples 'puppetdb::database::default_read_grant' do |error| + let(:defaults) { {} } + let(:with) { defined?(args) ? 
defaults.merge(args) : defaults } + + if error + it { is_expected.to raise_error(error) } + else + it { is_expected.to contain_puppetdb__database__default_read_grant(name).with(with) } + + include_examples 'postgresql_psql default read grant' + end +end + +shared_examples 'puppetdb::database::postgresql_ssl_rules' do |error| + let(:defaults) { {} } + let(:with) { defined?(args) ? defaults.merge(args) : defaults } + + if error + it { is_expected.to raise_error(error) } + else + let(:identity_map_key) { "#{with[:database_name]}-#{with[:database_username]}-map" } + + it { is_expected.to contain_puppetdb__database__postgresql_ssl_rules(name).with(with) } + + it { + is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{with[:database_name]} as #{with[:database_username]} (ipv4)") + .with( + type: 'hostssl', + database: with[:database_name], + user: with[:database_username], + address: '0.0.0.0/0', + auth_method: 'cert', + order: 0, + auth_option: "map=#{identity_map_key} clientcert=1", + ) + } + + it { + is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{with[:database_name]} as #{with[:database_username]} (ipv6)") + .with( + type: 'hostssl', + database: with[:database_name], + user: with[:database_username], + address: '::0/0', + auth_method: 'cert', + order: 0, + auth_option: "map=#{identity_map_key} clientcert=1", + ) + } + + it { + is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{with[:database_username]} user") + .with( + map_name: identity_map_key, + system_username: with[:puppetdb_server], + database_username: with[:database_username], + ) + } + end +end diff --git a/spec/support/unit/shared/inherits.rb b/spec/support/unit/shared/inherits.rb new file mode 100644 index 00000000..4a5561de --- /dev/null +++ b/spec/support/unit/shared/inherits.rb 
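Review bot: The expected `command` and `unless` strings in 'postgresql_psql read grant' and 'postgresql_psql default read grant' interpolate the role names directly into SQL string literals and, for the default grants, into a `~` regular expression, yet every fixture uses a benign name such as `puppetdb-read`. Nothing in these examples pins what the defines do with a name that contains a quote character or a regex metacharacter. If the manifests validate these parameters (not visible in this hunk), a case expecting `Puppet::Error` for such a name would document that guarantee. The uneven escaping in the regex expectation (`\\\\\"` twice, then `\\\"`) also needs a short comment, for example `# escaping copied verbatim from the define's unless query`, assuming that is the reason for it.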
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+shared_examples 'puppetdb::params' do
+ include_examples 'puppetdb::globals'
+
+ it { is_expected.to contain_class('puppetdb::params') }
+end
+
+shared_examples 'puppetdb::globals' do |error = false|
+ let(:defaults) do
+ {
+ version: 'present',
+ database: 'postgres',
+ puppet_confdir: Puppet[:confdir],
+ }
+ end
+
+ let(:with) { defaults.merge(defined?(args) ? args : {}) }
+
+ it {
+ if error
+ is_expected.to raise_error(error)
+ else
+ is_expected.to contain_class('puppetdb::globals').with(with)
+ end
+ }
+end
diff --git a/spec/support/unit/shared/server.rb b/spec/support/unit/shared/server.rb
new file mode 100644
index 00000000..5c03dd37
--- /dev/null
+++ b/spec/support/unit/shared/server.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+shared_examples 'puppetdb::server::firewall' do
+ let(:defaults) do
+ {
+ http_port: '8080',
+ open_http_port: false,
+ ssl_port: '8081',
+ open_ssl_port: nil,
+ }
+ end
+
+ let(:with) { defined?(params) ? defaults.merge(params) : defaults }
+
+ it { is_expected.to contain_class('puppetdb::server::firewall').with(with) }
+ it { is_expected.to contain_class('firewall') }
+
+ it {
+ option = with[:open_http_port] ? 'to' : 'not_to'
+ is_expected.method(option).call contain_firewall("#{with[:http_port]} accept - puppetdb")
+ .with(
+ dport: with[:http_port],
+ proto: 'tcp',
+ action: 'accept',
+ )
+ }
+
+ it {
+ option = with[:open_ssl_port] ? 'to' : 'not_to'
+ is_expected.method(option).call contain_firewall("#{with[:ssl_port]} accept - puppetdb")
+ .with(
+ dport: with[:ssl_port],
+ proto: 'tcp',
+ action: 'accept',
+ )
+ }
+end
diff --git a/spec/unit/classes/database/postgresql_spec.rb b/spec/unit/classes/database/postgresql_spec.rb
index d53066e7..e1e4e104 100644
--- a/spec/unit/classes/database/postgresql_spec.rb
+++ b/spec/unit/classes/database/postgresql_spec.rb
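Review bot: In 'puppetdb::server::firewall' the closed-port case is asserted as `not_to contain_firewall(...).with(dport:, proto:, action:)`, which is weaker than it looks. As far as I know the rspec-puppet matcher fails to match both when the resource is absent and when any listed attribute differs, so the negated form would also pass if the rule exists with, say, a different `proto`. For the "port must stay closed" branch the expectation should drop the attribute chain: `is_expected.not_to contain_firewall("#{with[:http_port]} accept - puppetdb")`, and likewise for `ssl_port`. Splitting the two cases into an explicit `if with[:open_http_port]` / `else` would also replace the string-selected `is_expected.method(option).call`, which hides whether presence or absence is being checked.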
@@ -1,26 +1,21 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'puppetdb::database::postgresql', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - kernel: 'Linux', - selinux: true, - os: { - family: 'RedHat', - name: 'RedHat', - release: { 'full' => '7.0', 'major' => '7' }, - selinux: { 'enabled' => true }, - }, - } - end + let(:facts) { on_supported_os.take(1).first[1] } + context 'on a supported platform' do it { is_expected.to contain_class('puppetdb::database::postgresql') } + it { is_expected.to contain_class('postgresql::server::contrib') } + + it { + is_expected.to contain_postgresql__server__extension('pg_trgm') + .that_requires('Postgresql::Server::Db[puppetdb]') + .with_database('puppetdb') + } + context 'when ssl communication is used' do let(:params) do { @@ -29,6 +24,12 @@ end it { is_expected.to contain_class('puppetdb::database::ssl_configuration') } + + context 'when params disable create_read_user_rule' do + let(:params) { super().merge({ manage_database: false }) } + + it { is_expected.not_to contain_puppetdb__database__postgresql_ssl_rules('Configure postgresql ssl rules for puppetdb-read') } + end end context 'when ssl communication is not used' do 
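Review bot: The added context 'when params disable create_read_user_rule' never touches `create_read_user_rule`; it merges `manage_database: false` into the ssl params, so the name and the parameter under test disagree. Either rename it to match what is exercised, e.g. `context 'when manage_database is false' do`, or merge `create_read_user_rule: false` if that is the behaviour the negative expectation is meant to cover. As written, a reader cannot tell which of the two switches suppresses the `puppetdb-read` ssl rules. The enclosing `describe` block continues outside this hunk.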
@@ -40,5 +41,75 @@ it { is_expected.not_to contain_class('puppetdb::database::ssl_configuration') } end + + context 'manage database with defaults' do + let(:params) do + { + manage_database: true, + database_name: 'puppetdb', + database_username: 'puppetdb', + database_password: 'puppetdb', + read_database_username: 'puppetdb-read', + read_database_password: 'puppetdb-read', + } + end + + it { + is_expected.to contain_postgresql__server__db(params[:database_name]) + .with( + user: params[:database_username], + password: params[:database_password], + grant: 'all', + ) + } + + it { + is_expected.to contain_postgresql_psql('revoke all access on public schema') + .that_requires("Postgresql::Server::Db[#{params[:database_name]}]") + .with( + db: params[:database_name], + command: 'REVOKE CREATE ON SCHEMA public FROM public', + unless: "SELECT * FROM + (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs + WHERE privs.can_create=false", + ) + } + + it { + is_expected.to contain_postgresql_psql("grant all permissions to #{params[:database_username]}") + .that_requires('Postgresql_psql[revoke all access on public schema]') + .that_comes_before("Puppetdb::Database::Read_only_user[#{params[:read_database_username]}]") + .with( + db: params[:database_name], + command: "GRANT CREATE ON SCHEMA public TO \"#{params[:database_username]}\"", + unless: "SELECT * FROM + (SELECT has_schema_privilege('#{params[:database_username]}', 'public', 'create') can_create) privs + WHERE privs.can_create=true", + ) + } + + it_behaves_like 'puppetdb::database::read_only_user' do + let(:name) { 'puppetdb-read' } + let(:args) do + { + read_database_username: params[:read_database_username], + database_name: params[:database_name], + password_hash: 'md588e898a4bade3fe1c9b96f650ec85900', # TODO: mock properly + database_owner: params[:database_username], + } + end + end + + it { + is_expected.to contain_postgresql_psql("grant #{params[:read_database_username]} role to 
#{params[:database_username]}") + .that_requires("Puppetdb::Database::Read_only_user[#{params[:read_database_username]}]") + .with( + db: params[:database_name], + command: "GRANT \"#{params[:read_database_username]}\" TO \"#{params[:database_username]}\"", + unless: "SELECT oid, rolname FROM pg_roles WHERE + pg_has_role( '#{params[:database_username]}', oid, 'member') and rolname = '#{params[:read_database_username]}'", + ) + } + end end end diff --git a/spec/unit/classes/database/ssl_configuration_spec.rb b/spec/unit/classes/database/ssl_configuration_spec.rb index b5620df2..59702de9 100644 --- a/spec/unit/classes/database/ssl_configuration_spec.rb +++ b/spec/unit/classes/database/ssl_configuration_spec.rb @@ -2,23 +2,7 @@ describe 'puppetdb::database::ssl_configuration', type: :class do context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - kernel: 'Linux', - selinux: true, - os: { - family: 'RedHat', - name: 'RedHat', - release: { 'full' => '7.0', 'major' => '7' }, - selinux: { 'enabled' => true }, - }, - fqdn: 'cheery-rime@puppet', - } - end + let(:facts) { on_supported_os.take(1).first[1] } let(:params) do { 
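Review bot: The expected `password_hash: 'md588e898a4bade3fe1c9b96f650ec85900'` in the 'manage database with defaults' context is an opaque literal marked `# TODO: mock properly`, with nothing saying which inputs produce it. It looks like a PostgreSQL md5-style hash, presumably derived from the `read_database_password` / `read_database_username` fixtures. If so, the example is tied to md5 password storage and will fail, without saying why, if the module or the postgresql dependency switches to SCRAM hashes. Until the mock exists, state the derivation next to the value, e.g. `# md5-format hash of read_database_password + read_database_username above (confirm)`. The `describe` block starts outside this hunk.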
@@ -92,100 +76,38 @@ .that_requires('File[postgres public key]') end - it 'has hba rule for puppetdb user ipv4' do - is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv4)") - .with_type('hostssl') - .with_database(params[:database_name]) - .with_user(params[:database_username]) - .with_address('0.0.0.0/0') - .with_auth_method('cert') - .with_order(0) - .with_auth_option("map=#{identity_map} clientcert=1") - end - - it 'does not create hba rule for puppetdb-read user ipv4' do - is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv4)") - end - - it 'has hba rule for puppetdb user ipv6' do - is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:database_username]} (ipv6)") - .with_type('hostssl') - .with_database(params[:database_name]) - .with_user(params[:database_username]) - .with_address('::0/0') - .with_auth_method('cert') - .with_order(0) - .with_auth_option("map=#{identity_map} clientcert=1") - end - - it 'does not create hba rule for puppetdb-read user ipv6' do - is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)") + context 'does not create ssl rules for puppetdb-read user by default' do + it { is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv4)") } + it { is_expected.not_to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)") } + it { is_expected.not_to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the 
server as a #{params[:read_database_username]} user") } end - it 'has ident rule' do - is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:database_username]} user") - .with_map_name(identity_map) - .with_system_username(facts[:fqdn]) - .with_database_username(params[:database_name]) - end - - it 'does not create read ident rule' do - is_expected.not_to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:read_database_username]} user") - end - - context 'when the puppetdb_server is set' do - let(:params) do + context 'configure ssl rules' do + let(:name) { "Configure postgresql ssl rules for #{args[:database_username]}" } + let(:args) do { - puppetdb_server: 'puppetdb_fqdn', - database_name: 'puppetdb', - database_username: 'puppetdb', + database_name: params[:database_name], + database_username: params[:database_username], + puppetdb_server: params[:puppetdb_server] || facts[:networking]['fqdn'], } end - it 'has ident rule with the specified puppetdb_server host' do - is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:database_username]} user") - .with_map_name(identity_map) - .with_system_username(params[:puppetdb_server]) - .with_database_username(params[:database_name]) + context 'when the puppetdb_server is not set' do + include_examples 'puppetdb::database::postgresql_ssl_rules' end - end - context 'when the create_read_user_rule is set to true' do - let(:params) do - { - database_name: 'puppetdb', - read_database_username: 'puppetdb-read', - create_read_user_rule: true, - } - end + context 'when the puppetdb_server is set' do + let(:params) { super().merge({ puppetdb_server: 'puppetdb_fqdn' }) } - it 'has hba rule for puppetdb-read user ipv4' do - is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as 
#{params[:read_database_username]} (ipv4)") - .with_type('hostssl') - .with_database(params[:database_name]) - .with_user(params[:read_database_username]) - .with_address('0.0.0.0/0') - .with_auth_method('cert') - .with_order(0) - .with_auth_option("map=#{read_identity_map} clientcert=1") + include_examples 'puppetdb::database::postgresql_ssl_rules' end - it 'has hba rule for puppetdb-read user ipv6' do - is_expected.to contain_postgresql__server__pg_hba_rule("Allow certificate mapped connections to #{params[:database_name]} as #{params[:read_database_username]} (ipv6)") - .with_type('hostssl') - .with_database(params[:database_name]) - .with_user(params[:read_database_username]) - .with_address('::0/0') - .with_auth_method('cert') - .with_order(0) - .with_auth_option("map=#{read_identity_map} clientcert=1") - end + context 'when the create_read_user_rule is true' do + let(:params) { super().merge({ create_read_user_rule: true }) } - it 'has read ident rule' do - is_expected.to contain_postgresql__server__pg_ident_rule("Map the SSL certificate of the server as a #{params[:read_database_username]} user") - .with_map_name(read_identity_map) - .with_system_username(facts[:fqdn]) - .with_database_username(params[:read_database_username]) + it_behaves_like 'puppetdb::database::postgresql_ssl_rules' do + let(:args) { super().merge({ database_username: params[:read_database_username] }) } + end end end end diff --git a/spec/unit/classes/globals_spec.rb b/spec/unit/classes/globals_spec.rb new file mode 100644 index 00000000..b1e6d11b --- /dev/null +++ b/spec/unit/classes/globals_spec.rb 
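Review bot: In the new 'configure ssl rules' context, `puppetdb_server` falls back to `facts[:networking]['fqdn']`, which assumes symbol top-level fact keys. spec/support/unit/facts.rb in this same commit checks `RSpec.configuration.facterdb_string_keys` before indexing. With string keys enabled, `facts[:networking]` would be nil and the example would raise before any expectation runs. Reading the fact the same way in both places, e.g. `(facts[:networking] || facts['networking'])['fqdn']`, keeps them consistent. The enclosing context begins outside this hunk.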
@@ -0,0 +1,24 @@ +require 'spec_helper' + +describe 'puppetdb::globals', type: :class do + # loop required to test fail function + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { facts } + + include_examples 'puppetdb::globals' + end + end + + context 'on other os' do + include_examples 'puppetdb::globals', %r{puppetdb does not support your os} do + let(:facts) { { os: { 'family' => 'Nonsense' } } } + end + end + + context 'on invalid confdir' do + include_examples 'puppetdb::globals', Puppet::ParseError do + let(:params) { { puppet_confdir: './relative' } } + end + end +end diff --git a/spec/unit/classes/init_spec.rb b/spec/unit/classes/init_spec.rb index d35eee37..f9532ee7 100644 --- a/spec/unit/classes/init_spec.rb +++ b/spec/unit/classes/init_spec.rb @@ -6,7 +6,7 @@ on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do - facts.merge(selinux: false) + facts.merge(selinux: false, service_provider: 'systemd') end describe 'when using default values for puppetdb class' do diff --git a/spec/unit/classes/master/config_spec.rb b/spec/unit/classes/master/config_spec.rb index 17a338ab..8747b41f 100644 --- a/spec/unit/classes/master/config_spec.rb +++ b/spec/unit/classes/master/config_spec.rb @@ -1,13 +1,11 @@ require 'spec_helper' describe 'puppetdb::master::config', type: :class do + let(:node) { 'puppetdb.example.com' } + on_supported_os.each do |os, facts| context "on #{os}" do - let(:facts) do - facts.merge(puppetversion: Puppet.version, - fqdn: 'puppetdb.example.com', - selinux: true) - end + let(:facts) { facts } context 'when PuppetDB on remote server' do context 'when using default values' do 
@@ -73,90 +71,63 @@ it { is_expected.to contain_package('puppetdb-terminus').with(ensure: '2.2.0') } it { is_expected.to contain_puppetdb_conn_validator('puppetdb_conn').with(test_url: '/v3/version') } + it { + is_expected.to contain_service('puppetmaster') + .with_ensure('running') + .with_enable(true) + } end end - end - end - context 'when upgrading to from v2 to v3 of PuppetDB on RedHat' do - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - kernel: 'Linux', - selinux: true, - os: { - family: 'RedHat', - name: 'RedHat', - release: { 'full' => '7.0' }, - selinux: { 'enabled' => true }, - }, - } - end - let(:pre_condition) { 'class { "puppetdb::globals": version => "3.1.1-1.el7", }' } - it { is_expected.to contain_exec('Remove puppetdb-terminus metadata for upgrade').with(command: 'rpm -e --justdb puppetdb-terminus') } - end + context 'when restart_puppet is true' do + let(:pre_condition) { 'class { "puppetdb": }' } - context 'when restart_puppet is true' do - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - kernel: 'Linux', - selinux: true, - os: { - family: 'RedHat', - name: 'RedHat', - release: { 'full' => '7.0', 'major' => '7' }, - selinux: { 'enabled' => true }, - }, - } - end + context 'with create_puppet_service_resource as default' do + let(:params) do + { + puppet_service_name: 'puppetserver', + restart_puppet: true, + } + end - let(:pre_condition) { 'class { "puppetdb": }' } + it { is_expected.to contain_service('puppetserver').with(ensure: 'running') } + end - context 'with create_puppet_service_resource as default' do - let(:params) do - { - puppet_service_name: 'puppetserver', - restart_puppet: true, - } - end + context 'with create_puppet_service_resource = true' do + let(:params) do + { + create_puppet_service_resource: true, + puppet_service_name: 'puppetserver', + 
restart_puppet: true, + } + end - it { is_expected.to contain_service('puppetserver').with(ensure: 'running') } - end + it { is_expected.to contain_service('puppetserver').with(ensure: 'running') } + end - context 'with create_puppet_service_resource = true' do - let(:params) do - { - create_puppet_service_resource: true, - puppet_service_name: 'puppetserver', - restart_puppet: true, - } + context 'with create_puppet_service_resource = false' do + # Also setting the various parameters that notify the service to be false. Otherwise this error surfaces: + # `Could not find resource 'Service[puppetserver]' for relationship from 'Class[Puppetdb::Master::Puppetdb_conf]'` + let(:params) do + { + create_puppet_service_resource: false, + manage_config: false, + manage_report_processor: false, + manage_routes: false, + puppet_service_name: 'puppetserver', + restart_puppet: true, + } + end + + it { is_expected.not_to contain_service('puppetserver') } + end end - it { is_expected.to contain_service('puppetserver').with(ensure: 'running') } - end + context 'when upgrading to from v2 to v3 of PuppetDB on RedHat', if: os =~ %r{^redhat-7} do + let(:pre_condition) { 'class { "puppetdb::globals": version => "3.1.1-1.el7", }' } - context 'with create_puppet_service_resource = false' do - # Also setting the various parameters that notify the service to be false. Otherwise this error surfaces: - # `Could not find resource 'Service[puppetserver]' for relationship from 'Class[Puppetdb::Master::Puppetdb_conf]'` - let(:params) do - { - create_puppet_service_resource: false, - manage_config: false, - manage_report_processor: false, - manage_routes: false, - puppet_service_name: 'puppetserver', - restart_puppet: true, - } + it { is_expected.to contain_exec('Remove puppetdb-terminus metadata for upgrade').with(command: 'rpm -e --justdb puppetdb-terminus') } end - - it { is_expected.not_to contain_service('puppetserver') } end end end 
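Review bot: The `if: os =~ %r{^redhat-7}` filter on the 'when upgrading to from v2 to v3 of PuppetDB on RedHat' context means the `rpm -e --justdb puppetdb-terminus` expectation only runs while `on_supported_os` yields a key starting with `redhat-7`. If that release is not in the supported-OS list, or is later dropped from it, the example is filtered out silently and the upgrade path loses its only coverage without any failure. The removed version pinned explicit RedHat 7.0 facts, so it ran regardless of the list. Either keep a pinned-facts context for this one case or leave a comment such as `# runs only while a redhat-7 entry is in the supported OS list` above it. The title also still reads "upgrading to from", and the enclosing `describe` and `on_supported_os` loop start outside this hunk.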
diff --git a/spec/unit/classes/master/puppetdb_conf_spec.rb b/spec/unit/classes/master/puppetdb_conf_spec.rb index 9444eb06..04e93565 100644 --- a/spec/unit/classes/master/puppetdb_conf_spec.rb +++ b/spec/unit/classes/master/puppetdb_conf_spec.rb @@ -9,16 +9,23 @@ context "on #{os}" do let(:facts) do facts.merge(puppetversion: Puppet.version, + service_provider: 'systemd', selinux: false) end let(:pre_condition) { 'class { "puppetdb": }' } - context 'when using using default values' do + it { + is_expected.to contain_ini_setting('soft_write_failure') + .with_setting('soft_write_failure') + .with_value(false) + } + + context 'when using default values' do it { is_expected.to contain_ini_setting('puppetdbserver_urls').with(value: 'https://localhost:8081/') } end - context 'when using using default values' do + context 'when using legacy_terminus' do let(:params) { { legacy_terminus: true } } it { is_expected.to contain_ini_setting('puppetdbserver').with(value: 'localhost') } diff --git a/spec/unit/classes/master/report_processor_spec.rb b/spec/unit/classes/master/report_processor_spec.rb index 9a68f82c..4473f69e 100644 --- a/spec/unit/classes/master/report_processor_spec.rb +++ b/spec/unit/classes/master/report_processor_spec.rb @@ -12,6 +12,7 @@ context "on #{os}" do let(:facts) do facts.merge(puppetversion: Puppet.version, + service_provider: 'systemd', clientcert: 'test.domain.local') end diff --git a/spec/unit/classes/master/routes_spec.rb b/spec/unit/classes/master/routes_spec.rb new file mode 100644 index 00000000..41a65534 --- /dev/null +++ b/spec/unit/classes/master/routes_spec.rb 
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+shared_examples 'routes master.facts.cache format' do |format|
+ it "is expected to set master.facts.cache to equal #{format} in routes.yaml" do
+ yaml_data = catalogue.resource('file', "#{params[:puppet_confdir]}/routes.yaml").send(:parameters)[:content]
+ parsed = YAML.safe_load(yaml_data, symbolize_names: true)
+
+ expect(parsed[:master][:facts][:cache]).to eq format.to_s
+ end
+end
+
+describe 'puppetdb::master::routes', type: :class do
+ let(:facts) { on_supported_os.take(1).first[1] }
+ let(:params) do
+ {
+ puppet_confdir: Puppet[:confdir],
+ masterless: false,
+ }
+ end
+
+ let(:serverversion) { Puppet.version }
+
+ let(:routes_real) do
+ if params[:masterless]
+ {
+ apply: {
+ catalog: {
+ terminus: 'compiler',
+ cache: 'puppetdb',
+ },
+ facts: {
+ terminus: 'facter',
+ cache: 'puppetdb_apply',
+ },
+ },
+ }
+ elsif params[:routes]
+ params[:routes]
+ else
+ {
+ master: {
+ facts: {
+ terminus: 'puppetdb',
+ cache: (Puppet::Util::Package.versioncmp(serverversion, '7.0') >= 0) ? 'json' : 'yaml'
+ },
+ }
+ }
+ end
+ end
+
+ context 'with defaults' do
+ it {
+ is_expected.to contain_file("#{params[:puppet_confdir]}/routes.yaml")
+ .with(
+ ensure: 'file',
+ mode: '0644',
+ )
+ }
+
+ it {
+ yaml_data = catalogue.resource('file', "#{params[:puppet_confdir]}/routes.yaml").send(:parameters)[:content]
+ parsed = YAML.safe_load(yaml_data, symbolize_names: true)
+
+ expect(parsed).to eq routes_real
+ }
+ end
+
+ # TODO: remove puppetserver 6 support
+ # unable to easily test puppetserver 6 with rspec
+ # and it's not a supported version
+ context "with puppetserver version #{Puppet.version}" do
+ include_examples 'routes master.facts.cache format', :json
+ end
+end
diff --git a/spec/unit/classes/master/storeconfigs_spec.rb b/spec/unit/classes/master/storeconfigs_spec.rb
new file mode 100644
index 00000000..7e36af04
--- /dev/null
+++ b/spec/unit/classes/master/storeconfigs_spec.rb
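Review bot: `routes_real` has a `params[:masterless]` branch and a `params[:routes]` branch that no context in this file selects, so only the default `master.facts` route is verified and the other two expected hashes are dead code. The default branch derives the cache format from `Puppet.version` via `versioncmp(serverversion, '7.0')`, while the last context hard-codes `:json` under a title that interpolates the running version, so on a Puppet below 7 the two expectations would disagree. Adding contexts like `let(:params) { super().merge(masterless: true) }` and one passing a custom `routes` hash would exercise the helper fully. storeconfigs_spec.rb in this commit has the same shape: `param_ensure` and `puppet_conf_section` depend on `enable` and `masterless`, but only the defaults are tested.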
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'puppetdb::master::storeconfigs', type: :class do
+ let(:facts) { on_supported_os.take(1).first[1] }
+ let(:params) do
+ {
+ masterless: false,
+ enable: true,
+ }
+ end
+
+ let(:param_ensure) { params[:enable] ? 'present' : 'absent' }
+ let(:puppet_conf_section) { params[:masterless] ? 'main' : 'master' }
+ let(:puppet_conf) { File.join(Puppet[:confdir], 'puppet.conf') }
+
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_ini_setting("puppet.conf/#{puppet_conf_section}/storeconfigs")
+ .with_ensure(param_ensure)
+ .with(
+ section: puppet_conf_section,
+ path: puppet_conf,
+ setting: 'storeconfigs',
+ value: true,
+ )
+ }
+ it {
+ is_expected.to contain_ini_setting("puppet.conf/#{puppet_conf_section}/storeconfigs_backend")
+ .with_ensure(param_ensure)
+ .with(
+ section: puppet_conf_section,
+ path: puppet_conf,
+ setting: 'storeconfigs_backend',
+ value: 'puppetdb',
+ )
+ }
+ end
+end
diff --git a/spec/unit/classes/params_spec.rb b/spec/unit/classes/params_spec.rb
new file mode 100644
index 00000000..b22c743b
--- /dev/null
+++ b/spec/unit/classes/params_spec.rb
@@ -0,0 +1,11 @@
+require 'spec_helper'
+
+describe 'puppetdb::params', type: :class do
+ # loop required to test fail function
+ on_supported_os.each do |os, facts|
+ let(:facts) { facts }
+ context "on #{os}" do
+ it { is_expected.to contain_class('puppetdb::globals') }
+ end
+ end
+end
diff --git a/spec/unit/classes/server/command_processing_spec.rb b/spec/unit/classes/server/command_processing_spec.rb
index 06a9315f..c3c98751 100644
--- a/spec/unit/classes/server/command_processing_spec.rb
+++ b/spec/unit/classes/server/command_processing_spec.rb
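Review bot: In params_spec.rb, `let(:facts) { facts }` sits inside the `on_supported_os.each` loop but outside `context "on #{os}"`, so every iteration redefines the same `let` on the outer `describe` group and the last definition wins. Each "on <os>" context is then compiled with the facts of the final OS in the list rather than its own, and the per-OS coverage the loop suggests is not actually there. Swap the two lines so the `let` is scoped to the context, as globals_spec.rb in this commit does: `context "on #{os}" do` followed by `let(:facts) { facts }`. The `# loop required to test fail function` comment also looks carried over from globals_spec.rb, since nothing in this file exercises a failure.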
@@ -1,144 +1,137 @@ require 'spec_helper' describe 'puppetdb::server::command_processing', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'OpenBSD', - puppetversion: Puppet.version, - } - end + let(:facts) { on_supported_os.take(1).first[1] } - let(:pre_condition) { 'include puppetdb::server::global' } + let(:pre_condition) { 'include puppetdb::server::global' } - it { is_expected.to contain_class('puppetdb::server::command_processing') } - - describe 'when using default values' do - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_threads') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'threads', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_concurrent_writes') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'concurrent-writes', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'store-usage', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'temp-usage', - ) - } - end + it { is_expected.to contain_class('puppetdb::server::command_processing') } - describe 'when using legacy PuppetDB' do - let(:pre_condition) do - [ - 'class { "puppetdb::globals": version => "2.2.0", }', - super(), - ].join("\n") - end + describe 'when using default values' do + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_threads') + .with( + 'ensure' => 'absent', + 'path' => 
'/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'threads', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_concurrent_writes') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'concurrent-writes', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'store-usage', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'temp-usage', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_threads') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'threads', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'store-usage', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'temp-usage', - ) - } + describe 'when using legacy PuppetDB' do + let(:pre_condition) do + [ + 'class { "puppetdb::globals": version => "2.2.0", }', + super(), + ].join("\n") end - describe 'when using custom values' do - let(:params) do - { - 'command_threads' => 10, - 'concurrent_writes' => 3, - 'store_usage' => 4000, - 'temp_usage' => 2000, - } - end + it { + is_expected.to 
contain_ini_setting('puppetdb_command_processing_threads') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'threads', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'store-usage', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'temp-usage', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_threads') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'threads', - 'value' => '10', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_concurrent_writes') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'concurrent-writes', - 'value' => '3', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'store-usage', - 'value' => '4000', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'command-processing', - 'setting' => 'temp-usage', - 'value' => '2000', - ) + describe 'when using custom values' do + let(:params) do + { + 'command_threads' => 10, + 'concurrent_writes' => 3, + 'store_usage' => 4000, + 'temp_usage' => 2000, } end + + it { + is_expected.to 
contain_ini_setting('puppetdb_command_processing_threads') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'threads', + 'value' => '10', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_concurrent_writes') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'concurrent-writes', + 'value' => '3', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_store_usage') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'store-usage', + 'value' => '4000', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_command_processing_temp_usage') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'command-processing', + 'setting' => 'temp-usage', + 'value' => '2000', + ) + } end end diff --git a/spec/unit/classes/server/database_ini_spec.rb b/spec/unit/classes/server/database_ini_spec.rb index 06f2865c..6eb41c49 100644 --- a/spec/unit/classes/server/database_ini_spec.rb +++ b/spec/unit/classes/server/database_ini_spec.rb 
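Review bot: `let(:facts) { on_supported_os.take(1).first[1] }` replaces the pinned OpenBSD facts with whichever entry `on_supported_os` returns first, so the hard-coded `/etc/puppetlabs/puppetdb/conf.d/config.ini` and `/etc/puppetdb/conf.d/config.ini` expectations now rest on an implicit platform choice, and OpenBSD itself is no longer exercised by this file. If one representative OS is the intent, `on_supported_os.values.first` says so more directly, and a comment such as `# any supported OS will do: the paths below are not OS-specific` would record the assumption (if that is in fact true of the manifest). The same expression is introduced in database_ini_spec.rb, firewall_spec.rb, global_ini_spec.rb, routes_spec.rb and storeconfigs_spec.rb, so a shared helper in spec_helper would keep the choice in one place.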
@@ -1,22 +1,23 @@ require 'spec_helper' describe 'puppetdb::server::database', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - fqdn: 'test.domain.local', - } - end + let(:facts) { on_supported_os.take(1).first[1] } - it { is_expected.to contain_class('puppetdb::server::database') } + it { is_expected.to contain_class('puppetdb::server::database') } + + ['default', 'legacy'].each do |values| + describe "when using #{values} values" do + let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } if values == 'legacy' + let(:pdbconfdir) do + if values == 'legacy' + '/etc/puppetdb/conf.d' + else + '/etc/puppetlabs/puppetdb/conf.d' + end + end - describe 'when using default values' do it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/database.ini') + is_expected.to contain_file("#{pdbconfdir}/database.ini") .with( 'ensure' => 'file', 'owner' => 'puppetdb', @@ -28,7 +29,7 @@ is_expected.to contain_ini_setting('puppetdb_psdatabase_username') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'username', 'value' => 'puppetdb', @@ -38,7 +39,7 @@ is_expected.to contain_ini_setting('puppetdb_psdatabase_password') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'password', 'value' => 'puppetdb', @@ -48,7 +49,7 @@ is_expected.to contain_ini_setting('puppetdb_classname') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'classname', 'value' => 'org.postgresql.Driver', 
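Review bot: The `contain_file("#{pdbconfdir}/database.ini")` expectation in the first hunk still pins `'owner' => 'puppetdb'`, while the global_ini_spec.rb hunk of this same commit moves config.ini to `'owner' => 'root'`, `'group' => 'puppetdb'`, `'mode' => '0640'`. database.ini is the file that receives the `password` setting asserted two hunks further down, so it is the one where a config file writable by the service account matters most. It is worth confirming whether it should follow the same root-owned, group-readable layout and, if so, updating this expectation alongside the manifest. The remaining `.with(...)` keys (group, mode) fall outside the hunk, so this rests only on the visible owner line.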
@@ -58,17 +59,27 @@ is_expected.to contain_ini_setting('puppetdb_subprotocol') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'subprotocol', 'value' => 'postgresql', ) } + it { + is_expected.to contain_ini_setting('puppetdb_pgs') + .with( + 'ensure' => 'present', + 'path' => "#{pdbconfdir}/database.ini", + 'section' => 'database', + 'setting' => 'syntax_pgs', + 'value' => true, + ) + } it { is_expected.to contain_ini_setting('puppetdb_subname') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'subname', 'value' => '//localhost:5432/puppetdb', @@ -78,17 +89,27 @@ is_expected.to contain_ini_setting('puppetdb_gc_interval') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'gc-interval', 'value' => '60', ) } + it { + is_expected.to contain_ini_setting('puppetdb_node_purge_gc_batch_limit') + .with( + 'ensure' => 'present', + 'path' => "#{pdbconfdir}/database.ini", + 'section' => 'database', + 'setting' => 'node-purge-gc-batch-limit', + 'value' => '25', + ) + } it { is_expected.to contain_ini_setting('puppetdb_node_ttl') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'node-ttl', 'value' => '7d', @@ -98,7 +119,7 @@ is_expected.to contain_ini_setting('puppetdb_node_purge_ttl') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'node-purge-ttl', 'value' => '14d', 
@@ -108,7 +129,7 @@ is_expected.to contain_ini_setting('puppetdb_report_ttl') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'report-ttl', 'value' => '14d', @@ -118,7 +139,7 @@ is_expected.to contain_ini_setting('puppetdb_log_slow_statements') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'log-slow-statements', 'value' => 10, @@ -128,7 +149,7 @@ is_expected.to contain_ini_setting('puppetdb_conn_max_age') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'conn-max-age', 'value' => '60', @@ -138,7 +159,7 @@ is_expected.to contain_ini_setting('puppetdb_conn_keep_alive') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'conn-keep-alive', 'value' => '45', 
@@ -148,331 +169,205 @@ is_expected.to contain_ini_setting('puppetdb_conn_lifetime') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'conn-lifetime', 'value' => '0', ) } - it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } it { - is_expected.to contain_ini_setting('puppetdb_facts_blacklist') + is_expected.to contain_ini_setting('puppetdb_migrate') .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'ensure' => 'present', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', - 'setting' => 'facts-blacklist', + 'setting' => 'migrate', + 'value' => true, ) } - end - - describe 'when using facts_blacklist' do - let(:params) do - { - 'facts_blacklist' => [ - 'one_fact', - 'another_fact', - ], - } - end - + it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } it { is_expected.to contain_ini_setting('puppetdb_facts_blacklist') .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'ensure' => 'absent', + 'path' => "#{pdbconfdir}/database.ini", 'section' => 'database', 'setting' => 'facts-blacklist', - 'value' => 'one_fact, another_fact', ) } end + end - describe 'when using a legacy PuppetDB version' do - let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } - - it { - is_expected.to contain_ini_setting('puppetdb_psdatabase_username') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'username', - 'value' => 'puppetdb', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_psdatabase_password') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'password', - 'value' => 'puppetdb', - ) - } - it { - is_expected.to 
contain_ini_setting('puppetdb_classname') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'classname', - 'value' => 'org.postgresql.Driver', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_subprotocol') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'subprotocol', - 'value' => 'postgresql', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_subname') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'subname', - 'value' => '//localhost:5432/puppetdb', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_gc_interval') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'gc-interval', - 'value' => '60', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_node_ttl') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'node-ttl', - 'value' => '7d', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_node_purge_ttl') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'node-purge-ttl', - 'value' => '14d', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_report_ttl') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'report-ttl', - 'value' => '14d', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_log_slow_statements') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'log-slow-statements', - 'value' => 10, - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_conn_max_age') - .with( - 'ensure' => 
'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'conn-max-age', - 'value' => '60', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_conn_keep_alive') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'conn-keep-alive', - 'value' => '45', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_conn_lifetime') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'conn-lifetime', - 'value' => '0', - ) + describe 'when using facts_blacklist' do + let(:params) do + { + 'facts_blacklist' => [ + 'one_fact', + 'another_fact', + ], } - it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } end - describe 'when overriding database_path for embedded' do - let(:params) do - { - 'database' => 'embedded', - 'database_embedded_path' => '/tmp/foo', - } - end + it { + is_expected.to contain_ini_setting('puppetdb_facts_blacklist') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'facts-blacklist', + 'value' => 'one_fact, another_fact', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_subname') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'subname', - 'value' => 'file:/tmp/foo;hsqldb.tx=mvcc;sql.syntax_pgs=true', - ) + describe 'when overriding database_path for embedded' do + let(:params) do + { + 'database' => 'embedded', + 'database_embedded_path' => '/tmp/foo', } end - describe 'when setting max pool size' do - context 'on current PuppetDB' do - describe 'to a numeric value' do - let(:params) do - { - 'database_max_pool_size' => 12_345, - } - end + it { + is_expected.to contain_ini_setting('puppetdb_subname') + .with( + 'ensure' => 'present', + 
'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'subname', + 'value' => 'file:/tmp/foo;hsqldb.tx=mvcc;sql.syntax_pgs=true', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'maximum-pool-size', - 'value' => '12345', - ) + describe 'when setting max pool size' do + context 'on current PuppetDB' do + describe 'to a numeric value' do + let(:params) do + { + 'database_max_pool_size' => 12_345, } end - describe 'to absent' do - let(:params) do - { - 'database_max_pool_size' => 'absent', - } - end + it { + is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'maximum-pool-size', + 'value' => '12345', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'maximum-pool-size', - ) + describe 'to absent' do + let(:params) do + { + 'database_max_pool_size' => 'absent', } end - end - context 'on PuppetDB 3.2' do - let(:pre_condition) { 'class { "puppetdb::globals": version => "3.2.0", }' } + it { + is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'maximum-pool-size', + ) + } + end + end - describe 'to a numeric value' do - let(:params) do - { - 'database_max_pool_size' => 12_345, - } - end + context 'on PuppetDB 3.2' do + let(:pre_condition) { 'class { "puppetdb::globals": version => "3.2.0", }' } - it { - is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') 
- .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'partition-conn-max', - 'value' => '12345', - ) + describe 'to a numeric value' do + let(:params) do + { + 'database_max_pool_size' => 12_345, } end - describe 'to absent' do - let(:params) do - { - 'database_max_pool_size' => 'absent', - } - end + it { + is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'partition-conn-max', + 'value' => '12345', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', - 'section' => 'database', - 'setting' => 'partition-conn-max', - ) + describe 'to absent' do + let(:params) do + { + 'database_max_pool_size' => 'absent', } end - end - context 'on a legacy PuppetDB version' do - let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } + it { + is_expected.to contain_ini_setting('puppetdb_database_max_pool_size') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/database.ini', + 'section' => 'database', + 'setting' => 'partition-conn-max', + ) + } + end + end - describe 'to a numeric value' do - let(:params) do - { - 'database_max_pool_size' => 12_345, - } - end + context 'on a legacy PuppetDB version' do + let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } - it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } + describe 'to a numeric value' do + let(:params) do + { + 'database_max_pool_size' => 12_345, + } end - describe 'to absent' do - let(:params) do - { - 'database_max_pool_size' => 'absent', - } - end + it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } + end - it { 
is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } + describe 'to absent' do + let(:params) do + { + 'database_max_pool_size' => 'absent', + } end + + it { is_expected.not_to contain_ini_setting('puppetdb_database_max_pool_size') } end end + end - describe 'when using ssl communication' do - let(:params) do - { - 'postgresql_ssl_on' => true, - 'ssl_key_pk8_path' => '/tmp/private_key.pk8', - } - end + describe 'when using ssl communication' do + let(:params) do + { + 'postgresql_ssl_on' => true, + 'ssl_key_pk8_path' => '/tmp/private_key.pk8', + } + end - it 'configures subname correctly' do - is_expected.to contain_ini_setting('puppetdb_subname') - .with( - ensure: 'present', - path: '/etc/puppetlabs/puppetdb/conf.d/database.ini', - section: 'database', - setting: 'subname', - value: '//localhost:5432/puppetdb?' \ - 'ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&' \ - 'sslmode=verify-full&' \ - 'sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem&' \ - 'sslkey=/tmp/private_key.pk8&' \ - 'sslcert=/etc/puppetlabs/puppetdb/ssl/public.pem', - ) - end + it 'configures subname correctly' do + is_expected.to contain_ini_setting('puppetdb_subname') + .with( + ensure: 'present', + path: '/etc/puppetlabs/puppetdb/conf.d/database.ini', + section: 'database', + setting: 'subname', + value: '//localhost:5432/puppetdb?' \ + 'ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&' \ + 'sslmode=verify-full&' \ + 'sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem&' \ + 'sslkey=/tmp/private_key.pk8&' \ + 'sslcert=/etc/puppetlabs/puppetdb/ssl/public.pem', + ) end end end diff --git a/spec/unit/classes/server/db_connection_uri_spec.rb b/spec/unit/classes/server/db_connection_uri_spec.rb index 1c949e2e..80d0bad5 100644 --- a/spec/unit/classes/server/db_connection_uri_spec.rb +++ b/spec/unit/classes/server/db_connection_uri_spec.rb 
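Review bot: The `facts_blacklist`, `database_embedded_path`, `database_max_pool_size` and ssl blocks that now sit after the `['default', 'legacy']` loop still spell out `'/etc/puppetlabs/puppetdb/conf.d/database.ini'` in every expectation, while the loop introduced `pdbconfdir` for exactly that path but scoped it to the loop body. Hoisting a describe-level `let(:pdbconfdir) { '/etc/puppetlabs/puppetdb/conf.d' }` and overriding it in the legacy case would let these blocks use `"#{pdbconfdir}/database.ini"` as well and keep the path in one place. The 'on a legacy PuppetDB version' pool-size context only asserts absence, so it would be unaffected. The enclosing `describe` starts outside this hunk.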
@@ -4,10 +4,14 @@ context 'on a supported platform' do let(:facts) do { - osfamily: 'RedHat', - operatingsystem: 'RedHat', + os: { + family: 'RedHat', + }, operatingsystemrelease: '7.0', - fqdn: 'test.domain.local', + networking: { + fqdn: 'test.domain.local', + }, + service_provider: 'systemd', } end diff --git a/spec/unit/classes/server/db_read_uri_spec.rb b/spec/unit/classes/server/db_read_uri_spec.rb index b7943e15..c9bb0992 100644 --- a/spec/unit/classes/server/db_read_uri_spec.rb +++ b/spec/unit/classes/server/db_read_uri_spec.rb @@ -4,10 +4,14 @@ context 'on a supported platform' do let(:facts) do { - osfamily: 'RedHat', - operatingsystem: 'RedHat', + os: { + family: 'RedHat', + }, operatingsystemrelease: '7.0', - fqdn: 'test.domain.local', + networking: { + fqdn: 'test.domain.local', + }, + service_provider: 'systemd', } end diff --git a/spec/unit/classes/server/firewall_spec.rb b/spec/unit/classes/server/firewall_spec.rb new file mode 100644 index 00000000..3ecd8060 --- /dev/null +++ b/spec/unit/classes/server/firewall_spec.rb @@ -0,0 +1,22 @@ +require 'spec_helper' + +describe 'puppetdb::server::firewall', type: :class do + let(:facts) { on_supported_os.take(1).first[1] } + + context 'defaults' do + include_examples 'puppetdb::server::firewall' + end + + context 'custom ports and open firewall' do + let(:params) do + { + http_port: '9000', + open_http_port: true, + ssl_port: '9001', + open_ssl_port: true, + } + end + + include_examples 'puppetdb::server::firewall' + end +end diff --git a/spec/unit/classes/server/global_ini_spec.rb b/spec/unit/classes/server/global_ini_spec.rb index 9b7b75a2..24ff8e30 100644 --- a/spec/unit/classes/server/global_ini_spec.rb +++ b/spec/unit/classes/server/global_ini_spec.rb 
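Review bot: The facts hash in db_connection_uri_spec.rb moves `osfamily` and `fqdn` to the structured `os` and `networking` keys but keeps the legacy top-level `operatingsystemrelease: '7.0'`, so the fixture mixes both fact styles. If nothing in the class under test still reads the legacy fact (the manifests are not visible here), it would be more consistent to express it as `os: { family: 'RedHat', release: { full: '7.0', major: '7' } }`. db_read_uri_spec.rb has the identical hunk and the same leftover.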
@@ -1,51 +1,54 @@ require 'spec_helper' describe 'puppetdb::server::global', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - fqdn: 'foo.com', - } - end + let(:facts) { on_supported_os.take(1).first[1] } - it { is_expected.to contain_class('puppetdb::server::global') } + describe 'when using default values' do + include_examples 'puppetdb::params' - describe 'when using default values' do - it { - is_expected.to contain_ini_setting('puppetdb_global_vardir') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', - 'section' => 'global', - 'setting' => 'vardir', - 'value' => '/opt/puppetlabs/server/data/puppetdb', - ) - } - it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/config.ini') - .with( - 'ensure' => 'file', - 'owner' => 'puppetdb', - 'group' => 'puppetdb', - 'mode' => '0600', - ) - } - end + it { + is_expected.to contain_ini_setting('puppetdb_global_vardir') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/config.ini', + 'section' => 'global', + 'setting' => 'vardir', + 'value' => '/opt/puppetlabs/server/data/puppetdb', + ) + } + it { + is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/config.ini') + .with( + 'ensure' => 'file', + 'owner' => 'root', + 'group' => 'puppetdb', + 'mode' => '0640', + ) + } + end + + describe 'when using a legacy puppetdb version' do + let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } - describe 'when using a legacy puppetdb version' do - let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } + it { + is_expected.to contain_ini_setting('puppetdb_global_vardir') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetdb/conf.d/config.ini', + 'section' => 'global', + 'setting' => 'vardir', + 'value' => '/var/lib/puppetdb', + ) + } - it { - is_expected.to contain_ini_setting('puppetdb_global_vardir') - .with( - 'ensure' => 'present', - 
'path' => '/etc/puppetdb/conf.d/config.ini', - 'section' => 'global', - 'setting' => 'vardir', - 'value' => '/var/lib/puppetdb', - ) - } - end + it { + is_expected.to contain_file('/etc/puppetdb/conf.d/config.ini') + .with( + 'ensure' => 'file', + 'owner' => 'root', + 'group' => 'puppetdb', + 'mode' => '0640', + ) + } end end diff --git a/spec/unit/classes/server/jetty_ini_spec.rb b/spec/unit/classes/server/jetty_ini_spec.rb index 749d4238..ce322bc6 100644 --- a/spec/unit/classes/server/jetty_ini_spec.rb +++ b/spec/unit/classes/server/jetty_ini_spec.rb @@ -1,19 +1,23 @@ require 'spec_helper' describe 'puppetdb::server::jetty', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - fqdn: 'test.domain.local', - } - end - - it { is_expected.to contain_class('puppetdb::server::jetty') } + let(:facts) { on_supported_os.take(1).first[1] } + + it { is_expected.to contain_class('puppetdb::server::jetty') } + + ['default', 'legacy'].each do |values| + describe "when using #{values} values" do + let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } if values == 'legacy' + let(:pdbconfdir) do + if values == 'legacy' + '/etc/puppetdb/conf.d' + else + '/etc/puppetlabs/puppetdb/conf.d' + end + end - describe 'when using default values' do it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/jetty.ini') + is_expected.to contain_file("#{pdbconfdir}/jetty.ini") .with( 'ensure' => 'file', 'owner' => 'puppetdb', @@ -25,7 +29,7 @@ is_expected.to contain_ini_setting('puppetdb_host') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'path' => "#{pdbconfdir}/jetty.ini", 'section' => 'jetty', 'setting' => 'host', 'value' => 'localhost', 
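Review bot: The new `contain_file` expectations for `config.ini` in global_ini_spec.rb (default and legacy `describe`) pin `root`/`puppetdb`/`0640`, while the other conf.d specs in this diff (`jetty.ini`, `puppetdb.ini`, `read_database.ini`) still expect `puppetdb`/`puppetdb`/`0600`, and nothing here says the split is intended. Root ownership with group read keeps the service account from rewriting its own configuration, so if that is the goal, the files that carry database credentials would presumably want the same treatment. The manifests are not visible in this hunk, so this may already be deliberate. I would record the reason next to the expectation, for example `# root-owned, group-readable: the puppetdb service can read but not modify config.ini`.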
@@ -35,7 +39,7 @@ is_expected.to contain_ini_setting('puppetdb_port') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'path' => "#{pdbconfdir}/jetty.ini", 'section' => 'jetty', 'setting' => 'port', 'value' => 8080, @@ -45,7 +49,7 @@ is_expected.to contain_ini_setting('puppetdb_sslhost') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'path' => "#{pdbconfdir}/jetty.ini", 'section' => 'jetty', 'setting' => 'ssl-host', 'value' => '0.0.0.0', @@ -55,7 +59,7 @@ is_expected.to contain_ini_setting('puppetdb_sslport') .with( 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'path' => "#{pdbconfdir}/jetty.ini", 'section' => 'jetty', 'setting' => 'ssl-port', 'value' => 8081, 
@@ -63,192 +67,147 @@ } it { is_expected.not_to contain_ini_setting('puppetdb_sslprotocols') } end + end - describe 'when using a legacy PuppetDB version' do - let(:pre_condition) { 'class { "puppetdb::globals": version => "2.2.0", }' } - - it { - is_expected.to contain_ini_setting('puppetdb_host') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'host', - 'value' => 'localhost', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_port') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'port', - 'value' => 8080, - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_sslhost') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'ssl-host', - 'value' => '0.0.0.0', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_sslport') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'ssl-port', - 'value' => 8081, - ) + describe 'when disabling ssl' do + let(:params) do + { + 'disable_ssl' => true, } - it { is_expected.not_to contain_ini_setting('puppetdb_sslprotocols') } end - describe 'when disabling ssl' do - let(:params) do - { - 'disable_ssl' => true, - } - end + it { + is_expected.to contain_ini_setting('puppetdb_host') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'host', + 'value' => 'localhost', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_port') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'port', + 'value' => 8080, + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_sslhost') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' 
=> 'jetty', + 'setting' => 'ssl-host', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_sslport') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'ssl-port', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_host') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'host', - 'value' => 'localhost', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_port') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'port', - 'value' => 8080, - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_sslhost') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'ssl-host', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_sslport') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'ssl-port', - ) + describe 'when setting max_threads' do + let(:params) do + { + 'max_threads' => 150, } end - describe 'when setting max_threads' do - let(:params) do - { - 'max_threads' => 150, - } - end + it { + is_expected.to contain_ini_setting('puppetdb_max_threads') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'max-threads', + 'value' => '150', + ) + } + end + + describe 'when setting ssl_protocols' do + context 'to a valid string' do + let(:params) { { 'ssl_protocols' => 'TLSv1, TLSv1.1, TLSv1.2' } } it { - is_expected.to contain_ini_setting('puppetdb_max_threads') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'max-threads', - 'value' => '150', - ) + is_expected.to 
contain_ini_setting('puppetdb_sslprotocols').with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'ssl-protocols', + 'value' => 'TLSv1, TLSv1.1, TLSv1.2', + ) } end - describe 'when setting ssl_protocols' do - context 'to a valid string' do - let(:params) { { 'ssl_protocols' => 'TLSv1, TLSv1.1, TLSv1.2' } } - - it { - is_expected.to contain_ini_setting('puppetdb_sslprotocols').with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'ssl-protocols', - 'value' => 'TLSv1, TLSv1.1, TLSv1.2', - ) - } - end - - context 'to an invalid type (non-string)' do - let(:params) { { 'ssl_protocols' => ['invalid', 'type'] } } - - it 'fails' do - expect { - is_expected.to contain_class('puppetdb::server::jetty') - }.to raise_error(Puppet::Error) - end - end - end - - describe 'when setting cipher_suites' do - context 'to a valid string' do - let(:params) do - { - 'cipher_suites' => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256', - } - end + context 'to an invalid type (non-string)' do + let(:params) { { 'ssl_protocols' => ['invalid', 'type'] } } - it { - is_expected.to contain_ini_setting('puppetdb_cipher-suites').with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'cipher-suites', - 'value' => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256', - ) - } + it 'fails' do + expect { + is_expected.to contain_class('puppetdb::server::jetty') + }.to raise_error(Puppet::Error) end end + end - describe 'when disabling the cleartext HTTP port' do + describe 'when setting cipher_suites' do + context 'to a valid string' do let(:params) do { - 'disable_cleartext' => true, + 'cipher_suites' => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256', } end it { - is_expected.to contain_ini_setting('puppetdb_host') + is_expected.to contain_ini_setting('puppetdb_cipher-suites') .with( - 'ensure' => 'absent', + 'ensure' => 'present', 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', 'section' => 'jetty', - 'setting' => 'host', - 'value' => 'localhost', + 'setting' => 'cipher-suites', + 'value' => 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256', ) } - it { - is_expected.to contain_ini_setting('puppetdb_port') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', - 'section' => 'jetty', - 'setting' => 'port', - 'value' => 8080, - ) + end + end + + describe 'when disabling the cleartext HTTP port' do + let(:params) do + { + 'disable_cleartext' => true, } end + + it { + is_expected.to contain_ini_setting('puppetdb_host') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'host', + 'value' => 'localhost', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_port') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/jetty.ini', + 'section' => 'jetty', + 'setting' => 'port', + 'value' => 8080, + ) + } end end diff --git a/spec/unit/classes/server/puppetdb_ini_spec.rb b/spec/unit/classes/server/puppetdb_ini_spec.rb index a64fb25e..14d8907e 100644 --- a/spec/unit/classes/server/puppetdb_ini_spec.rb +++ b/spec/unit/classes/server/puppetdb_ini_spec.rb 
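Review bot: The 'to a valid string' examples in jetty_ini_spec.rb use `'TLSv1, TLSv1.1, TLSv1.2'` and CBC-mode suites as the sample of an accepted `ssl_protocols` / `cipher_suites` value (carried over from the old side), and spec fixtures like these tend to be copied into real configuration. The examples only check that the string is passed through to `jetty.ini`, so the protocol fixture could be `'TLSv1.2, TLSv1.3'` without changing what is tested. In the same hunk the invalid-type case wraps `contain_class` in `expect { ... }.to raise_error(Puppet::Error)`; `is_expected.to compile.and_raise_error(...)`, the form read_database_ini_spec.rb uses, states the intent more directly.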
@@ -1,103 +1,96 @@ require 'spec_helper' describe 'puppetdb::server::puppetdb', type: :class do - context 'on a supported platform' do - let(:facts) do - { - osfamily: 'RedHat', - fqdn: 'test.domain.local', - } - end + let(:facts) { on_supported_os.take(1).first[1] } - it { is_expected.to contain_class('puppetdb::server::puppetdb') } + it { is_expected.to contain_class('puppetdb::server::puppetdb') } - describe 'when using default values' do - it { - is_expected.to contain_ini_setting('puppetdb-connections-from-master-only') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', - 'section' => 'puppetdb', - 'setting' => 'certificate-whitelist', - 'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist', - ) - } - it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist') - .with( - 'ensure' => 'absent', - 'owner' => 0, - 'group' => 0, - 'mode' => '0644', - 'content' => '', - ) - } - it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini') - .with( - 'ensure' => 'file', - 'owner' => 'puppetdb', - 'group' => 'puppetdb', - 'mode' => '0600', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_disable_update_checking') - .with( - 'ensure' => 'absent', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', - 'section' => 'puppetdb', - 'setting' => 'disable-update-checking', - ) - } - end - - describe 'when restricting access to puppetdb' do - let(:params) do - { - 'certificate_whitelist' => ['puppetmaster'], - } - end + describe 'when using default values' do + it { + is_expected.to contain_ini_setting('puppetdb-connections-from-master-only') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', + 'section' => 'puppetdb', + 'setting' => 'certificate-whitelist', + 'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist', + ) + } + it { + is_expected.to contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist') + .with( + 
'ensure' => 'absent', + 'owner' => 0, + 'group' => 0, + 'mode' => '0644', + 'content' => '', + ) + } + it { + is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini') + .with( + 'ensure' => 'file', + 'owner' => 'puppetdb', + 'group' => 'puppetdb', + 'mode' => '0600', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_disable_update_checking') + .with( + 'ensure' => 'absent', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', + 'section' => 'puppetdb', + 'setting' => 'disable-update-checking', + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb-connections-from-master-only') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', - 'section' => 'puppetdb', - 'setting' => 'certificate-whitelist', - 'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist', - ) - } - it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist') - .with( - 'ensure' => 'present', - 'owner' => 0, - 'group' => 0, - 'mode' => '0644', - 'content' => "puppetmaster\n", - ) + describe 'when restricting access to puppetdb' do + let(:params) do + { + 'certificate_whitelist' => ['puppetmaster'], } end - describe 'when enable disable-update-checking' do - let(:params) do - { - 'disable_update_checking' => true, - } - end + it { + is_expected.to contain_ini_setting('puppetdb-connections-from-master-only') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', + 'section' => 'puppetdb', + 'setting' => 'certificate-whitelist', + 'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist', + ) + } + it { + is_expected.to contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist') + .with( + 'ensure' => 'present', + 'owner' => 0, + 'group' => 0, + 'mode' => '0644', + 'content' => "puppetmaster\n", + ) + } + end - it { - is_expected.to contain_ini_setting('puppetdb_disable_update_checking') - .with( - 'ensure' => 'present', - 'path' => 
'/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', - 'section' => 'puppetdb', - 'setting' => 'disable-update-checking', - 'value' => 'true', - ) + describe 'when enable disable-update-checking' do + let(:params) do + { + 'disable_update_checking' => true, } end + + it { + is_expected.to contain_ini_setting('puppetdb_disable_update_checking') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini', + 'section' => 'puppetdb', + 'setting' => 'disable-update-checking', + 'value' => 'true', + ) + } end end diff --git a/spec/unit/classes/server/read_database_ini_spec.rb b/spec/unit/classes/server/read_database_ini_spec.rb index 502cdbcd..7e821f79 100644 --- a/spec/unit/classes/server/read_database_ini_spec.rb +++ b/spec/unit/classes/server/read_database_ini_spec.rb 
@@ -1,168 +1,168 @@ require 'spec_helper' describe 'puppetdb::server::read_database', type: :class do - context 'on a supported platform' do - let(:facts) do + let(:facts) { on_supported_os.take(1).first[1] } + + it { is_expected.to contain_class('puppetdb::server::read_database') } + + describe 'when using default values' do + it { is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini').with('ensure' => 'absent') } + end + + describe 'when using minimum working values' do + let(:params) do { - osfamily: 'RedHat', - operatingsystem: 'RedHat', - puppetversion: Puppet.version, - operatingsystemrelease: '7.0', - fqdn: 'test.domain.local', + 'read_database_host' => 'puppetdb', } end - it { is_expected.to contain_class('puppetdb::server::read_database') } - - describe 'when using default values' do - it { is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini').with('ensure' => 'absent') } - end + it { + is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini') + .with( + 'ensure' => 'file', + 'owner' => 'puppetdb', + 'group' => 'puppetdb', + 'mode' => '0600', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_database_username') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'username', + 'value' => 'puppetdb-read', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_database_password') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'password', + 'value' => 'puppetdb-read', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_classname') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'classname', + 'value' => 'org.postgresql.Driver', + ) + } + it { + 
is_expected.to contain_ini_setting('puppetdb_read_subprotocol') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'subprotocol', + 'value' => 'postgresql', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_pgs') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'syntax_pgs', + 'value' => true, + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_subname') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'subname', + 'value' => '//puppetdb:5432/puppetdb', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_log_slow_statements') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'log-slow-statements', + 'value' => 10, + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_conn_max_age') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'conn-max-age', + 'value' => '60', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_conn_keep_alive') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'conn-keep-alive', + 'value' => '45', + ) + } + it { + is_expected.to contain_ini_setting('puppetdb_read_conn_lifetime') + .with( + 'ensure' => 'present', + 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + 'section' => 'read-database', + 'setting' => 'conn-lifetime', + 'value' => '0', + ) + } - describe 'when using minimum working values' do + context 'when using ssl communication' do let(:params) do { - 'read_database_host' => 
'puppetdb', + read_database_host: 'puppetdb', + postgresql_ssl_on: true, + ssl_key_pk8_path: '/tmp/private_key.pk8', } end - it { - is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini') - .with( - 'ensure' => 'file', - 'owner' => 'puppetdb', - 'group' => 'puppetdb', - 'mode' => '0600', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_database_username') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'username', - 'value' => 'puppetdb-read', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_database_password') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'password', - 'value' => 'puppetdb-read', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_classname') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'classname', - 'value' => 'org.postgresql.Driver', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_subprotocol') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'subprotocol', - 'value' => 'postgresql', - ) - } - it { + it 'configures subname correctly' do is_expected.to contain_ini_setting('puppetdb_read_subname') .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'subname', - 'value' => '//puppetdb:5432/puppetdb', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_log_slow_statements') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'log-slow-statements', - 'value' => 10, + 
ensure: 'present', + path: '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', + section: 'read-database', + setting: 'subname', + value: '//puppetdb:5432/puppetdb?' \ + 'ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&' \ + 'sslmode=verify-full&' \ + 'sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem&' \ + 'sslkey=/tmp/private_key.pk8&' \ + 'sslcert=/etc/puppetlabs/puppetdb/ssl/public.pem', ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_conn_max_age') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'conn-max-age', - 'value' => '60', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_conn_keep_alive') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'conn-keep-alive', - 'value' => '45', - ) - } - it { - is_expected.to contain_ini_setting('puppetdb_read_conn_lifetime') - .with( - 'ensure' => 'present', - 'path' => '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - 'section' => 'read-database', - 'setting' => 'conn-lifetime', - 'value' => '0', - ) - } + end - context 'when using ssl communication' do + context 'when setting jdbc_ssl_properties as well' do let(:params) do { read_database_host: 'puppetdb', + jdbc_ssl_properties: '?ssl=true', postgresql_ssl_on: true, - ssl_key_pk8_path: '/tmp/private_key.pk8', } end - it 'configures subname correctly' do - is_expected.to contain_ini_setting('puppetdb_read_subname') - .with( - ensure: 'present', - path: '/etc/puppetlabs/puppetdb/conf.d/read_database.ini', - section: 'read-database', - setting: 'subname', - value: '//puppetdb:5432/puppetdb?' 
\ - 'ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&' \ - 'sslmode=verify-full&' \ - 'sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem&' \ - 'sslkey=/tmp/private_key.pk8&' \ - 'sslcert=/etc/puppetlabs/puppetdb/ssl/public.pem', - ) - end - - context 'when setting jdbc_ssl_properties as well' do - let(:params) do - { - read_database_host: 'puppetdb', - jdbc_ssl_properties: '?ssl=true', - postgresql_ssl_on: true, - } - end - - it 'raises an error' do - is_expected.to compile - .and_raise_error(%r{Variables 'postgresql_ssl_on' and 'jdbc_ssl_properties' can not be used at the same time!}) - end + it 'raises an error' do + is_expected.to compile + .and_raise_error(%r{Variables 'postgresql_ssl_on' and 'jdbc_ssl_properties' can not be used at the same time!}) end end end diff --git a/spec/unit/classes/server/validate_db_spec.rb b/spec/unit/classes/server/validate_db_spec.rb new file mode 100644 index 00000000..6ffd57c5 --- /dev/null +++ b/spec/unit/classes/server/validate_db_spec.rb 
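Review bot: In 'when using minimum working values' of read_database_ini_spec.rb the only parameter passed is `read_database_host`, yet the spec expects `puppetdb_read_database_password` to be written with the value `puppetdb-read`, the same string as the username, which pins a predictable default credential as correct behaviour. If that default has to stay for compatibility, a comment on the example should say so, e.g. `# module default; deployments are expected to override the read password`. A second example passing an explicit password would show that the override reaches `read_database.ini`. The ssl example also uses `/tmp/private_key.pk8` as the key path; a path under `/etc/puppetlabs/puppetdb/ssl/` would avoid modelling a private key in a world-writable directory.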
@@ -0,0 +1,58 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# FIXME: the connection validator resource in this code was deprecated and +# removed from the postgres module long ago. +# although the class is included, the resource is never added to +# the catalog, masking the unknown resource error, because +# jdbc_ssl_properties returns '' instead of false. +describe 'puppetdb::server::validate_db', type: :class do + let(:facts) { on_supported_os.take(1).first[1] } + + context 'with default params' do + it { + is_expected.to contain_class('puppetdb::server::validate_db') + .with( + database: 'postgres', + database_host: 'localhost', + database_port: '5432', + database_username: 'puppetdb', + database_password: 'puppetdb', + database_name: 'puppetdb', + jdbc_ssl_properties: '', + ) + } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres connection') } + end + + context 'with parameter tests' do + let(:params) { { jdbc_ssl_properties: false } } + + context 'with jdbc_ssl_properties set false' do + it { + is_expected.to contain_postgresql__validate_db_connection('validate puppetdb postgres connection') + .with( + database_host: 'localhost', + database_port: '5432', + database_username: 'puppetdb', + database_password: 'puppetdb', + database_name: 'puppetdb', + ) + } + end + + context 'with unsupported database' do + let(:params) { { database: 'nosql' } } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres connection') } + end + + context 'without database password' do + let(:params) { { database_password: nil } } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres connection') } + end + end +end diff --git a/spec/unit/classes/server/validate_read_db_spec.rb b/spec/unit/classes/server/validate_read_db_spec.rb new file mode 100644 index 00000000..96aa2ffa --- /dev/null 
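Review bot: In validate_db_spec.rb the nested contexts 'with unsupported database' and 'without database password' replace the outer `let(:params)` rather than extending it, so `jdbc_ssl_properties` falls back to `''`. Per the FIXME at the top of the file and the default-params example, the validator resource is then absent whatever `database` or `database_password` is, so both negative examples pass without exercising the branch they name. Merging into the outer params would fix that: `let(:params) { super().merge(database: 'nosql') }` and `let(:params) { super().merge(database_password: nil) }`. validate_read_db_spec.rb, the next file in the diff, has the same two contexts and needs the same change.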
+++ b/spec/unit/classes/server/validate_read_db_spec.rb @@ -0,0 +1,58 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# FIXME: the connection validator resource in this code was deprecated and +# removed from the postgres module long ago. +# although the class is included, the resource is never added to +# the catalog, masking the unknown resource error, because +# jdbc_ssl_properties returns '' instead of false. +describe 'puppetdb::server::validate_read_db', type: :class do + let(:facts) { on_supported_os.take(1).first[1] } + + context 'with default params' do + it { + is_expected.to contain_class('puppetdb::server::validate_read_db') + .with( + database: 'postgres', + database_host: 'localhost', + database_port: '5432', + database_username: 'puppetdb', + database_password: 'puppetdb', + database_name: 'puppetdb', + jdbc_ssl_properties: '', + ) + } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres (read) connection') } + end + + context 'with parameter tests' do + let(:params) { { jdbc_ssl_properties: false } } + + context 'with jdbc_ssl_properties set false' do + it { + is_expected.to contain_postgresql__validate_db_connection('validate puppetdb postgres (read) connection') + .with( + database_host: 'localhost', + database_port: '5432', + database_username: 'puppetdb', + database_password: 'puppetdb', + database_name: 'puppetdb', + ) + } + end + + context 'with unsupported database' do + let(:params) { { database: 'nosql' } } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres (read) connection') } + end + + context 'without database password' do + let(:params) { { database_password: nil } } + + it { is_expected.not_to contain_postgresql__validate_db_connection('validate puppetdb postgres (read) connection') } + end + end +end diff --git a/spec/unit/classes/server_spec.rb b/spec/unit/classes/server_spec.rb index c3d2d315..78cd4f49 100644 
--- a/spec/unit/classes/server_spec.rb +++ b/spec/unit/classes/server_spec.rb @@ -5,19 +5,18 @@ 'test.domain.local' end + let(:pathdir) do + case facts[:os]['family'] + when 'Debian' + '/etc/default/puppetdb' + else + '/etc/sysconfig/puppetdb' + end + end + on_supported_os.each do |os, facts| context "on #{os}" do - let(:facts) do - facts.merge(puppetversion: Puppet.version, - selinux: true) - end - - pathdir = case facts[:osfamily] - when 'Debian' - '/etc/default/puppetdb' - else - '/etc/sysconfig/puppetdb' - end + let(:facts) { facts } describe 'when using default values' do it { is_expected.to contain_class('puppetdb::server') } @@ -27,6 +26,17 @@ it { is_expected.to contain_class('puppetdb::server::read_database') } it { is_expected.to contain_class('puppetdb::server::jetty') } it { is_expected.to contain_class('puppetdb::server::puppetdb') } + + it { + is_expected.to contain_package('puppetdb') + .that_notifies('Service[puppetdb]') + } + + it { + is_expected.to contain_service('puppetdb') + .with_ensure('running') + .with_enable(true) + } end describe 'when not specifying JAVA_ARGS' do @@ -42,20 +52,18 @@ } end - context 'on redhat PuppetDB' do - it { - is_expected.to contain_ini_subsetting("'-Xms'") - .with( - 'ensure' => 'present', - 'path' => pathdir.to_s, - 'section' => '', - 'key_val_separator' => '=', - 'setting' => 'JAVA_ARGS', - 'subsetting' => '-Xms', - 'value' => '2g', - ) - } - end + it { + is_expected.to contain_ini_subsetting("'-Xms'") + .with( + 'ensure' => 'present', + 'path' => pathdir.to_s, + 'section' => '', + 'key_val_separator' => '=', + 'setting' => 'JAVA_ARGS', + 'subsetting' => '-Xms', + 'value' => '2g', + ) + } end describe 'when specifying JAVA_ARGS with merge_default_java_args false' do @@ -82,7 +90,7 @@ context 'when systemd is available' do let(:facts) do - facts.merge(systemd: true) + super().merge(systemd: true) end describe 'by default dlo cleanup service is enabled' do 
@@ -201,7 +209,7 @@ it 'contains file private.pk8' do is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8') .with( - ensure: 'present', + ensure: 'file', owner: 'puppetdb', group: 'puppetdb', mode: '0600', diff --git a/spec/unit/util/puppetdb_validator_spec.rb b/spec/unit/util/puppetdb_validator_spec.rb index c96cd801..47355f5a 100644 --- a/spec/unit/util/puppetdb_validator_spec.rb +++ b/spec/unit/util/puppetdb_validator_spec.rb 
@@ -8,51 +8,34 @@ url = '/pdb/meta/v1/version' if Puppet::PUPPETVERSION.to_f < 7 - conn_ok = stub - conn_ok.stubs(:get).with(url, 'Accept' => 'application/json').returns(nethttpok) - conn_ok.stubs(:read_timeout=).with(2) - conn_ok.stubs(:open_timeout=).with(2) + conn_ok = double + allow(conn_ok).to receive(:get).with(url, 'Accept' => 'application/json').and_return(nethttpok) + allow(conn_ok).to receive(:read_timeout=).with(2) + allow(conn_ok).to receive(:open_timeout=).with(2) - conn_not_found = stub - conn_not_found.stubs(:get).with('/pdb/meta/v1/version', 'Accept' => 'application/json').returns(notfound) + conn_not_found = double + allow(conn_not_found).to receive(:get).with('/pdb/meta/v1/version', 'Accept' => 'application/json').and_return(notfound) - Puppet::Network::HttpPool.stubs(:http_instance).raises('Unknown host') - Puppet::Network::HttpPool.stubs(:http_instance).with('mypuppetdb.com', 8080, true).raises('Connection refused') - Puppet::Network::HttpPool.stubs(:http_instance).with('mypuppetdb.com', 8080, false).returns(conn_ok) - Puppet::Network::HttpPool.stubs(:http_instance).with('mypuppetdb.com', 8081, true).returns(conn_ok) - Puppet::Network::HttpPool.stubs(:http_instance).with('wrongserver.com', 8081, true).returns(conn_not_found) + allow(Puppet::Network::HttpPool).to receive(:http_instance).and_raise('Unknown host') + allow(Puppet::Network::HttpPool).to receive(:http_instance).with('mypuppetdb.com', 8080, true).and_raise('Connection refused') + allow(Puppet::Network::HttpPool).to receive(:http_instance).with('mypuppetdb.com', 8080, false).and_return(conn_ok) + allow(Puppet::Network::HttpPool).to receive(:http_instance).with('mypuppetdb.com', 8081, true).and_return(conn_ok) + allow(Puppet::Network::HttpPool).to receive(:http_instance).with('wrongserver.com', 8081, true).and_return(conn_not_found) else - http = stub - Puppet::HTTP::Client.stubs(:new).returns(http) + http = double + allow(Puppet::HTTP::Client).to receive(:new).and_return(http) - 
http.stubs(:get).with { |uri, _opts| - uri.hostname == 'mypuppetdb.com' && - uri.port == 8080 && - uri.scheme == 'https' - }.raises Puppet::HTTP::HTTPError, 'Connection refused' + allow(http).to receive(:get) do |uri, _opts| + raise(Puppet::HTTP::HTTPError, 'Connection refused') if uri.hostname == 'mypuppetdb.com' && uri.port == 8080 && uri.scheme == 'https' + raise Puppet::HTTP::ResponseError, Puppet::HTTP::ResponseNetHTTP.new(url, notfound) if uri.hostname == 'wrongserver.com' && uri.port == 8081 && uri.scheme == 'https' + raise Puppet::HTTP::HTTPError, 'Unknown host' if uri.hostname == 'non-existing.com' && uri.scheme == 'https' - http.stubs(:get).with { |uri, _opts| - uri.hostname == 'mypuppetdb.com' && - uri.port == 8080 && - uri.scheme == 'http' - }.returns(Puppet::HTTP::ResponseNetHTTP.new(url, nethttpok)) - - http.stubs(:get).with { |uri, _opts| - uri.hostname == 'mypuppetdb.com' && - uri.port == 8081 && - uri.scheme == 'https' - }.returns(Puppet::HTTP::ResponseNetHTTP.new(url, nethttpok)) - - http.stubs(:get).with { |uri, _opts| - uri.hostname == 'wrongserver.com' && - uri.port == 8081 && - uri.scheme == 'https' - }.raises Puppet::HTTP::ResponseError, Puppet::HTTP::ResponseNetHTTP.new(url, notfound) - - http.stubs(:get).with { |uri, _opts| - uri.hostname == 'non-existing.com' && - uri.scheme == 'https' - }.raises Puppet::HTTP::HTTPError, 'Unknown host' + if uri.hostname == 'mypuppetdb.com' && uri.port == 8080 && uri.scheme == 'http' + Puppet::HTTP::ResponseNetHTTP.new(url, nethttpok) + elsif uri.hostname == 'mypuppetdb.com' && uri.port == 8081 && uri.scheme == 'https' + Puppet::HTTP::ResponseNetHTTP.new(url, nethttpok) + end + end end end 
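Review bot: The block given to `allow(http).to receive(:get)` in the Puppet 7+ branch returns nil for any URI that matches none of its conditions, because the closing `if`/`elsif` has no `else`. The mocha stubs it replaces answered only the listed host/port/scheme combinations, so, as far as I can tell, a request to any other URI would have failed the example; now it gets a nil response and a validator that builds the wrong URL or scheme could go unnoticed. Ending the chain with `else` and `raise "unexpected GET #{uri}"` keeps the double strict. The setup block that encloses these stubs starts above the hunk.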
@@ -70,7 +53,7 @@ puppetdb_server = 'mypuppetdb.com' puppetdb_port = 8080 validator = Puppet::Util::PuppetdbValidator.new(puppetdb_server, puppetdb_port) - Puppet.expects(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): Connection refused") + expect(Puppet).to receive(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): Connection refused") expect(validator.attempt_connection).to be false end @@ -78,7 +61,7 @@ puppetdb_server = 'wrongserver.com' puppetdb_port = 8081 validator = Puppet::Util::PuppetdbValidator.new(puppetdb_server, puppetdb_port) - Puppet.expects(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): [404] Not found") + expect(Puppet).to receive(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): [404] Not found") expect(validator.attempt_connection).to be false end @@ -86,7 +69,7 @@ puppetdb_server = 'non-existing.com' puppetdb_port = nil validator = Puppet::Util::PuppetdbValidator.new(puppetdb_server, puppetdb_port) - Puppet.expects(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): Unknown host") + expect(Puppet).to receive(:notice).with("Unable to connect to puppetdb server (https://#{puppetdb_server}:#{puppetdb_port}): Unknown host") expect(validator.attempt_connection).to be false end end