From dcdee4d93125c963247761458cdb209e8de414b6 Mon Sep 17 00:00:00 2001 
From: Joris Van Acoleyen Date: Mon, 4 Dec 2023 22:58:32 +0100 Subject: [PATCH] Module quality update (#520) * Remove params.pp prep * Update params * Update config.pp * list params in a more sensible way * Add proper summary * Update install.pp * Update more params and refs * Add defaults * Refactor config * Add authconfig type * Add beter comment for type * Update documentation * Update file auth * Update templates and auth_config * Update auth conf template * Update auth config template * Update log4j properties * Update params * Update default api policies * Update init.pp * Update profile overrides * Update profiles template * Update config structure * Fix jaas auth template * Update jaas auth template * Allow empty auth config * Update jaas auth config * Move global project config * Update config * Update defaults * Fix db_config type * Update jaas auth path * Use default jaas config * Use properties file * Move config which has defaults * Rename data to common and update init * Make param not mandatory * Update keystorage config * Update user and group * Update default value * Remove file_keystore from core config * Remove deprecated files * Remove project config it;s managed in DB * Remove obsolete files and update refs * Remove more obsolete files and refs * Update ssl config * Use valid pass for java_ks * Update ssl template * Remove obsolete files * Update init.pp * Move resources and update ref * Fix ssl framework options * Add ssl port * Use http port instead of https * Update profile overrides * Update plugin code * Update doc * Change policy template to epp * Update defines * Update jaas auth template * Update config.pp * Update reference * Update specs and add todo's * Update policy template and unit test * Update framework config * Update specs reference and config templates * Disable gpg check for yumrepo * Fix wrong hiera parameter for repo_config * Update unit tests * Update spec, reference and remove todo * Update references and repo config also 
don't align class parameters * Update repo config * Update install spec * Update readme and simplify install * Add sensitive for db * Update mail_config password type * Add new line between key storage config * Add api token max duration * Update auth_config type and refs * Test debian config * Test source * Update debian repo config --- .fixtures.yml | 2 - README.md | 120 +- REFERENCE.md | 1592 +++++------------ data/Debian.yaml | 11 + data/RedHat.yaml | 10 + hiera.yaml | 10 + manifests/config.pp | 247 +-- manifests/config/aclpolicyfile.pp | 69 +- manifests/config/file_keystore.pp | 94 - manifests/config/framework.pp | 23 + manifests/config/global/file_keystore.pp | 14 - manifests/config/global/framework.pp | 44 - manifests/config/global/project.pp | 71 - manifests/config/global/rundeck_config.pp | 51 - manifests/config/global/ssl.pp | 103 -- manifests/config/global/web.pp | 54 - manifests/config/jaas_auth.pp | 37 + manifests/config/plugin.pp | 53 +- manifests/config/project.pp | 167 -- manifests/config/resource_source.pp | 454 ----- manifests/config/securityroles.pp | 12 - manifests/config/ssl.pp | 37 + manifests/init.pp | 416 +++-- manifests/install.pp | 87 +- manifests/params.pp | 333 ---- manifests/service.pp | 19 +- metadata.json | 8 - spec/acceptance/rundeck_spec.rb | 21 - spec/classes/config/framework_spec.rb | 102 ++ .../config/global/aclpolicyfile_spec.rb | 55 - spec/classes/config/global/auth_spec.rb | 367 ---- .../config/global/file_keystore_spec.rb | 46 - spec/classes/config/global/framework_spec.rb | 113 -- spec/classes/config/global/gui_config_spec.rb | 30 - spec/classes/config/global/project_spec.rb | 37 - .../config/global/rundeck_config_spec.rb | 146 -- spec/classes/config/global/scm_spec.rb | 76 - .../config/global/service_restart_spec.rb | 31 - spec/classes/config/global/ssl_spec.rb | 39 - spec/classes/config/jaas_auth_spec.rb | 300 ++++ spec/classes/config/ssl_spec.rb | 85 + spec/classes/config_spec.rb | 97 +- spec/classes/install_spec.rb | 26 
+- spec/classes/rundeck_spec.rb | 83 +- spec/classes/service_spec.rb | 2 +- spec/defines/config/aclpolicyfile_spec.rb | 130 +- spec/defines/config/plugin_spec.rb | 4 +- spec/defines/config/project_spec.rb | 56 - spec/defines/config/resource_source_spec.rb | 219 --- spec/defines/config/securityroles_spec.rb | 34 - spec/fixtures/files/override.template | 1 - spec/fixtures/files/profile.template | 1 - templates/_auth_ad.epp | 55 - templates/_auth_file.epp | 3 - templates/_auth_ldap.epp | 65 - templates/_auth_pam.epp | 17 - templates/aclpolicy.epp | 46 + templates/aclpolicy.erb | 43 - templates/file_keystorage_meta.erb | 17 - templates/framework.properties.epp | 4 +- templates/jaas-auth.conf.epp | 13 - templates/jaas-auth.conf.erb | 17 - templates/jaas-loginmodule.conf.epp | 33 + templates/krb5.conf.erb | 11 - templates/log4j.properties.erb | 158 -- templates/log4j2.properties.epp | 264 +++ templates/profile_overrides.epp | 22 + templates/profile_overrides.erb | 24 - templates/realm.properties.epp | 21 +- templates/realm.properties.erb | 44 - templates/rundeck-config.epp | 98 - templates/rundeck-config.properties.epp | 61 + templates/scm-export.properties.erb | 3 - templates/scm-import.properties.erb | 3 - templates/ssl.properties.epp | 7 + types/auth_config.pp | 6 + types/db_config.pp | 9 + types/key_storage_config.pp | 8 + types/loglevel.pp | 2 +- types/mail_config.pp | 11 + types/sourcetype.pp | 2 - 81 files changed, 2134 insertions(+), 5172 deletions(-) create mode 100644 data/Debian.yaml create mode 100644 data/RedHat.yaml create mode 100644 hiera.yaml delete mode 100644 manifests/config/file_keystore.pp create mode 100644 manifests/config/framework.pp delete mode 100644 manifests/config/global/file_keystore.pp delete mode 100644 manifests/config/global/framework.pp delete mode 100644 manifests/config/global/project.pp delete mode 100644 manifests/config/global/rundeck_config.pp delete mode 100644 manifests/config/global/ssl.pp delete mode 100644 
manifests/config/global/web.pp create mode 100644 manifests/config/jaas_auth.pp delete mode 100644 manifests/config/project.pp delete mode 100644 manifests/config/resource_source.pp delete mode 100644 manifests/config/securityroles.pp create mode 100644 manifests/config/ssl.pp delete mode 100644 manifests/params.pp create mode 100644 spec/classes/config/framework_spec.rb delete mode 100644 spec/classes/config/global/aclpolicyfile_spec.rb delete mode 100644 spec/classes/config/global/auth_spec.rb delete mode 100644 spec/classes/config/global/file_keystore_spec.rb delete mode 100644 spec/classes/config/global/framework_spec.rb delete mode 100644 spec/classes/config/global/gui_config_spec.rb delete mode 100644 spec/classes/config/global/project_spec.rb delete mode 100644 spec/classes/config/global/rundeck_config_spec.rb delete mode 100644 spec/classes/config/global/scm_spec.rb delete mode 100644 spec/classes/config/global/service_restart_spec.rb delete mode 100644 spec/classes/config/global/ssl_spec.rb create mode 100644 spec/classes/config/jaas_auth_spec.rb create mode 100644 spec/classes/config/ssl_spec.rb delete mode 100644 spec/defines/config/project_spec.rb delete mode 100644 spec/defines/config/resource_source_spec.rb delete mode 100644 spec/defines/config/securityroles_spec.rb delete mode 100644 spec/fixtures/files/override.template delete mode 100644 spec/fixtures/files/profile.template delete mode 100644 templates/_auth_ad.epp delete mode 100644 templates/_auth_file.epp delete mode 100644 templates/_auth_ldap.epp delete mode 100644 templates/_auth_pam.epp create mode 100644 templates/aclpolicy.epp delete mode 100644 templates/aclpolicy.erb delete mode 100644 templates/file_keystorage_meta.erb delete mode 100644 templates/jaas-auth.conf.epp delete mode 100644 templates/jaas-auth.conf.erb create mode 100644 templates/jaas-loginmodule.conf.epp delete mode 100644 templates/krb5.conf.erb delete mode 100644 templates/log4j.properties.erb create mode 100644 
templates/log4j2.properties.epp create mode 100644 templates/profile_overrides.epp delete mode 100644 templates/profile_overrides.erb delete mode 100644 templates/realm.properties.erb delete mode 100644 templates/rundeck-config.epp create mode 100644 templates/rundeck-config.properties.epp delete mode 100644 templates/scm-export.properties.erb delete mode 100644 templates/scm-import.properties.erb create mode 100644 templates/ssl.properties.epp create mode 100644 types/auth_config.pp create mode 100644 types/db_config.pp create mode 100644 types/key_storage_config.pp create mode 100644 types/mail_config.pp delete mode 100644 types/sourcetype.pp
diff --git a/.fixtures.yml b/.fixtures.yml
index 9e4fdca72..586cb448a 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,9 +1,7 @@
 fixtures:
 repositories:
 stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git"
- inifile: "https://github.com/puppetlabs/puppetlabs-inifile.git"
 archive: "https://github.com/puppet-community/puppet-archive.git"
- dirtree: "https://github.com/puppetlabs/pltraining-dirtree.git"
 java_ks: "https://github.com/puppetlabs/puppetlabs-java_ks.git"
 apt: "https://github.com/puppetlabs/puppetlabs-apt.git"
 yumrepo_core:
diff --git a/README.md b/README.md
index 4d102d282..426c90760 100644
--- a/README.md
+++ b/README.md
@@ -25,39 +25,13 @@ The rundeck puppet module for installing and managing [Rundeck](http://rundeck.o | Rundeck Version | Rundeck Puppet module versions | | ---------------- | -------------------------------| -| 2.x - 3.0.X | v5.4.0 and older | -| 3.1 - up | v6.0.0 and newer | - -Since [Rundeck v3.1](https://docs.rundeck.com/docs/upgrading/upgrade-to-rundeck-3.1.html), -it is not required the installtion of `rundeck-config` package for RHEL based distributions anymore. - -Rundeck Team decided to mark this package _obsolete_, making it difficult to maintain -backwards compatibility with releases older than 3.1. - -Trying to install any version prior to 3.1.0 will throw the following error message: - -```console -Resolving Dependencies ---> Running transaction check ----> Package rundeck.noarch 0:2.11.5-1.56.GA will be installed ---> Processing Dependency: rundeck-config for package: rundeck-2.11.5-1.56.GA.noarch -Package rundeck-config is obsoleted by rundeck, but obsoleting package does not provide for requirements -... -``` - -If you need to downgrade and/or install a specific version of Rundeck older than 3.1.0, you can still use this module -to do it (v5.4.0 and prior), although you would need to [manually install the packages](https://github.com/rundeck/rundeck/issues/5168) disabling yum's obsoletes processing logic when performing updates. - -```console -yum reinstall --setopt=obsoletes=0 rundeck-config-3.0.24.20190719-1.201907192053 rundeck-3.0.24.20190719-1.201907192053 -``` - -The latest version of this puppet module only supports Rundeck 3.1 and up. +| 2.x - 3.0.X | v5.4.0 and older | +| 3.1.x - 3.3.x | v8.0.1 until v6.0.0 | +| 3.4.x - up | v9.0.0 and newer | ## Module Description -This module provides a way to manage the installation and configuration of -rundeck, its projects, jobs and plugins. +This module provides a way to manage the installation and configuration of rundeck and plugins. ## Setup 
@@ -90,15 +64,13 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'db', - 'path' => '/', + 'path' => 'keys', }, ], - projects_storage_type => 'db', - database_config => { - 'type' => 'mysql', - 'url' => $db_url, + database_config => { + 'url' => 'jdbc:mysql://myserver/rundeck', 'username' => 'rundeck', - 'password' => $db_pass, + 'password' => 'verysecure', 'driverClassName' => 'com.mysql.jdbc.Driver', }, } @@ -108,9 +80,9 @@ class { 'rundeck': ```Puppet class { 'rundeck': - ssl_enabled => true, - ssl_keyfile => $ssl_keyfile, - ssl_certfile => $ssl_certfile, + ssl_enabled => true, + ssl_certificate => '/path/to/cert', + ssl_private_key => '/path/to/key', } ``` @@ -123,7 +95,7 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'vault-storage', - 'path' => '/', + 'path' => 'keys', 'config' => { 'prefix' => 'rundeck', 'address' => 'https://vault.example.com', @@ -147,14 +119,14 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'file', - 'path' => '/keys', + 'path' => 'keys', 'config' => { 'baseDir => '/path/to/dir', }, }, { 'type' => 'db', - 'path' => '/keys/database', + 'path' => 'keys/database', }, ], } 
@@ -166,36 +138,48 @@ To perform LDAP authentication and file authorization following code can be used ```puppet class { 'rundeck': - auth_types => ['ldap_shared'], auth_config => { 'file' => { - 'auth_users' => [ - { - 'username' => 'rooty', - 'roles' => ['admin'], - }, - { - 'username' => 'stan', - 'roles' => ['sre'], - } - ], + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, }, 'ldap' => { - 'url' => 'ldap://ldap:389', - 'force_binding' => true, - 'bind_dn' => 'cn=ProxyUser,dc=example,dc=com', - 'bind_password' => 'secret', - 'user_base_dn' => 'ou=Users,dc=example,dc=com', - 'user_rdn_attribute' => 'uid', - 'user_id_attribute' => 'uid', - 'user_object_class' => 'inetOrgPerson', - 'role_base_dn' => 'ou=Groups,dc=example,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'memberUid', - 'role_username_member_attribute' => 'memberUid', - 'role_object_class' => 'posixGroup', - 'supplemental_roles' => 'user', - 'nested_groups' => false, + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group', + 'nestedGroups' => 'true' + }, }, }, } 
diff --git a/REFERENCE.md b/REFERENCE.md
index 596a0bbd1..fe0dcb06b 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -9,28 +9,20 @@ #### Public Classes * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. -* [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. -* [`rundeck::params`](#rundeck--params): == Class rundeck::params This class is meant to be called from `rundeck` It sets variables according to platform #### Private Classes -* `rundeck::config`: This private class is called from `rundeck` to manage the configuration. -* `rundeck::config::global::file_keystore`: This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. -* `rundeck::config::global::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. -* `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. -* `rundeck::config::global::rundeck_config`: This private class is called from rundeck::config used to manage the rundeck-config properties. -* `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. -* `rundeck::install`: This private class installs the rundeck package and its dependencies. -* `rundeck::service`: This class is meant to be called from `rundeck` and ensures the service is running. +* `rundeck::config`: This class is called from rundeck to manage the configuration. +* `rundeck::config::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. +* `rundeck::config::jaas_auth`: This private class is called from rundeck::config used to manage jaas authentication for rundeck. +* `rundeck::config::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. +* `rundeck::install`: This class is called from rundeck for install. 
+* `rundeck::service`: This class is called from rundeck to manage service. ### Defined types * [`rundeck::config::aclpolicyfile`](#rundeck--config--aclpolicyfile): This define will create a custom acl policy file. -* [`rundeck::config::file_keystore`](#rundeck--config--file_keystore): This define will create the 'content' and 'meta' components for the key to be stored. * [`rundeck::config::plugin`](#rundeck--config--plugin): This define will install a rundeck plugin. -* [`rundeck::config::project`](#rundeck--config--project): This define can be used to configure rundeck projects. -* [`rundeck::config::resource_source`](#rundeck--config--resource_source): This define will create a resource source that gathers node information. -* [`rundeck::config::securityroles`](#rundeck--config--securityroles): Author: Zoltan Lanyi Date : 03.06.2016 ### Functions @@ -38,8 +30,11 @@ ### Data types +* [`Rundeck::Auth_config`](#Rundeck--Auth_config): Rundeck authentication config type. +* [`Rundeck::Db_config`](#Rundeck--Db_config): Rundeck database config type. +* [`Rundeck::Key_storage_config`](#Rundeck--Key_storage_config): Rundeck key storage config type. * [`Rundeck::Loglevel`](#Rundeck--Loglevel): Rundeck log level type. -* [`Rundeck::Sourcetype`](#Rundeck--Sourcetype): Rundeck sourcetype type. +* [`Rundeck::Mail_config`](#Rundeck--Mail_config): Rundeck mail config type. ## Classes 
@@ -51,648 +46,129 @@ Class to manage installation and configuration of Rundeck. The following parameters are available in the `rundeck` class: -* [`acl_policies`](#-rundeck--acl_policies) -* [`acl_template`](#-rundeck--acl_template) +* [`manage_repo`](#-rundeck--manage_repo) +* [`repo_config`](#-rundeck--repo_config) +* [`package_ensure`](#-rundeck--package_ensure) +* [`manage_home`](#-rundeck--manage_home) +* [`user`](#-rundeck--user) +* [`group`](#-rundeck--group) +* [`manage_user`](#-rundeck--manage_user) +* [`manage_group`](#-rundeck--manage_group) +* [`user_id`](#-rundeck--user_id) +* [`group_id`](#-rundeck--group_id) +* [`admin_policies`](#-rundeck--admin_policies) * [`api_policies`](#-rundeck--api_policies) -* [`api_template`](#-rundeck--api_template) -* [`auth_config`](#-rundeck--auth_config) -* [`auth_template`](#-rundeck--auth_template) -* [`auth_types`](#-rundeck--auth_types) +* [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) +* [`manage_default_api_policy`](#-rundeck--manage_default_api_policy) +* [`grails_server_url`](#-rundeck--grails_server_url) * [`clustermode_enabled`](#-rundeck--clustermode_enabled) -* [`database_config`](#-rundeck--database_config) * [`execution_mode`](#-rundeck--execution_mode) -* [`file_keystorage_dir`](#-rundeck--file_keystorage_dir) -* [`file_keystorage_keys`](#-rundeck--file_keystorage_keys) -* [`framework_config`](#-rundeck--framework_config) -* [`grails_server_url`](#-rundeck--grails_server_url) -* [`gui_config`](#-rundeck--gui_config) * [`java_home`](#-rundeck--java_home) * [`jvm_args`](#-rundeck--jvm_args) -* [`kerberos_realms`](#-rundeck--kerberos_realms) -* [`key_password`](#-rundeck--key_password) -* [`key_storage_config`](#-rundeck--key_storage_config) -* [`keystore`](#-rundeck--keystore) -* [`keystore_password`](#-rundeck--keystore_password) -* [`log_properties_template`](#-rundeck--log_properties_template) +* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) +* 
[`auth_config`](#-rundeck--auth_config) +* [`database_config`](#-rundeck--database_config) +* [`framework_config`](#-rundeck--framework_config) +* [`gui_config`](#-rundeck--gui_config) * [`mail_config`](#-rundeck--mail_config) -* [`sshkey_manage`](#-rundeck--sshkey_manage) -* [`ssl_keyfile`](#-rundeck--ssl_keyfile) -* [`ssl_certfile`](#-rundeck--ssl_certfile) -* [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) -* [`manage_default_api_policy`](#-rundeck--manage_default_api_policy) -* [`manage_repo`](#-rundeck--manage_repo) -* [`package_ensure`](#-rundeck--package_ensure) +* [`security_config`](#-rundeck--security_config) * [`preauthenticated_config`](#-rundeck--preauthenticated_config) -* [`projects`](#-rundeck--projects) -* [`projects_description`](#-rundeck--projects_description) -* [`projects_organization`](#-rundeck--projects_organization) -* [`projects_storage_type`](#-rundeck--projects_storage_type) -* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) -* [`rd_loglevel`](#-rundeck--rd_loglevel) -* [`rd_auditlevel`](#-rundeck--rd_auditlevel) -* [`rdeck_config_template`](#-rundeck--rdeck_config_template) -* [`rdeck_home`](#-rundeck--rdeck_home) -* [`manage_home`](#-rundeck--manage_home) -* [`rdeck_profile_template`](#-rundeck--rdeck_profile_template) -* [`rdeck_override_template`](#-rundeck--rdeck_override_template) +* [`key_storage_config`](#-rundeck--key_storage_config) +* [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) +* [`app_log_level`](#-rundeck--app_log_level) +* [`audit_log_level`](#-rundeck--audit_log_level) +* [`config_template`](#-rundeck--config_template) +* [`override_template`](#-rundeck--override_template) * [`realm_template`](#-rundeck--realm_template) -* [`repo_yum_source`](#-rundeck--repo_yum_source) -* [`repo_yum_gpgkey`](#-rundeck--repo_yum_gpgkey) -* [`repo_apt_source`](#-rundeck--repo_apt_source) -* [`repo_apt_key_id`](#-rundeck--repo_apt_key_id) -* 
[`repo_apt_gpgkey`](#-rundeck--repo_apt_gpgkey) -* [`repo_apt_keyserver`](#-rundeck--repo_apt_keyserver) +* [`log_properties_template`](#-rundeck--log_properties_template) * [`rss_enabled`](#-rundeck--rss_enabled) -* [`security_config`](#-rundeck--security_config) -* [`security_role`](#-rundeck--security_role) * [`server_web_context`](#-rundeck--server_web_context) -* [`service_config`](#-rundeck--service_config) -* [`service_logs_dir`](#-rundeck--service_logs_dir) -* [`service_name`](#-rundeck--service_name) -* [`service_restart`](#-rundeck--service_restart) -* [`service_script`](#-rundeck--service_script) -* [`service_ensure`](#-rundeck--service_ensure) -* [`session_timeout`](#-rundeck--session_timeout) * [`ssl_enabled`](#-rundeck--ssl_enabled) * [`ssl_port`](#-rundeck--ssl_port) +* [`ssl_certificate`](#-rundeck--ssl_certificate) +* [`ssl_private_key`](#-rundeck--ssl_private_key) +* [`key_password`](#-rundeck--key_password) +* [`keystore`](#-rundeck--keystore) +* [`keystore_password`](#-rundeck--keystore_password) * [`truststore`](#-rundeck--truststore) * [`truststore_password`](#-rundeck--truststore_password) -* [`user`](#-rundeck--user) -* [`group`](#-rundeck--group) -* [`manage_user`](#-rundeck--manage_user) -* [`manage_group`](#-rundeck--manage_group) -* [`user_id`](#-rundeck--user_id) -* [`group_id`](#-rundeck--group_id) -* [`file_default_mode`](#-rundeck--file_default_mode) -* [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) -* [`security_roles_array`](#-rundeck--security_roles_array) -* [`storage_encrypt_config`](#-rundeck--storage_encrypt_config) - -##### `acl_policies` - -Data type: `Array[Hash]` - -Admin acl policies. - -Default value: `$rundeck::params::acl_policies` - -##### `acl_template` - -Data type: `String` - -The template used for admin acl policy. Default is rundeck/aclpolicy.erb. - -Default value: `$rundeck::params::acl_template` - -##### `api_policies` - -Data type: `Array[Hash]` - -apitoken acl policies. 
- -Default value: `$rundeck::params::api_policies` - -##### `api_template` - -Data type: `String` - -The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb. - -Default value: `$rundeck::params::api_template` - -##### `auth_config` - -Data type: `Hash` - -Authentication configuration. - -Default value: `$rundeck::params::auth_config` - -##### `auth_template` - -Data type: `String` - -The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. - -Default value: `$rundeck::params::auth_template` - -##### `auth_types` - -Data type: `Array` - -The method used to authenticate to rundeck. Default is file. - -Default value: `$rundeck::params::auth_types` - -##### `clustermode_enabled` - -Data type: `Boolean` - -Boolean value if set to true enables cluster mode - -Default value: `$rundeck::params::clustermode_enabled` - -##### `database_config` - -Data type: `Hash` - -Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) - -Default value: `$rundeck::params::database_config` - -##### `execution_mode` - -Data type: `Optional[Enum['active', 'passive']]` - -If set, allows setting the execution mode to 'active' or 'passive'. - -Default value: `undef` - -##### `file_keystorage_dir` - -Data type: `Stdlib::Absolutepath` - -Path to dir where the keystorage should be located. - -Default value: `$rundeck::params::file_keystorage_dir` - -##### `file_keystorage_keys` - -Data type: `Hash` - -Add keys to file keystorage. 
- -Default value: `$rundeck::params::file_keystorage_keys` - -##### `framework_config` - -Data type: `Hash` - -Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) - -Default value: `$rundeck::params::framework_config` - -##### `grails_server_url` - -Data type: `Stdlib::HTTPUrl` - -Sets `grails.serverURL` so that Rundeck knows its external address. - -Default value: `$rundeck::params::grails_server_url` - -##### `gui_config` - -Data type: `Hash` - -Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) - -Default value: `$rundeck::params::gui_config` - -##### `java_home` - -Data type: `Optional[Stdlib::Absolutepath]` - -Set the home directory of java. - -Default value: `undef` - -##### `jvm_args` - -Data type: `String` - -Extra arguments for the JVM. - -Default value: `$rundeck::params::jvm_args` - -##### `kerberos_realms` - -Data type: `Hash` - -A hash of mappings between Kerberos domain DNS names and realm names - -Default value: `$rundeck::params::kerberos_realms` - -##### `key_password` - -Data type: `String` - -The default key password. - -Default value: `$rundeck::params::key_password` - -##### `key_storage_config` - -Data type: `Array[Hash]` - -An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) - -Default value: `$rundeck::params::key_storage_config` - -##### `keystore` - -Data type: `Stdlib::Absolutepath` - -Full path to the java keystore to be used by Rundeck. - -Default value: `$rundeck::params::keystore` - -##### `keystore_password` - -Data type: `String` - -The password for the given keystore. - -Default value: `$rundeck::params::keystore_password` - -##### `log_properties_template` - -Data type: `String` - -The template used for log properties. 
Default is rundeck/log4j.properties.erb. - -Default value: `$rundeck::params::log_properties_template` - -##### `mail_config` - -Data type: `Hash` - -A hash of the notification email configuraton. - -Default value: `$rundeck::params::mail_config` - -##### `sshkey_manage` - -Data type: `Boolean` - -Should this module manage the sshkey used by rundeck at all. - -Default value: `$rundeck::params::sshkey_manage` - -##### `ssl_keyfile` - -Data type: `Stdlib::Absolutepath` - -Full path to the SSL private key to be used by Rundeck. - -Default value: `$rundeck::params::ssl_keyfile` - -##### `ssl_certfile` - -Data type: `Stdlib::Absolutepath` - -Full path to the SSL public key to be used by Rundeck. - -Default value: `$rundeck::params::ssl_certfile` - -##### `manage_default_admin_policy` - -Data type: `Boolean` - -Boolean value if set to true enables default admin policy management - -Default value: `$rundeck::params::manage_default_admin_policy` - -##### `manage_default_api_policy` - -Data type: `Boolean` - -Boolean value if set to true enables default api policy management - -Default value: `$rundeck::params::manage_default_api_policy` - -##### `manage_repo` - -Data type: `Boolean` - -Whether to manage the package repository. Defaults to true. - -Default value: `$rundeck::params::manage_repo` - -##### `package_ensure` - -Data type: `String` - -Ensure the state of the rundeck package, either present, absent or a specific version - -Default value: `$rundeck::params::package_ensure` - -##### `preauthenticated_config` - -Data type: `Hash` - -A hash of the rundeck preauthenticated config mode - -Default value: `$rundeck::params::preauthenticated_config` - -##### `projects` - -Data type: `Hash` - -The hash of projects in your instance. - -Default value: `$rundeck::params::projects` - -##### `projects_description` - -Data type: `String` - -The description that will be set by default for any projects. 
- -Default value: `$rundeck::params::projects_default_desc` - -##### `projects_organization` - -Data type: `String` - -The organization value that will be set by default for any projects. - -Default value: `$rundeck::params::projects_default_org` - -##### `projects_storage_type` - -Data type: `Enum['db', 'filesystem']` - -The storage type for any projects. Must be 'filesystem' or 'db' - -Default value: `$rundeck::params::projects_storage_type` - -##### `quartz_job_threadcount` - -Data type: `Integer` - -The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. - -Default value: `$rundeck::params::quartz_job_threadcount` - -##### `rd_loglevel` - -Data type: `Rundeck::Loglevel` - -The log4j logging level to be set for the Rundeck application. - -Default value: `$rundeck::params::loglevel` - -##### `rd_auditlevel` - -Data type: `Rundeck::Loglevel` - -The log4j logging level to be set for the Rundeck application. - -Default value: `$rundeck::params::loglevel` - -##### `rdeck_config_template` - -Data type: `String` - -Allows you to override the rundeck-config template. - -Default value: `$rundeck::params::rdeck_config_template` - -##### `rdeck_home` - -Data type: `Stdlib::Absolutepath` - -Directory under which the projects directories live. - -Default value: `$rundeck::params::rdeck_home` - -##### `manage_home` - -Data type: `Boolean` - -Whether to manage rundeck home dir. Defaults to true. 
- -Default value: `$rundeck::params::manage_home` - -##### `rdeck_profile_template` - -Data type: `Optional[String]` - -Allows you to use your own profile template instead of the default from the package maintainer - -Default value: `undef` - -##### `rdeck_override_template` - -Data type: `String` - -Allows you to use your own override template instead of the default from the package maintainer - -Default value: `'rundeck/profile_overrides.erb'` - -##### `realm_template` - -Data type: `String` - -Allows you to use your own override template instead of the default from the package maintainer - -Default value: `$rundeck::params::realm_template` - -##### `repo_yum_source` - -Data type: `Stdlib::HTTPUrl` - -Baseurl for the yum repo - -Default value: `$rundeck::params::repo_yum_source` - -##### `repo_yum_gpgkey` - -Data type: `String` - -URL or path for the GPG key for the rpm - -Default value: `$rundeck::params::repo_yum_gpgkey` - -##### `repo_apt_source` - -Data type: `Stdlib::HTTPUrl` - -Baseurl for the apt repo - -Default value: `$rundeck::params::repo_apt_source` - -##### `repo_apt_key_id` - -Data type: `String` - -Key ID for the GPG key for the Debian package - -Default value: `$rundeck::params::repo_apt_key_id` - -##### `repo_apt_gpgkey` - -Data type: `Stdlib::Httpsurl` - -Location where the GPG key can be found - -Default value: `$rundeck::params::repo_apt_gpgkey` - -##### `repo_apt_keyserver` - -Data type: `String` - -Keysever for the GPG key for the Debian package - -Default value: `$rundeck::params::repo_apt_keyserver` +* [`service_name`](#-rundeck--service_name) +* [`service_ensure`](#-rundeck--service_ensure) +* [`service_logs_dir`](#-rundeck--service_logs_dir) +* [`service_notify`](#-rundeck--service_notify) +* [`service_config`](#-rundeck--service_config) +* [`service_script`](#-rundeck--service_script) +* [`override_dir`](#-rundeck--override_dir) +* [`api_token_max_duration`](#-rundeck--api_token_max_duration) -##### `rss_enabled` +##### `manage_repo` 
Data type: `Boolean` -Boolean value if set to true enables RSS feeds that are public (non-authenticated) +Whether to manage the package repository. -Default value: `$rundeck::params::rss_enabled` +Default value: `true` -##### `security_config` +##### `repo_config` Data type: `Hash` -A hash of the rundeck security configuration. - -Default value: `$rundeck::params::security_config` - -##### `security_role` - -Data type: `String` - -Name of the role that is required for all users to be allowed access. - -Default value: `$rundeck::params::security_role` - -##### `server_web_context` - -Data type: `Optional[String]` - -Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context - -Default value: `undef` - -##### `service_config` - -Data type: `Optional[String]` - -The name of the rundeck service. - -Default value: `undef` - -##### `service_logs_dir` - -Data type: `Stdlib::Absolutepath` - -The path to the directory to store logs. - -Default value: `$rundeck::params::service_logs_dir` +A hash of repository attributes for configuring the rundeck package repositories. +Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml -##### `service_name` +##### `package_ensure` -Data type: `String` +Data type: `String[1]` -The name of the rundeck service. +Ensure the state of the rundeck package, either present, absent or a specific version. -Default value: `$rundeck::params::service_name` +Default value: `'installed'` -##### `service_restart` +##### `manage_home` Data type: `Boolean` -The restart of the rundeck service (default to true) +Whether to manage rundeck home dir. Default value: `true` -##### `service_script` - -Data type: `Optional[String]` - -Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. 
- -Default value: `undef` - -##### `service_ensure` - -Data type: `Enum['stopped', 'running']` - -State of the rundeck service (defaults to 'running') - -Default value: `$rundeck::params::service_ensure` - -##### `session_timeout` - -Data type: `Integer` - -Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. - -Default value: `$rundeck::params::session_timeout` - -##### `ssl_enabled` - -Data type: `Boolean` - -Enable ssl for the rundeck web application. - -Default value: `$rundeck::params::ssl_enabled` - -##### `ssl_port` - -Data type: `Stdlib::Port` - -Ssl port of the rundeck web application (default to '4443'). - -Default value: `$rundeck::params::ssl_port` - -##### `truststore` - -Data type: `Stdlib::Absolutepath` - -The full path to the java truststore to be used by Rundeck. - -Default value: `$rundeck::params::truststore` - -##### `truststore_password` - -Data type: `String` - -The password for the given truststore. - -Default value: `$rundeck::params::truststore_password` - ##### `user` -Data type: `String` +Data type: `String[1]` The user that rundeck is installed as. -Default value: `$rundeck::params::user` +Default value: `'rundeck'` ##### `group` -Data type: `String` +Data type: `String[1]` The group permission that rundeck is installed as. -Default value: `$rundeck::params::group` +Default value: `'rundeck'` ##### `manage_user` Data type: `Boolean` -Whether to manage `user` (and enforce `user_id` if set). Defaults to false. +Whether to manage `user` (and enforce `user_id` if set). -Default value: `$rundeck::params::manage_user` +Default value: `false` ##### `manage_group` Data type: `Boolean` -Whether to manage `group` (and enforce `group_id` if set). Defaults to false. +Whether to manage `group` (and enforce `group_id` if set). 
-Default value: `$rundeck::params::manage_group` +Default value: `false` ##### `user_id` Data type: `Optional[Integer]` -If you want to have always the same user id. Eg. because of the NFS share. +If you want to have always the same user id. Eg. because of a NFS share. Default value: `undef` 
@@ -700,791 +176,589 @@ Default value: `undef` Data type: `Optional[Integer]` -If you want to have always the same group id. Eg. because of the NFS share. +If you want to have always the same group id. Eg. because of a NFS share. Default value: `undef` -##### `file_default_mode` - -Data type: `String` - -Default file mode for managed files. Default to 0640 - -Default value: `$rundeck::params::file_default_mode` - -##### `security_roles_array_enabled` - -Data type: `Boolean` - -Boolean value if you need more roles. false or true (default is false). - -Default value: `$rundeck::params::security_roles_array_enabled` - -##### `security_roles_array` - -Data type: `Array` - -Array value if you need more roles and you set true the "security_roles_array_enabled" value. - -Default value: `$rundeck::params::security_roles_array` - -##### `storage_encrypt_config` - -Data type: `Hash[String,String]` - -Hash containing the necessary values to configure a plugin for key storage encryption. -https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins - -Default value: `{}` - -### `rundeck::config::global::web` - -Currently only manages the required for any user to login and session timout: -http://rundeck.org/docs/administration/authenticating-users.html#security-role -http://rundeck.org/docs/administration/configuration-file-reference.html#session-timeout - -#### Parameters - -The following parameters are available in the `rundeck::config::global::web` class: - -* [`security_role`](#-rundeck--config--global--web--security_role) -* [`session_timeout`](#-rundeck--config--global--web--session_timeout) -* [`security_roles_array_enabled`](#-rundeck--config--global--web--security_roles_array_enabled) -* [`security_roles_array`](#-rundeck--config--global--web--security_roles_array) - -##### `security_role` - -Data type: `String[1]` - -Name of role that is required for all users to be allowed access. 
- -Default value: `$rundeck::params::security_role` - -##### `session_timeout` - -Data type: `Integer[0]` - -Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. - -Default value: `$rundeck::params::session_timeout` - -##### `security_roles_array_enabled` - -Data type: `Boolean` - -Boolen value if you want to have more roles in web.xml - -Default value: `$rundeck::params::security_roles_array_enabled` - -##### `security_roles_array` - -Data type: `Array` - -Array value if you set the value 'security_roles_array_enabled' to true. - -Default value: `$rundeck::params::security_roles_array` - -### `rundeck::params` +##### `admin_policies` -== Class rundeck::params - -This class is meant to be called from `rundeck` -It sets variables according to platform - -## Defined types - -### `rundeck::config::aclpolicyfile` - -This define will create a custom acl policy file. +Data type: `Array[Hash]` -#### Examples +Admin acl policies. -##### Admin access. 
+Default value: ```puppet -rundeck::config::aclpolicyfile { 'myPolicyFile': - acl_policies => [ +[ { - 'description' => 'Admin, all access', - 'context' => { - 'type' => 'project', - 'rule' => '.*', + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], }, - 'resource_types' => [ - { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'adhoc', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'job', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'node', 'rules' => [{ 'name' => 'allow','rule' => '*' }] } - ], - 'by' => { - 'group' => ['admin'], - 'username' => undef, - } + 'by' => [{ 'group' => ['admin'] }], }, { - 'description' => 'Admin, all access', - 'context' => { - 'type' => 'application', - 'rule' => 'rundeck', + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], }, - 'resource_types' => [ - { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'project', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'storage', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - ], - 'by' => { - 'group' => ['admin'], - 'username' => undef, - } - } - ], -} -``` - -#### Parameters - -The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: - -* [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) -* [`group`](#-rundeck--config--aclpolicyfile--group) -* [`owner`](#-rundeck--config--aclpolicyfile--owner) -* [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) -* [`template_file`](#-rundeck--config--aclpolicyfile--template_file) - -##### `acl_policies` - -Data 
type: `Array` - -An array of hashes containing acl policies. See example. - -##### `group` - -Data type: `String` - -The group permission that rundeck is installed as. - -Default value: `'rundeck'` - -##### `owner` - -Data type: `String` - -The user that rundeck is installed as. - -Default value: `'rundeck'` - -##### `properties_dir` - -Data type: `Stdlib::Absolutepath` - -The rundeck configuration directory. - -Default value: `'/etc/rundeck'` - -##### `template_file` - -Data type: `String` - -The template used for acl policy. Default is rundeck/aclpolicy.erb - -Default value: `"${module_name}/aclpolicy.erb"` - -### `rundeck::config::file_keystore` - -Currently supports password-based public keys. -Private keys are also supported, but not recommended to be privisioned via this mechanism -without the proper security policies for the private key data in place. - -#### Examples - -##### Basic usage. - -```puppet -rundeck::config::file_keystore { 'mypassword': - path => 'myproject/mypassword', - value => 'secret', - content_type => 'application/x-rundeck-data-password', - data_type => 'password', -} + 'by' => [{ 'group' => ['admin'] }], + }, + ] ``` -#### Parameters - -The following parameters are available in the `rundeck::config::file_keystore` defined type: +##### `api_policies` -* [`content_type`](#-rundeck--config--file_keystore--content_type) -* [`data_type`](#-rundeck--config--file_keystore--data_type) -* [`path`](#-rundeck--config--file_keystore--path) -* [`value`](#-rundeck--config--file_keystore--value) -* [`auth_created_username`](#-rundeck--config--file_keystore--auth_created_username) -* [`auth_modified_username`](#-rundeck--config--file_keystore--auth_modified_username) -* [`content_creation_time`](#-rundeck--config--file_keystore--content_creation_time) -* [`content_mask`](#-rundeck--config--file_keystore--content_mask) -* [`content_modify_time`](#-rundeck--config--file_keystore--content_modify_time) -* 
[`content_size`](#-rundeck--config--file_keystore--content_size) -* [`file_keystorage_dir`](#-rundeck--config--file_keystore--file_keystorage_dir) -* [`group`](#-rundeck--config--file_keystore--group) -* [`user`](#-rundeck--config--file_keystore--user) +Data type: `Array[Hash]` -##### `content_type` +Apitoken acl policies. -Data type: +Default value: ```puppet -Enum[ - 'application/x-rundeck-data-password', - 'application/pgp-keys', - 'application/octet-stream' +[ + { + 'description' => 'API project level access control', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [ + { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] }, + { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] }, + { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] }, + ], + 'adhoc' => [{ 'allow' => ['read', 'run', 'kill'] }], + 'job' => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }], + 'node' => [{ 'allow' => ['read', 'run'] }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + { + 'description' => 'API Application level access control', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }], + 'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }], + 'storage' => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, ] ``` -MIME type of the content - -##### `data_type` - -Data type: `Enum['password', 'public', 'private']` - -Data type (password, public-key or private-key) - -##### `path` - -Data type: `String` - -The path of the named key - -##### `value` - -Data type: `String` - -The actual value (password) of the named key - -##### `auth_created_username` +##### `manage_default_admin_policy` -Data type: `String` +Data type: `Boolean` -User who created the key +Whether to manage the default admin policy. 
-Default value: `$rundeck::framework_config['framework.ssh.user']` +Default value: `true` -##### `auth_modified_username` +##### `manage_default_api_policy` -Data type: `String` +Data type: `Boolean` -User who last modified the key +Whether to manage default api policy. -Default value: `$rundeck::framework_config['framework.ssh.user']` +Default value: `true` -##### `content_creation_time` +##### `grails_server_url` -Data type: `String` +Data type: `Stdlib::HTTPUrl` -When the key was first created +Sets `grails.serverURL` so that Rundeck knows its external address. -Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` +Default value: `"http://${facts['networking']['fqdn']}:4440"` -##### `content_mask` +##### `clustermode_enabled` -Data type: `String` +Data type: `Boolean` -Content mask (default is 'content') +Wheter to enable cluster mode. -Default value: `'content'` +Default value: `false` -##### `content_modify_time` +##### `execution_mode` -Data type: `String` +Data type: `Enum['active', 'passive']` -When the key was modified +Set the execution mode to 'active' or 'passive'. -Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` +Default value: `'active'` -##### `content_size` +##### `java_home` -Data type: `Optional[Integer]` +Data type: `Optional[Stdlib::Absolutepath]` -Size of the content string in bytes +Set the home directory of java. Default value: `undef` -##### `file_keystorage_dir` - -Data type: `Stdlib::Absolutepath` - -Base directory for file-based key storage (defaulted to /var/lib/rundeck/var/storage) - -Default value: `$rundeck::file_keystorage_dir` - -##### `group` +##### `jvm_args` Data type: `String` -Default system group for the Rundeck framework +Extra arguments for the JVM. 
-Default value: `$rundeck::config::group` +Default value: `'-Xmx1024m -Xms256m -server'` -##### `user` +##### `quartz_job_threadcount` -Data type: `String` +Data type: `Integer` -Default system user for the Rundeck framework +The maximum number of threads used by Rundeck for concurrent jobs. -Default value: `$rundeck::config::user` +Default value: `10` -### `rundeck::config::plugin` +##### `auth_config` -This define will install a rundeck plugin. +Data type: `Rundeck::Auth_config` -#### Examples +Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) -##### Basic usage. +Default value: ```puppet -rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': - source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', -} +{ + 'file' => { + 'auth_flag' => 'required', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [], + }, + }, + } ``` -#### Parameters +##### `database_config` -The following parameters are available in the `rundeck::config::plugin` defined type: +Data type: `Rundeck::Db_config` -* [`ensure`](#-rundeck--config--plugin--ensure) -* [`source`](#-rundeck--config--plugin--source) +Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) -##### `ensure` +Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` -Data type: `Enum['present', 'absent']` +##### `framework_config` -Set present or absent to add or remove the plugin +Data type: `Hash` -Default value: `'present'` +Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +This hash 
will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/master/manifests/config.pp#L8-L20) -##### `source` +Default value: `{}` -Data type: `String` +##### `gui_config` -The http source or local path from which to get the plugin. +Data type: `Hash` -### `rundeck::config::project` +Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) -This define can be used to configure rundeck projects. +Default value: `{}` -#### Examples +##### `mail_config` -##### Basic usage. +Data type: `Rundeck::Mail_config` -```puppet -rundeck::config::project { 'test project': - ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', - file_copier_provider => 'jsch-scp', - node_executor_provider => 'jsch-ssh', - resource_sources => $resource_hash, - scm_import_properties => $scm_import_properties_hash, -} -``` +A hash of the notification email configuraton. -#### Parameters +Default value: `{}` -The following parameters are available in the `rundeck::config::project` defined type: +##### `security_config` -* [`file_copier_provider`](#-rundeck--config--project--file_copier_provider) -* [`framework_config`](#-rundeck--config--project--framework_config) -* [`group`](#-rundeck--config--project--group) -* [`user`](#-rundeck--config--project--user) -* [`node_executor_provider`](#-rundeck--config--project--node_executor_provider) -* [`node_executor_settings`](#-rundeck--config--project--node_executor_settings) -* [`projects_dir`](#-rundeck--config--project--projects_dir) -* [`resource_sources`](#-rundeck--config--project--resource_sources) -* [`scm_import_properties`](#-rundeck--config--project--scm_import_properties) -* [`scm_export_properties`](#-rundeck--config--project--scm_export_properties) -* [`ssh_keypath`](#-rundeck--config--project--ssh_keypath) +Data type: `Hash` -##### `file_copier_provider` +A hash of the rundeck security configuration. 
-Data type: `String` +Default value: `{}` -The type of proivder that will be used for copying files to each of the nodes +##### `preauthenticated_config` -Default value: `$rundeck::file_copier_provider` +Data type: `Hash` -##### `framework_config` +A hash of the rundeck preauthenticated configuration. -Data type: `Hash` +Default value: `{}` -Rundeck framework config +##### `key_storage_config` -Default value: `$rundeck::framework_config` +Data type: `Rundeck::Key_storage_config` -##### `group` +An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) -Data type: `String` +Default value: `[{ 'type' => 'db', 'path' => 'keys' }]` -Rundeck group +##### `key_storage_encrypt_config` -Default value: `$rundeck::group` +Data type: `Array[Hash]` -##### `user` +An array with hashes of properties for customizing the [Rundeck Key Storage converter](https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins) -Data type: `String` +Default value: `[]` -Rundeck user +##### `app_log_level` -Default value: `$rundeck::user` +Data type: `Rundeck::Loglevel` -##### `node_executor_provider` +The log4j logging level to be set for the Rundeck application. -Data type: `String` +Default value: `'info'` -The type of provider that will be used to gather node resources +##### `audit_log_level` -Default value: `$rundeck::node_executor_provider` +Data type: `Rundeck::Loglevel` -##### `node_executor_settings` +The log4j logging level to be set for the Rundeck autorization. -Data type: `Hash` +Default value: `'info'` -Node executor settings +##### `config_template` -Default value: `{}` +Data type: `String[1]` -##### `projects_dir` +The template used for rundeck-config properties. Needs to be in epp format. 
-Data type: `Optional[Stdlib::Absolutepath]` +Default value: `'rundeck/rundeck-config.properties.epp'` -The directory where rundeck is configured to store project information +##### `override_template` -Default value: `undef` +Data type: `String[1]` -##### `resource_sources` +The template used for rundeck profile overrides. Needs to be in epp format. -Data type: `Hash` +Default value: `'rundeck/profile_overrides.epp'` -A hash of rundeck::config::resource_source that will be used to specify the node resources for this project +##### `realm_template` -Default value: `$rundeck::resource_sources` +Data type: `String[1]` -##### `scm_import_properties` +The template used for jaas realm properties. Needs to be in epp format. -Data type: `Hash` +Default value: `'rundeck/realm.properties.epp'` -A hash of name value pairs representing properties for the scm-import.properties file +##### `log_properties_template` -Default value: `{}` +Data type: `String[1]` -##### `scm_export_properties` +The template used for log properties. Needs to be in epp format. -Data type: `Hash` +Default value: `'rundeck/log4j2.properties.epp'` -A hash of name value pairs representing properties for the scm-export.properties file +##### `rss_enabled` -Default value: `{}` +Data type: `Boolean` -##### `ssh_keypath` +Boolean value if set to true enables RSS feeds that are public (non-authenticated) -Data type: `Optional[Stdlib::Absolutepath]` +Default value: `false` -The path to the ssh key that will be used by the ssh/scp providers +##### `server_web_context` + +Data type: `Optional[String[1]]` + +Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context Default value: `undef` -### `rundeck::config::resource_source` +##### `ssl_enabled` -This define will create a resource source that gathers node information. +Data type: `Boolean` -#### Examples +Enable ssl for the rundeck web application. -##### Basic usage. 
+Default value: `false` -```puppet -rundeck::config::resource_source { 'myresource': - project_name => 'myproject', - number => '1', - source_type => 'file', - include_server_node => false, - resource_format => 'resourceyaml', -} -``` +##### `ssl_port` -#### Parameters +Data type: `Stdlib::Port` -The following parameters are available in the `rundeck::config::resource_source` defined type: - -* [`directory`](#-rundeck--config--resource_source--directory) -* [`include_server_node`](#-rundeck--config--resource_source--include_server_node) -* [`mapping_params`](#-rundeck--config--resource_source--mapping_params) -* [`number`](#-rundeck--config--resource_source--number) -* [`project_name`](#-rundeck--config--resource_source--project_name) -* [`resource_format`](#-rundeck--config--resource_source--resource_format) -* [`running_only`](#-rundeck--config--resource_source--running_only) -* [`script_args`](#-rundeck--config--resource_source--script_args) -* [`script_args_quoted`](#-rundeck--config--resource_source--script_args_quoted) -* [`script_file`](#-rundeck--config--resource_source--script_file) -* [`script_interpreter`](#-rundeck--config--resource_source--script_interpreter) -* [`source_type`](#-rundeck--config--resource_source--source_type) -* [`url`](#-rundeck--config--resource_source--url) -* [`url_cache`](#-rundeck--config--resource_source--url_cache) -* [`url_timeout`](#-rundeck--config--resource_source--url_timeout) -* [`use_default_mapping`](#-rundeck--config--resource_source--use_default_mapping) -* [`endpoint_url`](#-rundeck--config--resource_source--endpoint_url) -* [`assume_role_arn`](#-rundeck--config--resource_source--assume_role_arn) -* [`filter_tag`](#-rundeck--config--resource_source--filter_tag) -* [`http_proxy_port`](#-rundeck--config--resource_source--http_proxy_port) -* [`refresh_interval`](#-rundeck--config--resource_source--refresh_interval) -* [`puppet_enterprise_host`](#-rundeck--config--resource_source--puppet_enterprise_host) -* 
[`puppet_enterprise_port`](#-rundeck--config--resource_source--puppet_enterprise_port) -* [`puppet_enterprise_ssl_dir`](#-rundeck--config--resource_source--puppet_enterprise_ssl_dir) -* [`puppet_enterprise_certificate_name`](#-rundeck--config--resource_source--puppet_enterprise_certificate_name) -* [`puppet_enterprise_mapping_file`](#-rundeck--config--resource_source--puppet_enterprise_mapping_file) -* [`puppet_enterprise_metrics_interval`](#-rundeck--config--resource_source--puppet_enterprise_metrics_interval) -* [`puppet_enterprise_node_query`](#-rundeck--config--resource_source--puppet_enterprise_node_query) -* [`puppet_enterprise_default_node_tag`](#-rundeck--config--resource_source--puppet_enterprise_default_node_tag) -* [`puppet_enterprise_tag_source`](#-rundeck--config--resource_source--puppet_enterprise_tag_source) - -##### `directory` +Ssl port of the rundeck web application. -Data type: `Stdlib::Absolutepath` +Default value: `4443` -When the directory source_type is specified this is the path to that directory. +##### `ssl_certificate` -Default value: `$rundeck::params::default_resource_dir` +Data type: `Stdlib::Absolutepath` -##### `include_server_node` +Full path to the SSL public key to be used by Rundeck. -Data type: `Boolean` +Default value: `'/etc/rundeck/ssl/rundeck.crt'` -Boolean value to decide whether or not to include the server node in your list of avaliable nodes. +##### `ssl_private_key` -Default value: `$rundeck::params::include_server_node` +Data type: `Stdlib::Absolutepath` -##### `mapping_params` +Full path to the SSL private key to be used by Rundeck. -Data type: `String` +Default value: `'/etc/rundeck/ssl/rundeck.key'` -When using the aws-ec2 source_type,this specifies node attributes that will be set -and what their values will be set to using a "selector" on properties of the EC2 Instance object. 
+##### `key_password` -Default value: `''` +Data type: `Optional[String[1]]` -##### `number` +The password used to protect the key in keystore. -Data type: `Integer` +Default value: `undef` -The sequential number of the resource within the project. +##### `keystore` -Default value: `1` +Data type: `Stdlib::Absolutepath` -##### `project_name` +Full path to the java keystore to be used by Rundeck. -Data type: `Optional[String]` +Default value: `'/etc/rundeck/ssl/keystore'` -The name of the project for which this resource in intended to be a part. +##### `keystore_password` -Default value: `undef` +Data type: `String[1]` -##### `resource_format` +The password for the given keystore. -Data type: `Enum['resourcexml', 'resourceyaml']` +Default value: `'adminadmin'` -The format of the resource that will procesed, either resourcexml or resourceyaml. +##### `truststore` -Default value: `$rundeck::params::resource_format` +Data type: `Stdlib::Absolutepath` -##### `running_only` +The full path to the java truststore to be used by Rundeck. -Data type: `Boolean` +Default value: `'/etc/rundeck/ssl/truststore'` -Boolean to retrieve only running AWS EC2 instances. +##### `truststore_password` -Default value: `true` +Data type: `String[1]` -##### `script_args` +The password for the given truststore. -Data type: `String` +Default value: `'adminadmin'` -A string of the full arguments to pass the the specified script. +##### `service_name` -Default value: `''` +Data type: `String[1]` -##### `script_args_quoted` +The name of the rundeck service. -Data type: `Boolean` +Default value: `'rundeckd'` -Boolean value. Quote the arguments of the script. +##### `service_ensure` -Default value: `$rundeck::params::script_args_quoted` +Data type: `Enum['stopped', 'running']` -##### `script_file` +State of the rundeck service. -Data type: `Optional[Stdlib::Absolutepath]` +Default value: `'running'` -When the script source_type is specified this is the path that that script. 
+##### `service_logs_dir` -Default value: `undef` +Data type: `Stdlib::Absolutepath` -##### `script_interpreter` +The path to the directory to store service related logs. -Data type: `String` +Default value: `'/var/log/rundeck'` -The interpreter to use in executing the script. Defaults to: '/bin/bash' +##### `service_notify` -Default value: `$rundeck::params::script_interpreter` +Data type: `Boolean` -##### `source_type` +Wheter to notify and restart the rundeck service if config changes. -Data type: `Rundeck::Sourcetype` +Default value: `true` -The source type where resources will come from: file, directory, url or script. +##### `service_config` -Default value: `$rundeck::params::default_source_type` +Data type: `Optional[String[1]]` -##### `url` +Allows you to use your own override template instead to config rundeckd init script. -Data type: `String` +Default value: `undef` -When the url source_type is specified this is the path to that url. +##### `service_script` -Default value: `''` +Data type: `Optional[String[1]]` -##### `url_cache` +Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. -Data type: `Boolean` +Default value: `undef` -Boolean value. Keep a local cache of the resources pulled from the url. +##### `override_dir` -Default value: `$rundeck::params::url_cache` +Data type: `Stdlib::Absolutepath` -##### `url_timeout` -Data type: `Integer` -An integer value in seconds that rundeck will wait for resources from the url before timing out. +##### `api_token_max_duration` -Default value: `$rundeck::params::url_timeout` +Data type: `String[1]` -##### `use_default_mapping` -Data type: `Boolean` -When using the aws-ec2 source_type,this specifies wheter to use the default mapping or not. +Default value: `'30d'` -Default value: `true` +## Defined types -##### `endpoint_url` +### `rundeck::config::aclpolicyfile` -Data type: `Optional[String]` +This define will create a custom acl policy file. 
-The API AWS endpoint. +#### Examples -Default value: `undef` +##### Admin access. -##### `assume_role_arn` +```puppet +rundeck::config::aclpolicyfile { 'myPolicyFile': + acl_policies => [ + { + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + { + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + ], +} +``` -Data type: `Optional[String[1]]` +#### Parameters -When using the aws-ec2 source_type, this specifies the assume role ARN parameter. +The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: -Default value: `undef` +* [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) +* [`ensure`](#-rundeck--config--aclpolicyfile--ensure) +* [`owner`](#-rundeck--config--aclpolicyfile--owner) +* [`group`](#-rundeck--config--aclpolicyfile--group) +* [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) -##### `filter_tag` +##### `acl_policies` -Data type: `String` +Data type: `Array[Hash]` -String value for using tags. +An array of hashes containing acl policies. See example. -Default value: `''` +##### `ensure` -##### `http_proxy_port` +Data type: `Enum['present', 'absent']` -Data type: `Stdlib::Port` +Set present or absent to add or remove the acl policy file. -An integer value that defines the http proxy port. +Default value: `'present'` -Default value: `$rundeck::params::default_http_proxy_port` +##### `owner` -##### `refresh_interval` +Data type: `String[1]` -Data type: `Integer` +The user that rundeck is installed as. -How often the data will be updated. 
+Default value: `'rundeck'` -Default value: `$rundeck::params::default_refresh_interval` +##### `group` -##### `puppet_enterprise_host` +Data type: `String[1]` -Data type: `Optional[String]` +The group permission that rundeck is installed as. -The Puppet Enterprise host. +Default value: `'rundeck'` -Default value: `undef` +##### `properties_dir` -##### `puppet_enterprise_port` +Data type: `Stdlib::Absolutepath` -Data type: `Optional[Stdlib::Port]` +The rundeck configuration directory. -The Puppet Enterprise port. +Default value: `'/etc/rundeck'` -Default value: `undef` +### `rundeck::config::plugin` -##### `puppet_enterprise_ssl_dir` +This define will install a rundeck plugin. -Data type: `Optional[Stdlib::Absolutepath]` +#### Examples -The Puppet Enterprise ssl directory. +##### Basic usage. -Default value: `undef` +```puppet +rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': + source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', +} +``` -##### `puppet_enterprise_certificate_name` +#### Parameters -Data type: `Optional[String]` +The following parameters are available in the `rundeck::config::plugin` defined type: -The Puppet Enterprise certificate name. +* [`source`](#-rundeck--config--plugin--source) +* [`ensure`](#-rundeck--config--plugin--ensure) +* [`owner`](#-rundeck--config--plugin--owner) +* [`group`](#-rundeck--config--plugin--group) +* [`plugins_dir`](#-rundeck--config--plugin--plugins_dir) +* [`proxy_server`](#-rundeck--config--plugin--proxy_server) -Default value: `undef` +##### `source` -##### `puppet_enterprise_mapping_file` +Data type: `String[1]` -Data type: `Optional[Stdlib::Absolutepath]` +The http source or local path from which to get the plugin. -The Puppet Enterprise mapping file. 
+##### `ensure` -Default value: `undef` +Data type: `Enum['present', 'absent']` -##### `puppet_enterprise_metrics_interval` +Set present or absent to add or remove the plugin. -Data type: `Optional[Integer]` +Default value: `'present'` -The Puppet Enterprise metrics interval. +##### `owner` -Default value: `undef` +Data type: `String[1]` -##### `puppet_enterprise_node_query` +The user that rundeck is installed as. -Data type: `Optional[String]` +Default value: `'rundeck'` -The Puppet Enterprise node query. +##### `group` -Default value: `undef` +Data type: `String[1]` -##### `puppet_enterprise_default_node_tag` +The group permission that rundeck is installed as. -Data type: `Optional[String]` +Default value: `'rundeck'` -The Puppet Enterprise default node tag. +##### `plugins_dir` -Default value: `undef` +Data type: `Stdlib::Absolutepath` -##### `puppet_enterprise_tag_source` +Directory where plugins will be installed. -Data type: `Optional[String]` +Default value: `'/var/lib/rundeck/libext'` -The Puppet Enterprise tag source. +##### `proxy_server` -Default value: `undef` +Data type: `Optional[Stdlib::HTTPUrl]` -### `rundeck::config::securityroles` +Get the plugin trough a proxy server. -Author: Zoltan Lanyi -Date : 03.06.2016 +Default value: `undef` ## Functions 
@@ -1502,15 +776,73 @@ Returns: `Any` ## Data types +### `Rundeck::Auth_config` + +Rundeck authentication config type. + +Alias of + +```puppet +Struct[{ + Optional['file'] => Hash[String, Any], + Optional['ldap'] => Hash[String, Any], + Optional['pam'] => Hash[String, Any], +}] +``` + +### `Rundeck::Db_config` + +Rundeck database config type. + +Alias of + +```puppet +Struct[{ + 'url' => String, + Optional['driverClassName'] => String, + Optional['username'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], + Optional['dialect'] => String, + Optional['properties.validationQuery'] => String, +}] +``` + +### `Rundeck::Key_storage_config` + +Rundeck key storage config type. + +Alias of + +```puppet +Array[Struct[{ + 'type' => String, + 'path' => String, + Optional['config'] => Hash, + }]] +``` + ### `Rundeck::Loglevel` Rundeck log level type. -Alias of `Enum['ALL', 'DEBUG', 'ERROR', 'FATAL', 'INFO', 'OFF', 'TRACE', 'WARN']` +Alias of `Enum['all', 'debug', 'error', 'fatal', 'info', 'off', 'trace', 'warn']` + +### `Rundeck::Mail_config` -### `Rundeck::Sourcetype` +Rundeck mail config type. -Rundeck sourcetype type. +Alias of -Alias of `Enum['file', 'directory', 'url', 'script', 'aws-ec2', 'puppet-enterprise']` +```puppet +Struct[{ + Optional['host'] => String, + Optional['port'] => Integer, + Optional['username'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], + Optional['props'] => Array[Hash], + Optional['default.from'] => String, + Optional['default.to'] => String, + Optional['disabled'] => Boolean, +}] +``` diff --git a/data/Debian.yaml b/data/Debian.yaml new file mode 100644 index 000000000..0f8bcbfad --- /dev/null +++ b/data/Debian.yaml 
@@ -0,0 +1,11 @@
+---
+rundeck::override_dir: /etc/default
+
+rundeck::repo_config:
+ rundeck:
+ location: https://packages.rundeck.com/pagerduty/rundeck/any
+ release: any
+ repos: main
+ key:
+ name: rundeck
+ source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey
diff --git a/data/RedHat.yaml b/data/RedHat.yaml
new file mode 100644
index 000000000..ffc954725
--- /dev/null
+++ b/data/RedHat.yaml
@@ -0,0 +1,10 @@
+---
+rundeck::override_dir: /etc/sysconfig
+
+rundeck::repo_config:
+ rundeck:
+ baseurl: https://packages.rundeck.com/pagerduty/rundeck/rpm_any/rpm_any/$basearch
+ repo_gpgcheck: 1
+ gpgcheck: 0
+ enabled: 1
+ gpgkey: https://packages.rundeck.com/pagerduty/rundeck/gpgkey
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644
index 000000000..89cf4fb83
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1,10 @@
+---
+version: 5
+
+defaults:
+ datadir: 'data'
+ data_hash: 'yaml_data'
+
+hierarchy:
+ - name: 'Rundeck Operating System Family defaults'
+ path: '%{facts.os.family}.yaml'
diff --git a/manifests/config.pp b/manifests/config.pp
index 5d08d042e..f39798dfd 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
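Review bot: `gpgcheck: 0` in data/RedHat.yaml turns off RPM package signature verification for the rundeck repository, and nothing in the file says why. With only `repo_gpgcheck: 1` left, integrity rests on the signed repository metadata and on TLS to packages.rundeck.com, so the trade-off should be recorded next to the setting, e.g. `# packages are not individually signed upstream; repo metadata is verified via repo_gpgcheck` (to be confirmed against the upstream repository before merging). If the upstream packages turn out to be signed, `gpgcheck: 1` is the safer default.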
@@ -1,229 +1,100 @@ # @api private # -# @summary This private class is called from `rundeck` to manage the configuration. +# @summary This class is called from rundeck to manage the configuration. # class rundeck::config { assert_private() - $acl_policies = $rundeck::acl_policies - $acl_template = $rundeck::acl_template - $api_policies = $rundeck::api_policies - $api_template = $rundeck::api_template - $auth_template = $rundeck::auth_template - $auth_types = $rundeck::auth_types - $clustermode_enabled = $rundeck::clustermode_enabled - $database_config = $rundeck::database_config - $execution_mode = $rundeck::execution_mode - $file_default_mode = $rundeck::file_default_mode - $file_keystorage_dir = $rundeck::file_keystorage_dir - $file_keystorage_keys = $rundeck::file_keystorage_keys - $grails_server_url = $rundeck::grails_server_url - $group = $rundeck::group - $gui_config = $rundeck::gui_config - $java_home = $rundeck::java_home - $jvm_args = $rundeck::jvm_args - $kerberos_realms = $rundeck::kerberos_realms - $key_password = $rundeck::key_password - $key_storage_config = $rundeck::key_storage_config - $keystore = $rundeck::keystore - $keystore_password = $rundeck::keystore_password - $log_properties_template = $rundeck::log_properties_template - $mail_config = $rundeck::mail_config - $manage_default_admin_policy = $rundeck::manage_default_admin_policy - $manage_default_api_policy = $rundeck::manage_default_api_policy - $overrides_dir = $rundeck::overrides_dir - $package_ensure = $rundeck::package_ensure - $preauthenticated_config = $rundeck::preauthenticated_config - $projects = $rundeck::projects - $projects_description = $rundeck::projects_description - $projects_organization = $rundeck::projects_organization - $projects_storage_type = $rundeck::projects_storage_type - $quartz_job_threadcount = $rundeck::quartz_job_threadcount - $rd_loglevel = $rundeck::rd_loglevel - $rd_auditlevel = $rundeck::rd_auditlevel - $rdeck_config_template = 
$rundeck::rdeck_config_template - $rdeck_home = $rundeck::rdeck_home - $manage_home = $rundeck::manage_home - $rdeck_profile_template = $rundeck::rdeck_profile_template - $rdeck_override_template = $rundeck::rdeck_override_template - $realm_template = $rundeck::realm_template - $rss_enabled = $rundeck::rss_enabled - $security_config = $rundeck::security_config - $security_role = $rundeck::security_role - $server_web_context = $rundeck::server_web_context - $service_logs_dir = $rundeck::service_logs_dir - $service_name = $rundeck::service_name - $service_restart = $rundeck::service_restart - $session_timeout = $rundeck::session_timeout - $ssl_enabled = $rundeck::ssl_enabled - $ssl_port = $rundeck::ssl_port - $ssl_keyfile = $rundeck::ssl_keyfile - $ssl_certfile = $rundeck::ssl_certfile - $storage_encrypt_config = $rundeck::storage_encrypt_config - $truststore = $rundeck::truststore - $truststore_password = $rundeck::truststore_password - $user = $rundeck::user - $security_roles_array_enabled = $rundeck::security_roles_array_enabled - $security_roles_array = $rundeck::security_roles_array - - File { - owner => $user, - group => $group, - mode => $file_default_mode, + $_framework_defaults = { + 'rdeck.base' => '/var/lib/rundeck', + 'framework.server.hostname' => $facts['networking']['hostname'], + 'framework.server.name' => $facts['networking']['fqdn'], + 'framework.server.port' => '4440', + 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", + 'framework.etc.dir' => '/etc/rundeck', + 'framework.libext.dir' => '/var/lib/rundeck/libext', + 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', + 'framework.ssh.user' => 'rundeck', + 'framework.ssh.timeout' => '0', + 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), } - $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) - $auth_config = deep_merge($rundeck::params::auth_config, $rundeck::auth_config) + $framework_config = 
$_framework_defaults + $rundeck::framework_config - $logs_dir = $framework_config['framework.logs.dir'] - $rdeck_base = $framework_config['rdeck.base'] - $projects_dir = $framework_config['framework.projects.dir'] + $base_dir = $framework_config['rdeck.base'] $properties_dir = $framework_config['framework.etc.dir'] - $plugin_dir = $framework_config['framework.libext.dir'] - File[$rdeck_home] ~> File[$framework_config['framework.ssh.keypath']] - - if $manage_home { - file { $rdeck_home: - ensure => directory, - } - } elsif ! defined_with_params(File[$rdeck_home], { 'ensure' => 'directory' }) { - fail('when rundeck::manage_home = false a file definition for the home directory must be included outside of this module.') + File { + owner => $rundeck::user, + group => $rundeck::group, } - if $rundeck::sshkey_manage { - file { $framework_config['framework.ssh.keypath']: - mode => '0600', + if $rundeck::manage_home { + file { $base_dir: + ensure => directory, + mode => '0755', } } - file { $rundeck::service_logs_dir: - ensure => directory, - } - - ensure_resource(file, $projects_dir, { 'ensure' => 'directory' }) - ensure_resource(file, $plugin_dir, { 'ensure' => 'directory' }) - - # Checking if we need to deploy realm file - # ugly, I know. 
Fix it if you know better way to do that - # - if 'file' in $auth_types or 'ldap_shared' in $auth_types or 'active_directory_shared' in $auth_types { - $_deploy_realm = true - } else { - $_deploy_realm = false - } - - if $_deploy_realm { - file { "${properties_dir}/realm.properties": - content => template($realm_template), - require => File[$properties_dir], + $framework_config.each |$_key, $_value| { + if $_key =~ '.dir' { + file { $_value: + ensure => directory, + mode => '0755', + } } } - if 'file' in $auth_types { - $active_directory_auth_flag = 'sufficient' - $ldap_auth_flag = 'sufficient' - } else { - if 'active_directory' in $auth_types { - $active_directory_auth_flag = 'required' - $ldap_auth_flag = 'sufficient' - } - elsif 'active_directory_shared' in $auth_types { - $active_directory_auth_flag = 'requisite' - $ldap_auth_flag = 'sufficient' - } - elsif 'ldap_shared' in $auth_types { - $ldap_auth_flag = 'requisite' - } - elsif 'ldap' in $auth_types { - $ldap_auth_flag = 'required' - } + file { + $rundeck::service_logs_dir: + ensure => directory, + mode => '0755', + ; + "${properties_dir}/log4j2.properties": + ensure => file, + content => epp($rundeck::log_properties_template), + require => File[$properties_dir, $rundeck::service_logs_dir], + ; } - if 'active_directory' in $auth_types or 'ldap' in $auth_types { - $ldap_login_module = 'JettyCachingLdapLoginModule' - } - elsif 'active_directory_shared' in $auth_types or 'ldap_shared' in $auth_types { - $ldap_login_module = 'JettyCombinedLdapLoginModule' - } - file { "${properties_dir}/jaas-auth.conf": - content => epp($auth_template), - require => File[$properties_dir], - } - - file { "${properties_dir}/log4j.properties": - content => template($log_properties_template), - require => File[$properties_dir], - } - - if $manage_default_admin_policy { + if $rundeck::manage_default_admin_policy { rundeck::config::aclpolicyfile { 'admin': - acl_policies => $acl_policies, - owner => $user, - group => $group, + 
acl_policies => $rundeck::admin_policies, + owner => $rundeck::user, + group => $rundeck::group, properties_dir => $properties_dir, - template_file => $acl_template, } } - if $manage_default_api_policy { + if $rundeck::manage_default_api_policy { rundeck::config::aclpolicyfile { 'apitoken': - acl_policies => $api_policies, - owner => $user, - group => $group, + acl_policies => $rundeck::api_policies, + owner => $rundeck::user, + group => $rundeck::group, properties_dir => $properties_dir, - template_file => $api_template, } } - if ($rdeck_profile_template) { - file { "${properties_dir}/profile": - content => template($rdeck_profile_template), - require => File[$properties_dir], + if $rundeck::override_template { + file { "${rundeck::override_dir}/${rundeck::service_name}": + ensure => file, + content => epp($rundeck::override_template), } } - if ($rdeck_override_template) { - file { "${overrides_dir}/${service_name}": - content => template($rdeck_override_template), - } - } - - contain rundeck::config::global::framework - contain rundeck::config::global::project - contain rundeck::config::global::rundeck_config - contain rundeck::config::global::file_keystore - - Class['rundeck::config::global::framework'] - -> Class['rundeck::config::global::project'] - -> Class['rundeck::config::global::rundeck_config'] - -> Class['rundeck::config::global::file_keystore'] + contain rundeck::config::jaas_auth + contain rundeck::config::framework - if $ssl_enabled { - contain rundeck::config::global::ssl - Class['rundeck::config::global::rundeck_config'] - -> Class['rundeck::config::global::ssl'] + file { "${properties_dir}/project.properties": + ensure => absent, } - create_resources(rundeck::config::project, $projects) - - if versioncmp( $package_ensure, '3.0.0' ) < 0 { - class { 'rundeck::config::global::web': - security_role => $security_role, - session_timeout => $session_timeout, - security_roles_array_enabled => $security_roles_array_enabled, - security_roles_array => 
$security_roles_array, - require => Class['rundeck::install'], - } + file { "${properties_dir}/rundeck-config.properties": + ensure => file, + content => epp($rundeck::config_template), } - if !empty($kerberos_realms) { - file { "${properties_dir}/krb5.conf": - owner => $user, - group => $group, - mode => '0640', - content => template('rundeck/krb5.conf.erb'), - require => File[$properties_dir], - } + if $rundeck::ssl_enabled { + contain rundeck::config::ssl } } diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index ccf15882e..518bf44f2 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp 
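Review bot: The new `file { "${properties_dir}/rundeck-config.properties": ... }` resource sets no `mode` and passes the rendered template as a plain string, while the removed global/rundeck_config.pp wrote its config file with `mode => '0640'`. The `File` defaults in this class now carry only owner and group, so the mode is left to Puppet's default, and if the template renders the `password` entries that `Rundeck::Db_config` and `Rundeck::Mail_config` allow (the template is not part of this hunk), they would be readable beyond the rundeck user and show up in content diffs. I would add `mode => '0640',` and use `content => Sensitive(epp($rundeck::config_template)),`, as jaas_auth.pp in this commit already does. Separately, `$_key =~ '.dir'` is an unanchored pattern whose dot matches any character; `$_key =~ /\.dir$/` limits the directory creation to keys that really end in `.dir`.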
@@ -4,63 +4,56 @@ # rundeck::config::aclpolicyfile { 'myPolicyFile': # acl_policies => [ # { -# 'description' => 'Admin, all access', -# 'context' => { -# 'type' => 'project', -# 'rule' => '.*', +# 'description' => 'Admin, all access', +# 'context' => { 'project' => '.*' }, +# 'for' => { +# 'resource' => [{ 'allow' => '*' }], +# 'adhoc' => [{ 'allow' => '*' }], +# 'job' => [{ 'allow' => '*' }], +# 'node' => [{ 'allow' => '*' }], # }, -# 'resource_types' => [ -# { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'adhoc', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'job', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'node', 'rules' => [{ 'name' => 'allow','rule' => '*' }] } -# ], -# 'by' => { -# 'group' => ['admin'], -# 'username' => undef, -# } +# 'by' => [{ 'group' => ['admin'] }], # }, # { -# 'description' => 'Admin, all access', -# 'context' => { -# 'type' => 'application', -# 'rule' => 'rundeck', +# 'description' => 'Admin, all access', +# 'context' => { 'application' => 'rundeck' }, +# 'for' => { +# 'project' => [{ 'allow' => '*' }], +# 'resource' => [{ 'allow' => '*' }], +# 'storage' => [{ 'allow' => '*' }], # }, -# 'resource_types' => [ -# { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'project', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'storage', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# ], -# 'by' => { -# 'group' => ['admin'], -# 'username' => undef, -# } -# } +# 'by' => [{ 'group' => ['admin'] }], +# }, # ], # } # # @param acl_policies # An array of hashes containing acl policies. See example. -# @param group -# The group permission that rundeck is installed as. +# @param ensure +# Set present or absent to add or remove the acl policy file. # @param owner # The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. 
# @param properties_dir # The rundeck configuration directory. -# @param template_file -# The template used for acl policy. Default is rundeck/aclpolicy.erb # define rundeck::config::aclpolicyfile ( - Array $acl_policies, - String $group = 'rundeck', - String $owner = 'rundeck', + Array[Hash] $acl_policies, + Enum['present', 'absent'] $ensure = 'present', + String[1] $owner = 'rundeck', + String[1] $group = 'rundeck', Stdlib::Absolutepath $properties_dir = '/etc/rundeck', - String $template_file = "${module_name}/aclpolicy.erb", ) { + validate_rd_policy($acl_policies) + + ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' }) + file { "${properties_dir}/${name}.aclpolicy": + ensure => $ensure, owner => $owner, group => $group, - mode => '0640', - content => template($template_file), + mode => '0644', + content => epp('rundeck/aclpolicy.epp', { _acl_policies => $acl_policies }), } } diff --git a/manifests/config/file_keystore.pp b/manifests/config/file_keystore.pp deleted file mode 100644 index 80a656e56..000000000 --- a/manifests/config/file_keystore.pp +++ /dev/null 
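Review bot: The policy file mode goes from `'0640'` to `'0644'` in the `file { "${properties_dir}/${name}.aclpolicy": }` resource, which makes every ACL policy readable by all local users, and the commit gives no reason for it. The policies list which groups and users may do what, so I would keep `mode => '0640',` unless something other than the rundeck user has to read them. The new `ensure_resource('file', $properties_dir, ...)` call also passes `'mode' => '0755'` for a directory that rundeck::config declares itself through its `.dir` loop; whether the two declarations resolve to one resource depends on the parameters matching, which is worth a spec test.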
@@ -1,94 +0,0 @@ -# @summary This define will create the 'content' and 'meta' components for the key to be stored. -# -# Currently supports password-based public keys. -# Private keys are also supported, but not recommended to be privisioned via this mechanism -# without the proper security policies for the private key data in place. -# -# @example Basic usage. -# rundeck::config::file_keystore { 'mypassword': -# path => 'myproject/mypassword', -# value => 'secret', -# content_type => 'application/x-rundeck-data-password', -# data_type => 'password', -# } -# -# @param content_type -# MIME type of the content -# @param data_type -# Data type (password, public-key or private-key) -# @param path -# The path of the named key -# @param value -# The actual value (password) of the named key -# @param auth_created_username -# User who created the key -# @param auth_modified_username -# User who last modified the key -# @param content_creation_time -# When the key was first created -# @param content_mask -# Content mask (default is 'content') -# @param content_modify_time -# When the key was modified -# @param content_size -# Size of the content string in bytes -# @param file_keystorage_dir -# Base directory for file-based key storage (defaulted to /var/lib/rundeck/var/storage) -# @param group -# Default system group for the Rundeck framework -# @param user -# Default system user for the Rundeck framework -# -define rundeck::config::file_keystore ( - Enum[ - 'application/x-rundeck-data-password', - 'application/pgp-keys', - 'application/octet-stream' - ] $content_type, - Enum['password', 'public', 'private'] $data_type, - String $path, - String $value, - String $auth_created_username = $rundeck::framework_config['framework.ssh.user'], - String $auth_modified_username = $rundeck::framework_config['framework.ssh.user'], - String $content_creation_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), - String $content_mask = 'content', - String $content_modify_time = 
chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), - Optional[Integer] $content_size = undef, - Stdlib::Absolutepath $file_keystorage_dir = $rundeck::file_keystorage_dir, - String $group = $rundeck::config::group, - String $user = $rundeck::config::user, -) { - ensure_resource('file', [$file_keystorage_dir], { 'ensure' => 'directory' }) - - if !$content_size { - $content_size_value = size($value) - } else { - $content_size_value = $content_size - } - - $key_fqpath = "${file_keystorage_dir}/content/keys/${path}" - $key_dirtree = dirtree($key_fqpath, $file_keystorage_dir) - $meta_fqpath = "${file_keystorage_dir}/meta/keys/${path}" - $meta_dirtree = dirtree($meta_fqpath, $file_keystorage_dir) - - File { - ensure => present, - mode => '0664', - owner => $user, - group => $group, - } - - ensure_resource('file', [$meta_dirtree, $key_dirtree], { 'ensure' => 'directory' }) - - file { "${key_fqpath}/${name}.${data_type}": - content => $value, - replace => false, - require => File[$key_fqpath], - } - - file { "${meta_fqpath}/${name}.${data_type}": - content => template('rundeck/file_keystorage_meta.erb'), - replace => false, - require => File[$meta_fqpath], - } -} diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp new file mode 100644 index 000000000..87c2b6f4d --- /dev/null +++ b/manifests/config/framework.pp 
@@ -0,0 +1,23 @@ +# @api private +# +# @summary This private class is called from rundeck::config used to manage the framework properties of rundeck. +# +class rundeck::config::framework { + assert_private() + + if $rundeck::ssl_enabled { + $_framework_ssl_config = { + 'framework.server.port' => $rundeck::ssl_port, + 'framework.server.url' => "https://${rundeck::config::framework_config['framework.server.name']}:${rundeck::ssl_port}", + } + } else { + $_framework_ssl_config = {} + } + + $_framework_config = $rundeck::config::framework_config + $_framework_ssl_config + + file { "${rundeck::config::properties_dir}/framework.properties": + ensure => file, + content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), + } +} diff --git a/manifests/config/global/file_keystore.pp b/manifests/config/global/file_keystore.pp deleted file mode 100644 index ab3195a6b..000000000 --- a/manifests/config/global/file_keystore.pp +++ /dev/null @@ -1,14 +0,0 @@ -# @api private -# -# @summary This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. -# -class rundeck::config::global::file_keystore { - assert_private() - - $file_keystorage_dir = $rundeck::file_keystorage_dir - $group = $rundeck::config::group - $keys = $rundeck::config::file_keystorage_keys - $user = $rundeck::config::user - - create_resources(rundeck::config::file_keystore, $keys, { 'user' => $user, 'group' => $group }) -} diff --git a/manifests/config/global/framework.pp b/manifests/config/global/framework.pp deleted file mode 100644 index 26d819718..000000000 --- a/manifests/config/global/framework.pp +++ /dev/null 
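Review bot: `file { "${rundeck::config::properties_dir}/framework.properties": }` declares neither owner, group nor mode, whereas the removed global/framework.pp set all three explicitly with `mode => '0640'`. Owner and group presumably still arrive through the `File { ... }` defaults in rundeck::config, but that relies on dynamic scoping of resource defaults, and the mode is not covered by them at all. Stating them on the resource keeps the file's permissions independent of where the class is first declared: `owner => $rundeck::user,`, `group => $rundeck::group,`, `mode => '0640',`.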
@@ -1,44 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the framework properties of rundeck. -# -class rundeck::config::global::framework { - $group = $rundeck::config::group - $properties_dir = $rundeck::config::properties_dir - $user = $rundeck::config::user - $ssl_enabled = $rundeck::config::ssl_enabled - $ssl_port = $rundeck::config::ssl_port - - $_framework_config = merge($rundeck::params::framework_config, $rundeck::framework_config) - - # Make sure that we use framework.server.hostname when using non-standard - # port, rather than hard-coding to fqdn - $rundeck_hostname = $_framework_config['framework.server.hostname'] - $rundeck_port = $_framework_config['framework.server.port'] - - if $ssl_enabled { - $framework_config_port = { 'framework.server.port' => $ssl_port } - $framework_config_url = { 'framework.server.url' => "https://${rundeck_hostname}:${ssl_port}" } - } elsif $rundeck_hostname != $rundeck::params::framework_config['framework.server.hostname'] { - $framework_config_port = undef - $framework_config_url = { 'framework.server.url' => "http://${rundeck_hostname}:${rundeck_port}" } - } else { - $framework_config_port = undef - $framework_config_url = undef - } - - $properties_file = "${properties_dir}/framework.properties" - - ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group }) - - $framework_config = merge($_framework_config, $framework_config_url, $framework_config_port) - - file { $properties_file: - ensure => file, - content => epp('rundeck/framework.properties.epp'), - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - } -} diff --git a/manifests/config/global/project.pp b/manifests/config/global/project.pp deleted file mode 100644 index 2c8e8a280..000000000 --- a/manifests/config/global/project.pp +++ /dev/null 
@@ -1,71 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the default project properties. -# -class rundeck::config::global::project { - assert_private() - - $group = $rundeck::config::group - $projects_description = $rundeck::config::projects_description - $projects_dir = $rundeck::config::projects_dir - $projects_organization = $rundeck::config::projects_organization - $properties_dir = $rundeck::config::properties_dir - $user = $rundeck::config::user - - $properties_file = "${properties_dir}/project.properties" - - ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group }) - - file { $properties_file: - ensure => file, - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - } - - ini_setting { 'project.dir': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.dir', - value => "${projects_dir}/\${project.name}", - require => File[$properties_file], - } - - ini_setting { 'project.etc.dir': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.etc.dir', - value => "${projects_dir}/\${project.name}/etc", - require => File[$properties_file], - } - - ini_setting { 'project.resources.file': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.resources.file', - value => "${projects_dir}/\${project.name}/etc/resources.xml", - require => File[$properties_file], - } - - ini_setting { 'project.description': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.description', - value => $projects_description, - require => File[$properties_file], - } - - ini_setting { 'project.organization': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.organization', - value => $projects_organization, - require => File[$properties_file], - } -} 
diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp deleted file mode 100644 index 107cf6e03..000000000 --- a/manifests/config/global/rundeck_config.pp +++ /dev/null 
@@ -1,51 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the rundeck-config properties. -# -class rundeck::config::global::rundeck_config { - assert_private() - - $clustermode_enabled = $rundeck::config::clustermode_enabled - $execution_mode = $rundeck::config::execution_mode - $file_keystorage_dir = $rundeck::config::file_keystorage_dir - $grails_server_url = $rundeck::config::grails_server_url - $group = $rundeck::config::group - $gui_config = $rundeck::config::gui_config - $key_storage_config = $rundeck::config::key_storage_config - $mail_config = $rundeck::config::mail_config - $preauthenticated_config = $rundeck::config::preauthenticated_config - $projects_storage_type = $rundeck::config::projects_storage_type - $properties_dir = $rundeck::config::properties_dir - $quartz_job_threadcount = $rundeck::config::quartz_job_threadcount - $rd_loglevel = $rundeck::config::rd_loglevel - $rdeck_base = $rundeck::config::rdeck_base - $rdeck_config_template = $rundeck::config::rdeck_config_template - $rss_enabled = $rundeck::config::rss_enabled - $security_config = $rundeck::config::security_config - $storage_encrypt_config = $rundeck::config::storage_encrypt_config - $user = $rundeck::config::user - - $properties_file = "${properties_dir}/rundeck-config.groovy" - - ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group }) - - $database_config = merge($rundeck::params::database_config, $rundeck::config::database_config) - - file { "${properties_dir}/rundeck-config.properties": - ensure => absent, - } - - $_service_notify = $rundeck::config::service_restart ? { - false => undef, - default => Service[$rundeck::config::service_name] - } - file { $properties_file: - ensure => file, - content => epp($rdeck_config_template), - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - notify => $_service_notify, - } -} 
diff --git a/manifests/config/global/ssl.pp b/manifests/config/global/ssl.pp deleted file mode 100644 index 4b431ee24..000000000 --- a/manifests/config/global/ssl.pp +++ /dev/null 
@@ -1,103 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. -# -class rundeck::config::global::ssl { - assert_private() - - $group = $rundeck::config::group - $key_password = $rundeck::config::key_password - $ssl_keyfile = $rundeck::config::ssl_keyfile - $ssl_certfile = $rundeck::config::ssl_certfile - $keystore = $rundeck::config::keystore - $keystore_password = $rundeck::config::keystore_password - $properties_dir = $rundeck::config::properties_dir - $service_name = $rundeck::service_name - $truststore = $rundeck::config::truststore - $truststore_password = $rundeck::config::truststore_password - $user = $rundeck::config::user - - $properties_file = "${properties_dir}/ssl/ssl.properties" - - ensure_resource('file', $properties_dir, { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group - }) - ensure_resource('file', "${properties_dir}/ssl", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group, - 'require' => File[$properties_dir] - }) - - java_ks { "rundeck:${properties_dir}/ssl/keystore": - ensure => present, - private_key => $ssl_keyfile, - certificate => $ssl_certfile, - password => $keystore_password, - destkeypass => $key_password, - trustcacerts => true, - } - -> java_ks { "rundeck:${properties_dir}/ssl/truststore": - ensure => present, - private_key => $ssl_keyfile, - certificate => $ssl_certfile, - password => $truststore_password, - destkeypass => $key_password, - trustcacerts => true, - } - - file { $properties_file: - ensure => file, - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - } - - ini_setting { 'keystore': - ensure => present, - path => $properties_file, - section => '', - setting => 'keystore', - value => $keystore, - require => File[$properties_file], - } - - ini_setting { 'keystore.password': - ensure => present, - path => $properties_file, - section => '', - setting => 
'keystore.password', - value => $keystore_password, - require => File[$properties_file], - } - - ini_setting { 'key.password': - ensure => present, - path => $properties_file, - section => '', - setting => 'key.password', - value => $key_password, - require => File[$properties_file], - } - - ini_setting { 'truststore': - ensure => present, - path => $properties_file, - section => '', - setting => 'truststore', - value => $truststore, - require => File[$properties_file], - } - - ini_setting { 'truststore.password': - ensure => present, - path => $properties_file, - section => '', - setting => 'truststore.password', - value => $truststore_password, - require => File[$properties_file], - } -} diff --git a/manifests/config/global/web.pp b/manifests/config/global/web.pp deleted file mode 100644 index 328e9e392..000000000 --- a/manifests/config/global/web.pp +++ /dev/null 
@@ -1,54 +0,0 @@ -# @summary This class will manage the application's web.xml. -# -# Currently only manages the required for any user to login and session timout: -# http://rundeck.org/docs/administration/authenticating-users.html#security-role -# http://rundeck.org/docs/administration/configuration-file-reference.html#session-timeout -# -# @param security_role -# Name of role that is required for all users to be allowed access. -# @param session_timeout -# Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. -# @param security_roles_array_enabled -# Boolen value if you want to have more roles in web.xml -# @param security_roles_array -# Array value if you set the value 'security_roles_array_enabled' to true. -# -class rundeck::config::global::web ( - String[1] $security_role = $rundeck::params::security_role, - Integer[0] $session_timeout = $rundeck::params::session_timeout, - Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, - Array $security_roles_array = $rundeck::params::security_roles_array, -) inherits rundeck::params { - if $security_roles_array_enabled { - rundeck::config::securityroles { $security_roles_array: } - } - else { - augeas { 'rundeck/web.xml/security-role/role-name': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/security-role/role-name/#text '${security_role}'"], - } - } - - augeas { 'rundeck/web.xml/session-config/session-timeout': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/session-config/session-timeout/#text '${session_timeout}'"], - } - - if $rundeck::preauthenticated_config['enabled'] { - augeas { 'rundeck/web.xml/security-constraint/auth-constraint': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ['rm web-app/security-constraint/auth-constraint'], - } - } - else { - augeas { 
'rundeck/web.xml/security-constraint/auth-constraint/role-name': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/security-constraint[last()+1]/auth-constraint/role-name/#text '*'"], - onlyif => 'match web-app/security-constraint/auth-constraint/role-name size == 0', - } - } -} diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp new file mode 100644 index 000000000..7185242cd --- /dev/null +++ b/manifests/config/jaas_auth.pp @@ -0,0 +1,37 @@ +# @api private +# +# @summary This private class is called from rundeck::config used to manage jaas authentication for rundeck. +# +class rundeck::config::jaas_auth { + assert_private() + + $_auth_config = $rundeck::auth_config + $_auth_types = $_auth_config.keys + + if 'file' in $_auth_types { + file { "${rundeck::config::properties_dir}/realm.properties": + ensure => file, + content => Sensitive(epp($rundeck::realm_template, { _auth_config => $_auth_config })), + mode => '0400', + } + } else { + file { "${rundeck::config::properties_dir}/realm.properties": + ensure => absent, + } + } + + if 'file' in $_auth_types and 'ldap' in $_auth_types { + $_ldap_login_module = 'JettyCombinedLdapLoginModule' + } else { + $_ldap_login_module = 'JettyCachingLdapLoginModule' + } + + file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": + ensure => file, + content => Sensitive(epp('rundeck/jaas-loginmodule.conf.epp', { + '_auth_config' => $_auth_config, + '_ldap_login_module' => $_ldap_login_module + })), + mode => '0400', + } +} diff --git a/manifests/config/plugin.pp b/manifests/config/plugin.pp index 9b25539cb..9ccccf85e 100644 --- a/manifests/config/plugin.pp +++ b/manifests/config/plugin.pp 
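Review bot: The class writes `jaas-loginmodule.conf` but never removes the `jaas-auth.conf` that the previous rundeck::config wrote to the same directory, so an upgraded node keeps the old file. If that file held LDAP bind credentials (its template is not shown here), they stay on disk with the old permissions after the configuration has moved. Adding `file { "${rundeck::config::properties_dir}/jaas-auth.conf": ensure => absent }` cleans it up, in the same way config.pp now removes `project.properties`; `rundeck-config.groovy` from the removed global/rundeck_config.pp is left behind in the same manner.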
@@ -5,42 +5,43 @@ # source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', # } # -# @param ensure -# Set present or absent to add or remove the plugin # @param source # The http source or local path from which to get the plugin. +# @param ensure +# Set present or absent to add or remove the plugin. +# @param owner +# The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. +# @param plugins_dir +# Directory where plugins will be installed. +# @param proxy_server +# Get the plugin trough a proxy server. # define rundeck::config::plugin ( - String $source, + String[1] $source, Enum['present', 'absent'] $ensure = 'present', + String[1] $owner = 'rundeck', + String[1] $group = 'rundeck', + Stdlib::Absolutepath $plugins_dir = '/var/lib/rundeck/libext', + Optional[Stdlib::HTTPUrl] $proxy_server = undef, ) { - include rundeck - include archive - - $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) - - $user = $rundeck::user - $group = $rundeck::group - $plugin_dir = $framework_config['framework.libext.dir'] + ensure_resource('file', $plugins_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' }) if $ensure == 'present' { archive { "download plugin ${name}": - ensure => present, - source => $source, - path => "${plugin_dir}/${name}", - require => File[$plugin_dir], - before => File["${plugin_dir}/${name}"], - } - - file { "${plugin_dir}/${name}": - mode => '0644', - owner => $user, - group => $group, + ensure => present, + source => $source, + path => "${plugins_dir}/${name}", + proxy_server => $proxy_server, + before => File["${plugins_dir}/${name}"], } } - elsif $ensure == 'absent' { - file { "${plugin_dir}/${name}": - ensure => 'absent', - } + + file { "${plugins_dir}/${name}": + ensure => $ensure, + owner => $owner, + group => $group, + mode => 
'0644', } } diff --git a/manifests/config/project.pp b/manifests/config/project.pp deleted file mode 100644 index c852bbb1e..000000000 --- a/manifests/config/project.pp +++ /dev/null 
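Review bot: The jar fetched by `archive { "download plugin ${name}": }` is placed in the Rundeck plugin directory with no integrity check, and the define's own example uses a plain `http://` source. The new `proxy_server` parameter is passed through to `archive`, but no checksum is, so a corrupted or substituted download would be installed as delivered and presumably loaded by the service. Passing an optional `checksum` and `checksum_type` through to `archive` lets callers pin the artifact while leaving behaviour unchanged when both are unset; each needs a matching `@param` entry. Separately, the `@param proxy_server` text has a typo (`trough`).

```puppet
define rundeck::config::plugin (
  # … unchanged: source, ensure, owner, group, plugins_dir, proxy_server …
  Optional[String[1]] $checksum      = undef,
  Optional[String[1]] $checksum_type = undef,
) {
  # … unchanged: ensure_resource for $plugins_dir …
    archive { "download plugin ${name}":
      # … unchanged: ensure, source, path, proxy_server, before …
      checksum      => $checksum,
      checksum_type => $checksum_type,
    }
```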
@@ -1,167 +0,0 @@ -# @summary This define can be used to configure rundeck projects. -# -# @example Basic usage. -# rundeck::config::project { 'test project': -# ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', -# file_copier_provider => 'jsch-scp', -# node_executor_provider => 'jsch-ssh', -# resource_sources => $resource_hash, -# scm_import_properties => $scm_import_properties_hash, -# } -# -# @param file_copier_provider -# The type of proivder that will be used for copying files to each of the nodes -# @param framework_config -# Rundeck framework config -# @param group -# Rundeck group -# @param user -# Rundeck user -# @param node_executor_provider -# The type of provider that will be used to gather node resources -# @param node_executor_settings -# Node executor settings -# @param projects_dir -# The directory where rundeck is configured to store project information -# @param resource_sources -# A hash of rundeck::config::resource_source that will be used to specify the node resources for this project -# @param scm_import_properties -# A hash of name value pairs representing properties for the scm-import.properties file -# @param scm_export_properties -# A hash of name value pairs representing properties for the scm-export.properties file -# @param ssh_keypath -# The path to the ssh key that will be used by the ssh/scp providers -# -define rundeck::config::project ( - String $file_copier_provider = $rundeck::file_copier_provider, - Hash $framework_config = $rundeck::framework_config, - String $group = $rundeck::group, - String $user = $rundeck::user, - String $node_executor_provider = $rundeck::node_executor_provider, - Hash $node_executor_settings = {}, - Optional[Stdlib::Absolutepath] $projects_dir = undef, - Hash $resource_sources = $rundeck::resource_sources, - Hash $scm_import_properties = {}, - Hash $scm_export_properties = {}, - Optional[Stdlib::Absolutepath] $ssh_keypath = undef, -) { - include rundeck - - $framework_properties = 
deep_merge($rundeck::params::framework_config, $rundeck::framework_config, $framework_config) - - $_ssh_keypath = $ssh_keypath ? { - undef => $framework_properties['framework.ssh.keypath'], - default => $ssh_keypath, - } - - $_projects_dir = $projects_dir ? { - undef => $framework_properties['framework.projects.dir'], - default => $projects_dir, - } - - $project_dir = "${_projects_dir}/${name}" - $properties_file = "${project_dir}/etc/project.properties" - $scm_import_properties_file = "${project_dir}/etc/scm-import.properties" - $scm_export_properties_file = "${project_dir}/etc/scm-export.properties" - - file { $project_dir: - ensure => directory, - owner => $user, - group => $group, - mode => '0775', - } - - file { $properties_file: - ensure => file, - owner => $user, - group => $group, - } - - file { $scm_import_properties_file: - ensure => file, - content => template('rundeck/scm-import.properties.erb'), - owner => $user, - group => $group, - } - - file { $scm_export_properties_file: - ensure => file, - content => template('rundeck/scm-export.properties.erb'), - owner => $user, - group => $group, - require => File["${project_dir}/etc"], - } - - file { "${project_dir}/var": - ensure => directory, - owner => $user, - group => $group, - require => File[$project_dir], - } - - file { "${project_dir}/etc": - ensure => directory, - owner => $user, - group => $group, - require => File[$project_dir], - } - - ini_setting { "${name}::project.name": - ensure => present, - path => $properties_file, - section => '', - setting => 'project.name', - value => $name, - require => File[$properties_file], - } - - ini_setting { "${name}::project.ssh-authentication": - ensure => present, - path => $properties_file, - section => '', - setting => 'project.ssh-authentication', - value => 'privateKey', - require => File[$properties_file], - } - - ini_setting { "${name}::project.ssh-keypath": - ensure => present, - path => $properties_file, - section => '', - setting => 
'project.ssh-keypath', - value => $_ssh_keypath, - require => File[$properties_file], - } - - $resource_source_defaults = { - project_name => $name, - } - - create_resources(rundeck::config::resource_source, $resource_sources, $resource_source_defaults) - - #TODO: there are more settings to be added here for both filecopier and nodeexecutor - ini_setting { "${name}::service.FileCopier.default.provider": - ensure => present, - path => $properties_file, - section => '', - setting => 'service.FileCopier.default.provider', - value => $file_copier_provider, - require => File[$properties_file], - } - - ini_setting { "${name}::service.NodeExecutor.default.provider": - ensure => present, - path => $properties_file, - section => '', - setting => 'service.NodeExecutor.default.provider', - value => $node_executor_provider, - require => File[$properties_file], - } - - $node_executor_settings_defaults = { - path => $properties_file, - require => File[$properties_file], - } - - inifile::create_ini_settings($node_executor_settings, $node_executor_settings_defaults) -} diff --git a/manifests/config/resource_source.pp b/manifests/config/resource_source.pp deleted file mode 100644 index 90f5f4b49..000000000 --- a/manifests/config/resource_source.pp +++ /dev/null 
@@ -1,454 +0,0 @@ -# @summary This define will create a resource source that gathers node information. -# -# @example Basic usage. -# rundeck::config::resource_source { 'myresource': -# project_name => 'myproject', -# number => '1', -# source_type => 'file', -# include_server_node => false, -# resource_format => 'resourceyaml', -# } -# -# @param directory -# When the directory source_type is specified this is the path to that directory. -# @param include_server_node -# Boolean value to decide whether or not to include the server node in your list of avaliable nodes. -# @param mapping_params -# When using the aws-ec2 source_type,this specifies node attributes that will be set -# and what their values will be set to using a "selector" on properties of the EC2 Instance object. -# @param number -# The sequential number of the resource within the project. -# @param project_name -# The name of the project for which this resource in intended to be a part. -# @param resource_format -# The format of the resource that will procesed, either resourcexml or resourceyaml. -# @param running_only -# Boolean to retrieve only running AWS EC2 instances. -# @param script_args -# A string of the full arguments to pass the the specified script. -# @param script_args_quoted -# Boolean value. Quote the arguments of the script. -# @param script_file -# When the script source_type is specified this is the path that that script. -# @param script_interpreter -# The interpreter to use in executing the script. Defaults to: '/bin/bash' -# @param source_type -# The source type where resources will come from: file, directory, url or script. -# @param url -# When the url source_type is specified this is the path to that url. -# @param url_cache -# Boolean value. Keep a local cache of the resources pulled from the url. -# @param url_timeout -# An integer value in seconds that rundeck will wait for resources from the url before timing out. 
-# @param use_default_mapping -# When using the aws-ec2 source_type,this specifies wheter to use the default mapping or not. -# @param endpoint_url -# The API AWS endpoint. -# @param assume_role_arn -# When using the aws-ec2 source_type, this specifies the assume role ARN parameter. -# @param filter_tag -# String value for using tags. -# @param http_proxy_port -# An integer value that defines the http proxy port. -# @param refresh_interval -# How often the data will be updated. -# @param puppet_enterprise_host -# The Puppet Enterprise host. -# @param puppet_enterprise_port -# The Puppet Enterprise port. -# @param puppet_enterprise_ssl_dir -# The Puppet Enterprise ssl directory. -# @param puppet_enterprise_certificate_name -# The Puppet Enterprise certificate name. -# @param puppet_enterprise_mapping_file -# The Puppet Enterprise mapping file. -# @param puppet_enterprise_metrics_interval -# The Puppet Enterprise metrics interval. -# @param puppet_enterprise_node_query -# The Puppet Enterprise node query. -# @param puppet_enterprise_default_node_tag -# The Puppet Enterprise default node tag. -# @param puppet_enterprise_tag_source -# The Puppet Enterprise tag source. 
-# -define rundeck::config::resource_source ( - Stdlib::Absolutepath $directory = $rundeck::params::default_resource_dir, - Boolean $include_server_node = $rundeck::params::include_server_node, - String $mapping_params = '', # lint:ignore:params_empty_string_assignment - Integer $number = 1, - Optional[String] $project_name = undef, - Enum['resourcexml', 'resourceyaml'] $resource_format = $rundeck::params::resource_format, - Boolean $running_only = true, - String $script_args = '', # lint:ignore:params_empty_string_assignment - Boolean $script_args_quoted = $rundeck::params::script_args_quoted, - Optional[Stdlib::Absolutepath] $script_file = undef, - String $script_interpreter = $rundeck::params::script_interpreter, - Rundeck::Sourcetype $source_type = $rundeck::params::default_source_type, - String $url = '', # lint:ignore:params_empty_string_assignment - Boolean $url_cache = $rundeck::params::url_cache, - Integer $url_timeout = $rundeck::params::url_timeout, - Boolean $use_default_mapping = true, - Optional[String] $endpoint_url = undef, - Optional[String[1]] $assume_role_arn = undef, - String $filter_tag = '', # lint:ignore:params_empty_string_assignment - Stdlib::Port $http_proxy_port = $rundeck::params::default_http_proxy_port, - Integer $refresh_interval = $rundeck::params::default_refresh_interval, - Optional[String] $puppet_enterprise_host = undef, - Optional[Stdlib::Port] $puppet_enterprise_port = undef, - Optional[Stdlib::Absolutepath] $puppet_enterprise_ssl_dir = undef, - Optional[String] $puppet_enterprise_certificate_name = undef, - Optional[Stdlib::Absolutepath] $puppet_enterprise_mapping_file = undef, - Optional[Integer] $puppet_enterprise_metrics_interval = undef, - Optional[String] $puppet_enterprise_node_query = undef, - Optional[String] $puppet_enterprise_default_node_tag = undef, - Optional[String] $puppet_enterprise_tag_source = undef, -) { - include rundeck - - $framework_properties = deep_merge($rundeck::params::framework_config, 
$rundeck::framework_config) - - $projects_dir = $framework_properties['framework.projects.dir'] - $user = $rundeck::user - $group = $rundeck::group - - if $project_name == undef { - fail('project_name must be specified') - } - - assert_type(Stdlib::Absolutepath, $projects_dir) - - ensure_resource('file', "${projects_dir}/${project_name}", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group - }) - ensure_resource('file', "${projects_dir}/${project_name}/etc", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group, - 'require' => File["${projects_dir}/${project_name}"] - }) - - $properties_dir = "${projects_dir}/${project_name}/etc" - $properties_file = "${properties_dir}/project.properties" - - ini_setting { "${name}::resources.source.${number}.type": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.type", - value => $source_type, - require => File[$properties_file], - } - - case downcase($source_type) { - 'file': { - case $resource_format { - 'resourcexml': { - $file_extension = 'xml' - } - 'resourceyaml': { - $file_extension = 'yaml' - } - default: { - err("The rundeck resource model resource_format ${resource_format} is not supported") - } - } - - $file = "${properties_dir}/${name}.${file_extension}" - - ini_setting { "${name}::resources.source.${number}.config.requireFileExists": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.requireFileExists", - value => bool2str(true), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.includeServerNode": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.includeServerNode", - value => bool2str($include_server_node), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.generateFileAutomatically": - ensure => 
present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.generateFileAutomatically", - value => bool2str(true), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.format": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.format", - value => $resource_format, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.file": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.file", - value => $file, - require => File[$properties_file], - } - } - 'url': { - ini_setting { "${name}::resources.source.${number}.config.url": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.url", - value => $url, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.timeout": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.timeout", - value => $url_timeout, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.cache": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.cache", - value => bool2str($url_cache), - require => File[$properties_file], - } - } - 'directory': { - file { $directory: - ensure => directory, - owner => $user, - group => $group, - mode => '0740', - } - - ini_setting { "${name}::resources.source.${number}.config.directory": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.directory", - value => $directory, - require => File[$properties_file], - } - } - 'script': { - ini_setting { "${name}::resources.source.${number}.config.file": - ensure => present, - path 
=> $properties_file, - section => '', - setting => "resources.source.${number}.config.file", - value => $script_file, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.args": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.args", - value => $script_args, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.format": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.format", - value => $resource_format, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.interpreter": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.interpreter", - value => $script_interpreter, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.argsQuoted": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.argsQuoted", - value => bool2str($script_args_quoted), - require => File[$properties_file], - } - } - 'aws-ec2': { - ini_setting { "${name}::resources.source.${number}.config.mappingParams": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.mappingParams", - value => $mapping_params, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.useDefaultMapping": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.useDefaultMapping", - value => bool2str($use_default_mapping), - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.runningOnly": - ensure => present, - path => $properties_file, - section => '', - setting => 
"resources.source.${number}.config.runningOnly", - value => bool2str($running_only), - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.endpoint": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.endpoint", - value => $endpoint_url, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.assumeRoleArn": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.assumeRoleArn", - value => $assume_role_arn, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.filter": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.filter", - value => $filter_tag, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.httpProxyPort": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.httpProxyPort", - value => $http_proxy_port, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.refreshInterval": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.refreshInterval", - value => $refresh_interval, - require => File[$properties_file], - } - } - 'puppet-enterprise': { - if ( $puppet_enterprise_mapping_file ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_MAPPING_FILE": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_MAPPING_FILE", - value => $puppet_enterprise_mapping_file, - require => File[$properties_file], - } - } - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_HOST": - ensure => present, - path => $properties_file, - 
section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_HOST", - value => $puppet_enterprise_host, - require => File[$properties_file], - } - if ( $puppet_enterprise_metrics_interval ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_METRICS_INTERVAL": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_METRICS_INTERVAL", - value => $puppet_enterprise_metrics_interval, - require => File[$properties_file], - } - } - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_PORT": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_PORT", - value => $puppet_enterprise_port, - require => File[$properties_file], - } - if ( $puppet_enterprise_ssl_dir ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_SSL_DIR": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_SSL_DIR", - value => $puppet_enterprise_ssl_dir, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_certificate_name ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME", - value => $puppet_enterprise_certificate_name, - require => File[$properties_file], - } - } - if $puppet_enterprise_node_query { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_NODE_QUERY": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_NODE_QUERY", - value => $puppet_enterprise_node_query, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_default_node_tag ) { - ini_setting { 
"${name}::resources.source.${number}.config.PROPERTY_DEFAULT_NODE_TAG": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_DEFAULT_NODE_TAG", - value => $puppet_enterprise_default_node_tag, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_tag_source ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_TAGS_SOURCE": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_TAGS_SOURCE", - value => $puppet_enterprise_tag_source, - require => File[$properties_file], - } - } - } - default: { - err("The rundeck resource model source_type ${source_type} is not supported") - } - } -} diff --git a/manifests/config/securityroles.pp b/manifests/config/securityroles.pp deleted file mode 100644 index 820bc07c0..000000000 --- a/manifests/config/securityroles.pp +++ /dev/null @@ -1,12 +0,0 @@ -# -# Author: Zoltan Lanyi -# Date : 03.06.2016 -# -define rundeck::config::securityroles { - augeas { "rundeck/web.xml/security-role/role-name/${name}": - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - onlyif => "match web-app/security-role/role-name[#text = '${name}'] size == 0", - changes => ["set web-app/security-role/#text[last()] '\t\t'", "set web-app/security-role/role-name[last()+1]/#text '${name}'", "set web-app/security-role/#text[last()+1] '\t'"], - } -} diff --git a/manifests/config/ssl.pp b/manifests/config/ssl.pp new file mode 100644 index 000000000..0d8e55241 --- /dev/null +++ b/manifests/config/ssl.pp 
@@ -0,0 +1,37 @@
+# @api private
+#
+# @summary This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled.
+#
+class rundeck::config::ssl {
+ assert_private()
+
+ file {
+ "${rundeck::config::properties_dir}/ssl":
+ ensure => directory,
+ mode => '0755',
+ ;
+ "${rundeck::config::properties_dir}/ssl/ssl.properties":
+ ensure => file,
+ content => Sensitive(epp('rundeck/ssl.properties.epp')),
+ mode => '0400',
+ ;
+ }
+
+ java_ks {
+ default:
+ ensure => present,
+ certificate => $rundeck::ssl_certificate,
+ private_key => $rundeck::ssl_private_key,
+ destkeypass => $rundeck::key_password,
+ trustcacerts => true,
+ ;
+ 'keystore':
+ password => $rundeck::keystore_password,
+ target => "${rundeck::config::properties_dir}/ssl/keystore",
+ ;
+ 'truststore':
+ password => $rundeck::truststore_password,
+ target => "${rundeck::config::properties_dir}/ssl/truststore",
+ ;
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 456deaadf..8e98f393d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
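Review bot: The `default:` body of the `java_ks` block in `rundeck::config::ssl` applies `private_key` and `destkeypass` to both titles, so the server's private key is imported into the `truststore` file as well as the `keystore`. A truststore normally needs only the certificates to be trusted, and a second copy of the key widens where that material lives. Moving `private_key => $rundeck::ssl_private_key,` and `destkeypass => $rundeck::key_password,` into the `'keystore':` body keeps the key in one file. The hunk also sets no owner or mode for the two store files under the `0755` `ssl` directory, so their permissions depend on what `java_ks` and any inherited defaults produce; that is worth confirming.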
@@ -1,244 +1,242 @@ # @summary Class to manage installation and configuration of Rundeck. # -# @param acl_policies +# @param manage_repo +# Whether to manage the package repository. +# @param repo_config +# A hash of repository attributes for configuring the rundeck package repositories. +# Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml +# @param package_ensure +# Ensure the state of the rundeck package, either present, absent or a specific version. +# @param manage_home +# Whether to manage rundeck home dir. +# @param user +# The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. +# @param manage_user +# Whether to manage `user` (and enforce `user_id` if set). +# @param manage_group +# Whether to manage `group` (and enforce `group_id` if set). +# @param user_id +# If you want to have always the same user id. Eg. because of a NFS share. +# @param group_id +# If you want to have always the same group id. Eg. because of a NFS share. +# @param admin_policies # Admin acl policies. -# @param acl_template -# The template used for admin acl policy. Default is rundeck/aclpolicy.erb. # @param api_policies -# apitoken acl policies. -# @param api_template -# The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb. -# @param auth_config -# Authentication configuration. -# @param auth_template -# The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. -# @param auth_types -# The method used to authenticate to rundeck. Default is file. +# Apitoken acl policies. +# @param manage_default_admin_policy +# Whether to manage the default admin policy. +# @param manage_default_api_policy +# Whether to manage default api policy. +# @param grails_server_url +# Sets `grails.serverURL` so that Rundeck knows its external address. # @param clustermode_enabled -# Boolean value if set to true enables cluster mode +# Wheter to enable cluster mode. 
+# @param execution_mode +# Set the execution mode to 'active' or 'passive'. +# @param java_home +# Set the home directory of java. +# @param jvm_args +# Extra arguments for the JVM. +# @param quartz_job_threadcount +# The maximum number of threads used by Rundeck for concurrent jobs. +# @param auth_config +# Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) # @param database_config # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) -# @param execution_mode -# If set, allows setting the execution mode to 'active' or 'passive'. -# @param file_keystorage_dir -# Path to dir where the keystorage should be located. -# @param file_keystorage_keys -# Add keys to file keystorage. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# @param grails_server_url -# Sets `grails.serverURL` so that Rundeck knows its external address. +# This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/master/manifests/config.pp#L8-L20) # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) -# @param java_home -# Set the home directory of java. -# @param jvm_args -# Extra arguments for the JVM. -# @param kerberos_realms -# A hash of mappings between Kerberos domain DNS names and realm names -# @param key_password -# The default key password. -# @param key_storage_config -# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) -# @param keystore -# Full path to the java keystore to be used by Rundeck. 
-# @param keystore_password -# The password for the given keystore. -# @param log_properties_template -# The template used for log properties. Default is rundeck/log4j.properties.erb. # @param mail_config # A hash of the notification email configuraton. -# @param sshkey_manage -# Should this module manage the sshkey used by rundeck at all. -# @param ssl_keyfile -# Full path to the SSL private key to be used by Rundeck. -# @param ssl_certfile -# Full path to the SSL public key to be used by Rundeck. -# @param manage_default_admin_policy -# Boolean value if set to true enables default admin policy management -# @param manage_default_api_policy -# Boolean value if set to true enables default api policy management -# @param manage_repo -# Whether to manage the package repository. Defaults to true. -# @param package_ensure -# Ensure the state of the rundeck package, either present, absent or a specific version +# @param security_config +# A hash of the rundeck security configuration. # @param preauthenticated_config -# A hash of the rundeck preauthenticated config mode -# @param projects -# The hash of projects in your instance. -# @param projects_description -# The description that will be set by default for any projects. -# @param projects_organization -# The organization value that will be set by default for any projects. -# @param projects_storage_type -# The storage type for any projects. Must be 'filesystem' or 'db' -# @param quartz_job_threadcount -# The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. -# @param rd_loglevel -# The log4j logging level to be set for the Rundeck application. -# @param rd_auditlevel +# A hash of the rundeck preauthenticated configuration. 
+# @param key_storage_config +# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) +# @param key_storage_encrypt_config +# An array with hashes of properties for customizing the [Rundeck Key Storage converter](https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins) +# @param app_log_level # The log4j logging level to be set for the Rundeck application. -# @param rdeck_config_template -# Allows you to override the rundeck-config template. -# @param rdeck_home -# Directory under which the projects directories live. -# @param manage_home -# Whether to manage rundeck home dir. Defaults to true. -# @param rdeck_profile_template -# Allows you to use your own profile template instead of the default from the package maintainer -# @param rdeck_override_template -# Allows you to use your own override template instead of the default from the package maintainer +# @param audit_log_level +# The log4j logging level to be set for the Rundeck autorization. +# @param config_template +# The template used for rundeck-config properties. Needs to be in epp format. +# @param override_template +# The template used for rundeck profile overrides. Needs to be in epp format. # @param realm_template -# Allows you to use your own override template instead of the default from the package maintainer -# @param repo_yum_source -# Baseurl for the yum repo -# @param repo_yum_gpgkey -# URL or path for the GPG key for the rpm -# @param repo_apt_source -# Baseurl for the apt repo -# @param repo_apt_key_id -# Key ID for the GPG key for the Debian package -# @param repo_apt_gpgkey -# Location where the GPG key can be found -# @param repo_apt_keyserver -# Keysever for the GPG key for the Debian package +# The template used for jaas realm properties. Needs to be in epp format. +# @param log_properties_template +# The template used for log properties. 
Needs to be in epp format. # @param rss_enabled # Boolean value if set to true enables RSS feeds that are public (non-authenticated) -# @param security_config -# A hash of the rundeck security configuration. -# @param security_role -# Name of the role that is required for all users to be allowed access. # @param server_web_context # Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context -# @param service_config -# The name of the rundeck service. -# @param service_logs_dir -# The path to the directory to store logs. -# @param service_name -# The name of the rundeck service. -# @param service_restart -# The restart of the rundeck service (default to true) -# @param service_script -# Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. -# @param service_ensure -# State of the rundeck service (defaults to 'running') -# @param session_timeout -# Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. # @param ssl_enabled # Enable ssl for the rundeck web application. # @param ssl_port -# Ssl port of the rundeck web application (default to '4443'). +# Ssl port of the rundeck web application. +# @param ssl_certificate +# Full path to the SSL public key to be used by Rundeck. +# @param ssl_private_key +# Full path to the SSL private key to be used by Rundeck. +# @param key_password +# The password used to protect the key in keystore. +# @param keystore +# Full path to the java keystore to be used by Rundeck. +# @param keystore_password +# The password for the given keystore. # @param truststore # The full path to the java truststore to be used by Rundeck. # @param truststore_password # The password for the given truststore. -# @param user -# The user that rundeck is installed as. -# @param group -# The group permission that rundeck is installed as. 
-# @param manage_user -# Whether to manage `user` (and enforce `user_id` if set). Defaults to false. -# @param manage_group -# Whether to manage `group` (and enforce `group_id` if set). Defaults to false. -# @param user_id -# If you want to have always the same user id. Eg. because of the NFS share. -# @param group_id -# If you want to have always the same group id. Eg. because of the NFS share. -# @param file_default_mode -# Default file mode for managed files. Default to 0640 -# @param security_roles_array_enabled -# Boolean value if you need more roles. false or true (default is false). -# @param security_roles_array -# Array value if you need more roles and you set true the "security_roles_array_enabled" value. -# @param storage_encrypt_config -# Hash containing the necessary values to configure a plugin for key storage encryption. -# https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins +# @param service_name +# The name of the rundeck service. +# @param service_ensure +# State of the rundeck service. +# @param service_logs_dir +# The path to the directory to store service related logs. +# @param service_notify +# Wheter to notify and restart the rundeck service if config changes. +# @param service_config +# Allows you to use your own override template instead to config rundeckd init script. +# @param service_script +# Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. 
# class rundeck ( - Array[Hash] $acl_policies = $rundeck::params::acl_policies, - String $acl_template = $rundeck::params::acl_template, - Array[Hash] $api_policies = $rundeck::params::api_policies, - String $api_template = $rundeck::params::api_template, - Hash $auth_config = $rundeck::params::auth_config, - String $auth_template = $rundeck::params::auth_template, - Array $auth_types = $rundeck::params::auth_types, - Boolean $clustermode_enabled = $rundeck::params::clustermode_enabled, - Hash $database_config = $rundeck::params::database_config, - Optional[Enum['active', 'passive']] $execution_mode = undef, - Stdlib::Absolutepath $file_keystorage_dir = $rundeck::params::file_keystorage_dir, - Hash $file_keystorage_keys = $rundeck::params::file_keystorage_keys, - Hash $framework_config = $rundeck::params::framework_config, - Stdlib::HTTPUrl $grails_server_url = $rundeck::params::grails_server_url, - Hash $gui_config = $rundeck::params::gui_config, - Optional[Stdlib::Absolutepath] $java_home = undef, - String $jvm_args = $rundeck::params::jvm_args, - Hash $kerberos_realms = $rundeck::params::kerberos_realms, - String $key_password = $rundeck::params::key_password, - Array[Hash] $key_storage_config = $rundeck::params::key_storage_config, - Stdlib::Absolutepath $keystore = $rundeck::params::keystore, - String $keystore_password = $rundeck::params::keystore_password, - String $log_properties_template = $rundeck::params::log_properties_template, - Hash $mail_config = $rundeck::params::mail_config, - Boolean $sshkey_manage = $rundeck::params::sshkey_manage, - Stdlib::Absolutepath $ssl_keyfile = $rundeck::params::ssl_keyfile, - Stdlib::Absolutepath $ssl_certfile = $rundeck::params::ssl_certfile, - Boolean $manage_default_admin_policy = $rundeck::params::manage_default_admin_policy, - Boolean $manage_default_api_policy = $rundeck::params::manage_default_api_policy, - Boolean $manage_repo = $rundeck::params::manage_repo, - String $package_ensure = 
$rundeck::params::package_ensure, - Hash $preauthenticated_config = $rundeck::params::preauthenticated_config, - Hash $projects = $rundeck::params::projects, - String $projects_description = $rundeck::params::projects_default_desc, - String $projects_organization = $rundeck::params::projects_default_org, - Enum['db', 'filesystem'] $projects_storage_type = $rundeck::params::projects_storage_type, - Integer $quartz_job_threadcount = $rundeck::params::quartz_job_threadcount, - Rundeck::Loglevel $rd_loglevel = $rundeck::params::loglevel, - Rundeck::Loglevel $rd_auditlevel = $rundeck::params::loglevel, - String $rdeck_config_template = $rundeck::params::rdeck_config_template, - Stdlib::Absolutepath $rdeck_home = $rundeck::params::rdeck_home, - Boolean $manage_home = $rundeck::params::manage_home, - Optional[String] $rdeck_profile_template = undef, - String $rdeck_override_template = 'rundeck/profile_overrides.erb', - String $realm_template = $rundeck::params::realm_template, - Stdlib::HTTPUrl $repo_yum_source = $rundeck::params::repo_yum_source, - String $repo_yum_gpgkey = $rundeck::params::repo_yum_gpgkey, - Stdlib::HTTPUrl $repo_apt_source = $rundeck::params::repo_apt_source, - String $repo_apt_key_id = $rundeck::params::repo_apt_key_id, - Stdlib::Httpsurl $repo_apt_gpgkey = $rundeck::params::repo_apt_gpgkey, - String $repo_apt_keyserver = $rundeck::params::repo_apt_keyserver, - Boolean $rss_enabled = $rundeck::params::rss_enabled, - Hash $security_config = $rundeck::params::security_config, - String $security_role = $rundeck::params::security_role, - Optional[String] $server_web_context = undef, - Optional[String] $service_config = undef, - Stdlib::Absolutepath $service_logs_dir = $rundeck::params::service_logs_dir, - String $service_name = $rundeck::params::service_name, - Boolean $service_restart = true, - Optional[String] $service_script = undef, - Enum['stopped', 'running'] $service_ensure = $rundeck::params::service_ensure, - Integer $session_timeout = 
$rundeck::params::session_timeout, - Boolean $ssl_enabled = $rundeck::params::ssl_enabled, - Stdlib::Port $ssl_port = $rundeck::params::ssl_port, - Stdlib::Absolutepath $truststore = $rundeck::params::truststore, - String $truststore_password = $rundeck::params::truststore_password, - String $user = $rundeck::params::user, - String $group = $rundeck::params::group, - Boolean $manage_user = $rundeck::params::manage_user, - Boolean $manage_group = $rundeck::params::manage_group, - Optional[Integer] $user_id = undef, - Optional[Integer] $group_id = undef, - String $file_default_mode = $rundeck::params::file_default_mode, - Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, - Array $security_roles_array = $rundeck::params::security_roles_array, - Hash[String,String] $storage_encrypt_config = {}, -) inherits rundeck::params { - validate_rd_policy($acl_policies) + Stdlib::Absolutepath $override_dir, + Hash $repo_config, + Boolean $manage_repo = true, + String[1] $package_ensure = 'installed', + Boolean $manage_home = true, + String[1] $user = 'rundeck', + String[1] $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, + Optional[Integer] $user_id = undef, + Optional[Integer] $group_id = undef, + Array[Hash] $admin_policies = [ + { + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + { + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + ], + Array[Hash] $api_policies = [ + { + 'description' => 'API project level access control', + 'context' => { 'project' => '.*' }, + 'for' 
=> { + 'resource' => [ + { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] }, + { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] }, + { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] }, + ], + 'adhoc' => [{ 'allow' => ['read', 'run', 'kill'] }], + 'job' => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }], + 'node' => [{ 'allow' => ['read', 'run'] }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + { + 'description' => 'API Application level access control', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }], + 'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }], + 'storage' => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + ], + Boolean $manage_default_admin_policy = true, + Boolean $manage_default_api_policy = true, + Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", + Boolean $clustermode_enabled = false, + Enum['active', 'passive'] $execution_mode = 'active', + String[1] $api_token_max_duration = '30d', + Optional[Stdlib::Absolutepath] $java_home = undef, + String $jvm_args = '-Xmx1024m -Xms256m -server', + Integer $quartz_job_threadcount = 10, + Rundeck::Auth_config $auth_config = { + 'file' => { + 'auth_flag' => 'required', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [], + }, + }, + }, + Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }, + Hash $framework_config = {}, + Hash $gui_config = {}, + Rundeck::Mail_config $mail_config = {}, + Hash $security_config = {}, + Hash $preauthenticated_config = {}, + Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 
'path' => 'keys' }], + Array[Hash] $key_storage_encrypt_config = [], + Rundeck::Loglevel $app_log_level = 'info', + Rundeck::Loglevel $audit_log_level = 'info', + String[1] $config_template = 'rundeck/rundeck-config.properties.epp', + String[1] $override_template = 'rundeck/profile_overrides.epp', + String[1] $realm_template = 'rundeck/realm.properties.epp', + String[1] $log_properties_template = 'rundeck/log4j2.properties.epp', + Boolean $rss_enabled = false, + Optional[String[1]] $server_web_context = undef, + Boolean $ssl_enabled = false, + Stdlib::Port $ssl_port = 4443, + Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', + Optional[String[1]] $key_password = undef, + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + String[1] $keystore_password = 'adminadmin', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String[1] $truststore_password = 'adminadmin', + String[1] $service_name = 'rundeckd', + Enum['stopped', 'running'] $service_ensure = 'running', + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + Boolean $service_notify = true, + Optional[String[1]] $service_config = undef, + Optional[String[1]] $service_script = undef, +) { + validate_rd_policy($admin_policies) + validate_rd_policy($api_policies) contain rundeck::install contain rundeck::config contain rundeck::service - Class['rundeck::install'] - -> Class['rundeck::config'] - ~> Class['rundeck::service'] + if $service_notify { + Class['rundeck::install'] + -> Class['rundeck::config'] + ~> Class['rundeck::service'] + } else { + Class['rundeck::install'] + -> Class['rundeck::config'] + -> Class['rundeck::service'] + } } diff --git a/manifests/install.pp b/manifests/install.pp index 55ded96ce..5c8ec0075 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -1,49 +1,34 @@ # @api private # -# @summary This private class installs the rundeck package and its dependencies. +# @summary This class is called from rundeck for install. # class rundeck::install { assert_private() - $manage_repo = $rundeck::manage_repo - $package_ensure = $rundeck::package_ensure - $repo_yum_source = $rundeck::repo_yum_source - $repo_yum_gpgkey = $rundeck::repo_yum_gpgkey - $repo_apt_source = $rundeck::repo_apt_source - $repo_apt_key_id = $rundeck::repo_apt_key_id - $repo_apt_keyserver = $rundeck::repo_apt_keyserver - $user = $rundeck::user - $group = $rundeck::group - $manage_user = $rundeck::manage_user - $manage_group = $rundeck::manage_group - $user_id = $rundeck::user_id - $group_id = $rundeck::group_id - - if $manage_group { - group { $group: + if $rundeck::manage_group { + group { $rundeck::group: ensure => present, - gid => $group_id, + gid => $rundeck::group_id, system => true, } - if $group != 'rundeck' { + if $rundeck::group != 'rundeck' { group { 'rundeck': ensure => absent, } } } - if $manage_user { - user { $user: + if $rundeck::manage_user { + user { $rundeck::user: ensure => present, - groups => [$group], - uid => $user_id, - gid => $group_id, + groups => [$rundeck::group], + uid => $rundeck::user_id, + gid => $rundeck::group_id, system => true, - before => File['/var/rundeck'], } - if $user != 'rundeck' { + if $rundeck::user != 'rundeck' { user { 'rundeck': ensure => absent, } 
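Review bot: The new `@summary` line, "This class is called from rundeck for install.", says less than the one it replaces and no longer tells a reader what the class manages. Judging by this hunk and the next, it manages the optional user and group, the package repositories and the `rundeck` package, so `# @summary Manages the rundeck user and group, the package repositories and the rundeck package.` would be more useful. A short comment above the two `ensure => absent` resources should also say that choosing a non-default `user` or `group` removes the account or group named `rundeck`, since that side effect is easy to miss. The `if $rundeck::manage_user` block closes outside the hunk.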
@@ -52,50 +37,34 @@ case $facts['os']['family'] { 'RedHat': { - if $manage_repo { - yumrepo { 'rundeck': - baseurl => $repo_yum_source, - descr => 'rundeck repo', - enabled => '1', - gpgcheck => '0', - gpgkey => $repo_yum_gpgkey, - repo_gpgcheck => '1', - priority => '1', - before => Package['rundeck'], + if $rundeck::manage_repo { + $rundeck::repo_config.each | String $_repo_name, Hash $_attributes| { + yumrepo { $_repo_name: + * => $_attributes, + before => Package['rundeck'], + } } } - - ensure_packages(['rundeck'], { 'ensure' => $package_ensure, notify => Class['rundeck::service'] }) } 'Debian': { - if $manage_repo { - include apt - apt::source { 'rundeck': - location => $repo_apt_source, - release => 'any', - repos => 'main', - key => { - id => $repo_apt_key_id, - source => $rundeck::repo_apt_gpgkey, - server => $repo_apt_keyserver, - }, - before => Package['rundeck'], + if $rundeck::manage_repo { + $rundeck::repo_config.each | String $_repo_name, Hash $_attributes| { + apt::source { $_repo_name: + * => $_attributes, + before => Package['rundeck'], + } } } - ensure_packages(['rundeck'], { 'ensure' => $package_ensure, notify => Class['rundeck::service'], require => Class['apt::update'] }) + + Class['Apt::Update'] -> Package['rundeck'] } default: { err("The osfamily: ${facts['os']['family']} is not supported") } } - # Leave this one here, to avoid notifying service when permissions change - file { '/var/rundeck': - ensure => directory, - owner => $user, - group => $group, - mode => '0640', - recurse => true, - require => Package['rundeck'], + package { 'rundeck': + ensure => $rundeck::package_ensure, + notify => Class['rundeck::service'], } } diff --git a/manifests/params.pp b/manifests/params.pp deleted file mode 100644 index e26a72e65..000000000 --- a/manifests/params.pp +++ /dev/null 
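Review bot: Package signature verification is no longer decided in this manifest: `* => $_attributes` passes every `yumrepo` and `apt::source` attribute straight from `repo_config`, so `gpgcheck`, `repo_gpgcheck`, `gpgkey` and the apt `key` are whatever the data supplies, and nothing here checks that they are set. The default data is not part of this hunk, but the commit message mentions "Disable gpg check for yumrepo", so it is worth confirming that the shipped default still verifies packages or repository metadata. A comment on both loops such as `# repo_config must carry the signing key and verification settings; this class does not enforce them` would make that contract visible. Separately, `package { 'rundeck': ... }` now sits outside the `case`, so on an unsupported OS family the `default` branch only logs through `err()` and the package is still declared; `fail("The osfamily: ${facts['os']['family']} is not supported")` would stop the catalog instead.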
@@ -1,333 +0,0 @@ -# Author:: Liam Bennett (mailto:lbennett@opentable.com) -# Copyright:: Copyright (c) 2013 OpenTable Inc -# License:: MIT - -# == Class rundeck::params -# -# This class is meant to be called from `rundeck` -# It sets variables according to platform -# -class rundeck::params { - $package_name = 'rundeck' - $package_ensure = 'installed' - $service_name = 'rundeckd' - $manage_repo = true - $repo_yum_source = 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch' - $repo_yum_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - $repo_apt_source = 'https://packagecloud.io/pagerduty/rundeck/any' - $repo_apt_key_id = '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0' - $repo_apt_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - $repo_apt_keyserver = 'keyserver.ubuntu.com' - - case $facts['os']['family'] { - 'Debian': { - $overrides_dir = '/etc/default' - } - 'RedHat', 'Amazon': { - $overrides_dir = '/etc/sysconfig' - } - default: { - fail("${facts['os']['name']} not supported") - } - } - - $service_manage = false - $service_ensure = 'running' - - $rdeck_base = '/var/lib/rundeck' - $rdeck_home = '/var/lib/rundeck' - $manage_home = true - $service_logs_dir = '/var/log/rundeck' - - $framework_config = { - 'framework.server.name' => $facts['networking']['fqdn'], - 'framework.server.hostname' => $facts['networking']['fqdn'], - 'framework.server.port' => '4440', - 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", - 'framework.server.username' => 'admin', - 'framework.server.password' => 'admin', - 'rdeck.base' => '/var/lib/rundeck', - 'framework.projects.dir' => '/var/lib/rundeck/projects', - 'framework.etc.dir' => '/etc/rundeck', - 'framework.var.dir' => '/var/lib/rundeck/var', - 'framework.tmp.dir' => '/var/lib/rundeck/var/tmp', - 'framework.logs.dir' => '/var/lib/rundeck/logs', - 'framework.libext.dir' => '/var/lib/rundeck/libext', - 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', - 
'framework.ssh.user' => 'rundeck', - 'framework.ssh.timeout' => '0', - 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), - } - - $auth_types = ['file'] - $auth_users = {} - $auth_template = 'rundeck/jaas-auth.conf.epp' - - $log_properties_template = 'rundeck/log4j.properties.erb' - - $acl_template = 'rundeck/aclpolicy.erb' - $api_template = 'rundeck/aclpolicy.erb' - - $acl_policies = [ - { - 'description' => 'Admin, all access', - 'context' => { - 'project' => '.*', - }, - 'for' => { - 'resource' => [ - { 'allow' => '*' }, - ], - 'adhoc' => [ - { 'allow' => '*' }, - ], - 'job' => [ - { 'allow' => '*' }, - ], - 'node' => [ - { 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['admin'] - }] - }, - { - 'description' => 'Admin, all access', - 'context' => { - 'application' => 'rundeck', - }, - 'for' => { - 'resource' => [ - { 'allow' => '*' }, - ], - 'project' => [ - { 'allow' => '*' }, - ], - 'storage' => [ - { 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['admin'] - }] - } - ] - - $api_policies = [ - { - 'description' => 'API project level access control', - 'context' => { - 'project' => '.*', - }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'job' }, 'allow' => ['create','delete'] }, - { 'equals' => { 'kind' => 'node' }, 'allow' => ['read','create','update','refresh'] }, - { 'equals' => { 'kind' => 'event' }, 'allow' => ['read','create'] } - ], - 'adhoc' => [ - { 'allow' => ['read','run','kill'] } - ], - 'job' => [ - { 'allow' => ['create','read','update','delete','run','kill'] } - ], - 'node' => [ - { 'allow' => ['read','run'] } - ], - }, - 'by' => [{ - 'group' => ['api_token_group'] - }] - }, - { - 'description' => 'API Application level access control', - 'context' => { - 'application' => 'rundeck', - }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] } - ], - 'project' => [ - { 'match' => { 'name' => '.*' }, 'allow' => ['read'] } - ], - 'storage' => [ - { 'match' => { 'path' 
=> '(keys|keys/.*)' }, 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['api_token_group'] - }] - } - ] - - $auth_config = { - 'file' => { - 'admin_user' => $framework_config['framework.server.username'], - 'admin_password' => $framework_config['framework.server.password'], - 'auth_users' => {}, - 'file' => '/etc/rundeck/realm.properties', - }, - 'pam' => { - 'service' => 'sshd', - 'supplemental_roles' => ['user'], - 'store_pass' => true, - 'clear_pass' => undef, - 'try_first_pass' => undef, - 'use_first_pass' => undef, - 'use_unix_groups' => undef, - }, - 'ldap' => { - 'server' => undef, - 'port' => '389', - 'force_binding' => false, - 'force_binding_use_root' => false, - 'bind_dn' => undef, - 'bind_password' => undef, - 'user_base_dn' => undef, - 'user_rdn_attribute' => 'uid', - 'user_id_attribute' => 'uid', - 'user_password_attribute' => 'userPassword', - 'user_object_class' => 'user', - 'role_base_dn' => undef, - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'memberUid', - 'role_object_class' => 'group', - 'role_prefix' => undef, - 'nested_groups' => true, - }, - 'active_directory' => { - 'server' => undef, - 'port' => '389', - 'force_binding' => true, - 'force_binding_use_root' => true, - 'bind_dn' => undef, - 'bind_password' => undef, - 'user_base_dn' => undef, - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => undef, - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'role_prefix' => undef, - 'supplemental_roles' => 'user', - 'nested_groups' => true, - }, - } - - $realm_template = 'rundeck/realm.properties.erb' - - $mail_config = {} - - $security_config = { - 'useHMacRequestTokens' => true, - 'apiCookieAccess' => true, - } - - $projects = {} - $projects_default_org = '' - $projects_default_desc = '' - - $file_copier_provider = 'jsch-scp' - 
$node_executor_provider = 'jsch-ssh' - - $url_cache = true - $url_timeout = 30 - - $resource_format = 'resourcexml' - $include_server_node = false - $default_source_type = 'file' - $default_resource_dir = '/' - $default_http_proxy_port = 80 - $default_refresh_interval = 30 - - $script_args_quoted = true - $script_interpreter = '/bin/bash' - - $manage_user = false - $manage_group = false - - $user = 'rundeck' - $group = 'rundeck' - $file_default_mode = '0640' - - $loglevel = 'INFO' - $rss_enabled = false - - $clustermode_enabled = false - - $grails_server_url = "http://${facts['networking']['fqdn']}:4440" - - $database_config = { - 'type' => 'h2', - 'dbCreate' => 'update', - 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb', - 'driverClassName' => '', - 'username' => '', - 'password' => Sensitive(''), - 'dialect' => '', - 'enable_h2_logs' => 'on', - } - - $kerberos_realms = {} - - $file_keystorage_keys = {} - $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage" - - $keystore = '/etc/rundeck/ssl/keystore' - $key_storage_config = [ - { - 'type' => 'file', - 'path' => '/', - 'config' => { - 'baseDir' => $file_keystorage_dir, - }, - }, - ] - $projects_storage_type = 'filesystem' - $keystore_password = 'adminadmin' - $key_password = 'adminadmin' - $truststore = '/etc/rundeck/ssl/truststore' - $truststore_password = 'adminadmin' - - $resource_sources = {} - $gui_config = {} - - $preauthenticated_config = { - 'enabled' => false, - 'attributeName' => 'REMOTE_USER_GROUPS', - 'delimiter' => ':', - 'userNameHeader' => 'X-Forwarded-Uuid', - 'userRolesHeader' => 'X-Forwarded-Roles', - 'redirectLogout' => false, - 'redirectUrl' => '/oauth2/sign_in', - } - - $quartz_job_threadcount = 10 - - $jvm_args = '-Xmx1024m -Xms256m -server' - - $sshkey_manage = true - - $ssl_enabled = false - $ssl_port = 4443 - - $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key' - $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt' - - $web_xml = "${rdeck_base}/exp/webapp/WEB-INF/web.xml" 
- $security_role = 'user' - $session_timeout = 30 - - $rdeck_config_template = 'rundeck/rundeck-config.epp' - - $manage_default_admin_policy = true - $manage_default_api_policy = true - - $security_roles_array_enabled = false - $security_roles_array = [] -} diff --git a/manifests/service.pp b/manifests/service.pp index 3669987b2..057714bfc 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -1,33 +1,28 @@ # @api private # -# @summary This class is meant to be called from `rundeck` and ensures the service is running. +# @summary This class is called from rundeck to manage service. # class rundeck::service { assert_private() - $service_config = $rundeck::service_config - $service_name = $rundeck::service_name - $service_script = $rundeck::service_script - $service_ensure = $rundeck::service_ensure - - if $service_config { + if $rundeck::service_config { file { '/etc/init/rundeckd.conf': ensure => file, mode => '0644', - content => template($service_config), + content => epp($rundeck::service_config), } } - if $service_script { + if $rundeck::service_script { file { '/etc/init.d/rundeckd': ensure => file, mode => '0755', - content => template($service_script), + content => template($rundeck::service_script), } } - service { $service_name: - ensure => $service_ensure, + service { $rundeck::service_name: + ensure => $rundeck::service_ensure, enable => true, hasstatus => true, hasrestart => true, diff --git a/metadata.json b/metadata.json index 4c174c865..a2ef399e5 100644 --- a/metadata.json +++ b/metadata.json @@ -71,14 +71,6 @@ "name": "puppetlabs/stdlib", "version_requirement": ">= 4.25.0 < 10.0.0" }, - { - "name": "pltraining/dirtree", - "version_requirement": ">= 0.3.0 < 2.0.0" - }, - { - "name": "puppetlabs/inifile", - "version_requirement": ">= 4.1.0 < 7.0.0" - }, { "name": "puppetlabs/java_ks", "version_requirement": ">= 1.3.1 < 6.0.0" diff --git a/spec/acceptance/rundeck_spec.rb b/spec/acceptance/rundeck_spec.rb index a6d2b67fc..f3bc91d52 100644 
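Review bot: In `manifests/service.pp`, `service_config` is now rendered with `epp()` while `service_script` in the next resource still goes through `template()`, so the two override parameters expect different template formats. An ERB template that was passed as `service_config` before this change will no longer be evaluated as ERB. Either render both the same way, `content => epp($rundeck::service_script),`, or state the expected format in each parameter's `@param` text, as the other template parameters do with "Needs to be in epp format." The `service` resource continues past the end of the hunk.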
--- a/spec/acceptance/rundeck_spec.rb +++ b/spec/acceptance/rundeck_spec.rb @@ -31,27 +31,6 @@ class { 'rundeck': end end - context 'simple project' do - it 'applies successfully' do - pp = <<-EOS - class { 'rundeck': - projects => { - 'Wizzle' => {}, - } - } - EOS - - # Run it twice and test for idempotency - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe file('/var/lib/rundeck/projects/Wizzle/etc/project.properties') do - it { is_expected.to be_file } - its(:content) { is_expected.to match %r{service.FileCopier.default.provider = jsch-scp} } - end - end - context 'updrade to latest version' do it 'applies successfully' do pp = <<-EOS diff --git a/spec/classes/config/framework_spec.rb b/spec/classes/config/framework_spec.rb new file mode 100644 index 000000000..4d653f0e5 --- /dev/null +++ b/spec/classes/config/framework_spec.rb 
@@ -0,0 +1,102 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'rundeck' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + context 'without any parameters test rundeck::config::framework' do + let(:params) { {} } + + framework_details = { + 'framework.server.name' => 'foo.example.com', + 'framework.server.hostname' => 'foo', + 'framework.server.port' => '4440', + 'framework.server.url' => 'http://foo.example.com:4440', + 'framework.etc.dir' => '/etc/rundeck', + 'framework.libext.dir' => '/var/lib/rundeck/libext', + 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', + 'framework.ssh.user' => 'rundeck', + 'framework.ssh.timeout' => '0' + } + + it { is_expected.to contain_file('/etc/rundeck/framework.properties') } + + framework_details.each do |key, value| + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include("#{key} = #{value}") + end + end + end + + context 'add plugin configuration for the logstash plugin' do + let(:params) do + { + framework_config: { + 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700' + } + } + end + + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.name = foo.example.com') + expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700') + end + end + + context 'setting framework.server.{name,url}' do + context 'with non-default framework.server.url' do + let(:params) do + { + framework_config: { + 'framework.server.url' => 'http://rundeck.example.com:4440' + } + } + end + + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to 
include('framework.server.url = http://rundeck.example.com:4440') + end + end + + context 'ssl_enabled with non-default SSL port' do + let(:params) do + { + ssl_enabled: true, + ssl_port: 443 + } + end + + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.port = 443') + expect(content).to include('framework.server.url = https://foo.example.com:443') + end + end + + context 'ssl_enabled with non-default framework.server.hostname' do + let(:params) do + { + ssl_enabled: true, + ssl_port: 443, + framework_config: { + 'framework.server.name' => 'rundeck.example.com' + } + } + end + + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.port = 443') + expect(content).to include('framework.server.url = https://rundeck.example.com:443') + end + end + end + end + end +end diff --git a/spec/classes/config/global/aclpolicyfile_spec.rb b/spec/classes/config/global/aclpolicyfile_spec.rb deleted file mode 100644 index a66e0e1b4..000000000 --- a/spec/classes/config/global/aclpolicyfile_spec.rb +++ /dev/null 
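Review bot: Every example generated by `framework_details.each` carries the same description, 'generates valid content for framework.properties', so a failing run does not say which property was wrong; `it "sets #{key} in framework.properties" do` would name it. The last context is titled 'ssl_enabled with non-default framework.server.hostname' but the parameter it overrides is `framework.server.name`, so the title should say `framework.server.name` to match what is tested.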
@@ -1,55 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::global::aclpolicyfile class without any parameters on #{os}" do - let(:params) { {} } - - default_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') - description: 'Admin, all access' - context: - project: '.*' - for: - resource: - - allow: '*' - adhoc: - - allow: '*' - job: - - allow: '*' - node: - - allow: '*' - by: - group: - - 'admin' - - --- - - description: 'Admin, all access' - context: - application: 'rundeck' - for: - resource: - - allow: '*' - project: - - allow: '*' - storage: - - allow: '*' - by: - group: - - 'admin' - CONFIG - - it do - is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with_content(default_acl) - end - end - end - end -end diff --git a/spec/classes/config/global/auth_spec.rb b/spec/classes/config/global/auth_spec.rb deleted file mode 100644 index b463f4e28..000000000 --- a/spec/classes/config/global/auth_spec.rb +++ /dev/null 
@@ -1,367 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - let(:login_module) { 'org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient' } - - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe 'with empty params' do - let(:params) do - {} - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - end - - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(jaas_auth).to include(login_module) - end - end - - describe 'with empty auth users array' do - let(:params) do - { - auth_config: { - 'file' => { - 'auth_users' => [] - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - end - - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(jaas_auth).to include(login_module) - end - end - - describe 'with auth users array' do - let(:params) do - { - auth_config: { - 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to 
include('anotheruser:anotherpassword,user') - end - - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(jaas_auth).to include(login_module) - end - end - - describe 'with multiauth ldap and file auth users array' do - let(:params) do - { - auth_types: %w[ldap file], - auth_config: { - 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - }, - - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true' - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') - end - end - - describe 'with ldap using ldap_sync' do - let(:params) do - { - auth_types: %w[ldap], - auth_config: { - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 
'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true', - 'sync_first_name_attribute' => 'givenName', - 'sync_last_name_attribute' => 'sn', - 'sync_email_attribute' => 'mail' - } - }, - security_config: { - 'syncLdapUser' => true - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('userFirstNameAttribute="givenName"') - expect(content).to include('userLastNameAttribute="sn"') - expect(content).to include('userEmailAttribute="mail"') - end - end - - describe 'with multiauth active_directory and file auth users array' do - let(:params) do - { - auth_types: %w[active_directory file], - auth_config: { - 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - }, - - 'active_directory' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 
'supplemental_roles' => 'user', - 'nested_groups' => 'true' - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') - end - end - - describe 'with active_directory using ldap_sync' do - let(:params) do - { - auth_types: %w[active_directory], - auth_config: { - 'active_directory' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true', - 'sync_first_name_attribute' => 'givenName', - 'sync_last_name_attribute' => 'sn', - 'sync_email_attribute' => 'mail' - } - }, - security_config: { - 'syncLdapUser' => true - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('userFirstNameAttribute="givenName"') - expect(content).to include('userLastNameAttribute="sn"') - expect(content).to include('userEmailAttribute="mail"') - end - end - - describe 'with auth user without roles' do - let(:params) do - { - auth_config: { - 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password' - } - ] - } - } - } - end - - it 'generates valid 
content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password') - end - - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(jaas_auth).to include(login_module) - end - end - - describe 'backward compatibility (no array of users)' do - let(:params) do - { - auth_config: { - 'file' => { - 'auth_users' => { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - } - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - end - - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(jaas_auth).to include(login_module) - end - end - - describe 'ldap with rolePrefix' do - let(:params) do - { - auth_types: %w[ldap], - auth_config: { - 'ldap' => { - 'url' => 'localhost:389', - 'role_prefix' => 'rundeck_' - } - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('rolePrefix="rundeck_"') - end - end - - describe 'active_directory with rolePrefix' do - let(:params) do - { - auth_types: %w[active_directory], - auth_config: { - 'active_directory' => { - 'url' => 'localhost:389', - 'role_prefix' => 'rundeck_' - } - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('rolePrefix="rundeck_"') - end - 
end - end - end -end diff --git a/spec/classes/config/global/file_keystore_spec.rb b/spec/classes/config/global/file_keystore_spec.rb deleted file mode 100644 index e6538d5cf..000000000 --- a/spec/classes/config/global/file_keystore_spec.rb +++ /dev/null 
@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe 'add file-based key storage' do
- let(:params) do
- {
- file_keystorage_dir: '/var/lib/rundeck/var/storage',
- file_keystorage_keys: {
- 'password_key' => {
- 'value' => 'gobbledygook',
- 'path' => 'foo/bar',
- 'data_type' => 'password',
- 'content_type' => 'application/x-rundeck-data-password'
- },
- 'public_key' => {
- 'value' => 'ssh-rsa AAAAB3rhwL1EoAIuI3hw9wZL146zjPZ6FIqgZKvO24fpZENYnNfmHn5AuOGBXYGTjeVPMzwV7o0mt3iRWk8J9Ujqvzp45IHfEAE7SO2frEIbfALdcwcNggSReQa0du4nd user@localhost',
- 'path' => 'foo/bar',
- 'data_type' => 'public',
- 'content_type' => 'application/pgp-keys'
- }
- }
- }
- end
-
- # base key storage directory needs to be there first
- it { is_expected.to contain_file('/var/lib/rundeck/var/storage') }
-
- # content and meta data for passwords
- it { is_expected.to contain_file('/var/lib/rundeck/var/storage/content/keys/foo/bar/password_key.password').with_content(%r{gobbledygook}) }
- it { is_expected.to contain_file('/var/lib/rundeck/var/storage/meta/keys/foo/bar/password_key.password').with_content(%r{application/x-rundeck-data-password}) }
-
- # content and meta data for public keys
- it { is_expected.to contain_file('/var/lib/rundeck/var/storage/content/keys/foo/bar/public_key.public').with_content(%r{ssh-rsa AAAAB3rhwL1EoAIuI3hw9wZL146zjPZ6FIqgZKvO24fpZENYnNfmHn5AuOGBXYGTjeVPMzwV7o0mt3iRWk8J9Ujqvzp45IHfEAE7SO2frEIbfALdcwcNggSReQa0du4nd user@localhost}) }
- it { is_expected.to contain_file('/var/lib/rundeck/var/storage/meta/keys/foo/bar/public_key.public').with_content(%r{application/pgp-keys}) }
- end
- end
- end
-end
diff --git a/spec/classes/config/global/framework_spec.rb b/spec/classes/config/global/framework_spec.rb
deleted file mode 100644
index ab0385c6e..000000000
--- a/spec/classes/config/global/framework_spec.rb
+++ /dev/null
@@ -1,113 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe "rundeck::config::global::framework class without any parameters on #{os}" do
- let(:params) { {} }
-
- framework_details = {
- 'framework.server.name' => 'foo.example.com',
- 'framework.server.hostname' => 'foo.example.com',
- 'framework.server.port' => '4440',
- 'framework.server.url' => 'http://foo.example.com:4440',
- 'framework.server.username' => 'admin',
- 'framework.server.password' => 'admin',
- 'framework.projects.dir' => '/var/lib/rundeck/projects',
- 'framework.etc.dir' => '/etc/rundeck',
- 'framework.var.dir' => '/var/lib/rundeck/var',
- 'framework.tmp.dir' => '/var/lib/rundeck/var/tmp',
- 'framework.logs.dir' => '/var/lib/rundeck/logs',
- 'framework.libext.dir' => '/var/lib/rundeck/libext',
- 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa',
- 'framework.ssh.user' => 'rundeck',
- 'framework.ssh.timeout' => '0'
- }
-
- it { is_expected.to contain_file('/etc/rundeck/framework.properties') }
-
- framework_details.each do |key, value|
- it 'generates valid content for framework.properties' do
- content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content]
- expect(content).to include("#{key} = #{value}")
- end
- end
- end
-
- context 'add plugin configuration' do
- describe 'add plugin configuration for the logstash plugin' do
- let(:params) do
- {
- framework_config: {
- 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700'
- }
- }
- end
-
- it 'generates valid content for framework.properties' do
- content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content]
- expect(content).to include('framework.server.name = foo.example.com')
- expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700')
- end
- end
- end
-
- context 'setting framework.server.{port,url}' do
- describe 'with non-default framework.server.hostname' do
- let(:params) do
- {
- framework_config: {
- 'framework.server.hostname' => 'rundeck.example.com'
- }
- }
- end
-
- it do
- is_expected.to contain_file('/etc/rundeck/framework.properties').with_content(
- %r{framework\.server\.url = http://rundeck\.example\.com:4440}
- )
- end
- end
-
- describe 'ssl_enabled with non-default SSL port' do
- let(:params) do
- {
- ssl_enabled: true,
- ssl_port: 443
- }
- end
-
- it do
- is_expected.to contain_file('/etc/rundeck/framework.properties'). \
- with_content(%r{^framework\.server\.port = 443$}). \
- with_content(%r{framework\.server\.url = https://foo\.example\.com:443})
- end
- end
-
- describe 'ssl_enabled with non-default framework.server.hostname' do
- let(:params) do
- {
- ssl_enabled: true,
- ssl_port: 443,
- framework_config: {
- 'framework.server.hostname' => 'rundeck.example.com'
- }
- }
- end
-
- it do
- is_expected.to contain_file('/etc/rundeck/framework.properties'). \
- with_content(%r{^framework\.server\.port = 443$}). \
- with_content(%r{framework\.server\.url = https://rundeck\.example\.com:443})
- end
- end
- end
- end
- end
-end
diff --git a/spec/classes/config/global/gui_config_spec.rb b/spec/classes/config/global/gui_config_spec.rb
deleted file mode 100644
index 5d1cbbc72..000000000
--- a/spec/classes/config/global/gui_config_spec.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}" do
- let(:facts) { os_facts }
- let(:params) do
- {
- gui_config: {
- 'rundeck.gui.title' => 'Test title',
- 'rundeck.gui.brand.html' => 'App',
- 'rundeck.gui.logo' => 'test-logo.png',
- 'rundeck.gui.login.welcome' => 'Weclome to Rundeck'
- }
- }
- end
-
- # content and meta data for passwords
- it 'generates gui_config content for rundeck-config.groovy' do
- is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').
- with_content(%r{rundeck.gui.title = "Test title"}).
- with_content(%r{rundeck.gui.brand.html = "App"}).
- with_content(%r{rundeck.gui.logo = "test-logo.png"}).
- with_content(%r{rundeck.gui.login.welcome = "Weclome to Rundeck"})
- end
- end
- end
-end
diff --git a/spec/classes/config/global/project_spec.rb b/spec/classes/config/global/project_spec.rb
deleted file mode 100644
index 40a89e91b..000000000
--- a/spec/classes/config/global/project_spec.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe "rundeck::config::global::project class without any parameters on #{os}" do
- let(:params) { {} }
-
- project_details = {
- 'project.dir' => '/var/lib/rundeck/projects/${project.name}',
- 'project.etc.dir' => '/var/lib/rundeck/projects/${project.name}/etc',
- 'project.resources.file' => '/var/lib/rundeck/projects/${project.name}/etc/resources.xml',
- 'project.description' => '',
- 'project.organization' => ''
- }
-
- it { is_expected.to contain_file('/etc/rundeck/project.properties') }
-
- project_details.each do |key, value|
- it do
- is_expected.to contain_ini_setting(key).with(
- 'path' => '/etc/rundeck/project.properties',
- 'setting' => key,
- 'value' => value
- )
- end
- end
- end
- end
- end
-end
diff --git a/spec/classes/config/global/rundeck_config_spec.rb b/spec/classes/config/global/rundeck_config_spec.rb
deleted file mode 100644
index 0571c3ca4..000000000
--- a/spec/classes/config/global/rundeck_config_spec.rb
+++ /dev/null
@@ -1,146 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::global::rundeck_config class with use hmac request tokens parameter on #{os}" do - value = true - security_hash = { - 'useHMacRequestTokens' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.useHMacRequestTokens = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with use api cookie access parameter on #{os}" do - value = true - security_hash = { - 'apiCookieAccess' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.apiCookieAccess\.enabled = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with api tokens duration parameter on #{os}" do - duration = '0' - security_hash = { - 'apiTokensDuration' => duration - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.api\.tokens\.duration\.max = "#{duration}"}) } - end - - describe "rundeck::config::global::rundeck_config class with csrf referrer filter method parameter on #{os}" do - value = 'NONE' - security_hash = { - 'csrfRefererFilterMethod' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.filterMethod = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with csrf referrer require https parameter on #{os}" do - value = true - security_hash = { - 'csrfRefererRequireHttps' => value - } - let(:params) { { security_config: 
security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.requireHttps = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with no security parameters on #{os}" do - bool_value = true - filter_method_parameter = 'NONE' - duration = '0' - security_hash = {} - let(:params) { { security_config: security_hash } } - - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.useHMacRequestTokens = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.apiCookieAccess\.enabled = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.api\.tokens\.duration\.max = "#{duration}"}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.filterMethod = #{filter_method_parameter}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.allowApi = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.requireHttps = #{bool_value}}) } - end - - describe "rundeck::config::global::rundeck_config class without any parameters on #{os}" do - let(:params) { {} } - - default_config = <<-CONFIG.gsub(%r{[^\S\n]{10}}, '') - loglevel.default = "INFO" - rdeck.base = "/var/lib/rundeck" - rss.enabled = "false" - rundeck.log4j.config.file = "/etc/rundeck/log4j.properties" - - rundeck.security.useHMacRequestTokens = true - rundeck.security.apiCookieAccess.enabled = true - - dataSource { - dbCreate = "update" - url = "jdbc:h2:file:/var/lib/rundeck/data/rundeckdb" - } - - grails.serverURL = "http://foo.example.com:4440" - rundeck.clusterMode.enabled = "false" - - 
rundeck.projectsStorageType = "filesystem" - quartz.threadPool.threadCount = "10" - - rundeck.storage.provider."1".type = "file" - rundeck.storage.provider."1".path = "/" - rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage" - - - rundeck.security.authorization.preauthenticated.enabled = "false" - rundeck.security.authorization.preauthenticated.attributeName = "REMOTE_USER_GROUPS" - rundeck.security.authorization.preauthenticated.delimiter = ":" - rundeck.security.authorization.preauthenticated.userNameHeader = "X-Forwarded-Uuid" - rundeck.security.authorization.preauthenticated.userRolesHeader = "X-Forwarded-Roles" - rundeck.security.authorization.preauthenticated.redirectLogout = "false" - rundeck.security.authorization.preauthenticated.redirectUrl = "/oauth2/sign_in" - - CONFIG - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with('content' => default_config) } - end - - describe "rundeck::config::global::rundeck_config class with execution mode parameter 'active' on #{os}" do - let(:params) { { execution_mode: 'active' } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.executionMode = "active"}) } - end - - describe "rundeck::config::global::rundeck_config class with execution mode parameter 'passive' on #{os}" do - let(:params) { { execution_mode: 'passive' } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.executionMode = "passive"}) } - end - - describe "rundeck::config::global::rundeck_config class with key storage encryption on #{os}" do - storage_encrypt_config_hash = { - 'type' => 'thetype', - 'path' => '/storagepath', - 'config.encryptionType' => 'basic', - 'config.password' => 'verysecure' - } - let(:params) { { storage_encrypt_config: storage_encrypt_config_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.type = 
"thetype"}) } - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.path = "/storagepath"}) } - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.config\.encryptionType = "basic"}) } - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.config\.password = "verysecure"}) } - end - end - end -end diff --git a/spec/classes/config/global/scm_spec.rb b/spec/classes/config/global/scm_spec.rb deleted file mode 100644 index 1a98df9b1..000000000 --- a/spec/classes/config/global/scm_spec.rb +++ /dev/null 
@@ -1,76 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe 'add scm properties to project' do
- project_hash = {
- 'project_1' => {
- 'scm_import_properties' => {
- 'scm.import.config.useFilePattern' => 'true',
- 'scm.import.config.strictHostKeyChecking' => 'no',
- 'scm.import.config.filePattern' => 'SBO/*',
- 'scm.import.config.url' => 'git.repo.com/project_1.jobs.git',
- 'scm.import.config.format' => 'yaml',
- 'scm.import.config.dir' => '/var/lib/rundeck/projects/proect_1/scm',
- 'scm.import.config.pathTemplate' => '${job.project}/${job.group}${job.name}-${job.id}.${config.format}',
- 'scm.import.config.sshPrivateKeyPath' => '',
- 'scm.import.config.gitPasswordPath' => '',
- 'scm.import.config.branch' => 'master',
- 'scm.import.enabled' => 'false',
- 'scm.import.roles.0' => 'user',
- 'scm.import.type' => 'git-import',
- 'scm.import.username' => '',
- 'scm.import.roles.count' => '3',
- 'scm.import.trackedItems.count' => '0'
- },
- 'scm_export_properties' => {
- 'scm.export.enabled' => 'false',
- 'scm.export.config.format' => 'yaml',
- 'scm.export.config.dir' => '/var/lib/rundeck/projects/project_1/scm',
- 'scm.export.config.url' => 'git.repo.com/project_1.jobs.git',
- 'scm.export.config.branch' => 'master',
- 'scm.export.config.pathTemplate' => '{job.project}/${job.group}${job.name}-${job.id}.${config.format}',
- 'scm.export.config.strictHostKeyChecking' => 'no',
- 'scm.export.config.gitPasswordPath' => '',
- 'scm.export.config.sshPrivateKeyPath' => 'keys/${project}/users/scm/${user.login}.private',
- 'scm.export.roles.count' => '2',
- 'scm.export.roles.1' => 'user',
- 'scm.export.type' => 'git-export',
- 'scm.export.username' => '${user.username}',
- 'scm.export.config.committerName' => '${user.fullName}',
- 'scm.export.config.committerEmail' => '${user.email}'
- }
- }
- }
- let(:params) do
- {
- projects: project_hash
- }
- end
-
- # content and meta data for passwords
- it { is_expected.to contain_file('/var/lib/rundeck/projects/project_1/etc/scm-import.properties') }
-
- project_hash['project_1']['scm_import_properties'].each do |key, value|
- it 'generates valid content for scm-import.properties' do
- content = catalogue.resource('file', '/var/lib/rundeck/projects/project_1/etc/scm-import.properties')[:content]
- expect(content).to include("#{key} = #{value}")
- end
- end
- project_hash['project_1']['scm_export_properties'].each do |key, value|
- it 'generates valid content for scm-export.properties' do
- content = catalogue.resource('file', '/var/lib/rundeck/projects/project_1/etc/scm-export.properties')[:content]
- expect(content).to include("#{key} = #{value}")
- end
- end
- end
- end
- end
-end
diff --git a/spec/classes/config/global/service_restart_spec.rb b/spec/classes/config/global/service_restart_spec.rb
deleted file mode 100644
index 10164217d..000000000
--- a/spec/classes/config/global/service_restart_spec.rb
+++ /dev/null
@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe 'with empty params' do
- let(:params) do
- {}
- end
-
- it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').that_notifies('Service[rundeckd]') }
- end
-
- describe 'with service_restart false' do
- let(:params) do
- {
- service_restart: false
- }
- end
-
- it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').without_notify }
- end
- end
- end
-end
diff --git a/spec/classes/config/global/ssl_spec.rb b/spec/classes/config/global/ssl_spec.rb
deleted file mode 100644
index 14edcec0c..000000000
--- a/spec/classes/config/global/ssl_spec.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}" do
- let(:params) do
- {
- ssl_enabled: true
- }
- end
- let(:facts) do
- os_facts
- end
-
- ssl_details = {
- 'keystore' => '/etc/rundeck/ssl/keystore',
- 'keystore.password' => 'adminadmin',
- 'key.password' => 'adminadmin',
- 'truststore' => '/etc/rundeck/ssl/truststore',
- 'truststore.password' => 'adminadmin'
- }
-
- it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') }
- it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') }
-
- ssl_details.each do |key, value|
- it do
- is_expected.to contain_ini_setting(key).with(
- 'path' => '/etc/rundeck/ssl/ssl.properties',
- 'setting' => key,
- 'value' => value
- )
- end
- end
- end
- end
-end
diff --git a/spec/classes/config/jaas_auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb
new file mode 100644
index 000000000..6484e7c66
--- /dev/null
+++ b/spec/classes/config/jaas_auth_spec.rb
@@ -0,0 +1,300 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'rundeck' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + context 'with empty auth config test rundeck::config::jaas_auth' do + let(:params) do + { + auth_config: {} + } + end + + it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'absent') } + it { is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with(ensure: 'file') } + + it 'jaas-loginmodule.conf contains no auth classes' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).not_to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule') + expect(jaas_auth).not_to include('org.rundeck.jaas.jetty.JettyPamLoginModule') + end + end + + context 'file auth with empty auth users array' do + let(:params) do + { + auth_config: { + 'file' => { + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [], + }, + }, + } + } + end + + it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'file') } + it { is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with(ensure: 'file') } + + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + end + + it 'contains PropertyFileLoginModule and default auth_flag' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') + 
end + end + + context 'file auth with single auth user without roles' do + let(:params) do + { + auth_config: { + 'file' => { + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password' + } + ] + }, + }, + } + } + end + + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password') + end + + it 'contains PropertyFileLoginModule and be sufficient' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') + end + end + + context 'file auth with single auth user and roles' do + let(:params) do + { + auth_config: { + 'file' => { + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + } + ] + }, + }, + } + } + end + + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password,user,deploy') + end + + it 'contains PropertyFileLoginModule and be sufficient' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') + end + end + + context 'file auth with auth users array and auth_flag' do + let(:params) do + { + auth_config: { + 'file' => { + 'auth_flag' => 
'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, + } + } + end + + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') + end + + it 'contains PropertyFileLoginModule and be sufficient' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') + end + end + + context 'with ldap auth using ldap_sync' do + let(:params) do + { + auth_config: { + 'ldap' => { + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group' + } + } + }, + security_config: { + 'syncLdapUser' => true + } + } + end + + it 'generates valid content for rundeck-config.properties' do + content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] + expect(content).to 
include('rundeck.security.syncLdapUser = true') + end + + it 'generates valid content for jaas-loginmodule.conf' do + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(content).to include(' com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('roleObjectClass="group";') + end + end + + context 'with multiauth ldap and file with auth users array' do + let(:params) do + { + auth_config: { + 'file' => { + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, + 'ldap' => { + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', 
+ 'roleObjectClass' => 'group', + 'nestedGroups' => 'true' + }, + } + } + } + end + + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') + end + + it 'generates valid content for jaas-loginmodule.conf' do + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(content).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') + expect(content).to include('file="/etc/rundeck/realm.properties";') + expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('nestedGroups="true";') + end + end + end + end +end diff --git a/spec/classes/config/ssl_spec.rb b/spec/classes/config/ssl_spec.rb new file mode 100644 index 000000000..4f17ed721 --- /dev/null +++ b/spec/classes/config/ssl_spec.rb 
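Review bot: None of the contexts in this new spec assert owner, group or mode for `/etc/rundeck/realm.properties` or `/etc/rundeck/jaas-loginmodule.conf`, although the content expectations show both files carrying credentials in clear (`admin:admin`, `testuser:password`, `bindPassword="secret"`). I would extend the existing `contain_file(...).with(ensure: 'file')` checks to pin the restrictive permissions the manifest is meant to set, for example `.with(ensure: 'file', owner: 'rundeck', group: 'rundeck', mode: '0640')`, with the values confirmed against the manifest, which is not part of this hunk. That way a later template or default change cannot make these files world-readable unnoticed. Separately, the two examples named 'contains PropertyFileLoginModule and be sufficient' in the single-user contexts actually assert `PropertyFileLoginModule required`; rename them to match what they check.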
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'rundeck' do
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let :facts do
+ facts
+ end
+
+ context 'with ssl_enabled => true' do
+ let(:params) do
+ {
+ ssl_enabled: true
+ }
+ end
+
+ ssl_details = {
+ 'keystore' => '/etc/rundeck/ssl/keystore',
+ 'keystore.password' => 'adminadmin',
+ 'truststore' => '/etc/rundeck/ssl/truststore',
+ 'truststore.password' => 'adminadmin'
+ }
+
+ it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') }
+ it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') }
+
+ it {
+ is_expected.to contain_java_ks('keystore').with(
+ ensure: 'present',
+ certificate: '/etc/rundeck/ssl/rundeck.crt',
+ private_key: '/etc/rundeck/ssl/rundeck.key',
+ trustcacerts: true,
+ password: 'adminadmin',
+ target: '/etc/rundeck/ssl/keystore'
+ )
+ }
+
+ it {
+ is_expected.to contain_java_ks('truststore').with(
+ ensure: 'present',
+ password: 'adminadmin',
+ target: '/etc/rundeck/ssl/truststore'
+ )
+ }
+
+ ssl_details.each do |key, value|
+ it 'generates valid content for ssl.properties' do
+ content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content]
+ expect(content).to include("#{key}=#{value}")
+ end
+ end
+ end
+
+ context 'with ssl_enabled => true and key_password => verysecure' do
+ let(:params) do
+ {
+ ssl_enabled: true,
+ key_password: 'verysecure'
+ }
+ end
+
+ it {
+ is_expected.to contain_java_ks('keystore').with(
+ ensure: 'present',
+ destkeypass: 'verysecure'
+ )
+ }
+
+ it {
+ is_expected.to contain_java_ks('truststore').with(
+ ensure: 'present',
+ destkeypass: 'verysecure'
+ )
+ }
+
+ it 'generates valid content for ssl.properties' do
+ content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content]
+ expect(content).to include('key.password=verysecure')
+ end
+ end
+ end
+ end
+end
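Review bot: `/etc/rundeck/ssl/ssl.properties` is only checked for existence and content, yet the content expectations show it holding the keystore, truststore and key passwords in clear, so the spec should also pin its owner and mode (and those of the keystore files, if the manifest manages them). Something like `is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties').with(owner: 'rundeck', mode: '0640')` would do, with the values taken from the manifest. The first context also fixes `adminadmin` as the password that a bare `ssl_enabled: true` produces; a comment such as `# module default, expected to be overridden in real deployments` would make clear it is a known default rather than a recommended value. In the second context the truststore is expected to receive `destkeypass: 'verysecure'`, which looks unintended for a store that presumably holds no private key; worth confirming.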
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index a613ac5fa..0cabe488b 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -6,80 +6,64 @@ on_supported_os.each do |os, facts| context "on #{os}" do overrides = '/etc/default/rundeckd' - overrides = '/etc/sysconfig/rundeckd' if %w[RedHat Amazon].include? facts[:os]['family'] + overrides = '/etc/sysconfig/rundeckd' if %w[RedHat].include? facts[:os]['family'] let :facts do facts end - describe "rundeck::config class without any parameters on #{os}" do + context 'without any parameters test rundeck::config' do it { is_expected.to contain_file('/var/lib/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/var/lib/rundeck/libext').with('ensure' => 'directory') } - it { is_expected.to contain_class('rundeck::config::global::framework') } - it { is_expected.to contain_class('rundeck::config::global::project') } - it { is_expected.to contain_class('rundeck::config::global::rundeck_config') } - it { is_expected.to contain_file('/etc/rundeck').with('ensure' => 'directory') } + it { is_expected.to contain_file('/var/log/rundeck').with('ensure' => 'directory') } - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('PropertyFileLoginModule') - expect(content).to include('/etc/rundeck/realm.properties') - end - - it { is_expected.to contain_file('/etc/rundeck/realm.properties') } + it { is_expected.to contain_file('/etc/rundeck/log4j2.properties') } - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') + it 'generates valid content for log4j2.propertiess' do + content = catalogue.resource('file', '/etc/rundeck/log4j2.properties')[:content] + expect(content).to include('property.baseDir = /var/log/rundeck') end - it { is_expected.to contain_file('/etc/rundeck/log4j.properties') } - - it 
'generates valid content for log4j.propertiess' do - content = catalogue.resource('file', '/etc/rundeck/log4j.properties')[:content] - expect(content).to include('log4j.appender.server-logger.file=/var/log/rundeck/rundeck.log') - end + it { is_expected.to contain_rundeck__config__aclpolicyfile('admin') } + it { is_expected.to contain_file('/etc/rundeck/admin.aclpolicy') } + it { is_expected.to contain_rundeck__config__aclpolicyfile('apitoken') } + it { is_expected.to contain_file('/etc/rundeck/apitoken.aclpolicy') } - it { is_expected.not_to contain_file('/etc/rundeck/profile') } it { is_expected.to contain_file(overrides) } it 'generates valid content for the profile overrides file' do content = catalogue.resource('file', overrides)[:content] - expect(content).to include('RDECK_BASE=/var/lib/rundeck') - expect(content).to include('RDECK_CONFIG=/etc/rundeck') - expect(content).to include('RDECK_INSTALL=/var/lib/rundeck') - expect(content).to include('JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf') + expect(content).to include('RDECK_BASE="/var/lib/rundeck"') + expect(content).to include('RDECK_CONFIG="/etc/rundeck"') + expect(content).to include('RDECK_CONFIG_FILE="$RDECK_CONFIG/rundeck-config.properties"') + expect(content).to include('RDECK_INSTALL="$RDECK_BASE"') expect(content).to include('LOGIN_MODULE=authentication') expect(content).to include('RDECK_JVM_SETTINGS="-Xmx1024m -Xms256m -server"') + expect(content).to include('RDECK_HTTP_PORT=4440') end - it { is_expected.to contain_rundeck__config__aclpolicyfile('admin') } - it { is_expected.to contain_rundeck__config__aclpolicyfile('apitoken') } - end - - describe 'rundeck::config with rdeck_profile_template set' do - template = 'rundeck/../spec/fixtures/files/profile.template' - let(:params) { { rdeck_profile_template: template } } - - it { is_expected.to contain_file('/etc/rundeck/profile') } - end - - describe 'rundeck::config with rdeck_override_template set' do - template = 
'rundeck/../spec/fixtures/files/override.template' - let(:params) { { rdeck_override_template: template } } - - it { is_expected.to contain_file(overrides) } - - it 'uses the content for the profile overrides template' do - content = catalogue.resource('file', overrides)[:content] - expect(content).to include('test override template') + it { is_expected.to contain_class('rundeck::config::jaas_auth') } + it { is_expected.to contain_class('rundeck::config::framework') } + + it { is_expected.to contain_file('/etc/rundeck/project.properties').with('ensure' => 'absent') } + it { is_expected.to contain_file('/etc/rundeck/rundeck-config.properties').with('ensure' => 'file') } + + it 'generates valid content for rundeck-config.properties' do + content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] + expect(content).to include('loglevel.default = info') + expect(content).to include('rdeck.base = /var/lib/rundeck') + expect(content).to include('rss.enabled = false') + expect(content).to include('rundeck.clusterMode.enabled = false') + expect(content).to include('rundeck.executionMode = active') + expect(content).to include('quartz.threadPool.threadCount = 10') + expect(content).to include('dataSource.url = jdbc:h2:file:/var/lib/rundeck/data/rundeckdb') + expect(content).to include('rundeck.storage.provider.1.type = db') + expect(content).to include('rundeck.storage.provider.1.path = keys') end end - describe 'rundeck::config with jvm_args set' do + context 'with jvm_args set' do jvm_args = '-Dserver.http.port=8008 -Xms2048m -Xmx2048m -server' let(:params) { { jvm_args: jvm_args } } 
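Review bot: The parameterless context no longer pins what authentication a default install ends up with: the removed assertions checked `realm.properties` for the `admin:admin,...` entry, while the new side only checks that `rundeck::config::jaas_auth` is in the catalogue. A shipped default account is exactly what an operator needs to know about, so I would keep one explicit expectation here on the default state of `/etc/rundeck/realm.properties`, e.g. `it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'file') }` if that is what the defaults produce; the defaults themselves are not visible in this hunk. Minor: the example name 'generates valid content for log4j2.propertiess' carries a typo.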
@@ -90,19 +74,6 @@ expect(content).to include("RDECK_JVM_SETTINGS=\"#{jvm_args}\"") end end - - describe 'rundeck::config with manage_home=false with external homedir file resource' do - let(:pre_condition) { 'File{"/var/lib/rundeck": ensure => directory }' } - let(:params) { { manage_home: false } } - - it { is_expected.to contain_file('/var/lib/rundeck').that_comes_before('File[/var/lib/rundeck/.ssh/id_rsa]') } - end - - describe 'rundeck::config with manage_home=false but no external homedir file resource' do - let(:params) { { manage_home: false } } - - it { is_expected.to raise_error(Puppet::PreformattedError, %r{when rundeck::manage_home = false a file definition for the home directory must be included outside of this module.}) } - end end end end diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index bfe0bd42b..698a08a29 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb 
@@ -9,38 +9,30 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::install' do let(:params) { {} } it { is_expected.not_to contain_user('rundeck') } - it do - is_expected.to contain_file('/var/rundeck').with( - ensure: 'directory', - owner: 'rundeck', - group: 'rundeck', - recurse: true - ) - end - case facts[:os]['family'] when 'RedHat' it do is_expected.to contain_yumrepo('rundeck').with( - baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', - gpgcheck: 0, + baseurl: 'https://packages.rundeck.com/pagerduty/rundeck/rpm_any/rpm_any/$basearch', repo_gpgcheck: 1, - gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' + gpgcheck: 0, + enabled: 1, + gpgkey: 'https://packages.rundeck.com/pagerduty/rundeck/gpgkey' ).that_comes_before('Package[rundeck]') end when 'Debian' - it { is_expected.to contain_apt__source('rundeck').with_location('https://packagecloud.io/pagerduty/rundeck/any') } + it { is_expected.to contain_apt__source('rundeck').with_location('https://packages.rundeck.com/pagerduty/rundeck/any') } + it { is_expected.to contain_class('apt::update').that_comes_before('Package[rundeck]') } it { is_expected.to contain_package('rundeck').that_notifies('Class[rundeck::service]') } - it { is_expected.to contain_package('rundeck').that_requires('Class[apt::update]') } end end - describe 'different user and group' do + context 'with different user and group' do let(:params) do { manage_user: true, @@ -59,7 +51,7 @@ it { is_expected.to contain_user('rundeck').with('ensure' => 'absent') } end - describe 'different user and group with ids' do + context 'different user and group with ids' do let(:params) do { manage_user: true, diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb index db7674c0a..983cff476 100644 --- a/spec/classes/rundeck_spec.rb +++ b/spec/classes/rundeck_spec.rb 
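Review bot: The RedHat expectation keeps `gpgcheck: 0`, so the spec pins a repository definition in which individual RPM signatures are not verified and package integrity rests on `repo_gpgcheck: 1` plus HTTPS to the new `packages.rundeck.com` host. If that is forced by how the upstream packages are signed, say so next to the expectation, e.g. `# upstream RPMs are not individually signed; only repo metadata is (repo_gpgcheck)`, worded to match the actual reason. It would also help to add a context that overrides the repo settings and expects `gpgcheck: 1`, so that users who mirror signed packages have a tested path; the parameter that would carry this is not visible in this hunk.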
@@ -9,75 +9,52 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck' do let(:params) { {} } it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('rundeck::params') } it { is_expected.to contain_class('rundeck::install').that_comes_before('Class[rundeck::config]') } it { is_expected.to contain_class('rundeck::config').that_notifies('Class[rundeck::service]') } it { is_expected.to contain_class('rundeck::service') } + it { is_expected.to contain_class('rundeck::config::jaas_auth') } + it { is_expected.to contain_class('rundeck::config::framework') } + it { is_expected.not_to contain_class('rundeck::config::ssl') } end - context 'non-platform-specific config parameters' do - # auth_config cannot be passed as a parameter to rundeck::config :-( - # so we have to test it here - describe 'setting auth_config ldap roleUsernameMemberAttribute' do - let(:params) do - { - auth_types: ['ldap'], - auth_config: { - 'ldap' => { - 'role_username_member_attribute' => 'memberUid' - } - } - } - end + context 'with service_notify => false' do + let(:params) do + { + service_notify: false + } + end - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } + it { is_expected.to contain_class('rundeck::install').that_comes_before('Class[rundeck::config]') } + it { is_expected.to contain_class('rundeck::config').that_comes_before('Class[rundeck::service]') } + it { is_expected.to contain_class('rundeck::service') } + end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('roleUsernameMemberAttribute="memberUid"') - expect(content).not_to include('roleMemberAttribute') - end + context 'with ssl_enabled => true' do + let(:params) do + { + ssl_enabled: true + } end - describe 'setting auth_config ldap url' do - let(:params) do - { - auth_types: ['ldap'], - auth_config: { - 
'ldap' => { - 'url' => 'ldaps://myrealldap.example.com', - 'server' => 'fakeldap', - 'port' => '983' - } - } - } - end - - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('rundeck::config::ssl') } + end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('providerUrl="ldaps://myrealldap.example.com"') - expect(content).not_to include('providerUrl="ldap://fakeldap:983"') - end + context 'override server uuid' do + let :facts do + # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 + override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) end - describe 'uuid setting' do - let :facts do - # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 - override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) - end - - it { is_expected.to contain_file('/etc/rundeck/framework.properties') } + it { is_expected.to contain_file('/etc/rundeck/framework.properties') } - it 'uses fqdn fact for \'rundeck.server.uuid\'' do - content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] - expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') - end + it 'uses fqdn fact for \'rundeck.server.uuid\'' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') end end end diff --git a/spec/classes/service_spec.rb b/spec/classes/service_spec.rb index 37899f0b5..23428d89e 100644 --- a/spec/classes/service_spec.rb +++ b/spec/classes/service_spec.rb @@ -9,7 +9,7 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::service' do let(:params) { {} } it { is_expected.to contain_service('rundeckd') } 
diff --git a/spec/defines/config/aclpolicyfile_spec.rb b/spec/defines/config/aclpolicyfile_spec.rb
index f1a3c4e31..133bb9f71 100644
--- a/spec/defines/config/aclpolicyfile_spec.rb
+++ b/spec/defines/config/aclpolicyfile_spec.rb
@@ -3,81 +3,131 @@ require 'spec_helper' describe 'rundeck::config::aclpolicyfile', type: :define do - test_policies = [ + test_policy = [ { - 'description' => 'Admin, all access', + 'description' => 'Test project access', 'context' => { 'project' => '.*' }, 'for' => { 'resource' => [ - { 'equals' => { 'kind' => 'job' }, 'allow' => ['create'] } - ] + { 'allow' => '*' } + ], + 'adhoc' => [ + { 'allow' => '*' } + ], + 'job' => [ + { 'allow' => '*' } + ], + 'node' => [ + { 'allow' => '*' } + ], }, 'by' => [ - { 'group' => ['admin'] } - ] - }, - { - 'description' => 'Admin, all access', - 'context' => { - 'application' => 'rundeck' - }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'project' }, 'allow' => ['create'] } - ] - }, - 'by' => [ - { 'group' => ['admin'] } - ] + { 'group' => ['test'] } + ], }, { - 'description' => 'System-level read access to a specific project', + 'description' => 'Test application access', 'context' => { 'application' => 'rundeck' }, 'for' => { 'project' => [ - { 'equals' => { 'name' => 'project' }, 'allow' => ['read'] } - ] + { 'allow' => '*' } + ], + 'resource' => [ + { 'allow' => '*' } + ], + 'storage' => [ + { 'allow' => '*' } + ], }, 'by' => [ - { 'group' => ['admin'] } + { 'group' => ['test'] } ] } ] - context 'default parameters' do - let(:title) { 'defaultPolicy' } + test_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') + description: Test project access + context: + project: '.*' + for: + resource: + - allow: '*' + adhoc: + - allow: '*' + job: + - allow: '*' + node: + - allow: '*' + by: + group: + - 'test' + + --- + + description: Test application access + context: + application: 'rundeck' + for: + project: + - allow: '*' + resource: + - allow: '*' + storage: + - allow: '*' + by: + group: + - 'test' + CONFIG + + context 'with test acl and default parameters' do + let(:title) { 'test' } let(:params) do { - acl_policies: test_policies + acl_policies: test_policy, } end - it do - is_expected.to 
contain_file('/etc/rundeck/defaultPolicy.aclpolicy').with('owner' => 'rundeck', - 'group' => 'rundeck', - 'mode' => '0640') - end + it { + is_expected.to contain_file('/etc/rundeck/test.aclpolicy').with( + owner: 'rundeck', + group: 'rundeck', + mode: '0644', + content: test_acl + ) + } end - context 'custom parameters' do - let(:title) { 'myPolicy' } + context 'with test acl and custom parameters' do + let(:title) { 'test' } let(:params) do { - acl_policies: test_policies, + acl_policies: test_policy, properties_dir: '/etc/rundeck-acl', owner: 'myUser', group: 'myGroup' } end - it do - is_expected.to contain_file('/etc/rundeck-acl/myPolicy.aclpolicy').with('owner' => 'myUser', - 'group' => 'myGroup', - 'mode' => '0640') - end + it { + is_expected.to contain_file('/etc/rundeck-acl').with( + ensure: 'directory', + owner: 'myUser', + group: 'myGroup', + mode: '0755' + ) + } + + it { + is_expected.to contain_file('/etc/rundeck-acl/test.aclpolicy').with( + owner: 'myUser', + group: 'myGroup', + mode: '0644', + content: test_acl + ) + } end end diff --git a/spec/defines/config/plugin_spec.rb b/spec/defines/config/plugin_spec.rb index 288d91f89..04705a3cb 100644 --- a/spec/defines/config/plugin_spec.rb +++ b/spec/defines/config/plugin_spec.rb @@ -9,7 +9,7 @@ facts end - describe "rundeck::config::plugin definition without any parameters on #{os}" do + context 'install rundeck hipchat plugin' do name = 'rundeck-hipchat-plugin-1.0.0.jar' source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar' plugin_dir = '/var/lib/rundeck/libext' 
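Review bot: Both contexts now expect the generated `.aclpolicy` file with `mode: '0644'` where the removed expectations had `'0640'`, and the custom `properties_dir` with `mode: '0755'`, so the spec locks in world-readable authorization policy. Policy files are not secrets, but they tell any local account which groups hold which rights; unless something other than the `rundeck` user and group has to read them, I would keep `mode: '0640'` in the manifest and in these expectations. If the loosening is deliberate, a one-line comment above the expectation stating who needs read access would prevent it from being tightened or questioned again later.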
@@ -36,7 +36,7 @@ end end - describe "rundeck::config::plugin definition with ensure set to absent on #{os}" do + context 'make rundeck hipchat plugin absent' do name = 'rundeck-hipchat-plugin-1.0.0.jar' source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar' plugin_dir = '/var/lib/rundeck/libext' diff --git a/spec/defines/config/project_spec.rb b/spec/defines/config/project_spec.rb deleted file mode 100644 index 253262272..000000000 --- a/spec/defines/config/project_spec.rb +++ /dev/null 
@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'rundeck::config::project', type: :define do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- describe "rundeck::config::project definition without any parameters on #{os}" do
- projects_dir = '/var/rundeck/projects'
-
- let(:title) { 'test' }
- let(:params) do
- {
- framework_config: {
- 'framework.projects.dir' => projects_dir,
- 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa'
- },
- file_copier_provider: 'jsch-scp',
- resource_sources: {},
- node_executor_provider: 'jsch-ssh',
- user: 'rundedck',
- group: 'rundeck'
- }
- end
-
- it { is_expected.to contain_file("#{projects_dir}/test/var").with('ensure' => 'directory') }
-
- it { is_expected.to contain_file("#{projects_dir}/test/etc").with('ensure' => 'directory') }
-
- it { is_expected.to contain_file("#{projects_dir}/test/etc/project.properties") }
-
- project_details = {
- 'project.name' => 'test',
- 'project.ssh-authentication' => 'privateKey',
- 'project.ssh-keypath' => '/var/lib/rundeck/.ssh/id_rsa',
- 'service.NodeExecutor.default.provider' => 'jsch-ssh',
- 'service.FileCopier.default.provider' => 'jsch-scp'
- }
-
- project_details.each do |key, value|
- it do
- is_expected.to contain_ini_setting("test::#{key}").with(
- 'path' => '/var/rundeck/projects/test/etc/project.properties',
- 'setting' => key,
- 'value' => value
- )
- end
- end
- end
- end
- end
-end
diff --git a/spec/defines/config/resource_source_spec.rb b/spec/defines/config/resource_source_spec.rb
deleted file mode 100644
index 4c82dd197..000000000
--- a/spec/defines/config/resource_source_spec.rb
+++ /dev/null
@@ -1,219 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck::config::resource_source', type: :define do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - let :pre_condition do - [ - 'include rundeck', - "rundeck::config::project { 'test': }" - ] - end - - describe "rundeck::config::resource_source definition with default parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'file', - 'include_server_node' => false, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - } - end - - file_details = { - 'resources.source.1.config.requireFileExists' => 'true', - 'resources.source.1.config.includeServerNode' => 'false', - 'resources.source.1.config.generateFileAutomatically' => 'true', - 'resources.source.1.config.format' => 'resourcexml', - 'resources.source.1.config.file' => '/var/lib/rundeck/projects/test/etc/source one.xml', - 'resources.source.1.type' => 'file' - } - - file_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - - it do - is_expected.to contain_file('/var/lib/rundeck/projects/test').with( - 'owner' => 'rundeck', - 'group' => 'rundeck' - ) - end - end - - describe "rundeck::config::resource_source definition with url parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'url', - 'url' => 'http\://localhost\:9999', - 'include_server_node' => true, - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/', - 'resource_format' => 'resourcexml', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - } - end - - url_details 
= { - 'resources.source.1.config.url' => 'http\://localhost\:9999', - 'resources.source.1.config.timeout' => '50', - 'resources.source.1.config.cache' => 'true', - 'resources.source.1.type' => 'url' - } - - url_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with directory parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'directory', - 'directory' => '/fubar/resources', - 'include_server_node' => true, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - - } - end - - directory_details = { - 'resources.source.1.config.directory' => '/fubar/resources', - 'resources.source.1.type' => 'directory' - } - - directory_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with script parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'script', - 'script_file' => '/fubar/test.sh', - 'script_args' => 'fubar', - 'include_server_node' => true, - 'resource_format' => 'resourcexml', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash', - 'url_cache' => true, - 'url_timeout' => 30, - 'directory' => '/' - } - end - - script_details = { - 'resources.source.1.config.file' => '/fubar/test.sh', - 'resources.source.1.config.interpreter' => '/bin/bash', - 'resources.source.1.config.format' => 'resourcexml', - 'resources.source.1.config.args' => 'fubar', - 
'resources.source.1.config.argsQuoted' => true, - 'resources.source.1.type' => 'script' - } - - script_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with Puppet Enterprise parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'include_server_node' => false, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/foo/bar/resources', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash', - - 'source_type' => 'puppet-enterprise', - 'puppet_enterprise_host' => 'localhost', - 'puppet_enterprise_port' => 8081, - 'puppet_enterprise_metrics_interval' => 15, - 'puppet_enterprise_mapping_file' => '/var/local/resource-mapping.json', - 'puppet_enterprise_ssl_dir' => '/opt/rundeck/puppetmaster_ssl', - 'puppet_enterprise_certificate_name' => 'localhost.localdomain', - 'puppet_enterprise_node_query' => '["=", ["fact", "osfamily"], "RedHat"]', - 'puppet_enterprise_default_node_tag' => 'default_tag', - 'puppet_enterprise_tag_source' => 'source_tag' - } - end - - puppet_enterprise_details = { - 'resources.source.1.type' => 'puppet-enterprise', - 'resources.source.1.config.PROPERTY_PUPPETDB_HOST' => 'localhost', - 'resources.source.1.config.PROPERTY_PUPPETDB_PORT' => '8081', - 'resources.source.1.config.PROPERTY_METRICS_INTERVAL' => '15', - 'resources.source.1.config.PROPERTY_MAPPING_FILE' => '/var/local/resource-mapping.json', - 'resources.source.1.config.PROPERTY_PUPPETDB_SSL_DIR' => '/opt/rundeck/puppetmaster_ssl', - 'resources.source.1.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME' => 'localhost.localdomain', - 'resources.source.1.config.PROPERTY_NODE_QUERY' => '["=", ["fact", "osfamily"], "RedHat"]', - 
'resources.source.1.config.PROPERTY_DEFAULT_NODE_TAG' => 'default_tag', - 'resources.source.1.config.PROPERTY_TAGS_SOURCE' => 'source_tag' - } - - puppet_enterprise_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - end - end -end diff --git a/spec/defines/config/securityroles_spec.rb b/spec/defines/config/securityroles_spec.rb deleted file mode 100644 index 8f13104b4..000000000 --- a/spec/defines/config/securityroles_spec.rb +++ /dev/null @@ -1,34 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck::config::securityroles', type: :define do - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) do - os_facts.merge( - serialnumber: 0, - rundeck_version: '' - ) - end - - describe 'with array parameters' do - let(:title) { 'source one' } - let(:params) do - { - 'package_ensure' => 'latest', - 'security_roles_array_enabled' => true - } - end - - security_roles_array = %w[devops roots] - - security_roles_array.each do |roles| - it "augeas with param: #{roles}" do - contain_augeas('rundeck/web.xml/security-role/role-name').with_changes(["set web-app/security-role/role-name/#text '#{roles}'"]) - end - end - end - end - end -end diff --git a/spec/fixtures/files/override.template b/spec/fixtures/files/override.template deleted file mode 100644 index d0f8a935b..000000000 --- a/spec/fixtures/files/override.template +++ /dev/null @@ -1 +0,0 @@ -test override template diff --git a/spec/fixtures/files/profile.template b/spec/fixtures/files/profile.template deleted file mode 100644 index 0e90314fb..000000000 --- a/spec/fixtures/files/profile.template +++ /dev/null @@ -1 +0,0 @@ -test template diff --git a/templates/_auth_ad.epp b/templates/_auth_ad.epp deleted file mode 100644 index e66bb68f9..000000000 
--- a/templates/_auth_ad.epp +++ /dev/null 
@@ -1,55 +0,0 @@ -com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::active_directory_auth_flag -%> - debug="true" - contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- if $rundeck::config::auth_config['active_directory']['url'] {-%> - providerUrl="<%= $rundeck::config::auth_config['active_directory']['url'] %>" -<%-} else {-%> - providerUrl="ldap://<%= $rundeck::config::auth_config['active_directory']['server'] %>:<%= $rundeck::config::auth_config['active_directory']['port'] %>" -<%-}-%> - authenticationMethod="simple" - forceBindingLogin="<%= $rundeck::config::auth_config['active_directory']['force_binding'] %>" - <%- if $rundeck::config::auth_config['active_directory']['bind_dn'] { -%> - forceBindingLoginUseRootContextForRoles="<%= $rundeck::config::auth_config['active_directory']['force_binding_use_root'] %>" - bindDn="<%= $rundeck::config::auth_config['active_directory']['bind_dn']%>" - <%- } -%> - <%- if $rundeck::config::auth_config['active_directory']['bind_password'] { -%> - bindPassword="<%= $rundeck::config::auth_config['active_directory']['bind_password']%>" - <%- } -%> - userBaseDn="<%= $rundeck::config::auth_config['active_directory']['user_base_dn'] %>" - userRdnAttribute="<%= $rundeck::config::auth_config['active_directory']['user_rdn_attribute'] %>" - userIdAttribute="<%= $rundeck::config::auth_config['active_directory']['user_id_attribute'] %>" - userPasswordAttribute="<%= $rundeck::config::auth_config['active_directory']['user_password_attribute'] %>" - <%- if $rundeck::config::security_config['syncLdapUser'] == true {-%> - userFirstNameAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_first_name_attribute'] %>" - userLastNameAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_last_name_attribute'] %>" - userEmailAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_email_attribute'] %>" - <%- } -%> - - userObjectClass="<%= 
$rundeck::config::auth_config['active_directory']['user_object_class'] %>" - roleBaseDn="<%= $rundeck::config::auth_config['active_directory']['role_base_dn'] %>" - roleNameAttribute="<%= $rundeck::config::auth_config['active_directory']['role_name_attribute'] %>" - roleMemberAttribute="<%= $rundeck::config::auth_config['active_directory']['role_member_attribute'] %>" - roleObjectClass="<%= $rundeck::config::auth_config['active_directory']['role_object_class'] %>" - <%- if $rundeck::config::auth_config['active_directory']['role_prefix'] { -%> - rolePrefix="<%= $rundeck::config::auth_config['active_directory']['role_prefix'] %>" - <%- } -%> - <%- if $rundeck::config::auth_config['active_directory']['supplemental_roles'] { -%> - supplementalRoles="<%= $rundeck::config::auth_config['active_directory']['supplemental_roles'] %>" - <%- } -%> - cacheDurationMillis="300000" - reportStatistics="true" -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' { -%> - ignoreRoles="true" - storePass="true" - clearPass="true" - useFirstPass="false" - tryFirstPass="false" -<%- } -%> - nestedGroups="<%= $rundeck::config::auth_config['active_directory']['nested_groups'] %>"; - -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' { -%> -org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required - debug="true" - useFirstPass="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; -<%- } -%> diff --git a/templates/_auth_file.epp b/templates/_auth_file.epp deleted file mode 100644 index dfdeaea90..000000000 --- a/templates/_auth_file.epp +++ /dev/null @@ -1,3 +0,0 @@ -org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient - debug="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; diff --git a/templates/_auth_ldap.epp b/templates/_auth_ldap.epp deleted file mode 100644 index 489448fb8..000000000 --- a/templates/_auth_ldap.epp +++ /dev/null 
@@ -1,65 +0,0 @@ -com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::ldap_auth_flag -%> - debug="true" - contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- if $rundeck::config::auth_config['ldap']['url'] {-%> - providerUrl="<%= $rundeck::config::auth_config['ldap']['url'] %>" -<%-} else {-%> - providerUrl="ldap://<%= $rundeck::config::auth_config['ldap']['server'] %>:<%= $rundeck::config::auth_config['ldap']['port'] %>" -<%-}-%> - authenticationMethod="simple" - forceBindingLogin="<%= $rundeck::config::auth_config['ldap']['force_binding'] %>" -<%- if $rundeck::config::auth_config['ldap']['force_binding_use_root'] {-%> - forceBindingLoginUseRootContextForRoles="<%= $rundeck::config::auth_config['ldap']['force_binding_use_root'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['bind_dn'] {-%> - bindDn="<%= $rundeck::config::auth_config['ldap']['bind_dn']%>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['bind_password'] {-%> - bindPassword="<%= $rundeck::config::auth_config['ldap']['bind_password']%>" -<%- } -%> - userBaseDn="<%= $rundeck::config::auth_config['ldap']['user_base_dn'] %>" - userRdnAttribute="<%= $rundeck::config::auth_config['ldap']['user_rdn_attribute'] %>" - userIdAttribute="<%= $rundeck::config::auth_config['ldap']['user_id_attribute'] %>" - userPasswordAttribute="<%= $rundeck::config::auth_config['ldap']['user_password_attribute'] %>" -<%- if $rundeck::config::security_config['syncLdapUser'] == true {-%> - userFirstNameAttribute="<%= $rundeck::config::auth_config['ldap']['sync_first_name_attribute'] %>" - userLastNameAttribute="<%= $rundeck::config::auth_config['ldap']['sync_last_name_attribute'] %>" - userEmailAttribute="<%= $rundeck::config::auth_config['ldap']['sync_email_attribute'] %>" -<%- } -%> - userObjectClass="<%= $rundeck::config::auth_config['ldap']['user_object_class'] %>" -<%- if $rundeck::config::auth_config['ldap']['role_prefix'] {-%> - rolePrefix="<%= 
$rundeck::config::auth_config['ldap']['role_prefix'] %>" -<%- } -%> - roleBaseDn="<%= $rundeck::config::auth_config['ldap']['role_base_dn'] %>" - roleNameAttribute="<%= $rundeck::config::auth_config['ldap']['role_name_attribute'] %>" -<%- if $rundeck::config::auth_config['ldap']['role_username_member_attribute'] {-%> - roleUsernameMemberAttribute="<%= $rundeck::config::auth_config['ldap']['role_username_member_attribute'] %>" -<%-} elsif $rundeck::config::auth_config['ldap']['role_member_attribute'] {-%> - roleMemberAttribute="<%= $rundeck::config::auth_config['ldap']['role_member_attribute'] %>" -<%- } -%> - roleObjectClass="<%= $rundeck::config::auth_config['ldap']['role_object_class'] %>" -<%- if $rundeck::config::auth_config['ldap']['supplemental_roles'] {-%> - supplementalRoles="<%= $rundeck::config::auth_config['ldap']['supplemental_roles'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['cache_duration_millis'] {-%> - cacheDurationMillis="<%= $rundeck::config::auth_config['ldap']['cache_duration_millis'] %>" -<%- } else { -%> - cacheDurationMillis="300000" -<%- }-%> - cacheDurationMillis="<%= cache_duration_ms %>" - reportStatistics="true" -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' {-%> - ignoreRoles="true" - storePass="true" - clearPass="true" - useFirstPass="false" - tryFirstPass="false" -<%- } -%> - nestedGroups="<%= $rundeck::config::auth_config['ldap']['nested_groups'] %>"; - -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' {-%> -org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required - debug="true" - useFirstPass="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; -<%- } -%> diff --git a/templates/_auth_pam.epp b/templates/_auth_pam.epp deleted file mode 100644 index cfa9e0eb9..000000000 --- a/templates/_auth_pam.epp +++ /dev/null 
@@ -1,17 +0,0 @@ -org.rundeck.jaas.jetty.JettyPamLoginModule requisite - debug="true" - service="<%= $rundeck::config::auth_config['pam']['service'] %>" - supplementalRoles="<%= $rundeck::config::auth_config['pam']['supplemental_roles'].join(',') %>" -<%- if $rundeck::config::auth_config['pam']['clear_pass'] { -%> - clearPass="<%= $rundeck::config::auth_config['pam']['clear_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['try_first_pass'] { -%> - tryFirstPass="<%= $rundeck::config::auth_config['pam']['try_first_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['use_first_pass'] { -%> - useFirstPass="<%= $rundeck::config::auth_config['pam']['use_first_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['use_unix_groups'] { -%> - useUnixGroups="<%= $rundeck::config::auth_config['pam']['use_unix_groups'] %>" -<%- } -%> - storePass="<%= $rundeck::config::auth_config['pam']['store_pass'] %>"; diff --git a/templates/aclpolicy.epp b/templates/aclpolicy.epp new file mode 100644 index 000000000..22e6432a7 --- /dev/null +++ b/templates/aclpolicy.epp 
@@ -0,0 +1,46 @@ +<%- $_acl_policies.each |$_index, $_policy| { -%> +description: <%= $_policy['description'] %> +context: + <%= $_policy['context'].keys[0] %>: '<%= $_policy['context'].values[0] %>' +for: +<%- $_policy['for'].each |$_resource, $_kind| { -%> + <%= $_resource %>: + <%- $_kind.each |$_rules| { -%> + <%- $_rules.each |$_type, $_action| { -%> + <%- if keys($_rules)[0] == $_type { -%> + <%- $_first_key = '- ' -%> + <% } else { -%> + <%- $_first_key = ' ' -%> + <% } -%> + <%- if $_type in ['allow', 'deny'] { -%> + <%= $_first_key %><%= $_type %>: <% if $_action =~ String { -%>'<%= $_action %>'<% } else { -%><%= $_action %><%- } %> + <%- } elsif $_type in ['match', 'equals', 'contains', 'subset'] { -%> + <%= $_first_key %><%= $_type %>: + <%- $_action.each |$_k, $_v| { -%> + <%= $_k %>: <% if $_v =~ String { -%>'<%= $_v %>'<% } else { -%><%= $_v %><%- } %> + <%- } -%> + <%- } -%> + <%- } -%> + <%- } -%> +<%- } -%> +by: +<%- $_policy['by'].each |$_by| { -%> +<%- if $_by['group'] { -%> + group: + <%- $_by['group'].each |$_group| { -%> + - '<%= $_group %>' + <%- } -%> +<%- } -%> +<%- if $_by['username'] { -%> + username: + <%- $_by['username'].each |$_username| { -%> + - '<%= $_username %>' + <%- } -%> +<%- } -%> +<%- } -%> +<%- if $_index != ( $_acl_policies.length -1 ) {-%> + +--- + +<%- } -%> +<%- } -%> diff --git a/templates/aclpolicy.erb b/templates/aclpolicy.erb deleted file mode 100644 index 0fbfe46e7..000000000 --- a/templates/aclpolicy.erb +++ /dev/null 
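Review bot: The `description:` line writes `$_policy['description']` as a bare YAML scalar, whereas the ERB template this file replaces wrapped it in single quotes, so a description containing `: ` or ` #` now changes how the policy document parses or makes it invalid. The single-quoted scalars further down (the context value, string `allow`/`deny` actions, and the `group` and `username` entries) are emitted without doubling an embedded `'`, which ends the scalar early. Because this file is the authorization policy Rundeck loads, I would quote and escape consistently, e.g. `description: '<%= regsubst($_policy['description'], "'", "''", 'G') %>'`, and apply the same `regsubst` to the other quoted values. A spec case with a description containing a colon and a group name containing an apostrophe would pin the behaviour.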
@@ -1,43 +0,0 @@ -<%- @acl_policies.each_with_index do |policy, index| -%> -description: '<%= policy['description'] %>' -context: - <%= policy['context'].keys[0] %>: '<%= policy['context'].values[0] %>' -for: -<%- policy['for'].each do |resource,kind| -%> - <%= resource %>: - <%- kind.each do |rules| -%> - <%- first_key = true -%> - <%- rules.each do |type, action| -%> - <%- if %w( allow deny ).include?(type) -%> - <% if first_key -%>-<%- else %> <% end -%> <%= type %>: <%- if action.is_a? String -%>'<%= action %>'<%-else-%><%= action %><%-end%> - <%- elsif %w( match equals contains subset ).include?(type) -%> - <% if first_key -%>-<%- else %> <% end -%> <%= type %>: - <%- action.each do |k,v| -%> - <%= k %>: <%- if v.is_a? String -%>'<%= v %>'<%-else-%><%= v %><%-end%> - <%- end -%> - <%- end -%> - <%- first_key = false -%> - <%- end -%> - <%- end -%> -<%- end -%> -by: -<%- policy['by'].each do |by| -%> -<%- if !by['group'].nil? && by['group'] != :undef -%> - group: - <%- by['group'].each do |group| -%> - - '<%= group %>' - <%- end -%> -<%- end -%> -<%- if !by['username'].nil? && by['username'] != :undef -%> - username: - <%- by['username'].each do |username| -%> - - '<%= username %>' - <%- end -%> -<%- end -%> -<%- end -%> -<%- if index != (@acl_policies.length-1) -%> - ---- - -<%- end -%> -<%- end -%> diff --git a/templates/file_keystorage_meta.erb b/templates/file_keystorage_meta.erb deleted file mode 100644 index 2262905b3..000000000 --- a/templates/file_keystorage_meta.erb +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "Rundeck-content-size":"<%= @content_size_value %>", - <%- if @data_type == "password" -%> - "Rundeck-data-type":"<%= @data_type %>", - "Rundeck-content-mask":"<%= @content_mask %>", - <%- elsif @data_type == "public" -%> - "Rundeck-key-type":"<%= @data_type %>", - <%- else -%> - "Rundeck-key-type":"<%= @data_type %>", - "Rundeck-content-mask":"<%= @content_mask %>", - <%- end -%> - "Rundeck-content-creation-time":"<%= @content_creation_time %>", - "Rundeck-auth-created-username":"<%= @auth_created_username %>", - "Rundeck-auth-modified-username":"<%= @auth_modified_username %>", - "Rundeck-content-modify-time":"<%= @content_modify_time %>", - "Rundeck-content-type":"<%= @content_type %>" -} diff --git a/templates/framework.properties.epp b/templates/framework.properties.epp index 08dccdfd1..f4241c085 100644 --- a/templates/framework.properties.epp +++ b/templates/framework.properties.epp @@ -1,3 +1,3 @@ -<%- $rundeck::config::global::framework::framework_config.keys.sort.each |$k| { -%> -<%= $k %> = <%= $rundeck::config::global::framework::framework_config[$k] %> +<%- $_framework_config.each |$_k, $_v| { -%> +<%= $_k %> = <%= $_v %> <%- } -%> diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp deleted file mode 100644 index e96054b93..000000000 --- a/templates/jaas-auth.conf.epp +++ /dev/null @@ -1,13 +0,0 @@ -authentication { -<%- $rundeck::config::auth_types.each |$type| { -%> - <%- if 'ldap' in $type or 'ldap_shared' in $type { -%> - <%= epp('rundeck/_auth_ldap.epp') %> - <%- } elsif 'active_directory' in $type or 'active_directory_shared' in $type { -%> - <%= epp('rundeck/_auth_ad.epp') %> - <%- } elsif 'pam' in $type { -%> - <%= epp('rundeck/_auth_pam.epp') %> - <%- } elsif 'file' in $type { -%> - <%= epp('rundeck/_auth_file.epp') %> - <%- } -%> -<%- } -%> -}; diff --git a/templates/jaas-auth.conf.erb b/templates/jaas-auth.conf.erb deleted file mode 100644 index 3e21a53e4..000000000 
--- a/templates/jaas-auth.conf.erb +++ /dev/null @@ -1,17 +0,0 @@ -authentication { - - <%- @auth_types.each do |type| - case type - when 'ldap', 'ldap_shared' -%> - <%= scope.function_template(['rundeck/_auth_ldap.erb']) %> - <%- when 'active_directory', 'active_directory_shared' -%> - <%= scope.function_template(['rundeck/_auth_ad.erb']) %> - <%- when 'pam' -%> - <%= scope.function_template(['rundeck/_auth_pam.erb']) %> - <%- when 'file' -%> - <%= scope.function_template(['rundeck/_auth_file.erb']) %> - <%- else - end - end - -%> -}; diff --git a/templates/jaas-loginmodule.conf.epp b/templates/jaas-loginmodule.conf.epp new file mode 100644 index 000000000..c937f1d55 --- /dev/null +++ b/templates/jaas-loginmodule.conf.epp 
@@ -0,0 +1,33 @@ +authentication { +<%- $_auth_config.keys.each |$_type| { -%> +<%- if $_type == 'file' { -%> +<%- if $_auth_config['file']['auth_flag'] { -%> + org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $_auth_config['file']['auth_flag'] %> +<%- } else { -%> + org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required +<%- } -%> +<%- $_auth_config['file']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['file']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> +<%- } elsif $_type == 'ldap' { -%> +<%- if $_auth_config['ldap']['auth_flag'] { -%> + com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> <%= $_auth_config['ldap']['auth_flag'] %> +<%- } else { -%> + com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> required +<%- } -%> + contextFactory="com.sun.jndi.ldap.LdapCtxFactory" +<%- $_auth_config['ldap']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['ldap']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> +<%- } elsif $_type == 'pam' { -%> +<%- if $_auth_config['pam']['auth_flag'] { -%> + org.rundeck.jaas.jetty.JettyPamLoginModule <%= $_auth_config['pam']['auth_flag'] %> +<%- } else { -%> + org.rundeck.jaas.jetty.JettyPamLoginModule required +<%- } -%> +<%- $_auth_config['pam']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['pam']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> +<%- } -%> +<%- } -%> +}; diff --git a/templates/krb5.conf.erb b/templates/krb5.conf.erb deleted file mode 100644 index 677f97ac7..000000000 --- a/templates/krb5.conf.erb +++ /dev/null 
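Review bot: The closing `;` of each login-module entry is written only when the loop reaches the last key of `jaas_config`, so an entry whose `jaas_config` is an empty hash is rendered without a terminator and the resulting JAAS file will not parse (for `ldap` the fixed `contextFactory` line is then left unterminated). Emitting each option as `<%= $_k %>="<%= $_v %>"` and placing a standalone `;` line after each of the three loops removes the dependency on the hash contents. The values are also placed between double quotes unescaped, so a value containing `"` (a bind password, presumably, if it is passed through `jaas_config`) would end the string early; validating or escaping it in the parameter's data type is worth considering. Keys of `$_auth_config` other than `file`, `ldap` and `pam` are skipped silently, which is safe only if the parameter's type already rejects them.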
@@ -1,11 +0,0 @@ -[realms] -<%- @kerberos_realms.each do |domain, realm| -%> - <%= realm %> = { - kdc = <%= domain %> - } -<%- end -%> - -[domain_realm] -<%- @kerberos_realms.each do |domain, realm| -%> - <%= domain %> = <%= realm %> -<%- end -%> \ No newline at end of file diff --git a/templates/log4j.properties.erb b/templates/log4j.properties.erb deleted file mode 100644 index bbbc9f9c8..000000000 --- a/templates/log4j.properties.erb +++ /dev/null 
@@ -1,158 +0,0 @@ -#################################################################################################### -# -# Log Levels -# -#################################################################################################### - -# Enable logging for everything. Rarely useful -log4j.rootLogger=warn, stdout, server-logger - -log4j.com.dtolabs.rundeck.core=INFO, cmd-logger - -#log4j.logger.org.codehaus.groovy.grails.plugins.quartz=debug,stdout -#log4j.additivity.org.codehaus.groovy.grails.plugins.quartz=false - -# Enable audit logging -log4j.logger.com.dtolabs.rundeck.core.authorization=<%= @rd_auditlevel %>, audit -log4j.additivity.com.dtolabs.rundeck.core.authorization=false - -# Enable options remote URL logging -log4j.logger.com.dtolabs.rundeck.remoteservice.http.options=INFO, options -log4j.additivity.com.dtolabs.rundeck.remoteservice.http.options=false - -# Enable Job changes logging -log4j.logger.com.dtolabs.rundeck.data.jobs.changes=INFO, jobchanges -log4j.additivity.com.dtolabs.rundeck.data.jobs.changes=false - -# Enable API request logging -log4j.logger.org.rundeck.api.requests=INFO,apirequests -log4j.additivity.org.rundeck.api.requests=false - -# Enable Web access logging -log4j.logger.org.rundeck.web.requests=INFO,access -log4j.additivity.org.rundeck.web.requests=false - - -# Enable this logger to log Hibernate output -# handy to see its database interaction activity -#log4j.logger.org.hibernate=debug,stdout -#log4j.additivity.org.hibernate=false - -# Enable this logger to see what Spring does, occasionally useful -#log4j.logger.org.springframework=info,stdout -#log4j.additivity.org.springframework=false - -# This logger covers all of Grails' internals -# Enable to see whats going on underneath. -log4j.logger.org.codehaus.groovy.grails=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails=false - -# This logger is useful if you just want to see what Grails -# configures with Spring at runtime. 
Setting to debug will show -# each bean that is configured -log4j.logger.org.codehaus.groovy.grails.commons.spring=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails.commons.spring=false - -# Interesting Logger to see what some of the Grails factory beans are doing -log4j.logger.org.codehaus.groovy.grails.beans.factory=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails.beans.factory=false - -# This logger is for Grails' public APIs within the grails. package -log4j.logger.grails=info,stdout, server-logger -log4j.additivity.grails=false - -# Disable h2database logger if desired (value = on|off) -log4j.logger.h2database=<%= @database_config['enable_h2_logs'] %> - - -#################################################################################################### -# -# Appender Configuration (unlikely a change needs to be made, unless you have unique logging reqs.) -# -#################################################################################################### - -# -# stdout - ConsoleAppender -# -log4j.appender.stdout=org.apache.log4j.ConsoleAppender -log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -log4j.appender.stdout.layout.ConversionPattern=%-5p %c{1}: %m%n - -# -# cmd-logger - DailyRollingFileAppender -# -# Output of the RunDeck command line utilities -# -log4j.appender.cmd-logger=org.apache.log4j.DailyRollingFileAppender -log4j.appender.cmd-logger.file=<%= @service_logs_dir %>/command.log -log4j.appender.cmd-logger.datePattern='.'yyyy-MM-dd -log4j.appender.cmd-logger.append=true -log4j.appender.cmd-logger.layout=org.apache.log4j.PatternLayout -log4j.appender.cmd-logger.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c - %m%n - -# -# server-logger - DailyRollingFileAppender -# -# Captures all output from the rundeckd server. 
-# -log4j.appender.server-logger=org.apache.log4j.DailyRollingFileAppender -log4j.appender.server-logger.file=<%= @service_logs_dir %>/rundeck.log -log4j.appender.server-logger.datePattern='.'yyyy-MM-dd -log4j.appender.server-logger.append=true -log4j.appender.server-logger.layout=org.apache.log4j.PatternLayout -log4j.appender.server-logger.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c - %m%n - -# -# audit -# -# Captures all audit events. -# -log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender -log4j.appender.audit.file=<%= @service_logs_dir %>/rundeck.audit.log -log4j.appender.audit.append=true -log4j.appender.audit.layout=org.apache.log4j.PatternLayout -log4j.appender.audit.layout.ConversionPattern=%d{ISO8601} - %m%n - -# -# options log -# -# Logs remote HTTP requests for Options JSON data -# -log4j.appender.options=org.apache.log4j.DailyRollingFileAppender -log4j.appender.options.file=<%= @service_logs_dir %>/rundeck.options.log -log4j.appender.options.append=true -log4j.appender.options.layout=org.apache.log4j.PatternLayout -log4j.appender.options.layout.ConversionPattern=[%d{ISO8601}] %X{httpStatusCode} %X{contentLength}B %X{durationTime}ms %X{lastModifiedDateTime} [%X{jobName}] %X{url} %X{contentSHA1}%n - -# -# job changes log -# -# Logs all Job definition changes -# -log4j.appender.jobchanges=org.apache.log4j.DailyRollingFileAppender -log4j.appender.jobchanges.file=<%= @service_logs_dir %>/rundeck.jobs.log -log4j.appender.jobchanges.append=true -log4j.appender.jobchanges.layout=org.apache.log4j.PatternLayout -log4j.appender.jobchanges.layout.ConversionPattern=[%d{ISO8601}] %X{user} %X{change} [%X{id}] %X{project} "%X{groupPath}/%X{jobName}" (%X{method})%n - -# -# api request log -# -# Logs all API requests -# -log4j.appender.apirequests=org.apache.log4j.DailyRollingFileAppender -log4j.appender.apirequests.file=<%= @service_logs_dir %>/rundeck.api.log -log4j.appender.apirequests.append=true 
-log4j.appender.apirequests.layout=org.apache.log4j.PatternLayout -log4j.appender.apirequests.layout.ConversionPattern=[%d{ISO8601}] %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} "%X{method} %X{uri}" (%X{userAgent})%n - -# -# Web access log -# -# Logs all Web requests -# -log4j.appender.access=org.apache.log4j.DailyRollingFileAppender -log4j.appender.access.file=<%= @service_logs_dir %>/rundeck.access.log -log4j.appender.access.append=true -log4j.appender.access.layout=org.apache.log4j.PatternLayout -log4j.appender.access.layout.ConversionPattern=[%d{ISO8601}] "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} [%X{contentType}] (%X{userAgent})%n diff --git a/templates/log4j2.properties.epp b/templates/log4j2.properties.epp new file mode 100644 index 000000000..70ec09232 --- /dev/null +++ b/templates/log4j2.properties.epp 
@@ -0,0 +1,264 @@ + +name = Rundeck Logging Configuration + +property.baseDir = <%= $rundeck::service_logs_dir %> +property.classLength = 2 +property.noConsoleNoAnsi = true +property.prefix = [%style{%d{ISO8601}}{dim, noConsoleNoAnsi=${noConsoleNoAnsi}}] %highlight{%-5p}{noConsoleNoAnsi=${noConsoleNoAnsi}} %style{%c{${classLength}}}{cyan,noConsoleNoAnsi=${noConsoleNoAnsi}} + +appender.console.type = Console +appender.console.name = STDOUT +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = ${prefix} - %m%n + +appender.rundeck.type = RollingFile +appender.rundeck.name = rundeck +appender.rundeck.fileName = ${baseDir}/rundeck.log +appender.rundeck.append = true +appender.rundeck.bufferedIO = true +appender.rundeck.filePattern = ${baseDir}/rundeck.log.%d{yyyy-MM-dd}.gz +appender.rundeck.layout.type = PatternLayout +appender.rundeck.layout.pattern = ${prefix} [%t] - %m%n +appender.rundeck.policies.type = Policies +appender.rundeck.policies.time.type = TimeBasedTriggeringPolicy +appender.rundeck.policies.time.interval = 1 + +appender.audit.type = RollingFile +appender.audit.name = audit +appender.audit.fileName = ${baseDir}/rundeck.audit.log +appender.audit.append = true +appender.audit.bufferedIO = true +appender.audit.filePattern = ${baseDir}/rundeck.audit.log.%d{yyyy-MM-dd}.gz +appender.audit.layout.type = PatternLayout +appender.audit.layout.pattern = ${prefix} - %m%n +appender.audit.policies.type = Policies +appender.audit.policies.time.type = TimeBasedTriggeringPolicy +appender.audit.policies.time.interval = 1 + +appender.options.type = RollingFile +appender.options.name = options +appender.options.fileName = ${baseDir}/rundeck.options.log +appender.options.append = true +appender.options.bufferedIO = true +appender.options.filePattern = ${baseDir}/rundeck.options.log.%d{yyyy-MM-dd}.gz +appender.options.layout.type = PatternLayout +appender.options.layout.pattern = ${prefix} %X{httpStatusCode} %X{contentLength}B %X{durationTime}ms 
%X{lastModifiedDateTime} [%X{jobName}] %X{url} %X{contentSHA1}%n +appender.options.policies.type = Policies +appender.options.policies.time.type = TimeBasedTriggeringPolicy +appender.options.policies.time.interval = 1 + +appender.storage.type = RollingFile +appender.storage.name = storage +appender.storage.fileName = ${baseDir}/rundeck.storage.log +appender.storage.append = true +appender.storage.bufferedIO = true +appender.storage.filePattern = ${baseDir}/rundeck.storage.log.%d{yyyy-MM-dd}.gz +appender.storage.layout.type = PatternLayout +appender.storage.layout.pattern = ${prefix} %X{action} %X{type} %X{path} %X{status} %X{metadata}%n +appender.storage.policies.type = Policies +appender.storage.policies.time.type = TimeBasedTriggeringPolicy +appender.storage.policies.time.interval = 1 + +appender.jobchanges.type = RollingFile +appender.jobchanges.name = jobchanges +appender.jobchanges.fileName = ${baseDir}/rundeck.jobs.log +appender.jobchanges.append = true +appender.jobchanges.bufferedIO = true +appender.jobchanges.filePattern = ${baseDir}/rundeck.jobs.log.%d{yyyy-MM-dd}.gz +appender.jobchanges.layout.type = PatternLayout +appender.jobchanges.layout.pattern = ${prefix} %X{user} %X{change} [%X{id}] %X{project} "%X{groupPath}/%X{jobName}" (%X{method})%X{extraInfo}%n +appender.jobchanges.policies.type = Policies +appender.jobchanges.policies.time.type = TimeBasedTriggeringPolicy +appender.jobchanges.policies.time.interval = 1 + +appender.execevents.type = RollingFile +appender.execevents.name = execevents +appender.execevents.fileName = ${baseDir}/rundeck.executions.log +appender.execevents.append = true +appender.execevents.bufferedIO = true +appender.execevents.filePattern = ${baseDir}/rundeck.executions.log.%d{yyyy-MM-dd}.gz +appender.execevents.layout.type = PatternLayout +appender.execevents.layout.pattern = ${prefix} %X{eventUser} %X{event} [%X{id}:%X{state}] %X{project} %X{user}/%X{abortedby} "%X{groupPath}/%X{jobName}" %X{argString} [%X{uuid}]%n 
+appender.execevents.policies.type = Policies +appender.execevents.policies.time.type = TimeBasedTriggeringPolicy +appender.execevents.policies.time.interval = 1 + +appender.apirequests.type = RollingFile +appender.apirequests.name = apirequests +appender.apirequests.fileName = ${baseDir}/rundeck.api.log +appender.apirequests.append = true +appender.apirequests.bufferedIO = true +appender.apirequests.filePattern = ${baseDir}/rundeck.api.log.%d{yyyy-MM-dd}.gz +appender.apirequests.layout.type = PatternLayout +appender.apirequests.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} (%X{userAgent})%n +appender.apirequests.policies.type = Policies +appender.apirequests.policies.time.type = TimeBasedTriggeringPolicy +appender.apirequests.policies.time.interval = 1 + +appender.access.type = RollingFile +appender.access.name = access +appender.access.fileName = ${baseDir}/rundeck.access.log +appender.access.append = true +appender.access.bufferedIO = true +appender.access.filePattern = ${baseDir}/rundeck.access.log.%d{yyyy-MM-dd}.gz +appender.access.layout.type = PatternLayout +appender.access.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} [%X{contentType}] (%X{userAgent})%n +appender.access.policies.type = Policies +appender.access.policies.time.type = TimeBasedTriggeringPolicy +appender.access.policies.time.interval = 1 + +appender.project.type = RollingFile +appender.project.name = project +appender.project.fileName = ${baseDir}/rundeck.project.log +appender.project.append = true +appender.project.bufferedIO = true +appender.project.filePattern = ${baseDir}/rundeck.project.log.%d{yyyy-MM-dd}.gz +appender.project.layout.type = PatternLayout +appender.project.layout.pattern = ${prefix} - %m%n +appender.project.policies.type = Policies +appender.project.policies.time.type = TimeBasedTriggeringPolicy 
+appender.project.policies.time.interval = 1 + +appender.cleanup.type = RollingFile +appender.cleanup.name = cleanup +appender.cleanup.fileName = ${baseDir}/rundeck.cleanup.log +appender.cleanup.append = true +appender.cleanup.bufferedIO = true +appender.cleanup.filePattern = ${baseDir}/rundeck.cleanup.log.%d{yyyy-MM-dd}.gz +appender.cleanup.layout.type = PatternLayout +appender.cleanup.layout.pattern = ${prefix} - %m%n +appender.cleanup.policies.type = Policies +appender.cleanup.policies.time.type = TimeBasedTriggeringPolicy +appender.cleanup.policies.time.interval = 1 + +appender.webhooks.type = RollingFile +appender.webhooks.name = webhooks +appender.webhooks.fileName = ${baseDir}/rundeck.webhooks.log +appender.webhooks.append = true +appender.webhooks.bufferedIO = true +appender.webhooks.filePattern = ${baseDir}/rundeck.webhooks.log.%d{yyyy-MM-dd}.gz +appender.webhooks.layout.type = PatternLayout +appender.webhooks.layout.pattern = ${prefix} - %m%n +appender.webhooks.policies.type = Policies +appender.webhooks.policies.time.type = TimeBasedTriggeringPolicy +appender.webhooks.policies.time.interval = 1 + +rootLogger.level = warn +rootLogger.appenderRef.stdout.ref = STDOUT +rootLogger.appenderRef.rundeck.ref = rundeck + +logger.interceptors.name = rundeck.interceptors +logger.interceptors.level = info +logger.interceptors.additivity = false +logger.interceptors.appenderRef.stdout.ref = STDOUT + +logger.rundeckapp.name = rundeckapp +logger.rundeckapp.level = <%= $rundeck::app_log_level %> +logger.rundeckapp.additivity = false +logger.rundeckapp.appenderRef.stdout.ref = STDOUT + +logger.bootstrap.name = rundeckapp.BootStrap +logger.bootstrap.level = info +logger.bootstrap.additivity = false +logger.bootstrap.appenderRef.stdout.ref = STDOUT + +logger.grails.name = grails +logger.grails.level = warn +logger.grails.additivity = false +logger.grails.appenderRef.stdout.ref = STDOUT + +logger.grails_env.name = grails.util.Environment +logger.grails_env.level = error 
+logger.grails_env.additivity = false +logger.grails_env.appenderRef.stdout.ref = STDOUT + +logger.prjmanager.name = grails.app.services.rundeck.services.ProjectManagerService +logger.prjmanager.level = info +logger.prjmanager.additivity = false +logger.prjmanager.appenderRef.stdout.ref = STDOUT + +logger.authorization.name = com.dtolabs.rundeck.core.authorization +logger.authorization.level = <%= $rundeck::audit_log_level %> +logger.authorization.additivity = false +logger.authorization.appenderRef.stdout.ref = audit + +logger.options.name = com.dtolabs.rundeck.remoteservice.http.options +logger.options.level = info +logger.options.additivity = false +logger.options.appenderRef.stdout.ref = options + +logger.jobchanges.name = com.dtolabs.rundeck.data.jobs.changes +logger.jobchanges.level = info +logger.jobchanges.additivity = false +logger.jobchanges.appenderRef.stdout.ref = jobchanges + +logger.execevents.name = org.rundeck.execution.status +logger.execevents.level = info +logger.execevents.additivity = false +logger.execevents.appenderRef.stdout.ref = execevents + +logger.apirequests.name = org.rundeck.api.requests +logger.apirequests.level = info +logger.apirequests.additivity = false +logger.apirequests.appenderRef.stdout.ref = apirequests + +logger.access.name = org.rundeck.web.requests +logger.access.level = info +logger.access.additivity = false +logger.access.appenderRef.access.ref = access + +logger.project.name = org.rundeck.project.events +logger.project.level = info +logger.project.additivity = false +logger.project.appenderRef.stdout.ref = project + +logger.storage.name = org.rundeck.storage.events +logger.storage.level = info +logger.storage.additivity = false +logger.storage.appenderRef.storage.ref = storage + +logger.webhook_events.name = org.rundeck.webhook.events +logger.webhook_events.level = info +logger.webhook_events.additivity = false +logger.webhook_events.appenderRef.webhooks.ref = webhooks + +logger.webhook_plugins.name = 
org.rundeck.plugin.webhook +logger.webhook_plugins.level = debug +logger.webhook_plugins.additivity = false +logger.webhook_plugins.appenderRef.webhooks.ref = webhooks + +logger.cleanup.name = rundeck.quartzjobs.ExecutionsCleanUp +logger.cleanup.level = debug +logger.cleanup.additivity = false +logger.cleanup.appenderRef.cleanup.ref = cleanup + +logger.jetty.name = org.mortbay.log +logger.jetty.level = warn +logger.jetty.additivity = false +logger.jetty.appenderRef.stdout.ref = STDOUT + +logger.hibernate.name = org.hibernate.orm.deprecation +logger.hibernate.level = error +logger.hibernate.additivity = false +logger.hibernate.appenderRef.stdout.ref = STDOUT + +logger.rundeck_jaas.name = com.dtolabs.rundeck.jetty.jaas +logger.rundeck_jaas.level = debug +logger.rundeck_jaas.additivity = false +logger.rundeck_jaas.appenderRef.stdout.ref = STDOUT + +logger.spring_security.name = grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter +logger.spring_security.level = debug +logger.spring_security.additivity = false +logger.spring_security.appenderRef.stdout.ref = STDOUT + +logger.jaas.name = org.rundeck.jaas +logger.jaas.level = debug +logger.jaas.additivity = false +logger.jaas.appenderRef.stdout.ref = STDOUT + +#Quell a noisy WARN from this class +logger.springBeanPropertyDescriptor.name = org.springframework.beans.GenericTypeAwarePropertyDescriptor +logger.springBeanPropertyDescriptor.level = error +logger.springBeanPropertyDescriptor.additivity = false +logger.springBeanPropertyDescriptor.appenderRef.stdout.ref = STDOUT diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp new file mode 100644 index 000000000..dd9c49f69 --- /dev/null +++ b/templates/profile_overrides.epp 
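Review bot: The three authentication loggers near the end of the new log4j2.properties.epp (`logger.rundeck_jaas`, `logger.spring_security` and `logger.jaas`) are hard-coded to `debug` and routed to STDOUT, so every managed node runs login handling at debug verbosity with no way to lower it from Hiera. Debug output from JAAS and the username/password filter can be expected to carry account names and directory-lookup detail, and it lands in the service's stdout or journal rather than in the audit log. I would default these three to `warn`, or drive them from a parameter the way `logger.rundeckapp.level = <%= $rundeck::app_log_level %>` already does. Separately, the `apirequests` and `access` patterns keep `%X{authToken}`; it is worth confirming what Rundeck stores under that MDC key and restricting read access to `rundeck.api.log` and `rundeck.access.log` accordingly.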
@@ -0,0 +1,22 @@ +RDECK_BASE="<%= $rundeck::config::base_dir %>" +RDECK_CONFIG="<%= $rundeck::config::properties_dir %>" +RDECK_CONFIG_FILE="$RDECK_CONFIG/rundeck-config.properties" +RDECK_INSTALL="$RDECK_BASE" +LOGIN_MODULE=authentication +JAVA_CMD=java +RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" + +<% if $rundeck::ssl_enabled { -%> +RDECK_HTTP_PORT=<%= $rundeck::ssl_port %> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Drundeck.ssl.config=$RDECK_CONFIG/ssl/ssl.properties" +<% } else { -%> +RDECK_HTTP_PORT=<%= $rundeck::config::framework_config['framework.server.port'] %> +<% } -%> + +<% if $rundeck::server_web_context { -%> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.servlet.context-path=<%= $rundeck::server_web_context %>" +<% } -%> + +<% if $rundeck::java_home { %> +JAVA_HOME=<%= $rundeck::java_home %> +<% } %> diff --git a/templates/profile_overrides.erb b/templates/profile_overrides.erb deleted file mode 100644 index 939e68d89..000000000 --- a/templates/profile_overrides.erb +++ /dev/null @@ -1,24 +0,0 @@ -RDECK_BASE=<%= @rdeck_base %> -RDECK_CONFIG=<%= @properties_dir %> -RDECK_CONFIG_FILE=<%= @properties_dir %>/rundeck-config.groovy -RDECK_INSTALL=<%= @rdeck_base %> -JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf -LOGIN_MODULE=authentication -JAVA_CMD=java -RDECK_JVM_SETTINGS="<%= @jvm_args %>" - -<%- if @server_web_context -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= @server_web_context %>" -<%- end -%> - -<%- if !(@kerberos_realms.empty?) -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/krb5.conf" -<%- end -%> - -<% if @java_home %> -JAVA_HOME=<%= @java_home %> -<% end %> - -<%- if @ssl_enabled -%> -RUNDECK_WITH_SSL=true -<%- end -%> diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp index ed42cac84..8deff98af 100644 --- a/templates/realm.properties.epp +++ b/templates/realm.properties.epp 
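Review bot: `JAVA_HOME=<%= $rundeck::java_home %>` at the end of profile_overrides.epp is written unquoted, while `RDECK_BASE` and `RDECK_CONFIG` in the same hunk are quoted. The file looks like it is sourced as shell by the Rundeck start script, so a path containing a space or a shell metacharacter would be word-split or interpreted instead of assigned; `JAVA_HOME="<%= $rundeck::java_home %>"` keeps it a single assignment. `RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>"` and the `server_web_context` line put parameter values inside double quotes, where command substitution and an embedded `"` are still live, so a comment stating that these values end up in a sourced shell file, or a `Pattern` type on the parameters (their declarations are not visible here), would make that constraint explicit.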
@@ -4,7 +4,7 @@
 # The format is
 # : [, ...]
 #
-# Passwords may be clear text, obfuscated or checksummed. The class
+# Passwords may be clear text, obfuscated or checksummed. The class
 # org.mortbay.util.Password should be used to generate obfuscated
 # passwords or password checksums
 #
@@ -18,26 +18,25 @@ #user: password # This entry is for digest auth. The credential is a MD5 hash of username:realmname:password #digest: MD5:6e120743ad67abfbc385bc2bb754e297 -#.fetch('password', '-') -%> #['password'] -%> #lookup($x['password'],'-') # # This sets the default user accounts for the Rundeck app # -<%= $rundeck::config::auth_config['file']['admin_user'] %>:<%= $rundeck::config::auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build -<%- if $rundeck::config::auth_config['file']['auth_users'] { -%> - <%- if is_array($rundeck::config::auth_config['file']['auth_users']) { -%> - <%- $rundeck::config::auth_config['file']['auth_users'].each |$x| { -%> +<%= $_auth_config['file']['realm_config']['admin_user'] %>:<%= $_auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build +<%- if $_auth_config['file']['realm_config']['auth_users'] { -%> + <%- if $_auth_config['file']['realm_config']['auth_users'] =~ Array { -%> + <%- $_auth_config['file']['realm_config']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> - <%= $x['username'] -%>:<%= get('x.password', '-') -%> + <%= $x['username'] -%>:<%= $x['password'] -%> <%- if $x['roles'] {-%> <%- $x['roles'].each |$v| {-%>,<%= $v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> <%- } else { -%> - <%- if $rundeck::config::auth_config['file']['auth_users']['username'] and $rundeck::config::auth_config['file']['auth_users']['password'] { -%> - <%= $rundeck::config::auth_config['file']['auth_users']['username'] -%>:<%= $rundeck::config::auth_config['file']['auth_users']['password'] -%> - <%- if $rundeck::config::auth_config['file']['auth_users']['roles'] { -%> - <%- $rundeck::config::auth_config['file']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> + <%- if $_auth_config['file']['realm_config']['auth_users']['username'] and $_auth_config['file']['realm_config']['auth_users']['password'] { -%> + <%= $_auth_config['file']['realm_config']['auth_users']['username'] 
-%>:<%= $_auth_config['file']['realm_config']['auth_users']['password'] -%> + <%- if $_auth_config['file']['realm_config']['auth_users']['roles'] { -%> + <%- $_auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> diff --git a/templates/realm.properties.erb b/templates/realm.properties.erb deleted file mode 100644 index 4d00061b8..000000000 --- a/templates/realm.properties.erb +++ /dev/null 
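Review bot: In the Array branch a user entry is rendered whenever `$x['username']` is set, and the credential is now `<%= $x['password'] -%>` with no fallback, so an entry without a password produces a realm line with an empty credential followed by its roles. The single-hash branch further down already requires both keys; the Array branch should do the same with `<%- if $x['username'] and $x['password'] { -%>`. If any of these passwords can arrive as `Sensitive`, interpolating them directly would write Puppet's redaction placeholder instead of the value, so an `unwrap` may be needed; the code that builds `$_auth_config` is outside this hunk. A short comment above the admin line noting that the credentials are written as supplied, and that the hashed forms listed in the file header are preferable to clear text, would help whoever fills in the Hiera data.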
@@ -1,44 +0,0 @@ -# -# This file defines users passwords and roles for a HashUserRealm -# -# The format is -# : [, ...] -# -# Passwords may be clear text, obfuscated or checksummed. The class -# org.mortbay.util.Password should be used to generate obfuscated -# passwords or password checksums -# -# If DIGEST Authentication is used, the password must be in a recoverable -# format, either plain text or OBF:. -# -#jetty: MD5:164c88b302622e17050af52c89945d44,user -#admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin -#other: OBF:1xmk1w261u9r1w1c1xmq -#plain: plain -#user: password -# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password -#digest: MD5:6e120743ad67abfbc385bc2bb754e297 - -# -# This sets the default user accounts for the Rundeck app -# -<%= @auth_config['file']['admin_user'] %>:<%= @auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build -<%- if @auth_config['file']['auth_users'] -%> - <%- if @auth_config['file']['auth_users'].kind_of?(Array) -%> - <%- @auth_config['file']['auth_users'].each do |x| -%> - <%- if x['username'] and x['password'] -%> - <%= x['username'] -%>:<%= x.fetch('password', '-') -%> - <%- if x['roles'] -%> - <%- x['roles'].each do |v| -%>,<%= v -%><%- end %> - <%- end -%> - <%- end -%> - <%- end -%> - <%- else -%> - <%- if @auth_config['file']['auth_users']['username'] and @auth_config['file']['auth_users']['password'] -%> - <%= @auth_config['file']['auth_users']['username'] -%>:<%= @auth_config['file']['auth_users']['password'] -%> - <%- if @auth_config['file']['auth_users']['roles'] -%> - <%- @auth_config['file']['auth_users']['roles'].each do |v| -%>,<%= v -%><%- end %> - <%- end -%> - <%- end -%> - <%- end -%> -<%- end %> diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp deleted file mode 100644 index c769053cd..000000000 --- a/templates/rundeck-config.epp +++ /dev/null 
@@ -1,98 +0,0 @@ -loglevel.default = "<%= $rundeck::config::global::rundeck_config::rd_loglevel %>" -rdeck.base = "<%= $rundeck::config::global::rundeck_config::rdeck_base %>" -rss.enabled = "<%= $rundeck::config::global::rundeck_config::rss_enabled %>" -rundeck.log4j.config.file = "<%= $rundeck::config::global::rundeck_config::properties_dir %>/log4j.properties" - -<%- if 'useHMacRequestTokens' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.useHMacRequestTokens = <%= $rundeck::config::global::rundeck_config::security_config['useHMacRequestTokens'] %> -<%- } -%> -<%- if 'apiCookieAccess' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.apiCookieAccess.enabled = <%= $rundeck::config::global::rundeck_config::security_config['apiCookieAccess'] %> -<%- } -%> -<%- if 'apiTokensDuration' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.api.tokens.duration.max = "<%= $rundeck::config::global::rundeck_config::security_config['apiTokensDuration'] %>" -<%- } -%> -<%- if 'csrfRefererFilterMethod' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.filterMethod = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererFilterMethod'] %> -<%- } -%> -<%- if 'csrfRefererAllowApi' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.allowApi = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererAllowApi'] %> -<%- } -%> -<%- if 'csrfRefererRequireHttps' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.requireHttps = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererRequireHttps'] %> -<%- } -%> -<%- if $rundeck::config::global::rundeck_config::security_config['syncLdapUser'] { -%> -rundeck.security.syncLdapUser = <%= 
$rundeck::config::global::rundeck_config::security_config['syncLdapUser'] %> -<%- } -%> - -dataSource { - dbCreate = "<%= $rundeck::config::global::rundeck_config::database_config['dbCreate'] %>" - url = "<%= $rundeck::config::global::rundeck_config::database_config['url'] %>" - <%- if $rundeck::config::global::rundeck_config::database_config['type'] != 'h2' { -%> - driverClassName = "<%= $rundeck::config::global::rundeck_config::database_config['driverClassName'] %>" - username = "<%= $rundeck::config::global::rundeck_config::database_config['username'] %>" - password = "<%= $rundeck::config::global::rundeck_config::database_config['password'] %>" - dialect = "<%= $rundeck::config::global::rundeck_config::database_config['dialect'] %>" - <%- } -%> -} - -<%- if !$rundeck::config::global::rundeck_config::mail_config.empty and $rundeck::config::global::rundeck_config::mail_config.keys != ['defaults.from'] { %> -grails { - mail { - <%- if $rundeck::config::global::rundeck_config::mail_config['host'] { -%> - host = "<%= $rundeck::config::global::rundeck_config::mail_config['host'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['username'] { -%> - username = "<%= $rundeck::config::global::rundeck_config::mail_config['username'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['port'] { -%> - port = <%= $rundeck::config::global::rundeck_config::mail_config['port'] %> - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['password'] { -%> - password = "<%= $rundeck::config::global::rundeck_config::mail_config['password'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['props'] { -%> - props = [<% $rundeck::config::global::rundeck_config::mail_config['props'].each |$k,$v| {-%>"<%= $k %>":"<%= $v %>",<%} %>] - <%- } -%> - } -} -<%- } -%> -<%- if $rundeck::config::global::rundeck_config::mail_config['defaults.from'] { -%> -grails.mail.default.from = "<%= 
$rundeck::config::global::rundeck_config::mail_config['defaults.from'] %>" -<%- } -%> -grails.serverURL = "<%= $rundeck::config::global::rundeck_config::grails_server_url %>" -rundeck.clusterMode.enabled = "<%= $rundeck::config::global::rundeck_config::clustermode_enabled %>" -<%- if $rundeck::config::global::rundeck_config::execution_mode { -%> -rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution_mode %>" -<%- } -%> - -rundeck.projectsStorageType = "<%= $rundeck::config::global::rundeck_config::projects_storage_type %>" -quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>" - -<%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%> -rundeck.storage.provider."<%= $i+1 %>".type = "<%= $cfg['type'] %>" -rundeck.storage.provider."<%= $i+1 %>".path = "<%= $cfg['path'] %>" -<%- if $cfg['removePathPrefix'] { -%> -rundeck.storage.provider."<%= $i+1 %>".removePathPrefix = <%= $cfg['removePathPrefix'] %> -<%- } -%> -<%- if $cfg['config'] { -%> -<%- $cfg['config'].each |$k, $v| { -%> -rundeck.storage.provider."<%= $i+1 %>".config.<%= $k %> = "<%= $v %>" -<%- } -%> -<%- } -%> -<%- } -%> - -<%- if !$rundeck::config::global::rundeck_config::storage_encrypt_config.empty { -%> - - <%- $rundeck::config::global::rundeck_config::storage_encrypt_config.keys.sort.each |$k| { -%> -rundeck.storage.converter."1".<%= $k %> = "<%= $rundeck::config::global::rundeck_config::storage_encrypt_config[$k] %>" - <%- } -%> -<%- } -%> - -<%- $rundeck::config::global::rundeck_config::preauthenticated_config.each |$k,$v| { -%> -rundeck.security.authorization.preauthenticated.<%= $k %> = "<%= $v %>" -<%- } -%> - -<%- $rundeck::config::global::rundeck_config::gui_config.keys.sort.each |$k| {-%> -<%= $k %> = "<%= $rundeck::config::global::rundeck_config::gui_config[$k] %>" -<%- } -%> 
diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp new file mode 100644 index 000000000..6e0130726 --- /dev/null +++ b/templates/rundeck-config.properties.epp 
@@ -0,0 +1,61 @@ +loglevel.default = <%= $rundeck::app_log_level %> +rdeck.base = <%= $rundeck::config::base_dir %> + +rss.enabled = <%= $rundeck::rss_enabled %> + +grails.serverURL = <%= $rundeck::grails_server_url %> + +rundeck.clusterMode.enabled = <%= $rundeck::clustermode_enabled %> +rundeck.executionMode = <%= $rundeck::execution_mode %> +rundeck.api.tokens.duration.max = <%= $rundeck::api_token_max_duration %> + +quartz.threadPool.threadCount = <%= $rundeck::quartz_job_threadcount %> + +dataSource.dbCreate = update +<%- $rundeck::database_config.each |$_k, $_v| {-%> +dataSource.<%= $_k %> = <%= $_v %> +<%- } -%> + +<%- $rundeck::key_storage_config.each |$_i, $_cfg| { -%> +rundeck.storage.provider.<%= $_i+1 %>.type = <%= $_cfg['type'] %> +rundeck.storage.provider.<%= $_i+1 %>.path = <%= $_cfg['path'] %> +<%- if $_cfg['removePathPrefix'] { -%> +rundeck.storage.provider.<%= $_i+1 %>.removePathPrefix = <%= $_cfg['removePathPrefix'] %> +<%- } -%> +<%- if $_cfg['config'] { -%> +<%- $_cfg['config'].each |$_k, $_v| { -%> +rundeck.storage.provider.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> +<%- } -%> +<%- } -%> + +<%- } -%> + +<%- $rundeck::key_storage_encrypt_config.each |$_i, $_cfg| { -%> +rundeck.storage.converter.<%= $_i+1 %>.type = <%= $_cfg['type'] %> +rundeck.storage.converter.<%= $_i+1 %>.path = <%= $_cfg['path'] %> +<%- if $_cfg['resourceSelector'] { -%> +rundeck.storage.converter.<%= $_i+1 %>.resourceSelector = <%= $_cfg['resourceSelector'] %> +<%- } -%> +<%- if $_cfg['config'] { -%> +<%- $_cfg['config'].each |$_k, $_v| { -%> +rundeck.storage.converter.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> +<%- } -%> +<%- } -%> + +<%- } -%> + +<%- $rundeck::mail_config.each |$_k, $_v| {-%> +grails.mail.<%= $_k %> = <%= $_v %> +<%- } -%> + +<%- $rundeck::security_config.each |$_k, $_v| {-%> +rundeck.security.<%= $_k %> = <%= $_v %> +<%- } -%> + +<%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> +rundeck.security.authorization.preauthenticated.<%= $_k %> = 
<%= $_v %> +<%- } -%> + +<%- $rundeck::gui_config.each |$_k, $_v| {-%> +rundeck.gui.<%= $_k %> = <%= $_v %> +<%- } -%> diff --git a/templates/scm-export.properties.erb b/templates/scm-export.properties.erb deleted file mode 100644 index d01b83bef..000000000 --- a/templates/scm-export.properties.erb +++ /dev/null @@ -1,3 +0,0 @@ -<%- @scm_export_properties.sort.each do |k,v| -%> -<%= k %> = <%= v %> -<%- end -%> diff --git a/templates/scm-import.properties.erb b/templates/scm-import.properties.erb deleted file mode 100644 index 84ff261c0..000000000 --- a/templates/scm-import.properties.erb +++ /dev/null @@ -1,3 +0,0 @@ -<%- @scm_import_properties.sort.each do |k,v| -%> -<%= k %> = <%= v %> -<%- end -%> diff --git a/templates/ssl.properties.epp b/templates/ssl.properties.epp new file mode 100644 index 000000000..262218fca --- /dev/null +++ b/templates/ssl.properties.epp @@ -0,0 +1,7 @@ +keystore=<%= $rundeck::keystore %> +keystore.password=<%= $rundeck::keystore_password %> +truststore=<%= $rundeck::truststore %> +truststore.password=<%= $rundeck::truststore_password %> +<%- if $rundeck::key_password { -%> +key.password=<%= $rundeck::key_password %> +<%- } -%> diff --git a/types/auth_config.pp b/types/auth_config.pp new file mode 100644 index 000000000..6b57606b1 --- /dev/null +++ b/types/auth_config.pp @@ -0,0 +1,6 @@ +# Rundeck authentication config type. +type Rundeck::Auth_config = Struct[{ + Optional['file'] => Hash[String, Any], + Optional['ldap'] => Hash[String, Any], + Optional['pam'] => Hash[String, Any], +}] diff --git a/types/db_config.pp b/types/db_config.pp new file mode 100644 index 000000000..780038c7d --- /dev/null +++ b/types/db_config.pp 
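Review bot: `dataSource.<%= $_k %> = <%= $_v %>` writes every value of `$rundeck::database_config` as-is, but `Rundeck::Db_config` in this same patch allows `password` to be `Sensitive[String[8]]`, and interpolating a `Sensitive` in EPP yields the redaction placeholder, so Rundeck would be handed that literal string as its database password. Unless the calling class unwraps first (not visible here), the loop should do it, e.g. `dataSource.<%= $_k %> = <%= $_v ? { Sensitive => $_v.unwrap, default => $_v } %>`. The `grails.mail.` loop has the same issue for the `password` key of `Rundeck::Mail_config`, and would also print the `props` array in Puppet's own notation rather than as properties. Because the rendered file then holds clear-text credentials, as does ssl.properties.epp with `keystore.password` and `key.password` later in this patch, the `file` resources that use these templates should pass the content as `Sensitive` and set a restrictive owner and mode.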
@@ -0,0 +1,9 @@
+# Rundeck database config type.
+type Rundeck::Db_config = Struct[{
+ 'url' => String,
+ Optional['driverClassName'] => String,
+ Optional['username'] => String,
+ Optional['password'] => Variant[String[8], Sensitive[String[8]]],
+ Optional['dialect'] => String,
+ Optional['properties.validationQuery'] => String,
+}]
diff --git a/types/key_storage_config.pp b/types/key_storage_config.pp
new file mode 100644
index 000000000..25a146a45
--- /dev/null
+++ b/types/key_storage_config.pp
@@ -0,0 +1,8 @@
+# Rundeck key storage config type.
+type Rundeck::Key_storage_config = Array[
+ Struct[{
+ 'type' => String,
+ 'path' => String,
+ Optional['config'] => Hash,
+ }]
+]
diff --git a/types/loglevel.pp b/types/loglevel.pp
index e0e1de698..edfa9085c 100644
--- a/types/loglevel.pp
+++ b/types/loglevel.pp
@@ -1,2 +1,2 @@
 # Rundeck log level type.
-type Rundeck::Loglevel = Enum['ALL', 'DEBUG', 'ERROR', 'FATAL', 'INFO', 'OFF', 'TRACE', 'WARN']
+type Rundeck::Loglevel = Enum['all', 'debug', 'error', 'fatal', 'info', 'off', 'trace', 'warn']
diff --git a/types/mail_config.pp b/types/mail_config.pp
new file mode 100644
index 000000000..6495dca95
--- /dev/null
+++ b/types/mail_config.pp
@@ -0,0 +1,11 @@
+# Rundeck mail config type.
+type Rundeck::Mail_config = Struct[{
+ Optional['host'] => String,
+ Optional['port'] => Integer,
+ Optional['username'] => String,
+ Optional['password'] => Variant[String[8], Sensitive[String[8]]],
+ Optional['props'] => Array[Hash],
+ Optional['default.from'] => String,
+ Optional['default.to'] => String,
+ Optional['disabled'] => Boolean,
+}]
diff --git a/types/sourcetype.pp b/types/sourcetype.pp
deleted file mode 100644
index 5215800d4..000000000
--- a/types/sourcetype.pp
+++ /dev/null
@@ -1,2 +0,0 @@
-# Rundeck sourcetype type.
-type Rundeck::Sourcetype = Enum['file', 'directory', 'url', 'script', 'aws-ec2', 'puppet-enterprise']
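Review bot: `Rundeck::Key_storage_config` lists only `type`, `path` and `config` in its inner Struct, yet rundeck-config.properties.epp in this patch reads `$_cfg['removePathPrefix']`. A `Struct` rejects keys it does not declare, so, assuming `$rundeck::key_storage_config` is typed with this alias, that setting can no longer be supplied and the template branch is dead. Adding `Optional['removePathPrefix'] => Boolean,` (or whichever type the value should carry) to the Struct brings the type and the template back in line. The type comment could also say that `config` values are written to rundeck-config.properties verbatim, since storage provider options may include credentials.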