diff --git a/modules/enableit/common/manifests/monitor/splunk/forwarder.pp b/modules/enableit/common/manifests/monitor/splunk/forwarder.pp
index c1847c61c..8234b6f4d 100644
--- a/modules/enableit/common/manifests/monitor/splunk/forwarder.pp
+++ b/modules/enableit/common/manifests/monitor/splunk/forwarder.pp
@@ -40,7 +40,11 @@
   Integer               $log_keep_count      = 5,
   Eit_types::Bytes      $log_max_file_size_b = 25000000,
   Boolean               $enable              = false,
+  Boolean               $manage              = false,
   Eit_types::Noop_Value $noop_value          = undef,
 ) {
-  contain profile::collector::splunk::forwarder
+ 
+  if $manage {
+    contain profile::collector::splunk::forwarder
+  }
 }
diff --git a/modules/enableit/common/manifests/software.pp b/modules/enableit/common/manifests/software.pp
index 5a1ab9a97..76c7cac00 100644
--- a/modules/enableit/common/manifests/software.pp
+++ b/modules/enableit/common/manifests/software.pp
@@ -75,6 +75,6 @@
   }
 
   if lookup('common::software::nivisa::manage', Boolean, undef, false) {
-    include common::software::openvmtools
+    include common::software::nivisa
   }
 }
diff --git a/modules/enableit/common/manifests/software/nivisa.pp b/modules/enableit/common/manifests/software/nivisa.pp
index 0b9434f81..e906fadf3 100644
--- a/modules/enableit/common/manifests/software/nivisa.pp
+++ b/modules/enableit/common/manifests/software/nivisa.pp
@@ -14,6 +14,6 @@
           $facts['os']['release']['major'] != 7,
           'Only el7 supported')
   if $enable {
-    profile::nivisa.include
+    profile::software::nivisa.include
   }
 }
diff --git a/modules/enableit/eit_haproxy/manifests/basic_config.pp b/modules/enableit/eit_haproxy/manifests/basic_config.pp
index 3e0154f15..fa15927af 100644
--- a/modules/enableit/eit_haproxy/manifests/basic_config.pp
+++ b/modules/enableit/eit_haproxy/manifests/basic_config.pp
@@ -210,7 +210,7 @@
 
     if $use_lets_encrypt and !$_use_native_acme {
       sort_domains_on_tld($alldomains, $public_ips).each |$cn, $san| {
-        profile::certs::letsencrypt::domain { $cn:
+        profile::system::certs::letsencrypt::domain { $cn:
           domains             => $san,
           deploy_hook_command => '/opt/obmondo/bin/letsencrypt_deploy_hook.sh',
           cert_host           => '0.0.0.0',
diff --git a/modules/enableit/profile/REFERENCE.md b/modules/enableit/profile/REFERENCE.md
index 40be10134..7697b1968 100644
--- a/modules/enableit/profile/REFERENCE.md
+++ b/modules/enableit/profile/REFERENCE.md
@@ -10,7 +10,7 @@
 * [`profile::appeng::phpfpm`](#profile--appeng--phpfpm): PHPFPm profile
 * [`profile::backup::netbackup`](#profile--backup--netbackup): NetBackup
 * [`profile::bind`](#profile--bind): Bind Profile
-* [`profile::certs::letsencrypt`](#profile--certs--letsencrypt): LetsEncrupt CA Signing
+* [`profile::system::certs::letsencrypt`](#profile--certs--letsencrypt): LetsEncrupt CA Signing
 * [`profile::ci::jenkins`](#profile--ci--jenkins): jenkins profile
 * [`profile::communication::murmur`](#profile--communication--murmur): Mumble fails on lxc because of avahi-daemon which fails getting installed under lxc. Here is the work around. https://lists.linuxcontainers.o
 * [`profile::communication::thinlinc`](#profile--communication--thinlinc): thinlinc  https://www.cendio.com/resources/docs/tag/ch06s02.html
@@ -149,9 +149,9 @@
 
 ### Defined types
 
-* [`profile::certs::ca_cert`](#profile--certs--ca_cert): CA Cert
-* [`profile::certs::letsencrypt::domain`](#profile--certs--letsencrypt--domain): Certificates NOTE: only haproxy role support letsencrypt for now blackbox will scrape the domains if its given in the role::web::haproxy
-* [`profile::certs::manual`](#profile--certs--manual): Manual certificate TODO: lets not accept expired cert from users. need to update the underlying module openssl::cert_date_valid($_cert_file)
+* [`profile::system::certs::ca_cert`](#profile--certs--ca_cert): CA Cert
+* [`profile::system::certs::letsencrypt::domain`](#profile--certs--letsencrypt--domain): Certificates NOTE: only haproxy role support letsencrypt for now blackbox will scrape the domains if its given in the role::web::haproxy
+* [`profile::system::certs::manual`](#profile--certs--manual): Manual certificate TODO: lets not accept expired cert from users. need to update the underlying module openssl::cert_date_valid($_cert_file)
 * [`profile::system::cron::job`](#profile--cron--job): Wrapper that escapes cron command for easy use
 * [`profile::storage::mount`](#profile--storage--mount): regular mount
 * [`profile::storage::nfs::server::export`](#profile--storage--nfs--server--export): nfs export
@@ -414,13 +414,13 @@ Default value: `$::common::backup::netbackup::ca_cert`
 
 Bind Profile
 
-### <a name="profile--certs--letsencrypt"></a>`profile::certs::letsencrypt`
+### <a name="profile--certs--letsencrypt"></a>`profile::system::certs::letsencrypt`
 
 LetsEncrupt CA Signing
 
 #### Parameters
 
-The following parameters are available in the `profile::certs::letsencrypt` class:
+The following parameters are available in the `profile::system::certs::letsencrypt` class:
 
 * [`email`](#-profile--certs--letsencrypt--email)
 * [`epel`](#-profile--certs--letsencrypt--epel)
@@ -10256,13 +10256,13 @@ Default value: `'nginx'`
 
 ## Defined types
 
-### <a name="profile--certs--ca_cert"></a>`profile::certs::ca_cert`
+### <a name="profile--certs--ca_cert"></a>`profile::system::certs::ca_cert`
 
 CA Cert
 
 #### Parameters
 
-The following parameters are available in the `profile::certs::ca_cert` defined type:
+The following parameters are available in the `profile::system::certs::ca_cert` defined type:
 
 * [`source`](#-profile--certs--ca_cert--source)
 * [`content`](#-profile--certs--ca_cert--content)
@@ -10292,7 +10292,7 @@ Data type: `Optional[Eit_types::Cert::Update]`
 
 Default value: `undef`
 
-### <a name="profile--certs--letsencrypt--domain"></a>`profile::certs::letsencrypt::domain`
+### <a name="profile--certs--letsencrypt--domain"></a>`profile::system::certs::letsencrypt::domain`
 
 Certificates
 NOTE: only haproxy role support letsencrypt for now
@@ -10300,7 +10300,7 @@ blackbox will scrape the domains if its given in the role::web::haproxy
 
 #### Parameters
 
-The following parameters are available in the `profile::certs::letsencrypt::domain` defined type:
+The following parameters are available in the `profile::system::certs::letsencrypt::domain` defined type:
 
 * [`email`](#-profile--certs--letsencrypt--domain--email)
 * [`ca`](#-profile--certs--letsencrypt--domain--ca)
@@ -10409,7 +10409,7 @@ Data type: `Optional[Array[Variant[Eit_types::Certname, Eit_types::Host]]]`
 
 Default value: `$::common::system::certs::letsencrypt::distribute_to`
 
-### <a name="profile--certs--manual"></a>`profile::certs::manual`
+### <a name="profile--certs--manual"></a>`profile::system::certs::manual`
 
 Manual certificate
 TODO: lets not accept expired cert from users.
@@ -10418,7 +10418,7 @@ openssl::cert_date_valid($_cert_file)
 
 #### Parameters
 
-The following parameters are available in the `profile::certs::manual` defined type:
+The following parameters are available in the `profile::system::certs::manual` defined type:
 
 * [`key`](#-profile--certs--manual--key)
 * [`cert`](#-profile--certs--manual--cert)
diff --git a/modules/enableit/profile/manifests/software/nivisa.pp b/modules/enableit/profile/manifests/software/nivisa.pp
index b571b216f..9fb9d74bf 100644
--- a/modules/enableit/profile/manifests/software/nivisa.pp
+++ b/modules/enableit/profile/manifests/software/nivisa.pp
@@ -1,6 +1,6 @@
 # NI-VISA Profile
 class profile::software::nivisa (
-  Boolean $enable = $common::extras::computing::nivisa::enable,
+  Boolean $enable = $common::software::nivisa::enable,
 ) {
 
   eit_repos::yum::ni_visa.include
diff --git a/modules/enableit/profile/manifests/system/authentication/sssd.pp b/modules/enableit/profile/manifests/system/authentication/sssd.pp
index 8794a1baa..02ddb2bfd 100644
--- a/modules/enableit/profile/manifests/system/authentication/sssd.pp
+++ b/modules/enableit/profile/manifests/system/authentication/sssd.pp
@@ -204,13 +204,6 @@
         notify  => Service['sssd'],
       }
 
-      # Manage the service state
-      service { 'sssd':
-        ensure => 'running',
-        enable => true,
-        noop   => $noop_value,
-      }
-
       if $_sssd_sockets_supported {
         $_enable_socket_services = ensure_service($enable)
 
diff --git a/modules/enableit/profile/manifests/certs/ca_cert.pp b/modules/enableit/profile/manifests/system/certs/ca_cert.pp
similarity index 90%
rename from modules/enableit/profile/manifests/certs/ca_cert.pp
rename to modules/enableit/profile/manifests/system/certs/ca_cert.pp
index d67b48443..2e1bec355 100644
--- a/modules/enableit/profile/manifests/certs/ca_cert.pp
+++ b/modules/enableit/profile/manifests/system/certs/ca_cert.pp
@@ -1,5 +1,5 @@
 # CA Cert
-define profile::certs::ca_cert (
+define profile::system::certs::ca_cert (
   Optional[Eit_Files::Source]       $source  = undef,
   Optional[String]                  $content = undef,
   Optional[Eit_types::Cert::Update] $update  = undef,
diff --git a/modules/enableit/profile/manifests/certs/letsencrypt.pp b/modules/enableit/profile/manifests/system/certs/letsencrypt.pp
similarity index 98%
rename from modules/enableit/profile/manifests/certs/letsencrypt.pp
rename to modules/enableit/profile/manifests/system/certs/letsencrypt.pp
index cec6dbd6b..fcb2c025c 100644
--- a/modules/enableit/profile/manifests/certs/letsencrypt.pp
+++ b/modules/enableit/profile/manifests/system/certs/letsencrypt.pp
@@ -1,5 +1,5 @@
 # LetsEncrupt CA Signing
-class profile::certs::letsencrypt (
+class profile::system::certs::letsencrypt (
   Eit_types::Email $email          = $::common::system::certs::letsencrypt::email,
   Boolean          $epel           = false,
   Enum[
diff --git a/modules/enableit/profile/manifests/certs/letsencrypt/domain.pp b/modules/enableit/profile/manifests/system/certs/letsencrypt/domain.pp
similarity index 97%
rename from modules/enableit/profile/manifests/certs/letsencrypt/domain.pp
rename to modules/enableit/profile/manifests/system/certs/letsencrypt/domain.pp
index 1243ca5a9..de1f1156f 100644
--- a/modules/enableit/profile/manifests/certs/letsencrypt/domain.pp
+++ b/modules/enableit/profile/manifests/system/certs/letsencrypt/domain.pp
@@ -1,7 +1,7 @@
 # Certificates
 # NOTE: only haproxy role support letsencrypt for now
 # blackbox will scrape the domains if its given in the role::web::haproxy
-define profile::certs::letsencrypt::domain (
+define profile::system::certs::letsencrypt::domain (
   Eit_types::Email                                               $email               = $::common::system::certs::letsencrypt::email,
   Enum[
     'production',
@@ -18,7 +18,7 @@
   Optional[Array[Variant[Eit_types::Certname, Eit_types::Host]]] $distribute_to       = $::common::system::certs::letsencrypt::distribute_to, # lint:ignore:140chars
 ) {
 
-  include ::profile::certs::letsencrypt
+  include ::profile::system::certs::letsencrypt
 
   # The rejected_domains comes from the function sort_domains_on_tld
   if $name == 'rejected_domains' {
diff --git a/modules/enableit/profile/manifests/certs/manual.pp b/modules/enableit/profile/manifests/system/certs/manual.pp
similarity index 97%
rename from modules/enableit/profile/manifests/certs/manual.pp
rename to modules/enableit/profile/manifests/system/certs/manual.pp
index 02143bcb3..27188bf14 100644
--- a/modules/enableit/profile/manifests/certs/manual.pp
+++ b/modules/enableit/profile/manifests/system/certs/manual.pp
@@ -2,7 +2,7 @@
 # TODO: lets not accept expired cert from users.
 # need to update the underlying module
 # openssl::cert_date_valid($_cert_file)
-define profile::certs::manual (
+define profile::system::certs::manual (
   String               $key,
   String               $cert,
   Stdlib::Absolutepath $base_dir_parts,