diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,16 @@
 # Changelog
 
-## [15.0.0](https://github.com/theforeman/puppet-puppet/tree/15.0.0) (2021-04-26)
+## [15.1.0](https://github.com/theforeman/puppet-puppet/tree/15.1.0) (2021-07-26)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/15.0.0...15.1.0)
+
+**Implemented enhancements:**
+
+- Allow camptocamp/systemd 3.x + use it for timers [\#790](https://github.com/theforeman/puppet-puppet/pull/790) ([ekohl](https://github.com/ekohl))
+- Allow Puppet 7 compatible versions of puppetlabs mods [\#788](https://github.com/theforeman/puppet-puppet/pull/788) ([ekohl](https://github.com/ekohl))
+- Support Puppet 7 [\#779](https://github.com/theforeman/puppet-puppet/pull/779) ([ekohl](https://github.com/ekohl))
+
+## [15.0.0](https://github.com/theforeman/puppet-puppet/tree/15.0.0) (2021-04-27)
 
 [Full Changelog](https://github.com/theforeman/puppet-puppet/compare/14.2.1...15.0.0)
 

diff --git a/Gemfile b/Gemfile
@@ -17,7 +17,7 @@ gem 'voxpupuli-test', '~> 1.4'
 gem 'github_changelog_generator', '>= 1.15.0', {"groups"=>["development"]}
 gem 'puppet_metadata', '~> 0.3'
 gem 'puppet-blacksmith', '>= 6.0.0', {"groups"=>["development"]}
-gem 'voxpupuli-acceptance', '~> 0.3', {"groups"=>["system_tests"]}
+gem 'voxpupuli-acceptance', '~> 1.0', {"groups"=>["system_tests"]}
 gem 'hocon'
 
 # vim:ft=ruby
diff --git a/README.md b/README.md
@@ -18,6 +18,16 @@ class documentation provided at the top of the manifests. In addition, there
 are hash parameters for each configuration section that can be used to supply
 any options that are not explicitly supported.
 
+## Upgrading from Puppetserver 6 to 7
+
+Puppetserver 7 moves the CA files from ssldir to its own. To move the existing
+files, `puppetserver ca migrate` can be used but this requires the puppetserver
+to be stopped. The module does run this command if needed, but doesn't stop the
+service so the application will fail.
+
+It is recommended to run this command directly after updating the packages. It
+leaves a symlink so the old config should continue to work.
+
 ## Environments support
 
 The module helps configure Puppet environments using directory environments.

diff --git a/manifests/agent/service/systemd.pp b/manifests/agent/service/systemd.pp
@@ -6,69 +6,22 @@
   Optional[Integer[0,59]] $minute  = undef,
 ) {
   unless $puppet::runmode == 'unmanaged' or 'systemd.timer' in $puppet::unavailable_runmodes {
-    exec { 'systemctl-daemon-reload-puppet':
-      refreshonly => true,
-      path        => $::path,
-      command     => 'systemctl daemon-reload',
-    }
-
-    if $enabled {
-      # Use the same times as for cron
-      $times = extlib::ip_to_cron($puppet::runinterval)
-
-      # But only if they are not explicitly specified
-      $_hour = pick($hour, $times[0])
-      $_minute = pick($minute, $times[1])
-
-      $command = $puppet::systemd_cmd ? {
-        undef   => "${puppet::puppet_cmd} agent --config ${puppet::dir}/puppet.conf --onetime --no-daemonize --detailed-exitcode --no-usecacheonfailure",
-        default => $puppet::systemd_cmd,
-      }
-
-      $randomizeddelaysec = $puppet::systemd_randomizeddelaysec
-
-      file { "/etc/systemd/system/${puppet::systemd_unit_name}.timer":
-        content => template('puppet/agent/systemd.puppet-run.timer.erb'),
-        notify  => [
-          Exec['systemctl-daemon-reload-puppet'],
-          Service['puppet-run.timer'],
-        ],
-      }
-
-      file { "/etc/systemd/system/${puppet::systemd_unit_name}.service":
-        content => template('puppet/agent/systemd.puppet-run.service.erb'),
-        notify  => Exec['systemctl-daemon-reload-puppet'],
-      }
-
-      service { 'puppet-run.timer':
-        ensure   => running,
-        provider => 'systemd',
-        name     => "${puppet::systemd_unit_name}.timer",
-        enable   => true,
-        require  => Exec['systemctl-daemon-reload-puppet'],
-      }
-    } else {
-      # Reverse order - stop, delete files, exec
-      service { 'puppet-run.timer':
-        ensure   => stopped,
-        provider => 'systemd',
-        name     => "${puppet::systemd_unit_name}.timer",
-        enable   => false,
-        before   => [
-          File["/etc/systemd/system/${puppet::systemd_unit_name}.timer"],
-          File["/etc/systemd/system/${puppet::systemd_unit_name}.service"],
-        ],
-      }
-
-      file { "/etc/systemd/system/${puppet::systemd_unit_name}.timer":
-        ensure => absent,
-        notify => Exec['systemctl-daemon-reload-puppet'],
-      }
-
-      file { "/etc/systemd/system/${puppet::systemd_unit_name}.service":
-        ensure => absent,
-        notify => Exec['systemctl-daemon-reload-puppet'],
-      }
+    # Use the same times as for cron
+    $times = extlib::ip_to_cron($puppet::runinterval)
+
+    # But only if they are not explicitly specified
+    $_hour = pick($hour, $times[0])
+    $_minute = pick($minute, $times[1])
+
+    $command = pick($puppet::systemd_cmd, "${puppet::puppet_cmd} agent --config ${puppet::dir}/puppet.conf --onetime --no-daemonize --detailed-exitcode --no-usecacheonfailure")
+    $randomizeddelaysec = $puppet::systemd_randomizeddelaysec
+
+    systemd::timer { "${puppet::systemd_unit_name}.timer":
+      ensure          => bool2str($enabled, 'present', 'absent'),
+      active          => $enabled,
+      enable          => $enabled,
+      timer_content   => template('puppet/agent/systemd.puppet-run.timer.erb'),
+      service_content => template('puppet/agent/systemd.puppet-run.service.erb'),
     }
   }
 }
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -99,7 +99,15 @@
       }
     }
   }
-  ~> file { "${puppet_dir}/auth.conf":
-    content => template($auth_template),
+
+  if versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
+    file { "${puppet_dir}/auth.conf":
+      ensure => absent,
+    }
+  } else {
+    file { "${puppet_dir}/auth.conf":
+      ensure  => file,
+      content => template($auth_template),
+    }
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -416,6 +416,7 @@
 #
 # $server_use_legacy_auth_conf::            Should the puppetserver use the legacy puppet auth.conf?
 #                                           Defaults to false (the puppetserver will use its own conf.d/auth.conf)
+#                                           Note that Puppetserver 7 has dropped this option.
 #
 # $server_check_for_updates::               Should the puppetserver phone home to check for available updates?
 #                                           Defaults to true

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -176,12 +176,9 @@
   if $facts['os']['family'] == 'Windows' {
     $dir_owner = undef
     $dir_group = undef
-  } elsif $aio_package or $facts['os']['family'] == 'Suse' {
+  } else {
     $dir_owner = 'root'
     $dir_group = $root_group
-  } else {
-    $dir_owner = $user
-    $dir_group = $group
   }
 
   $package_provider = $facts['os']['family'] ? {
@@ -404,7 +401,7 @@
     'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
   ]
   $server_ssl_protocols                   = [ 'TLSv1.2' ]
-  $server_ssl_chain_filepath              = "${server_ssl_dir}/ca/ca_crt.pem"
+  $server_ssl_chain_filepath              = undef
   $server_check_for_updates               = true
   $server_environment_class_cache_enabled = false
   $server_allow_header_cert_info          = false

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -246,6 +246,7 @@
 #
 # $use_legacy_auth_conf::              Should the puppetserver use the legacy puppet auth.conf?
 #                                      Defaults to false (the puppetserver will use its own conf.d/auth.conf)
+#                                      Note that Puppetserver 7 has dropped support for this.
 #
 # $check_for_updates::                 Should the puppetserver phone home to check for available updates?
 #
@@ -450,10 +451,30 @@
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
 ) {
+  # For Puppetserver, certain configuration parameters are version specific. We
+  # assume a particular version here.
+  if $puppetserver_version {
+    $real_puppetserver_version = $puppetserver_version
+  } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
+    $real_puppetserver_version = '7.0.0'
+  } elsif versioncmp($facts['puppetversion'], '6.11.0') >= 0 {
+    $real_puppetserver_version = '6.11.0'
+  } elsif versioncmp($facts['puppetversion'], '6.0.0') >= 0 {
+    $real_puppetserver_version = '6.0.0'
+  } else {
+    $real_puppetserver_version = '5.3.6'
+  }
+
+  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
+    $cadir = "${puppetserver_dir}/ca"
+  } else {
+    $cadir = "${ssl_dir}/ca"
+  }
+
   if $ca {
-    $ssl_ca_cert     = "${ssl_dir}/ca/ca_crt.pem"
-    $ssl_ca_crl      = "${ssl_dir}/ca/ca_crl.pem"
-    $ssl_chain       = $ssl_chain_filepath
+    $ssl_ca_cert     = "${cadir}/ca_crt.pem"
+    $ssl_ca_crl      = "${cadir}/ca_crl.pem"
+    $ssl_chain       = pick($ssl_chain_filepath, "${cadir}/ca_crt.pem")
     $crl_enable_real = pick($crl_enable, true)
   } else {
     $ssl_ca_cert     = "${ssl_dir}/certs/ca.pem"
@@ -475,14 +496,10 @@
     $config_version_cmd = $config_version
   }
 
-  # For Puppetserver, certain configuration parameters are version specific. We
-  # assume a particular version here.
-  if $puppetserver_version {
-    $real_puppetserver_version = $puppetserver_version
-  } elsif versioncmp($::puppetversion, '6.0.0') >= 0 {
-    $real_puppetserver_version = '6.0.0'
-  } else  {
-    $real_puppetserver_version = '5.3.6'
+  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
+    if $use_legacy_auth_conf {
+      fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7')
+    }
   }
 
   if $jvm_extra_args {

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -44,7 +44,7 @@
   }
 
   if $trusted_external_command {
-    if versioncmp($::puppetversion, '6.11') < 0 {
+    if versioncmp($puppet::server::real_puppetserver_version, '6.11') < 0 {
       fail('$server_trusted_external_command is only available for Puppet > 6.11')
     }
     puppet::config::master {
@@ -157,7 +157,7 @@
 
   # Generate a new CA and host cert if our host cert doesn't exist
   if $puppet::server::ca {
-    if versioncmp($::puppetversion, '6.0') > 0 {
+    if versioncmp($puppet::server::real_puppetserver_version, '6.0') > 0 {
       $creates = $puppet::server::ssl_ca_cert
       $command = "${puppet::puppetserver_cmd} ca setup"
     } else {
@@ -174,6 +174,19 @@
         Exec['puppet_server_config-create_ssl_dir'],
       ],
     }
+
+    # In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca
+    # This migrates the directory if it was in the old location
+    # The migration command leaves a symlink in place
+    if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 {
+      exec { 'migrate Puppetserver cadir':
+        command => "${puppet::puppetserver_cmd} ca migrate",
+        creates => $puppet::server::cadir,
+        onlyif  => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'",
+        path    => $::path,
+        before  => Exec['puppet_server_config-generate_ca_cert'],
+      }
+    }
   } elsif $puppet::server::ca_crl_sync {
     # If not a ca AND sync the crl from the ca master
     if defined('$::servername') {

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-puppet",
-  "version": "15.0.0",
+  "version": "15.1.0",
   "author": "theforeman",
   "summary": "Puppet agent and server configuration",
   "license": "GPL-3.0+",
@@ -17,25 +17,25 @@
   "dependencies": [
     {
       "name": "puppetlabs/concat",
-      "version_requirement": ">= 4.1.0 < 7.0.0"
+      "version_requirement": ">= 4.1.0 < 8.0.0"
     },
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 4.18.0 < 7.0.0"
+      "version_requirement": ">= 4.18.0 < 8.0.0"
     },
     {
       "name": "puppet/extlib",
       "version_requirement": ">= 3.0.0 < 6.0.0"
     },
     {
       "name": "camptocamp/systemd",
-      "version_requirement": ">= 2.9.0 < 3.0.0"
+      "version_requirement": ">= 2.9.0 < 4.0.0"
     }
   ],
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 5.5.8 < 7.0.0"
+      "version_requirement": ">= 5.5.8 < 8.0.0"
     }
   ],
   "operatingsystem_support": [

diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
@@ -0,0 +1,8 @@
+---
+puppet::server_foreman: false
+puppet::server_reports: 'store'
+puppet::server_external_nodes: ''
+# only for install test - don't think to use this in production!
+# https://docs.puppet.com/puppetserver/latest/tuning_guide.html
+puppet::server_jvm_max_heap_size: '256m'
+puppet::server_jvm_min_heap_size: '256m'
diff --git a/spec/acceptance/puppet_spec.rb b/spec/acceptance/puppet_spec.rb
@@ -5,9 +5,9 @@
     on default, puppet('resource', 'service', 'puppet', 'ensure=stopped', 'enable=false')
   end
 
-  let(:pp) { 'include puppet' }
-
-  it_behaves_like 'a idempotent resource'
+  it_behaves_like 'an idempotent resource' do
+    let(:manifest) { 'include puppet' }
+  end
 
   describe service('puppet') do
     it { is_expected.to be_running }

diff --git a/spec/acceptance/puppetserver_config_spec.rb b/spec/acceptance/puppetserver_config_spec.rb