diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,8 +3,6 @@ name: CI
 
 on:
   pull_request:
-  schedule:
-    - cron: '4 4 * * *'
 
 
 concurrency:
@@ -14,7 +12,7 @@ concurrency:
 jobs:
   puppet:
     name: Puppet
-    uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1
+    uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2
     with:
       pidfile_workaround: 'true'
       rubocop: false

diff --git a/.gitignore b/.gitignore
@@ -29,7 +29,8 @@ vendor/
 .ruby-*
 
 ## rspec
-spec/fixtures/
+spec/fixtures/manifests
+spec/fixtures/modules
 junit/
 
 ## Puppet module

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Changelog
 
+## [19.0.0](https://github.com/theforeman/puppet-puppet/tree/19.0.0) (2023-11-14)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/18.0.0...19.0.0)
+
+**Breaking changes:**
+
+- Update to puppetlabs-stdlib 9.x, allow puppetlabs-concat 9.x & puppet-extlib 7.x [\#898](https://github.com/theforeman/puppet-puppet/pull/898) ([ekohl](https://github.com/ekohl))
+- Drop Debian 10 & Ubuntu 18.04 [\#889](https://github.com/theforeman/puppet-puppet/pull/889) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- Add Debian 12 support [\#896](https://github.com/theforeman/puppet-puppet/pull/896) ([evgeni](https://github.com/evgeni))
+- Add Ubuntu 22.04 support [\#895](https://github.com/theforeman/puppet-puppet/pull/895) ([evgeni](https://github.com/evgeni))
+- set PrivateTmp=true for puppetserver [\#892](https://github.com/theforeman/puppet-puppet/pull/892) ([evgeni](https://github.com/evgeni))
+- Test puppetserver on Debian 11 [\#890](https://github.com/theforeman/puppet-puppet/pull/890) ([ekohl](https://github.com/ekohl))
+- Allow disabling CRL checking on agent [\#887](https://github.com/theforeman/puppet-puppet/pull/887) ([cm-jc](https://github.com/cm-jc))
+- Allow puppet/systemd 5.x and 6.x [\#886](https://github.com/theforeman/puppet-puppet/pull/886) ([evgeni](https://github.com/evgeni))
+- Add Puppet 8 support [\#884](https://github.com/theforeman/puppet-puppet/pull/884) ([bastelfreak](https://github.com/bastelfreak))
+
+**Fixed bugs:**
+
+- Fix CentOS 9 support in metadata.json [\#893](https://github.com/theforeman/puppet-puppet/pull/893) ([evgeni](https://github.com/evgeni))
+
 ## [18.0.0](https://github.com/theforeman/puppet-puppet/tree/18.0.0) (2023-08-16)
 
 [Full Changelog](https://github.com/theforeman/puppet-puppet/compare/17.1.0...18.0.0)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -194,7 +194,7 @@ More filter info available [here](https://relishapp.com/rspec/rspec-core/v/3-9/d
 To run OS specific tests:
 
 ```shell
-SPEC_FACTS_OS=redhat-7-x86_64 bundle exec rspec spec/classes/foreman_spec.rb
+SPEC_FACTS_OS=redhat-8-x86_64 bundle exec rspec spec/classes/foreman_spec.rb
 ```
 
 If you have more than one version of `redhat` OS specified in metadata.json,

diff --git a/Gemfile b/Gemfile
@@ -3,25 +3,17 @@
 
 source 'https://rubygems.org'
 
-gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '>= 5.5', groups: ['development', 'test']
+gem 'puppet', ENV.fetch('PUPPET_GEM_VERSION', '>= 7'), groups: ['development', 'test']
 gem 'rake'
 
 gem 'kafo_module_lint', {"groups"=>["test"]}
-gem 'puppet-lint-empty_string-check', {"groups"=>["test"]}
-gem 'puppet-lint-file_ensure-check', {"groups"=>["test"]}
-gem 'puppet-lint-param-docs', '>= 1.3.0', {"groups"=>["test"]}
-gem 'puppet-lint-spaceship_operator_without_tag-check', {"groups"=>["test"]}
-gem 'puppet-lint-strict_indent-check', {"groups"=>["test"]}
-gem 'puppet-lint-undef_in_function-check', {"groups"=>["test"]}
-gem 'voxpupuli-test', '~> 5.0', {"groups"=>["test"]}
+gem 'puppet-lint-spaceship_operator_without_tag-check', '~> 1.0', {"groups"=>["test"]}
+gem 'voxpupuli-test', '~> 7.0', {"groups"=>["test"]}
 gem 'github_changelog_generator', '>= 1.15.0', {"groups"=>["development"]}
-gem 'puppet_metadata', '~> 1.3'
+gem 'puppet_metadata', '~> 3.4'
 gem 'puppet-blacksmith', '>= 6.0.0', {"groups"=>["development"]}
-gem 'voxpupuli-acceptance', '~> 1.0', {"groups"=>["system_tests"]}
+gem 'voxpupuli-acceptance', '~> 2.0', {"groups"=>["system_tests"]}
 gem 'puppetlabs_spec_helper', {"groups"=>["system_tests"]}
 gem 'hocon'
 
-# Pin rdoc to prevent updating bundled psych (https://github.com/ruby/rdoc/commit/ebe185c8775b2afe844eb3da6fa78adaa79e29a4)
-gem 'rdoc', '< 6.4'
-
 # vim:ft=ruby
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -6,6 +6,7 @@
   $auth_allowed          = $puppet::auth_allowed,
   $ca_server             = $puppet::ca_server,
   $ca_port               = $puppet::ca_port,
+  $certificate_revocation = $puppet::certificate_revocation,
   $dns_alt_names         = $puppet::dns_alt_names,
   $module_repository     = $puppet::module_repository,
   $pluginsource          = $puppet::pluginsource,
@@ -39,6 +40,9 @@
   if $ca_port {
     puppet::config::main { 'ca_port': value => $ca_port; }
   }
+  if $certificate_revocation != undef {
+    puppet::config::main { 'certificate_revocation': value => $certificate_revocation; }
+  }
   if $dns_alt_names and !empty($dns_alt_names) {
     puppet::config::main { 'dns_alt_names': value => $dns_alt_names; }
   }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -89,6 +89,9 @@
 # $ca_crl_filepath::                        Path to CA CRL file, dynamically resolves based on
 #                                           $::server_ca status.
 #
+# $certificate_revocation::                 Whether certificate revocation checking should be
+#                                           enabled, and what level of checking should be performed
+#
 # $dns_alt_names::                          Use additional DNS names when generating a
 #                                           certificate.  Defaults to an empty Array.
 #
@@ -611,6 +614,7 @@
   Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server,
   Optional[Stdlib::Port] $ca_port = $puppet::params::ca_port,
   Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath,
+  Optional[Variant[Boolean, Enum['chain', 'leaf']]] $certificate_revocation = $puppet::params::certificate_revocation,
   Optional[String] $prerun_command = $puppet::params::prerun_command,
   Optional[String] $postrun_command = $puppet::params::postrun_command,
   Array[String] $dns_alt_names = $puppet::params::dns_alt_names,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -27,6 +27,7 @@
   $ca_server           = undef
   $ca_port             = undef
   $ca_crl_filepath     = undef
+  $certificate_revocation = undef
   $server_crl_enable   = undef
   $prerun_command      = undef
   $postrun_command     = undef

diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -214,6 +214,14 @@
         unit     => 'puppetserver.service',
         content  => "[Service]\nLimitNOFILE=${max_open_files}\n",
       }
+
+      # https://github.com/puppetlabs/ezbake/pull/623
+      systemd::dropin_file { 'puppetserver.service-privatetmp.conf':
+        ensure   => present,
+        filename => 'privatetmp.conf',
+        unit     => 'puppetserver.service',
+        content  => "[Service]\nPrivateTmp=true\n",
+      }
     } else {
       file_line { 'puppet::server::puppetserver::max_open_files':
         ensure => $ensure_max_open_files,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-puppet",
-  "version": "18.0.0",
+  "version": "19.0.0",
   "author": "theforeman",
   "summary": "Puppet agent and server configuration",
   "license": "GPL-3.0+",
@@ -17,25 +17,25 @@
   "dependencies": [
     {
       "name": "puppetlabs/concat",
-      "version_requirement": ">= 4.1.0 < 9.0.0"
+      "version_requirement": ">= 4.1.0 < 10.0.0"
     },
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 4.18.0 < 9.0.0"
+      "version_requirement": ">= 9.0.0 < 10.0.0"
     },
     {
       "name": "puppet/extlib",
-      "version_requirement": ">= 3.0.0 < 7.0.0"
+      "version_requirement": ">= 3.0.0 < 8.0.0"
     },
     {
       "name": "puppet/systemd",
-      "version_requirement": ">= 2.9.0 < 5.0.0"
+      "version_requirement": ">= 2.9.0 < 7.0.0"
     }
   ],
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 8.0.0"
+      "version_requirement": ">= 7.0.0 < 9.0.0"
     }
   ],
   "operatingsystem_support": [
@@ -52,7 +52,7 @@
       "operatingsystemrelease": [
         "7",
         "8",
-        "8"
+        "9"
       ]
     },
     {
@@ -70,15 +70,15 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "10",
-        "11"
+        "11",
+        "12"
       ]
     },
     {
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
-        "18.04",
-        "20.04"
+        "20.04",
+        "22.04"
       ]
     },
     {

diff --git a/spec/acceptance/puppet_spec.rb b/spec/acceptance/puppet_spec.rb
@@ -2,7 +2,7 @@
 
 describe 'Scenario: install puppet' do
   before(:context) do
-    on default, puppet('resource', 'service', 'puppet', 'ensure=stopped', 'enable=false')
+    on default, 'puppet resource service puppet ensure=stopped enable=false'
   end
 
   it_behaves_like 'an idempotent resource' do

diff --git a/spec/acceptance/puppetserver_latest_spec.rb b/spec/acceptance/puppetserver_latest_spec.rb
@@ -3,7 +3,7 @@
 describe 'Scenario: install puppetserver (latest):', unless: unsupported_puppetserver do
   before(:all) do
     if check_for_package(default, 'puppetserver')
-      on default, puppet('resource package puppetserver ensure=purged')
+      on default, 'puppet resource package puppetserver ensure=purged'
       on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver'
       on default, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete'
     end

diff --git a/spec/acceptance/puppetserver_upgrade_spec.rb b/spec/acceptance/puppetserver_upgrade_spec.rb
@@ -1,84 +1,89 @@
 require 'spec_helper_acceptance'
 
-describe 'Scenario: minor version upgrade', unless: unsupported_puppetserver do
-  before(:all) do
-    if check_for_package(default, 'puppetserver')
-      on default, puppet('resource package puppetserver ensure=purged')
-      on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver'
-      on default, 'rm -rf /etc/puppetlabs/puppet/ssl'
-    end
+unless unsupported_puppetserver || unsupported_puppetserver_upgrade
+  describe 'Scenario: minor version upgrade' do
+    before(:all) do
+      if check_for_package(default, 'puppetserver')
+        on default, 'puppet resource package puppetserver ensure=purged'
+        on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver'
+        on default, 'rm -rf /etc/puppetlabs/puppet/ssl'
+      end
 
-    # puppetserver won't start with low memory
-    memoryfree_mb = fact('memoryfree_mb').to_i
-    raise 'At least 256MB free memory required' if memoryfree_mb < 256
-  end
+      # puppetserver won't start with low memory
+      memoryfree_mb = fact('memoryfree_mb').to_i
+      raise 'At least 256MB free memory required' if memoryfree_mb < 256
+    end
 
-  case ENV['BEAKER_PUPPET_COLLECTION']
-  when 'puppet7'
-    from_version = '7.0.0'
-    to_version = '7.2.0'
-  else
-    raise 'Unsupported Puppet collection'
-  end
+    case ENV['BEAKER_PUPPET_COLLECTION']
+    when 'puppet8'
+      from_version = '8.2.0'
+      to_version = '8.3.0'
+    when 'puppet7'
+      from_version = '7.6.0'
+      to_version = '7.13.0'
+    else
+      raise 'Unsupported Puppet collection'
+    end
 
-  case fact('osfamily')
-  when 'Debian'
-    from_version_exact = "#{from_version}-1#{fact('os.distro.codename')}"
-    to_version_exact = "#{to_version}-1#{fact('os.distro.codename')}"
-  else
-    from_version_exact = from_version
-    to_version_exact = to_version
-  end
+    case fact('osfamily')
+    when 'Debian'
+      from_version_exact = "#{from_version}-1#{fact('os.distro.codename')}"
+      to_version_exact = "#{to_version}-1#{fact('os.distro.codename')}"
+    else
+      from_version_exact = from_version
+      to_version_exact = to_version
+    end
 
-  context "install #{from_version}" do
-    it_behaves_like 'an idempotent resource' do
-      let(:manifest) do
-        <<-EOS
-        class { 'puppet':
-          server         => true,
-          server_version => '#{from_version_exact}',
-        }
-        EOS
+    context "install #{from_version}" do
+      it_behaves_like 'an idempotent resource' do
+        let(:manifest) do
+          <<-EOS
+          class { 'puppet':
+            server         => true,
+            server_version => '#{from_version_exact}',
+          }
+          EOS
+        end
       end
-    end
 
-    describe command('puppetserver --version') do
-      its(:stdout) { is_expected.to match("puppetserver version: #{from_version}\n") }
-    end
+      describe command('puppetserver --version') do
+        its(:stdout) { is_expected.to match("puppetserver version: #{from_version}\n") }
+      end
 
-    describe service('puppetserver') do
-      it { is_expected.to be_enabled }
-      it { is_expected.to be_running }
-    end
+      describe service('puppetserver') do
+        it { is_expected.to be_enabled }
+        it { is_expected.to be_running }
+      end
 
-    describe port('8140') do
-      it { is_expected.to be_listening }
+      describe port('8140') do
+        it { is_expected.to be_listening }
+      end
     end
-  end
 
-  context "upgrade to #{to_version}" do
-    it_behaves_like 'an idempotent resource' do
-      let(:manifest) do
-        <<-EOS
-        class { 'puppet':
-          server         => true,
-          server_version => '#{to_version_exact}',
-        }
-        EOS
+    context "upgrade to #{to_version}" do
+      it_behaves_like 'an idempotent resource' do
+        let(:manifest) do
+          <<-EOS
+          class { 'puppet':
+            server         => true,
+            server_version => '#{to_version_exact}',
+          }
+          EOS
+        end
       end
-    end
 
-    describe command('puppetserver --version') do
-      its(:stdout) { is_expected.to match("puppetserver version: #{to_version}\n") }
-    end
+      describe command('puppetserver --version') do
+        its(:stdout) { is_expected.to match("puppetserver version: #{to_version}\n") }
+      end
 
-    describe service('puppetserver') do
-      it { is_expected.to be_enabled }
-      it { is_expected.to be_running }
-    end
+      describe service('puppetserver') do
+        it { is_expected.to be_enabled }
+        it { is_expected.to be_running }
+      end
 
-    describe port('8140') do
-      it { is_expected.to be_listening }
+      describe port('8140') do
+        it { is_expected.to be_listening }
+      end
     end
   end
 end