diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f82c4c9..f9a5c9d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,7 @@ name: CI +# yamllint disable-line rule:truthy on: pull_request: {} push: @@ -18,4 +19,6 @@ concurrency: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v3 + with: + unit_runs_on: 'cern-self-hosted' diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 66127cd0..73be88dc 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -4,6 +4,7 @@ name: "Pull Request Labeler" +# yamllint disable-line rule:truthy on: pull_request_target: {} diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml new file mode 100644 index 00000000..01efa1a8 --- /dev/null +++ b/.github/workflows/prepare_release.yml @@ -0,0 +1,23 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: 'Prepare Release' + +on: + workflow_dispatch: + inputs: + version: + description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)' + required: false + +jobs: + release_prep: + uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3' + with: + version: ${{ github.event.inputs.version }} + allowed_owner: 'voxpupuli' + secrets: + # Configure secrets here: + # https://docs.github.com/en/actions/security-guides/encrypted-secrets + github_pat: '${{ secrets.PCCI_PAT_RELEASE_PREP }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 93b33c2b..3db60fbc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,7 @@ name: Release +# yamllint disable-line rule:truthy on: push: tags: 
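Review bot: The new `unit_runs_on: 'cern-self-hosted'` input in the second hunk of `.github/workflows/ci.yml` presumably moves the unit jobs onto a self-hosted runner, while the workflow still triggers on `pull_request: {}`, so code from any pull request, including forks, would run on that machine. Whether the runner is ephemeral and isolated from internal networks is not visible in this diff; if it is not, state can persist between jobs and the job can reach whatever the host can reach. I would record the assumption next to the setting, e.g. `# runs untrusted PR code: runner must be ephemeral and network-isolated`, and confirm that fork pull requests need approval before workflows start. The same value is added in `.sync.yml`, which appears to be where this file's input is generated from, so the comment belongs there as well.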
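Review bot: `secrets.PCCI_PAT_RELEASE_PREP` is passed to `voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3`, a tag reference that can be moved, so whatever `v3` points to at run time receives the token. Pinning fixes which code sees the secret: `uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@<full-commit-sha>'  # v3`. The same applies to `release.yml@v3` in `.github/workflows/release.yml`, which receives the Puppet Forge credentials. Because the file is marked as managed by modulesync, the change would have to be made in the modulesync templates rather than here. Separately, `version: ${{ github.event.inputs.version }}` is the only unquoted expression in the new file, and its `on:` lacks the `# yamllint disable-line rule:truthy` comment that this commit adds to the other workflows.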
@@ -12,7 +13,7 @@ on: jobs: release: name: Release - uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2 + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v3 with: allowed_owner: 'voxpupuli' secrets: @@ -20,10 +21,3 @@ jobs: # https://docs.github.com/en/actions/security-guides/encrypted-secrets username: ${{ secrets.PUPPET_FORGE_USERNAME }} api_key: ${{ secrets.PUPPET_FORGE_API_KEY }} - - create-github-release: - name: Create GitHub Release - runs-on: ubuntu-latest - steps: - - name: Create GitHub release - uses: voxpupuli/gha-create-a-github-release@v1 diff --git a/.msync.yml b/.msync.yml index 95e8c977..36e892e9 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '9.1.0' +modulesync_config_version: '9.4.0' diff --git a/.sync.yml b/.sync.yml index b1b40cec..65631e60 100644 --- a/.sync.yml +++ b/.sync.yml @@ -6,3 +6,7 @@ spec/spec_helper_acceptance.rb: enabled_lint_checks: - parameter_documentation - parameter_types + +.github/workflows/ci.yml: + with: + unit_runs_on: 'cern-self-hosted' diff --git a/.vscode/extensions.json b/.vscode/extensions.json deleted file mode 100644 index 2f1e4f73..00000000 --- a/.vscode/extensions.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "recommendations": [ - "puppet.puppet-vscode", - "rebornix.Ruby" - ] -} diff --git a/Gemfile b/Gemfile index 27cdc0de..2ac98f89 100644 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,7 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 8.0', :require => false + gem 'voxpupuli-test', '~> 9.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false gem 'puppet_metadata', '~> 4.0', :require => false 
@@ -26,7 +26,7 @@ end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' +puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"] gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/REFERENCE.md b/REFERENCE.md index 1a8f89f6..9a11d9fa 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1727,10 +1727,10 @@ Insert a file into the nftables configuration ```puppet nftables::file{'geoip': - content => @(EOT) + content => @(EOT), include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4" include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6" - |EOT, + |EOT } ``` diff --git a/manifests/init.pp b/manifests/init.pp index f1255127..be713019 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -159,6 +159,13 @@ ensure => installed, } + # /etc/services file is needed, on newer OSes this is a dependency on nftables + if $facts['os']['name'] == 'Ubuntu' and $facts['os']['release']['major'] == '20.04' { + package { 'netbase': + ensure => present, + } + } + if $clobber_default_config { file { $configuration_path: ensure => file, @@ -242,7 +249,7 @@ notify => Service['nftables'], } - # Generate nftables hash upon changes to the nftables service + # Generate nftables hash upon changes to the nftables service exec { 'nftables_generate_hash': command => ["nft -s list ruleset | sha1sum > ${inmem_rules_hash_file}"], path => $facts['path'], diff --git a/metadata.json b/metadata.json index b910b0a0..e5918924 100644 --- a/metadata.json +++ b/metadata.json @@ -83,7 +83,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 7.0.0 < 9.0.0" + "version_requirement": ">= 8.0.0 < 9.0.0" } ] } diff --git a/spec/classes/nftables_spec.rb b/spec/classes/nftables_spec.rb index b4830e91..77b371c9 100644 --- a/spec/classes/nftables_spec.rb +++ b/spec/classes/nftables_spec.rb 
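Review bot: The new `package { 'netbase': }` resource in `manifests/init.pp` has no explicit relationship to the nftables service, so having `/etc/services` in place before rules are loaded relies on manifest ordering alone. Adding `before => Service['nftables'],` would make that explicit; the service is referenced by `notify => Service['nftables']` in the next hunk, though its declaration is outside the diff. The resource also uses `ensure => present` where the package resource just above uses `ensure => installed`; the two are equivalent, and matching the existing one keeps the file consistent. The comment would read more clearly as `# /etc/services is needed; on newer OSes netbase is already a dependency of nftables`. The enclosing class body starts and ends outside the hunk.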
@@ -33,6 +33,13 @@ it { is_expected.to contain_package('nftables') } + case [os_facts[:os]['name'], os_facts[:os]['release']['major']] + when ['Ubuntu', '20.04'] + it { is_expected.to contain_package('netbase') } + else + it { is_expected.not_to contain_package('netbase') } + end + context 'with clobber_default_config false' do let(:params) do { clobber_default_config: false } diff --git a/spec/support/spec/mock.rb b/spec/support/spec/mock.rb new file mode 100644 index 00000000..434ced74 --- /dev/null +++ b/spec/support/spec/mock.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +RSpec.configure do |c| + c.before do + # select the systemd service provider even when on docker + # https://tickets.puppetlabs.com/browse/PUP-11167 + allow(Puppet::FileSystem).to receive(:exist?).and_call_original + allow(Puppet::FileSystem).to receive(:exist?).with('/proc/1/comm').and_return(true) + allow(Puppet::FileSystem).to receive(:read).and_call_original + allow(Puppet::FileSystem).to receive(:read).with('/proc/1/comm').and_return(['systemd']) + end +end