diff --git a/site/profile/manifests/ceph.pp b/site/profile/manifests/ceph.pp
index bf2fc1571..309d6e543 100644
--- a/site/profile/manifests/ceph.pp
+++ b/site/profile/manifests/ceph.pp
@@ -1,62 +1,42 @@
+type BindMount = Struct[{
+    'src'  => Stdlib::Unixpath,
+    'dst'  => Stdlib::Unixpath,
+    'type' => Optional[Enum['file', 'directory']],
+}]
+
+type CephFS = Struct[
+  {
+    'share_name' => String,
+    'access_key' => String,
+    'export_path' => Stdlib::Unixpath,
+    'bind_mounts' => Optional[Array[BindMount]],
+    'binds_fcontext_equivalence' => Optional[Stdlib::Unixpath],
+  }
+]
+
 class profile::ceph::client (
-  String $share_name,
-  String $access_key,
-  String $export_path,
   Array[String] $mon_host,
-  Array[String] $mount_binds = [],
-  String $mount_name = 'cephfs01',
-  String $binds_fcontext_equivalence = '/home',
+  Hash[String, CephFS] $shares,
 ) {
-  class { 'profile::ceph::client::config':
-    share_name  => $share_name,
-    access_key  => $access_key,
-    export_path => $export_path,
-    mon_host    => $mon_host,
-  }
-
-  file { "/mnt/${mount_name}":
-    ensure => directory,
-  }
+  require profile::ceph::client::install
 
   $mon_host_string = join($mon_host, ',')
-  mount { "/mnt/${mount_name}":
-    ensure  => 'mounted',
-    fstype  => 'ceph',
-    device  => "${mon_host_string}:${export_path}",
-    options => "name=${share_name},secretfile=/etc/ceph/client.keyonly.${share_name},mds_namespace=cephfs_4_2,x-systemd.device-timeout=30,x-systemd.mount-timeout=30,noatime,_netdev,rw",
-    require => Class['profile::ceph::client::config'],
-  }
-
-  $mount_binds.each |$mount| {
-    file { "/mnt/${mount_name}/${mount}":
-      ensure  => directory,
-      require => Class['profile::ceph::client::config'],
-    }
-    file { "/${mount}":
-      ensure  => directory,
-      require => Class['profile::ceph::client::config'],
-    }
-    mount { "/${mount}":
-      ensure  => 'mounted',
-      fstype  => 'none',
-      options => 'rw,bind',
-      device  => "/mnt/${mount_name}/${mount}",
-      require => [
-        File["/mnt/${mount_name}/${mount}"],
-        File["/${mount}"],
-      ],
-    }
+  $ceph_conf = @("EOT")
+    [global]
+    admin socket = /var/run/ceph/$cluster-$name-$pid.asok
+    client reconnect stale = true
+    debug client = 0/2
+    fuse big writes = true
+    mon host = ${mon_host_string}
+    [client]
+    client quota = true
+    | EOT
 
-    if ($binds_fcontext_equivalence != '' and "/${mount}" != $binds_fcontext_equivalence) {
-      selinux::fcontext::equivalence { "/${mount}":
-        ensure  => 'present',
-        target  => $binds_fcontext_equivalence,
-        require => Mount["/${mount}"],
-        notify  => Selinux::Exec_restorecon["/${mount}"],
-      }
-      selinux::exec_restorecon { "/${mount}": }
-    }
+  file { '/etc/ceph/ceph.conf':
+    content => $ceph_conf,
   }
+
+  ensure_resources(profile::ceph::client::share, $shares, { 'mon_host' => $mon_host, 'bind_mounts' => [] })
 }
 
 class profile::ceph::client::install {
@@ -90,45 +70,60 @@
   }
 }
 
-class profile::ceph::client::config (
+define profile::ceph::client::share (
+  Array[String] $mon_host,
   String $share_name,
   String $access_key,
-  String $export_path,
-  Array[String] $mon_host,
+  Stdlib::Unixpath $export_path,
+  Array[BindMount] $bind_mounts,
+  Optional[Stdlib::Unixpath] $binds_fcontext_equivalence = undef,
 ) {
-  require profile::ceph::client::install
-
   $client_fullkey = @("EOT")
     [client.${share_name}]
     key = ${access_key}
     | EOT
 
-  file { "/etc/ceph/client.fullkey.${share_name}":
+  file { "/etc/ceph/ceph.client.${share_name}.keyring":
     content => $client_fullkey,
     mode    => '0600',
     owner   => 'root',
     group   => 'root',
   }
 
-  file { "/etc/ceph/client.keyonly.${share_name}":
-    content => Sensitive($access_key),
-    mode    => '0600',
-    owner   => 'root',
-    group   => 'root',
+  file { "/mnt/${name}":
+    ensure => directory,
   }
 
   $mon_host_string = join($mon_host, ',')
-  $ceph_conf = @("EOT")
-    admin socket = /var/run/ceph/$cluster-$name-$pid.asok
-    client reconnect stale = true
-    debug client = 0/2
-    fuse big writes = true
-    mon host = ${mon_host_string}
-    [client]
-    client quota = true
-    | EOT
+  mount { "/mnt/${name}":
+    ensure  => 'mounted',
+    fstype  => 'ceph',
+    device  => "${mon_host_string}:${export_path}",
+    options => "name=${share_name},mds_namespace=cephfs_4_2,x-systemd.device-timeout=30,x-systemd.mount-timeout=30,noatime,_netdev,rw",
+    require => File['/etc/ceph/ceph.conf'],
+  }
 
-  file { '/etc/ceph/ceph.conf':
-    content => $ceph_conf,
+  $bind_mounts.each |$mount| {
+    file { $mount['dst']:
+      ensure  => pick($mount['type'], 'directory'),
+    }
+    mount { $mount['dst']:
+      ensure  => 'mounted',
+      fstype  => 'none',
+      options => 'rw,bind',
+      device  => "/mnt/${name}${mount['src']}",
+      require => [
+        File[$mount['dst']],
+        Mount["/mnt/${name}"]
+      ],
+    }
+
+    if ($binds_fcontext_equivalence and $binds_fcontext_equivalence != $mount['dst']) {
+      selinux::fcontext::equivalence { $mount['dst']:
+        ensure  => 'present',
+        target  => $binds_fcontext_equivalence,
+        require => Mount[$mount['dst']],
+      }
+    }
   }
 }