diff --git a/manifests/common.pp b/manifests/common.pp
index 5003abd..5ea0afa 100644
--- a/manifests/common.pp
+++ b/manifests/common.pp
@@ -41,12 +41,22 @@ class acme_vault::common (
 mode => '0750',
 }

- group { $group:
- ensure => present,
- members => $group_members,
- system => true,
+ # group membership is handled through collected virtual resources. This
+ # allows other modules/profiles to add members to the group, for services
+ # that require access to the certs
+
+ @group { $group:
+ ensure => present,
+ system => true,
+ tag => 'acme_vault_group',
 }

+ # include lines similar to this in your own modules to add members to the
+ # group. We use this method here to add the group_members paramater, but
+ # it will work the same in any module.
+
+ Group <| tag == 'acme_vault_group' |> { members +> $group_members }
+
 # vault module isn't too flexible for install only, just copy in binary
 # would be nice if this worked!
 #class { '::vault::install':
diff --git a/manifests/params.pp b/manifests/params.pp
index 46a0da6..b1b22c6 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -3,7 +3,7 @@ class acme_vault::params {
 # settings for acme user
 $user = 'acme'
 $group = 'acme'
- $group_members = ['apache']
+ $group_members = []
 $home_dir = '/home/acme_vault'
 $contact_email = ''
 $domains = undef
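Review bot: In manifests/common.pp, the new `@group { $group: ... }` together with `Group <| tag == 'acme_vault_group' |> { members +> $group_members }` lets any class in the catalog append members to the group that gates access to the certs. Nothing in this manifest bounds or records who gets added. Collector overrides are not restricted by scope, so the comment above the collector should state the consequence, e.g. `# NOTE: membership grants access to the issued certs; every collector that appends here widens that access, so review additions like a permission change.` It would also help to say whether the hard-coded tag `'acme_vault_group'` is a supported interface for other modules, since it becomes one once profiles depend on it. The class body starts and ends outside the hunk.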
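Review bot: In manifests/params.pp, changing the default to `$group_members = []` tightens new installs but probably does not remove `apache` from the group on hosts that already applied the old `['apache']` default. The group in common.pp is declared without `auth_membership => true`, so `members` is likely treated as a minimum list rather than the complete one; please confirm against the provider in use. If apache should lose access to the certs unless a profile opts in, that needs authoritative membership or a documented cleanup step for existing nodes. A comment on the parameter would make the new contract visible, e.g. `# empty by default; consuming profiles add members via the 'acme_vault_group' collector`. The class body continues outside the hunk.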