diff --git a/icinga2/init.sls b/icinga2/init.sls
index 0c91e2e..64d8e25 100644
--- a/icinga2/init.sls
+++ b/icinga2/init.sls
@@ -1,3 +1,5 @@ +include: + - nginx icinga_packages: pkg.installed:
diff --git a/salt/minion.sls b/salt/minion.sls
index 95cb4de..723f583 100644
--- a/salt/minion.sls
+++ b/salt/minion.sls
@@ -1,25 +1,25 @@ include: - salt.update -/lib/systemd/system/salt-minion.service: - file.managed: - - source: salt://salt/files/salt-minion.service - - user: root - - group: root - - mode: 644 +#/lib/systemd/system/salt-minion.service: +# file.managed: +# - source: salt://salt/files/salt-minion.service +# - user: root +# - group: root +# - mode: 644 -systemd reload for salt-minion: - module.run: - - name: service.systemctl_reload - - onchanges: - - file: /lib/systemd/system/salt-minion.service +#systemd reload for salt-minion: +# module.run: +# - name: service.systemctl_reload +# - onchanges: +# - file: /lib/systemd/system/salt-minion.service -salt-minion: - service.running: - - enable: true - - require: - - file: /lib/systemd/system/salt-minion.service - - module: systemd reload for salt-minion +#salt-minion: +# service.running: +# - enable: true +# - require: +# - file: /lib/systemd/system/salt-minion.service +# - module: systemd reload for salt-minion /etc/salt/minion: file.managed:
diff --git a/salt/update.sls b/salt/update.sls
index f47730f..e4e697f 100644
--- a/salt/update.sls
+++ b/salt/update.sls
@@ -1,4 +1,4 @@ -salt: - pip.installed: - - user: root - - upgrade: true +#salt: +# pip.installed: +# - user: root +# - upgrade: true
diff --git a/samba/files/smb.conf.jinja b/samba/files/smb.conf.jinja
index 67b0fd3..f2d1598 100644
--- a/samba/files/smb.conf.jinja
+++ b/samba/files/smb.conf.jinja
@@ -1,6 +1,6 @@ # # Managed by Salt -# +# TODO: this could use file.serialize # run testparm -s after making changes to validate them [global]
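Review bot: Commenting out the `salt-minion` service.running state in the salt/minion.sls hunk leaves nothing in this file that keeps the minion enabled or restarts it when `/etc/salt/minion` changes (that file.managed state continues past the hunk), and any `watch`/`require` elsewhere that still names `service: salt-minion`, `module: systemd reload for salt-minion` or `file: /lib/systemd/system/salt-minion.service` becomes an unresolvable requisite. The same pattern is used in salt/update.sls, which now renders to nothing while this file still carries `include: - salt.update`. If these states are being retired, delete them together with the include line rather than keeping commented-out YAML; if only the unit-file management is being dropped, keep a minimal service state, `salt-minion: service.running: - enable: true` with a `watch` on `file: /etc/salt/minion`, so config changes still reach the running minion.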
@@ -10,27 +10,37 @@ logging = file panic action = /usr/share/samba/panic-action %d server role = standalone server - obey pam restrictions = yes + obey pam restrictions = no unix password sync = no map to guest = bad user usershare max shares = 0 encrypt passwords = yes smb encrypt = required + create mask = 0775 + directory mask = 0775 + force user = {{ pillar.samba.force_user }} + force group = {{ pillar.samba.force_group }} + vfs object = recycle + recycle:repository = /mnt/keir/recycle/%U + recycle:touch = Yes + recycle:keeptree = Yes + recycle:versions = Yes + recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP + recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP + recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP {% if salt.pillar.get('samba:enable_homes', false) %} [homes] comment = Home Directories browseable = no read only = yes - create mask = 0700 - directory mask = 0700 valid users = %S {% endif %} {% for name, conf in salt.pillar.get('samba:shares', {}).items() %} [{{ name }}] - path = {{ conf['path'] }} - valid users = {{ conf['users'] }} - read only = {{ conf['readonly'] }} + {%- for key, val in conf.items() %} + {{ key }} = {{ val }} + {%- endfor %} {% endfor %}
diff --git a/users/files/authorized_keys.jinja b/users/files/authorized_keys.jinja
new file mode 100644
index 0000000..06c0f34
--- /dev/null
+++ b/users/files/authorized_keys.jinja
@@ -0,0 +1,3 @@ +{% for comment, key in salt.pillar.get('authorized_keys')[user].items() -%} +{{ key }} {{ comment }} +{% endfor -%}
diff --git a/users/init.sls b/users/init.sls
index f152ebd..e336870 100644
--- a/users/init.sls
+++ b/users/init.sls
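Review bot: `force user` and `force group` are added under `[global]`, so they apply to every share, including the `[homes]` share a few lines below: each connecting user will then read and write their home directory as `{{ pillar.samba.force_user }}` rather than as themselves, and the per-user separation that `valid users = %S` implies is lost. If the forced identity is only wanted for the data shares, move those two lines (and the new 0775 `create mask`/`directory mask` pair) into the `{% for name, conf in … %}` loop or into the pillar share definitions that the loop now copies verbatim. `obey pam restrictions = no` also stops PAM account and session checks from being applied to SMB logins; that is Samba's default, but since the previous config deliberately set `yes`, confirm the change is intended. The recycle repository `/mnt/keir/recycle/%U` is hard-coded while the neighbouring values come from pillar, so consider sourcing it from a pillar key as well; and with the generic `{{ key }} = {{ val }}` loop, a share whose pillar entry omits `valid users` is now reachable by any user Samba authenticates, where the old template always emitted that line.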
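Review bot: `salt.pillar.get('authorized_keys')` in the new authorized_keys.jinja has no default, so on a minion whose pillar lacks that key the template fails at render time with a subscription on `None` rather than producing an empty file, and `[user]` raises if the context user has no entry; `{% for comment, key in salt.pillar.get('authorized_keys', {}).get(user, {}).items() -%}` renders an empty file in both cases. The template also deserves a one-line Jinja comment documenting the pillar shape it expects, e.g. `{# pillar: authorized_keys: { <user>: { <comment>: <full key line> } } #}`, since the comment-as-dict-key layout is not obvious to the next maintainer and means two keys cannot share a comment. Pillar values are written verbatim, so a value that carries key options or more than one line ends up in the file unchanged; that is acceptable for admin-controlled pillar but worth stating in the same comment.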
@@ -1,20 +1,26 @@ -{% if salt.pillar.get('root_authorized_keys', None) is not none %} -/root/.ssh: +{% for user in salt.pillar.get('authorized_keys').keys() %} + {% set home = '' if user == 'root' else '/home' %} + +{{ home }}/{{ user }}/.ssh: file.directory: - - user: root - - group: root + - user: {{ user }} + - group: {{ user }} - mode: 700 -/root/.ssh/authorized_keys: +{{ home }}/{{ user }}/.ssh/authorized_keys: file.managed: - - contents_pillar: root_authorized_keys - - user: root - - group: root + - template: jinja + - source: salt://users/files/authorized_keys.jinja + - user: {{ user }} + - group: {{ user }} - mode: 400 + - context: + user: {{ user }} - require: - - file: /root/.ssh -{% endif %} + - file: {{ home }}/{{ user }}/.ssh + +{% endfor %} {% if salt.pillar.get('manage_root_bashrc', False) %} /root/.bashrc:
@@ -71,27 +77,6 @@ - user: {{ user }}_user {% endif %} -{% if 'authorized_keys' in data or 'ssh_config' in data %} -/home/{{ user }}/.ssh: - file.directory: - - user: {{ user }} - - group: {{ user }} - - mode: 0700 - - require: - - user: {{ user }}_user -{% endif %} - -{% if 'authorized_keys' in data %} -/home/{{ user }}/.ssh/authorized_keys: - file.managed: - - contents_pillar: users:{{ user }}:authorized_keys - - user: {{ user }} - - group: {{ user }} - - mode: 0400 - - require: - - file: /home/{{ user }}/.ssh -{% endif %} - {% if 'ssh_config' in data %} /home/{{ user }}/.ssh/config: file.managed:
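Review bot: The new `{{ home }}/{{ user }}/.ssh` states at the top of users/init.sls set `user: {{ user }}` but carry no `require: - user: {{ user }}_user`, which the per-user block removed in the second hunk (`@@ -71,27 +77,6 @@`) had; because these states now sit before the user-creation states later in the file, a first highstate on a fresh host can fail with an unknown owner for any non-root user. Add `- require: - user: {{ user }}_user` inside a `{% if user != 'root' %}` guard, or move the loop below the user states. The pillar layout also moves from `users:<user>:authorized_keys` to a top-level `authorized_keys:<user>` map, so existing pillar data silently stops being deployed, and `salt.pillar.get('authorized_keys').keys()` raises on a host with no such pillar; `salt.pillar.get('authorized_keys', {}).keys()` avoids that. Finally, the `/home/{{ user }}/.ssh/config` state after the second hunk (its body is outside the hunk) previously had a `/home/{{ user }}/.ssh` directory state created for it whenever `ssh_config` was set; that directory now exists only for users listed under the new pillar key, so if the config state still requires `file: /home/{{ user }}/.ssh`, users with `ssh_config` but no authorized_keys entry hit an unresolved requisite.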