diff --git a/icinga2/files/client_sudo.jinja b/icinga2/files/client_sudo.jinja
new file mode 100644
index 0000000..3ad2c65
--- /dev/null
+++ b/icinga2/files/client_sudo.jinja
@@ -0,0 +1,3 @@
+# monitoring sudoers rules
+nagios ALL=(ALL) NOPASSWD: \
+ {{ salt.pillar.get('icinga2:client_sudo') | join(", \\\n") | indent(2) }}
diff --git a/icinga2/init.sls b/icinga2/server.sls
similarity index 100%
rename from icinga2/init.sls
rename to icinga2/server.sls
diff --git a/icinga2/ssh_client.sls b/icinga2/ssh_client.sls
new file mode 100644
index 0000000..39c6a8a
--- /dev/null
+++ b/icinga2/ssh_client.sls
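Review bot: The third line expands the pillar list straight into the command list, so an unset `icinga2:client_sudo` makes `join` fail at render time and an empty list renders `NOPASSWD: \` with nothing after the continuation, which the `visudo -c` check_cmd in ssh_client.sls then rejects on every client that has no sudo entries. Default the lookup to an empty list and only emit the rule when the list is non-empty. Because the rule grants passwordless root for whatever the pillar contains, a comment stating that entries are expected to be absolute command paths with fixed arguments would help whoever populates the pillar.
```jinja
# monitoring sudoers rules
# entries in icinga2:client_sudo should be absolute command paths with fixed arguments
{% set sudo_cmds = salt.pillar.get('icinga2:client_sudo', []) %}
{% if sudo_cmds %}
nagios ALL=(ALL) NOPASSWD: \
  {{ sudo_cmds | join(", \\\n") | indent(2) }}
{% endif %}
```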
@@ -0,0 +1,51 @@
+# todo: git clone to /usr/local/lib/nagios
+
+# A deploy key must be added for this to work!
+{{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}:
+ git.cloned:
+ - target: /usr/local/lib/nagios
+ - branch: master
+ - user: root
+
+monitoring_packages:
+ pkg.installed:
+ - pkgs:
+ # TODO: these are the Debian names. Figure out the others
+ - monitoring-plugins-basic
+ - smartmontools
+
+nagios:
+ user.present:
+ - shell: /bin/bash
+ - home: /var/lib/nagios
+ - system: true
+ - createhome: true
+
+/var/lib/nagios/.ssh:
+ file.directory:
+ - user: nagios
+ - group: nagios
+ - mode: 700
+ - require:
+ - user: nagios
+
+/var/lib/nagios/.ssh/authorized_keys:
+ file.managed:
+ - user: nagios
+ - group: nagios
+ - mode: 400
+ - contents_pillar: icinga2:nagios_rsa_pubkey
+ - require:
+ - file: /var/lib/nagios/.ssh
+
+/etc/sudoers.d/nagios:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 440
+ - template: jinja
+ - source: salt://icinga2/files/client_sudo.jinja
+ - check_cmd: /usr/sbin/visudo -c -f
+
+# FIXME
+# [2023-12-06 00:13:41 -0500] warning/PluginNotificationTask: Notification command for object 'usfn-ovh!nvme0' (PID: 12270, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 127, output: /etc/icinga2/scripts/mail-service-notification.sh: 20: /etc/icinga2/scripts/mail-service-notification.sh: mail: not found
diff --git a/restic/files/install.sh b/restic/files/install.sh
index 977d6bb..1ffc73c 100644
--- a/restic/files/install.sh
+++ b/restic/files/install.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-{% set arch = 'arm' salt.grains.get(cpuarch).startswith('arm') else 'amd64' %}
+{% set arch = 'arm' if salt.grains.get('cpuarch').startswith('arm') else 'amd64' %}
 {% set restic_version = salt.pillar.get("restic:version") %}
 URL="https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ arch }}.bz2"
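Review bot: The key installed from `icinga2:nagios_rsa_pubkey` into `/var/lib/nagios/.ssh/authorized_keys` is the only thing gating a login that `/etc/sudoers.d/nagios` then lets run the pillar-listed commands as root, and nothing in the state records that; a comment above the `authorized_keys` state such as `# this key grants the sudo rights in /etc/sudoers.d/nagios; the pillar value should carry restrict/command= options` would make the dependency visible to whoever rotates the key. The `mode: 700`, `mode: 400` and `mode: 440` values are bare integers; Salt accepts them, but a later edit to a leading-zero form would be read as octal by the YAML loader, so the documented convention is to quote them (`- mode: '700'`). The pasted `# FIXME` log line at the end concerns the notification script on the server side rather than this client state and would be better tracked in an issue.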
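Review bot: The corrected `{% set arch ... %}` line still maps every `cpuarch` that does not start with `arm` to `amd64`, so an aarch64 host (whose grain is `aarch64`) would fetch the x86-64 archive; restic publishes a separate `linux_arm64` build, so a third case is needed, e.g. `{% set cpuarch = salt.grains.get('cpuarch') %}` followed by `{% set arch = 'arm64' if cpuarch == 'aarch64' else ('arm' if cpuarch.startswith('arm') else 'amd64') %}`. The rest of install.sh is outside the hunk, so it cannot be seen here whether the downloaded archive is checksum-verified before the binary is installed; if it is not, that is worth adding since the resulting binary runs as root.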
diff --git a/restic/init.sls b/restic/init.sls
index 35f6503..5a8f3ca 100644
--- a/restic/init.sls
+++ b/restic/init.sls
@@ -19,6 +19,9 @@ restic-{{ name }}:
 - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
 {% endfor %}
+bzip2:
+ pkg.installed: []
+
 {% if salt.pillar.get("restic:client", None) is not none %}
 {% if salt.pillar.get("restic:client:install", True)%}
 'download restic':
@@ -27,6 +30,8 @@ restic-{{ name }}:
 - source: 'salt://restic/files/install.sh'
 - template: jinja
 - unless: "/bin/restic version | grep 'restic {{ salt.pillar.get("restic:version") }} '"
+ - require:
+ - pkg: bzip2
 {% endif %}
 /etc/logrotate.d/restic-backup:
diff --git a/salt/init.sls b/salt/init.sls
index c4a024a..ac38c87 100644
--- a/salt/init.sls
+++ b/salt/init.sls
@@ -18,7 +18,7 @@ pip install salt:
 - require:
 - cmd: 'make salt venv'
-{% for link in ('salt', 'salt-call', 'salt-minion', 'salt-proxy') %}
+{% for link in ('salt', 'salt-call', 'salt-minion', 'salt-proxy', 'salt-run', 'salt-key') %}
 /usr/bin/{{ link }}:
 file.symlink:
 - target: /opt/saltstack/salt/bin/{{ link }}
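Review bot: `bzip2:` is declared before the `{% if salt.pillar.get("restic:client", None) is not none %}` guard, so it is installed on every host that includes this state, including server-only ones that never run install.sh, which only the `require` added in the second hunk needs. Moving the three-line stanza inside that `{% if %}` (and ideally inside the `restic:client:install` check) keeps the package footprint to the hosts that decompress the download. A one-line comment such as `# install.sh unpacks the release archive with bunzip2` would record why the package is here at all.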
@@ -54,6 +54,25 @@ salt-{{ daemon }}:
 - file: /etc/salt/{{ daemon }}
 {% endfor %}
+{% elif grains['os'] == 'Debian' %}
+
+/etc/apt/keyrings/salt-archive-keyring-2023.gpg:
+ file.managed:
+ - source: https://repo.saltproject.io/salt/py3/debian/11/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
+ - source_hash: c6f6cbcd96fdb130b1dde8dcfc05d46a3a3f322ff0514f98e2e6473896243472
+
+{% if grains['osrelease']|int > 11 %}
+ {% set osrelease = 11 %}
+ {% set oscodename = 'bullseye' %}
+{% else %}
+ {% set osrelease = grains['osrelease'] %}
+ {% set oscodename = grains['oscodename'] %}
+{% endif %}
+
+/etc/apt/sources.list.d/salt.list:
+ file.managed:
+ - contents: "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/debian/{{ osrelease }}/amd64/minor/{{ salt.pillar.get("salt:version") }} {{ oscodename }} main"
+
 {% elif grains['os'] == 'Ubuntu' %}
 /etc/apt/keyrings/salt-archive-keyring-2023.gpg:
@@ -87,6 +106,29 @@ salt-{{ daemon }}:
 - file: /etc/salt/{{ daemon }}
 {% endfor %}
+# FIXME: D.R.Y.
+salt-common:
+ pkg.installed:
+ - version: '{{ salt.pillar.get("salt:version") }}'
+ - refresh: true
+ - require:
+ - file: /etc/apt/keyrings/salt-archive-keyring-2023.gpg
+ - file: /etc/apt/sources.list.d/salt.list
+
+{% for daemon in salt_daemons %}
+salt-{{ daemon }}:
+ pkg.installed:
+ - version: '{{ salt.pillar.get("salt:version") }}'
+ - require:
+ - pkg: salt-common
+ service.running:
+ - enable: true
+ - require:
+ - pkg: salt-{{ daemon }}
+ - listen:
+ - file: /etc/salt/{{ daemon }}
+{% endfor %}
+
 {% elif grains['os_family'] == 'RedHat' %}
 /etc/pki/rpm-gpg/SALT-PROJECT-GPG-PUBKEY-2023:
diff --git a/top.sls b/top.sls
index 681b8b1..64de08b 100644
--- a/top.sls
+++ b/top.sls
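Review bot: The new Debian branch hard-codes `arch=amd64` in the `salt.list` contents and `/debian/{{ osrelease }}/amd64/` in the repository path, so a Debian minion on another architecture would get a repository apt cannot use and the `salt-common` install further down would fail; `arch={{ grains['osarch'] }}` (and the same grain in the URL) would match the arm handling restic/files/install.sh already does. The `|int` on `grains['osrelease']` also evaluates to 0 for testing/sid-style release strings, sending them down the `else` branch with a codename the repository may not serve; a comment such as `# the salt repo only publishes up to bullseye; newer releases reuse the 11 packages` would at least explain the clamp to whoever hits that. Pinning the keyring download with `source_hash` over HTTPS is the right call.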
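Review bot: The block under `# FIXME: D.R.Y.` in the second hunk re-states `salt-common` and the `salt-{{ daemon }}` loop, which the surrounding `{% elif grains['os'] == 'Ubuntu' %}` branch presumably carries as well (that branch is outside the hunk); since both branches end with the same package and service stanzas, the pair could be written once after the `{% endif %}` that closes the os check, with only the keyring and sources-list setup staying per distribution. `salt_daemons` is referenced here but defined outside the hunk, so its contents cannot be checked from this view. If the duplication stays for now, replacing the bare `FIXME` with `# FIXME: D.R.Y. — duplicated from the Ubuntu branch; hoist once the repo setup is factored out` tells the next reader what the intended shape is.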
@@ -6,6 +6,9 @@
 {% if salt.pillar.get('restic:client', None) is not none or salt.pillar.get('restic:server', None) is not none %}
 - restic
+{% endif %}
+{% if salt.pillar.get("icinga2:ssh_client", None) is not none %}
+ - icinga2.ssh_client
 {% endif %}
 '*.keiran.us':
 - firewall
@@ -13,7 +16,7 @@
 'vps47492.inmotionhosting.com':
 - gitea
 'kpi.keiran.us':
- - icinga2
+ - icinga2.server
 - nginx
 - restic
 - samba
diff --git a/users/files/bashrc.jinja b/users/files/bashrc.jinja
index 325e9c2..4d46ad6 100644
--- a/users/files/bashrc.jinja
+++ b/users/files/bashrc.jinja
@@ -30,11 +30,15 @@ if [ -x /usr/bin/dircolors ]; then
 alias grep='grep --color=auto'
 fi
+export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
 # some more ls aliases
 alias ll='ls -alF'
 alias la='ls -A'
 alias l='ls -CF'
-
+if [ -f ~/.bash_aliases ]; then
+ . ~/.bash_aliases
+fi
 export EDITOR='vim'
 export VISUAL='vim'
@@ -42,11 +46,11 @@ export VISUAL='vim'
 # this, if it's already enabled in /etc/bash.bashrc and /etc/profile
 # sources /etc/bash.bashrc).
 if ! shopt -oq posix; then
- if [ -f /usr/share/bash-completion/bash_completion ]; then
- . /usr/share/bash-completion/bash_completion
- elif [ -f /etc/bash_completion ]; then
- . /etc/bash_completion
- fi
+ if [ -f /usr/share/bash-completion/bash_completion ]; then
+ . /usr/share/bash-completion/bash_completion
+ elif [ -f /etc/bash_completion ]; then
+ . /etc/bash_completion
+ fi
 fi
 if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then # color support
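Review bot: In the bashrc hunk at `@@ -30,11 +30,15 @@`, the added `fi` is followed directly by `export EDITOR='vim'` because the blank line that used to separate the alias stanza from the exports is the `-` line removed just above; restoring a blank line after `fi` keeps the file's one-blank-line-per-stanza spacing that the `GCC_COLORS` addition above it follows. Sourcing `~/.bash_aliases` is the stock Debian behaviour, but since this file is the managed copy handed to every user, a comment such as `# per-user aliases, intentionally left outside salt management` above the `if [ -f ~/.bash_aliases ]` line would make clear that the override hook is deliberate.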