diff --git a/gitea/files/install.sh b/gitea/files/install.sh index adbd771..5abda79 100644 --- a/gitea/files/install.sh +++ b/gitea/files/install.sh @@ -1,4 +1,5 @@ #!/bin/bash +{# code: lang=jinja-shell #} {% set gitea_version = salt.pillar.get('gitea:version') %} {% set base_path = salt.pillar.get('gitea:path') %} diff --git a/icinga2/files/client_sudo.jinja b/icinga2/files/client_sudo.jinja index 3ad2c65..dfa2b10 100644 --- a/icinga2/files/client_sudo.jinja +++ b/icinga2/files/client_sudo.jinja @@ -1,3 +1,3 @@ # monitoring sudoers rules -nagios ALL=(ALL) NOPASSWD: \ +icinga ALL=(ALL) NOPASSWD: \ {{ salt.pillar.get('icinga2:client_sudo') | join(", \\\n") | indent(2) }} diff --git a/icinga2/files/git_clone_icinga2_conf.sh b/icinga2/files/git_clone_icinga2_conf.sh new file mode 100644 index 0000000..b6bd00b --- /dev/null +++ b/icinga2/files/git_clone_icinga2_conf.sh @@ -0,0 +1,25 @@ +#!/bin/bash +{# code: lang=jinja-shell #} + +if ! id icinga &>/dev/null; then + echo icinga user is missing + exit 1 +fi + +if [ -d /etc/icinga2/.git ]; then + echo already cloned + exit 1 +fi + +# show commands executed +set -x +# exit on errors +set -e + +rm -rf /etc/icinga2 + +cd /etc/ + +git clone '{{ salt.pillar.get('icinga2:server:conf_git_url') }}' icinga2 + +chown -R icinga.icinga /etc/icinga2 diff --git a/icinga2/files/icingaweb2.jinja b/icinga2/files/icingaweb2.jinja deleted file mode 100644 index 2987ec6..0000000 --- a/icinga2/files/icingaweb2.jinja +++ /dev/null 
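Review bot: In git_clone_icinga2_conf.sh the `rm -rf /etc/icinga2` runs before the clone has succeeded, so a failed `git clone` (missing deploy key, unknown host key for the git server) leaves the host with no Icinga configuration at all, and whatever the package placed there — including any certificate material if this layout still keeps it under `/etc/icinga2/pki` — is gone with no backup. Safer is to move the tree aside instead of deleting it, e.g. `mv /etc/icinga2 "/etc/icinga2.pre-clone.$(date +%s)"`, or clone into a temporary directory and swap it into place only on success. The pillar value is interpolated inside single quotes on the `git clone` line, so a URL containing `'` breaks out of the quoting; render it through Salt's shell-quoting filter instead, `git clone {{ salt.pillar.get('icinga2:server:conf_git_url') | quote }} icinga2`, if the Salt version here provides it. With `set -x` the full clone URL is also echoed into the state output, which matters if that URL ever carries an embedded token. Minor: `chown -R icinga.icinga` uses the deprecated `user.group` form; prefer `chown -R icinga:icinga /etc/icinga2`.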
@@ -1,42 +0,0 @@ -server { - -server_name icinga.keiran.us; - -rewrite ^/$ https://icinga.keiran.us/icingaweb2 permanent; - - location ~ ^/icingaweb2/index\.php(.*)$ { - # fastcgi_pass 127.0.0.1:9000; - fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php; - fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2; - fastcgi_param REMOTE_USER $remote_user; - } - - location ~ ^/icingaweb2(.+)? { - alias /usr/share/icingaweb2/public; - index index.php; - try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args; - } - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/icinga.keiran.us/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/icinga.keiran.us/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} -server { - if ($host = icinga.keiran.us) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - -server_name icinga.keiran.us; - listen 80; - return 404; # managed by Certbot - - -} diff --git a/icinga2/init.sls b/icinga2/init.sls new file mode 100644 index 0000000..c346c37 --- /dev/null +++ b/icinga2/init.sls @@ -0,0 +1,7 @@ +include: +{% if salt.pillar.get("icinga2:ssh_client", None) is not none %} + - icinga2.ssh_client +{% endif %} +{% if salt.pillar.get("icinga2:server", None) is not none %} + - icinga2.server +{% endif %} diff --git a/icinga2/server.sls b/icinga2/server.sls index d31e153..bf80880 100644 --- a/icinga2/server.sls +++ b/icinga2/server.sls 
@@ -1,24 +1,4 @@ -include: - - nginx - -icinga_packages: - pkg.installed: - - pkgs: - - vim-icinga2 - - icinga2 - - icingaweb2 - - icinga2-ido-mysql - - certbot - - python-certbot-nginx - -apache2: - service.dead: - - enable: False - - require_by: - - pkg: nginx - file.absent: - - name: /etc/apache2 - +{# icingaweb2_vhost: file.managed: - name: /etc/nginx/sites-available/icingaweb2 
@@ -30,23 +10,88 @@ icingaweb2_vhost: - pkg: nginx - watch_by: - service: nginx +#} -/etc/icinga2: - git.cloned: - - name: ssh://keiran5@git.keiran.us:9022/config-mgmt/icinga2-conf.git - - user: nagios - - target: /etc/icinga2 +/etc/pki/rpm-gpg/icinga.key: + file.managed: + - user: root + - group: root + - mode: 644 + - source: https://packages.icinga.com/icinga.key + - source_hash: be677e07972ed57b99ffc2fd211379ac11b9c6a7c8d9460086b447b96b0a82bb -# icingacli setup config directory -# icingacli setup token create -# icingacli setup token show -# visit /icingaweb2/setup +icingacmd: + group.present: [] -icingaweb2_enable: +icinga: + user.present: + - shell: /bin/bash + - home: /var/spool/icinga2 + - createhome: true + - groups: + - icingacmd + - system: true + - require: + - group: icingacmd + pkgrepo.managed: + - humanname: ICINGA (stable release) + - baseurl: https://packages.icinga.com/epel/$releasever/release/ + - enabled: 1 + - gpgcheck: 1 + - gpgkey: file:///etc/pki/rpm-gpg/icinga.key + - require: + - file: /etc/pki/rpm-gpg/icinga.key + - user: icinga + pkg.installed: + - pkgs: + - vim-icinga2 + - icinga2 + - nagios-plugins-by_ssh + - nagios-plugins-ping + - nagios-plugins-ssh + - nagios-plugins-http + - icinga2-ido-mysql + - require: + - pkgrepo: icinga + +# You'll need to add a temporary deploy key for root, then create a permanent +# one for the icinga user +'git clone /etc/icinga2': + cmd.script: + - shell: /bin/bash + - source: 'salt://icinga2/files/git_clone_icinga2_conf.sh' + - runas: root + - template: jinja + - creates: /etc/icinga2/.git + - require: + - pkg: icinga + +/var/spool/icinga2/conf: file.symlink: - - name: /etc/nginx/sites-enabled/icingaweb2 - - target: /etc/nginx/sites-available/icingaweb2 - - watch_by: - - service: nginx + - target: /etc/icinga2 + - require: + - user: icinga + +/var/spool/icinga2/.ssh: + file.directory: + - user: icinga + - group: icinga + - mode: 700 + - require: + - user: icinga + 
+/var/spool/icinga2/.ssh/authorized_keys: + file.managed: + - user: icinga + - group: icinga + - mode: 400 + - contents_pillar: icinga2:server:icinga_user_authkeys + +#icingaweb2_enable: +# file.symlink: +# - name: /etc/nginx/sites-enabled/icingaweb2 +# - target: /etc/nginx/sites-available/icingaweb2 +# - watch_by: +# - service: nginx # apt --no-install-recommends install nagios-nrpe-plugin diff --git a/icinga2/ssh_client.sls b/icinga2/ssh_client.sls index 96604f3..a7394dd 100644 --- a/icinga2/ssh_client.sls +++ b/icinga2/ssh_client.sls 
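Review bot: The server-side `icinga` user gets an interactive `/bin/bash` shell and a pillar-provisioned `authorized_keys`, while the clone script in this commit chowns the whole `/etc/icinga2` tree to that same user, so anyone holding one of those keys can log in and rewrite the configuration the daemon executes. If the keys exist only for pushing config, restrict them in the pillar value with `restrict,command="...",from="..."` options (or a forced git command), or document why a full shell is required. The `git clone /etc/icinga2` state relies on a hand-placed root deploy key and host key; consider adding a comment above it naming the known_hosts entry that must exist, since a missing one fails the state with no hint. Note the `pkgrepo.managed` under the `icinga` ID requires `user: icinga`, which is an odd coupling but harmless.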
@@ -1,44 +1,73 @@ -# todo: git clone to /usr/local/lib/nagios # A deploy key must be added for this to work! -{{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }}: +/usr/local/lib/nagios: git.cloned: + - name: {{ salt.pillar.get("icinga2:monitoring_plugins_git_url") | yaml_encode }} - target: /usr/local/lib/nagios - branch: master - user: root + +/usr/local/lib/nagios/venv: + cmd.run: +{% if 'inmotionhosting' in grains.fqdn %} + - name: imh-python3 -m venv /usr/local/lib/nagios/venv +{% else %} + - name: python3 -m venv /usr/local/lib/nagios/venv +{% endif %} + - creates: /usr/local/lib/nagios/venv + - require: + - git: /usr/local/lib/nagios + - pkg: monitoring_packages + +# TODO: make all this venv stuff a cmd.script + +venv-ensurepip: + cmd.run: + - name: /usr/local/lib/nagios/venv/bin/python3 -m ensurepip + - creates: /usr/local/lib/nagios/venv/bin/pip3 + - require: + - cmd: /usr/local/lib/nagios/venv + +venv-psutil: + cmd.run: + - name: /usr/local/lib/nagios/venv/bin/pip3 install psutil + - require: + - cmd: venv-ensurepip + monitoring_packages: pkg.installed: - pkgs: - # TODO: these are the Debian names. 
Figure out the others - - monitoring-plugins-basic - smartmontools + {% if grains.os_family == 'Debian' %} + - python3-venv + {% endif %} -nagios: +icinga: user.present: - shell: /bin/bash - - home: /var/lib/nagios + - home: /var/lib/icinga - system: true - createhome: true -/var/lib/nagios/.ssh: +/var/lib/icinga/.ssh: file.directory: - - user: nagios - - group: nagios + - user: icinga + - group: icinga - mode: 700 - require: - - user: nagios + - user: icinga -/var/lib/nagios/.ssh/authorized_keys: +/var/lib/icinga/.ssh/authorized_keys: file.managed: - - user: nagios - - group: nagios + - user: icinga + - group: icinga - mode: 400 - - contents_pillar: icinga2:nagios_rsa_pubkey + - contents_pillar: icinga2:icinga_rsa_pubkey - require: - - file: /var/lib/nagios/.ssh + - file: /var/lib/icinga/.ssh -/etc/sudoers.d/nagios: +/etc/sudoers.d/icinga: file.managed: - user: root - group: root diff --git a/top.sls b/top.sls index 64de08b..326b8c7 100644 --- a/top.sls +++ b/top.sls @@ -1,4 +1,4 @@ -{{saltenv}}: +{{ saltenv }}: '*': - salt - common @@ -7,16 +7,17 @@ or salt.pillar.get('restic:server', None) is not none %} - restic {% endif %} -{% if salt.pillar.get("icinga2:ssh_client", None) is not none %} - - icinga2.ssh_client +{% if salt.pillar.get("icinga2:ssh_client", None) is not none + or salt.pillar.get("icinga2:server", None) is not none %} + - icinga2 +{% endif %} +{% if salt.pillar.get("gitea", None) is not none %} + - gitea {% endif %} '*.keiran.us': - firewall - resolvers - 'vps47492.inmotionhosting.com': - - gitea 'kpi.keiran.us': - - icinga2.server - nginx - restic - samba
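Review bot: Renaming the monitoring account from `nagios` to `icinga` in ssh_client.sls drops the states for `/var/lib/nagios`, `/etc/sudoers.d/nagios` and the `nagios` user but adds nothing that removes them, so on every host already provisioned the old account keeps its authorized_keys and its `ALL=(ALL) NOPASSWD:` sudoers entry rendered from the old template indefinitely. Add a `user.absent` for `nagios` and a `file.absent` for `/etc/sudoers.d/nagios` so the rename actually retires the old privileged account. The `venv-psutil` state has no `creates`/`unless`, so `pip3 install psutil` reaches PyPI on every highstate and installs whatever version is current; pin the version and guard it with `- unless: /usr/local/lib/nagios/venv/bin/python3 -c 'import psutil'`. The `/etc/sudoers.d/icinga` state continues past the end of this hunk.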