diff --git a/apt/init.sls b/apt/init.sls index 2bb3be0..fdb5228 100644 --- a/apt/init.sls +++ b/apt/init.sls @@ -50,7 +50,7 @@ salt-repo: apt-transport-https: pkg.installed -python-apt: +python3-apt: pkg.installed # Purge old stuff diff --git a/apt/sources.list.Ubuntu.jammy b/apt/sources.list.Ubuntu.jammy new file mode 100644 index 0000000..f187c1e --- /dev/null +++ b/apt/sources.list.Ubuntu.jammy 
@@ -0,0 +1,42 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy main restricted
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy universe
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy universe
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates universe
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy multiverse
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-updates multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb http://de.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
+# deb-src http://de.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security main restricted
+deb http://security.ubuntu.com/ubuntu/ jammy-security universe
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security universe
+deb http://security.ubuntu.com/ubuntu/ jammy-security multiverse
+# deb-src http://security.ubuntu.com/ubuntu/ jammy-security multiverse
diff --git a/icinga2/host.conf.jinja b/icinga2/host.conf.jinja
new file mode 100644
index 0000000..20c085d
--- /dev/null
+++ b/icinga2/host.conf.jinja
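Review bot: Every entry in the new sources.list fetches over plain `http://`, even though apt/init.sls in this same change keeps `apt-transport-https` installed (on jammy the https method is built into apt, so that package is only a transitional shim). Apt's signature verification covers integrity, but plain HTTP lets an on-path observer see exactly which packages each host pulls and lets an attacker replay an older, still validly signed index to hold back security updates, which apt only rejects if the Release file carries an expired Valid-Until. Moving at least the security pocket over, `deb https://security.ubuntu.com/ubuntu/ jammy-security main restricted`, costs nothing here. It is also worth confirming that enabling `jammy-backports` for all four components is intended; the archive marks backports NotAutomatic so they are only installed on request, but as the file's own comment notes they are outside the security team's coverage.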
@@ -0,0 +1,62 @@
+#
+# {{ node_id }}
+#
+{%- set role = salt['mine.get'](node_id,'minion_role')[node_id] %}
+{%- set tags = salt['mine.get'](node_id,'minion_tags')[node_id] %}
+{%- set location = salt['mine.get'](node_id,'minion_location', tgt_type='glob')[node_id] %}
+{%- set overlay_address = salt['mine.get'](node_id,'minion_overlay_address', tgt_type='glob')[node_id] %}
+{%- set minion_external_address6 = salt['mine.get'](node_id,'minion_external_ip6', tgt_type='glob')[node_id] %}
+
+{%- if 'icinga2_server' not in tags %}
+object Endpoint "{{ node_id }}" {
+ host = "{{ node_id }}"
+}
+
+object Zone "{{ node_id }}" {
+ endpoints = [ "{{ node_id }}" ]
+ parent = "master"
+}
+{%- endif %}
+
+object Host "{{ node_id }}" {
+ import "generic-host"
+
+ display_name = "{{ node_id }}"
+ check_command = "hostalive"
+
+ {%- if 'mine_interval' not in overlay_address %}
+ address = "{{ overlay_address | regex_replace('/\d+$','') }}"
+ {%- endif %}
+
+ {%- if minion_external_address6 %}
+ # Used to determine whether a host has IPv6
+ vars.external_address_6 = "{{ minion_external_address6 }}"
+ {%- endif %}
+
+ vars.os = "Linux"
+
+ vars.role = "{{ role }}"
+
+ vars.tags = [
+ {%- for tag in tags|sort %}
+ "{{ tag }}",
+ {%- endfor %}
+ ]
+
+ vars.location = "{{ location }}"
+
+ vars.disk_wfree = "4%"
+ vars.disk_cfree = "2%"
+ vars.disks["disk /"] = {
+ disk_partitions = "/"
+ }
+ {% if 'backupserver' == role %}
+ vars.disks["disk /srv"] = {
+ disk_partitions = "/srv"
+ }
+ {% elif 'buildserver' == role %}
+ vars.disks["disk /build"] = {
+ disk_partitions = "/build"
+ }
+ {% endif %}
+}
diff --git a/icinga2/host.conf.tmpl b/icinga2/host.conf.tmpl
deleted file mode 100644
index 4b2c390..0000000
--- a/icinga2/host.conf.tmpl
+++ /dev/null
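Review bot: Every value read from the mine (`role`, `tags`, `location`, `minion_external_address6`, `overlay_address`) is interpolated into double-quoted Icinga2 strings without any escaping, e.g. `vars.role = "{{ role }}"` and `"{{ tag }}",`. Mine data is published by the minions themselves, so a compromised or misconfigured minion that reports a tag containing `"` and a newline can inject arbitrary objects into the master's zones.d, and since the Icinga2 DSL can define CheckCommand objects that is configuration injection with command-execution potential on the monitoring master rather than a cosmetic problem. A whitelist before interpolation closes it, for instance `{%- if not tag | regex_match('^[A-Za-z0-9_.:-]+$') %}{{ raise('invalid tag ' ~ tag) }}{%- endif %}` inside the loop and the same for `role` and `location` (`regex_match` is a Salt Jinja filter; `raise` exists in current Salt, older releases would need another way to abort the render). Separately, only `overlay_address` is checked for the `mine_interval` placeholder while `role`, `tags` and `location` are used as-is, so whatever mine.get returns for a minion that lacks one of those functions ends up in the generated config, and a node missing from the mine entirely makes the `[node_id]` lookup raise and fails that host's file.managed state.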
@@ -1,70 +0,0 @@ -# -# {{ node_id }} -# -{%- set roles = salt['mine.get'](node_id,'minion_roles')[node_id] %} -{%- set role = salt['mine.get'](node_id,'minion_role')[node_id] %} -{%- set device_role = salt['mine.get'](node_id,'minion_device_role')[node_id] %} -{%- set sites = salt['pillar.get']('netbox:config_context:sites').values()|sum(start=[]) %} -{%- set address = salt['mine.get'](node_id,'minion_address', tgt_type='glob')[node_id] %} -{%- set overlay_address = salt['mine.get'](node_id,'minion_overlay_address', tgt_type='glob')[node_id] %} -{%- set address6 = salt['mine.get'](node_id,'minion_address6', tgt_type='glob')[node_id] %} -{%- set icinga_address = salt['mine.get'](grains['id'],'minion_address', tgt_type='glob')[grains['id']] %} -{%- set location = salt['mine.get'](node_id,'minion_location', tgt_type='glob')[node_id] %} - -{% if 'mine_interval' not in role %} -{% do roles.append(role) %} -{% elif 'mine_interval' not in device_role %} -{% do roles.append(device_role) %} -{% endif %} - -{%- if 'icinga2_server' not in roles %} -object Endpoint "{{ node_id }}" { - host = "{{ node_id }}" -} - -object Zone "{{ node_id }}" { - endpoints = [ "{{ node_id }}" ] - parent = "master" -} -{%- endif %} - -object Host "{{ node_id }}" { - import "generic-host" - - display_name = "{{ node_id }}" - {% if 'mine_interval' not in overlay_address %} - address = "{{ overlay_address | regex_replace('/\d+$','') }}" - {% endif %} - check_command = "hostalive" - - vars.os = "Linux" - - vars.roles = [ - {%- for role in roles|sort %} - "{{ role }}", - {%- endfor %} - ] - - vars.sites = [ - {%- for site in sites|sort %} - "{{ site }}", - {%- endfor %} - ] - - vars.location = "{{ location }}" - - vars.disk_wfree = "4%" - vars.disk_cfree = "2%" - vars.disks["disk /"] = { - disk_partitions = "/" - } - {% if 'backupserver' in roles %} - vars.disks["disk /srv"] = { - disk_partitions = "/srv" - } - {% elif 'buildserver' in roles %} - vars.disks["disk /build"] = { - disk_partitions = 
"/build" - } - {% endif %} -} diff --git a/icinga2/init.sls b/icinga2/init.sls index 4b30650..33e3cc2 100644 --- a/icinga2/init.sls +++ b/icinga2/init.sls @@ -248,14 +248,13 @@ Cleanup /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/: - service: icinga2-service # Generate config file for every client known to pillar -{% for node_id,data in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').items() %} +{% for node_id in salt['mine.get']('netbox:tag_list:icinga2_client', 'minion_id', tgt_type='pillar').keys() %} /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/{{ node_id }}.conf: file.managed: - - source: salt://icinga2/host.conf.tmpl + - source: salt://icinga2/host.conf.jinja - template: jinja - context: node_id: {{ node_id }} - node_config: {{ data }} - require: - file: Create /etc/icinga2/zones.d/master/ffmuc-conf.d/hosts/generated/ - require_in: diff --git a/icinga2/services/dhcp-server.conf b/icinga2/services/dhcp-server.conf index 123dd1d..79e1884 100644 --- a/icinga2/services/dhcp-server.conf +++ b/icinga2/services/dhcp-server.conf @@ -15,10 +15,10 @@ apply Service "dhcp_pool" { command_endpoint = host.name } - assign where host.address && host.vars.os == "Linux" && ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles) + assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway" } -apply Service "isc-dhcpd" { +apply Service "dhcpd" { import "generic-service" check_command = "procs" @@ -34,5 +34,5 @@ apply Service "isc-dhcpd" { max_check_attempts = 3 retry_interval = 1m - assign where ("gateway" in host.vars.roles || "dhcp-server" in host.vars.roles) + assign where host.address && host.vars.os == "Linux" && host.vars.role == "nextgen-gateway" } diff --git a/icinga2/services/dns.conf b/icinga2/services/dns.conf index b0e74b6..d9487fd 100644 --- a/icinga2/services/dns.conf +++ b/icinga2/services/dns.conf 
@@ -1,11 +1,9 @@ # -# dns.srv.in.ffho.net +# Check DNS servers # -# Anycast DNS server - -# Check DNS servers -apply Service "dns4" { +# Check whether DNS servers on anycast addresses are responding +apply Service "dns4-" for (key => value in {"VIE01" = "5.1.66.255", "MUC01" = "185.150.99.255"}) { import "generic-service" if (host.name != NodeName) { @@ -14,13 +12,13 @@ apply Service "dns4" { check_command = "dns" vars.dns_lookup = "anycast01.ffmuc.net" vars.dns_expected_answer = "5.1.66.255" - vars.dns_server = "5.1.66.255" - assign where host.address - ignore where "VIE01" == host.vars.location + vars.dns_server = value + + assign where host.address && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"]) } -apply Service "dns6" { +apply Service "dns6-" for (key => value in {"VIE01" = "2001:678:e68:f000::", "MUC01" = "2001:678:ed0:f000::"}) { import "generic-service" if (host.name != NodeName) { @@ -29,12 +27,14 @@ apply Service "dns6" { check_command = "dns" vars.dns_lookup = "anycast01.ffmuc.net" vars.dns_expected_answer = "5.1.66.255" - vars.dns_server = "2001:678:e68:f000::" - assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "nextgen-gateway" in host.vars.roles) + vars.dns_server = value + + assign where host.vars.external_address_6 && host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"]) } +# Check whether bind is running apply Service "named" { import "generic-service" @@ -51,9 +51,10 @@ apply Service "named" { max_check_attempts = 3 retry_interval = 1m - assign where "dnsserver" in host.vars.roles + assign where "authorative-dns" in host.vars.tags } +# Check whether pdns recursor is running apply Service "pdns_recursor" { import "generic-service" 
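Review bot: The tag in the new `named` assign rule is spelled `"authorative-dns"`; if the minions publish the correctly spelled `authoritative-dns` in `minion_tags`, the check assigns to no host and the mismatch is invisible in Icinga2, since an apply rule with zero matches is not an error. Whichever spelling is canonical should be used consistently, and the cheap way to catch this class of problem is `icinga2 object list --type Service --name 'named'` after the reload, or an assertion in the Salt state that the expected hosts got the service. The `named` service body starts above this hunk.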
@@ -70,10 +71,10 @@ apply Service "pdns_recursor" { max_check_attempts = 3 retry_interval = 1m - assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles + assign where "recursor" in host.vars.tags } - +# Check whether dnsdist is running apply Service "dnsdist" { import "generic-service" @@ -90,10 +91,10 @@ apply Service "dnsdist" { max_check_attempts = 3 retry_interval = 1m - assign where "nextgen-gateway" in host.vars.roles || "webserver-external" in host.vars.roles + assign where "dnsdist" in host.vars.tags } - +# Check whether nginx is running apply Service "nginx" { import "generic-service" @@ -110,5 +111,5 @@ apply Service "nginx" { max_check_attempts = 3 retry_interval = 1m - assign where "webserver-external" in host.vars.roles + assign where host.vars.role == "webserver-external" } diff --git a/icinga2/services/docker.conf b/icinga2/services/docker.conf index 36f8ce6..0785748 100644 --- a/icinga2/services/docker.conf +++ b/icinga2/services/docker.conf @@ -3,7 +3,7 @@ # -# Check if graylog-sidecar is running on every node +# Check if docker is running apply Service "dockerd" { import "generic-service" @@ -20,5 +20,5 @@ apply Service "dockerd" { max_check_attempts = 3 retry_interval = 30s - assign where host.name == "guardian.in.ffmuc.net" || "docker" in host.vars.roles + assign where (host.vars.role == "docker" || "docker" in host.vars.tags) } diff --git a/icinga2/services/kvm.conf b/icinga2/services/kvm.conf index b3f89c9..6439490 100644 --- a/icinga2/services/kvm.conf +++ b/icinga2/services/kvm.conf @@ -3,7 +3,7 @@ # -# Check if graylog-sidecar is running on every node +# Check if libvirtd is running on every node apply Service "libvirtd" { import "generic-service" @@ -20,5 +20,5 @@ apply Service "libvirtd" { max_check_attempts = 3 retry_interval = 5m - assign where "vmhost" in host.vars.roles + assign where host.vars.role == "vmhost" } 
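Review bot: Dropping the `host.name == "guardian.in.ffmuc.net"` special case means the `dockerd` check disappears from that host unless its mine data now reports `role == "docker"` or a `docker` tag; nothing in this change shows that, so it is worth confirming before merge. If guardian is a one-off, the explicit match can be kept alongside the role/tag expression: `assign where host.name == "guardian.in.ffmuc.net" || host.vars.role == "docker" || "docker" in host.vars.tags`. The rest of the `dockerd` service body sits between the two hunks, outside the visible context.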
diff --git a/icinga2/services/network.conf b/icinga2/services/network.conf index 498366c..54bdf66 100644 --- a/icinga2/services/network.conf +++ b/icinga2/services/network.conf @@ -15,27 +15,6 @@ apply Service "conntrack_size" { assign where host.address && host.vars.os == "Linux" } -apply Service "dhcpd" { - import "generic-service" - - check_command = "procs" - - if (host.name != NodeName) { - command_endpoint = host.name - } - - vars.procs_command = "dhcpd" - vars.procs_critical = "1" - vars.procs_warning = "1" - check_interval = 1m - max_check_attempts = 3 - retry_interval = 30s - - assign where host.address && host.vars.os == "Linux" && ("master" in host.vars.roles || "gateway" in host.vars.roles) -} - - -# # bird process apply Service "bird" { import "generic-service" @@ -53,11 +32,11 @@ apply Service "bird" { max_check_attempts = 3 retry_interval = 3m - assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles) + assign where host.vars.os == "Linux" && (host.vars.role in ["webserver-external", "nextgen-gateway"]) } # Are we able to reach the internet? -apply Service "gw-ping4" { +apply Service "ping4-google" { import "generic-service" check_command = "ping4" @@ -69,7 +48,7 @@ apply Service "gw-ping4" { assign where host.address } -apply Service "gw-ping6" { +apply Service "ping6-google" { import "generic-service" check_command = "ping6" @@ -77,5 +56,6 @@ apply Service "gw-ping6" { if (host.name != NodeName) { command_endpoint = host.name } - assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles) + + assign where host.vars.external_address_6 } diff --git a/icinga2/services/ntp.conf b/icinga2/services/ntp.conf index d486ef0..7187c58 100644 --- a/icinga2/services/ntp.conf +++ b/icinga2/services/ntp.conf 
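Review bot: Renaming `gw-ping6` to `ping6-google` (and `gw-ping4` in the hunk above, plus `isc-dhcpd`, `dns4`, `dns6` elsewhere in this change) makes Icinga2 create new service objects on reload, so acknowledgements, downtimes and check history attached to the old names are dropped; if that is accepted, a line in the commit message saves the on-call engineer a surprise. The new `assign where host.vars.external_address_6` keys on a custom variable that the host template sets without also setting `address6`; if `ping6`'s target still comes from the ITL default `$address6$` (the lines between the two hunks are not visible here) the check has no destination, so either `vars.ping_address` is set there or the host template should also emit `address6 = "{{ minion_external_address6 }}"`. The service body between `check_command = "ping6"` and the `command_endpoint` block is outside this hunk.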
@@ -1,16 +1,16 @@ # -# ntp.srv.in.ffho.net +# NTP checks # -# Check NTP servers +# Check system clock against NTP servers apply Service "ntp4" { import "generic-service" check_command = "ntp_time" vars.ntp_ipv4 = true vars.ntp_address = "2.de.pool.ntp.org" - + max_check_attempts = 5 check_interval = 5m @@ -28,15 +28,15 @@ apply Service "ntp6" { check_command = "ntp_time" vars.ntp_ipv6 = true vars.ntp_address = "2.de.pool.ntp.org" - + max_check_attempts = 5 check_interval = 5m retry_interval = 1m - + if (host.name != NodeName) { command_endpoint = host.name } - assign where host.vars.os == "Linux" && ("webserver-external" in host.vars.roles || "gateway" in host.vars.roles) + assign where host.vars.os == "Linux" && host.vars.external_address_6 } # Check if ntpd is running on every node