diff --git a/bundles/icinga2/files/check_by_sshmon b/bundles/icinga2/files/check_by_sshmon
new file mode 100644
index 0000000..df553f9
--- /dev/null
+++ b/bundles/icinga2/files/check_by_sshmon
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+UNKNOWN=3
+
+if [ -z "$SSHMON_TEST" ]
+then
+ echo 'check_by_sshmon: Env SSHMON_TEST missing' >&2
+ exit $UNKNOWN
+elif [ -z "$SSHMON_COMMAND" ]
+then
+ echo 'check_by_sshmon: Env SSHMON_COMMAND missing' >&2
+ exit $UNKNOWN
+elif [ -z "$SSHMON_HOST" ]
+then
+ echo 'check_by_sshmon: Env SSHMON_HOST missing' >&2
+ exit $UNKNOWN
+fi
+
+ssh sshmon@"$SSHMON_HOST" "$SSHMON_COMMAND"
+
+if [ "$exitcode" = 124 ]
+then
+ echo 'check_by_sshmon: Timeout while running check remotely' >&2
+ exit $UNKNOWN
+elif [ "$exitcode" = 255 ]
+then
+ echo 'check_by_sshmon: SSH error' >&2
+ exit $UNKNOWN
+else
+ exit $exitcode
+fi
diff --git a/bundles/icinga2/files/conf.d/commands.conf b/bundles/icinga2/files/conf.d/commands.conf
index 588f9f6..571ff35 100644
--- a/bundles/icinga2/files/conf.d/commands.conf
+++ b/bundles/icinga2/files/conf.d/commands.conf
@@ -6,6 +6,18 @@
 * optional parameters. */
+
+object CheckCommand "sshmon" {
+ import "ipv4-or-ipv6"
+
+ command = [ "/usr/lib/nagios/plugins/check_by_sshmon" ]
+
+ env.SSHMON_TEST = "1234"
+ env.SSHMON_COMMAND = "$command$"
+ env.SSHMON_HOST = "$address$"
+}
+
+
 object NotificationCommand "mail-host-notification" { command = [ ConfigDir + "/scripts/mail-host-notification.sh" ]
diff --git a/bundles/icinga2/files/hosts.d/host.conf b/bundles/icinga2/files/hosts.d/host.conf
index abba679..2f04906 100644
--- a/bundles/icinga2/files/hosts.d/host.conf
+++ b/bundles/icinga2/files/hosts.d/host.conf
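Review bot: `$exitcode` is never assigned in check_by_sshmon, so neither the 124 nor the 255 branch can match, and the final `exit $exitcode` expands to a bare `exit` that returns the status of the preceding `[` test instead of the remote plugin's result. Every check would then report the same state, which hides a CRITICAL result from the monitored host; capture the status directly after the ssh line with `exitcode=$?`. The 124 branch expects the exit code of `timeout`, but ssh is started without it, so a hung connection is not bounded; wrapping the call in `timeout` and passing `-o BatchMode=yes` would make a missing key or a stalled host fail fast instead of waiting on a prompt. `SSHMON_TEST` is checked for presence but never used afterwards.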
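Review bot: `env.SSHMON_TEST = "1234"` in the sshmon CheckCommand is a fixed placeholder whose only visible purpose is to satisfy the plugin's presence check; drop it together with that check or give it a documented meaning. `env.SSHMON_COMMAND = "$command$"` forwards a free-form string that the plugin passes to ssh as the remote command, so whoever can set `vars.command` on a service decides what runs as sshmon on the target. A comment above the object such as `/* vars.command is executed verbatim on the monitored host; set it only from trusted configuration */` would make that trust boundary explicit.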
@@ -28,7 +28,7 @@ object Host "${host_name}" { % endfor }
-% for service_name, service_config in sorted(services.items(), key=lambda e: [e[1]['vars.bundle'], e[0]]):
+% for service_name, service_config in sorted(services.items()):
 object Service "${service_name}" { import "generic-service" % for key, value in sorted(service_config.items()):
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py
index 2ab16a8..72f48b4 100644
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@@ -222,11 +222,16 @@ files = { 'svc_systemd:icinga2.service:restart', ], },
+ '/usr/lib/nagios/plugins/check_by_sshmon': {
+ 'mode': '0755',
+ },
 } for other_node in repo.nodes: if other_node.dummy: continue
+ elif not other_node.in_group('monitored'):
+ continue
 files[f'/etc/icinga2/hosts.d/{other_node.name}.conf'] = { 'content_type': 'mako',
@@ -237,7 +242,7 @@ for other_node in repo.nodes: 'host_settings': { 'address': str(ip_interface(other_node.metadata.get('network/internal/ipv4', None) or other_node.metadata.get('wireguard/my_ip')).ip), },
- 'services': other_node.metadata.get('monitoring', {}),
+ 'services': other_node.metadata.get('monitoring/services'),
 }, 'triggers': [ 'svc_systemd:icinga2.service:restart',
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index 37a9198..8295ca6 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -32,6 +32,12 @@ defaults = { }, }, },
+ 'users': {
+ 'nagios': {
+ 'home': '/var/lib/nagios',
+ 'shell': '/usr/sbin/nologin',
+ },
+ },
 'zfs': { 'datasets': { 'tank/icinga2': {
diff --git a/bundles/monitored/metadata.py b/bundles/monitored/metadata.py
new file mode 100644
index 0000000..aaa0a07
--- /dev/null
+++ b/bundles/monitored/metadata.py
@@ -0,0 +1,25 @@
+defaults = {
+ 'monitoring': {
+ 'services': {
+ 'test': {
+ 'vars.command': '/bin/ls /',
+ 'check_command': 'sshmon',
+ 'host_name': node.name,
+ },
+ },
+ },
+}
+
+@metadata_reactor.provides(
+ 'users/sshmon/authorized_users'
+)
+def user(metadata):
+ return {
+ 'users': {
+ 'sshmon': {
+ 'authorized_users': {
+ 'nagios@' + metadata.get('monitoring/icinga2_node'),
+ }
+ },
+ },
+ }
diff --git a/bundles/zsh/items.py b/bundles/zsh/items.py
index 12990a2..6a2a40c 100644
--- a/bundles/zsh/items.py
+++ b/bundles/zsh/items.py
@@ -36,7 +36,7 @@ files = { } for name, user_config in node.metadata.get('users').items():
- if user_config.get('shell', None) != '/usr/bin/zsh':
+ if user_config.get('shell', None) == '/usr/bin/zsh':
 files[join(user_config['home'], '.zshrc')] = { 'owner': name, 'group': name,
diff --git a/groups/applications/monitored.py b/groups/applications/monitored.py
index ccf4ee8..bfbdfb5 100644
--- a/groups/applications/monitored.py
+++ b/groups/applications/monitored.py
@@ -1,10 +1,14 @@
 {
 'bundles': [
 'telegraf',
+ 'monitored',
 ],
 'metadata': {
 'telegraf': {
 'influxdb_node': 'home.server',
 },
+ 'monitoring': {
+ 'icinga2_node': 'home.server',
+ },
 },
 }
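Review bot: The `user` reactor in bundles/monitored/metadata.py authorizes the key of `nagios@<icinga2_node>` for the sshmon account with no visible limit on what that key may run, while the sshmon CheckCommand sends a free-form command string. If the users bundle can express authorized_keys options, pinning the key to a forced `command=` wrapper that only runs allow-listed plugins, together with `restrict`, would keep a compromised monitoring host from holding a general shell on every monitored node; whether that bundle supports this is not visible in the diff. The `test` service with `'vars.command': '/bin/ls /'` in `defaults` looks like scaffolding and would be rolled out to every node that carries the bundle. `metadata.get('monitoring/icinga2_node')` has no default, so a comment such as `# icinga2_node must be set by the group; no fallback on purpose` would document that a node without it is expected to fail.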