diff --git a/inventory/group_vars/9iron.yml b/inventory/group_vars/9iron.yml
index c5c2e83..93680be 100644
--- a/inventory/group_vars/9iron.yml
+++ b/inventory/group_vars/9iron.yml
@@ -73,6 +73,15 @@ matrix_server_name: "9iron.club"
matrix_url: "matrix.9iron.club"
matrix_enable_registration: "true"
matrix_admin_contact: "mailto:rehashedsalt@cock.li"
+# Nagios
+nagios_user_name: salt
+nagios_user_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35353561366233326536313430346266663631663137366130396435363932333766306438323166
+ 6437353630373631393938396232343065396162313732610a653433323466613636393437656663
+ 33396133643730636632613637653164666638346562656463613931663831373039313632363863
+ 3062393539633736610a303932383066663638636165363736323738323838366233333338636636
+ 39663064356363656130386235333566636566303263363365363933656231373733
# Nextcloud
nextcloud_mysql_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
diff --git a/playbooks/webservers.yml b/playbooks/webservers.yml
index aadbc11..4a50bf5 100644
--- a/playbooks/webservers.yml
+++ b/playbooks/webservers.yml
@@ -36,3 +36,13 @@
gitweb_url: "www.9iron.club"
gitweb_webroot: "/var/www/www"
tags: [ web, webroot ]
+- hosts: web2
+ roles:
+ - role: backups
+ tags: [ backups ]
+ - role: postfix-ses
+ tags: [ postfix ]
+ - role: nagios
+ vars:
+ nagios_url: "nagios.9iron.club"
+ tags: [ web, nagios ]
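Review bot: The new `- hosts: web2` play has no `name:`, unlike a play a reader can identify in `ansible-playbook` output; prefix it with `- name: Configure the web2 monitoring host` and move `hosts: web2` under it. The `postfix-ses` role is listed here and is also a `dependencies:` entry of the nagios role's meta/main.yml with `allow_duplicates: no`, so the second occurrence is skipped — harmless, but worth a one-line comment next to `- role: postfix-ses` saying the nagios role pulls it in anyway. Flow lists with padding inside the brackets (`[ backups ]`) are a style inconsistency with Prettier/yamllint defaults; `[backups]` is the usual form.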
diff --git a/roles/apache-php/tasks/main.yml b/roles/apache-php/tasks/main.yml
index 0805f6a..443d7ce 100644
--- a/roles/apache-php/tasks/main.yml
+++ b/roles/apache-php/tasks/main.yml
@@ -21,6 +21,7 @@
- php-zip
- php-cgi
- php-cli
+ - python3-passlib # For htpasswd support
- name: Find PHP config directory
find:
paths: /etc/php
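Review bot: The inline comment on the new package line says only "For htpasswd support", which does not tell the next maintainer which consumer needs it; since the dependency exists for the nagios role's `htpasswd:` task, say so: `- python3-passlib  # needed by Ansible's htpasswd module (used by the nagios role)`. Inline comments should also have two spaces before the `#` per yamllint's comments rule. The enclosing apt task starts before this hunk.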
diff --git a/roles/nagios/defaults/main.yml b/roles/nagios/defaults/main.yml
new file mode 100644
index 0000000..c62066a
--- /dev/null
+++ b/roles/nagios/defaults/main.yml
@@ -0,0 +1,2 @@
+# vim:ft=ansible:
+nagios_webroot: /usr/share/nagios3/htdocs
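Review bot: The defaults file only declares `nagios_webroot`, but the role's tasks and template read several variables that have no default and are not documented anywhere in the role: `nagios_url`, `nagios_user_name`, `nagios_user_password`, `zone`, `ssl_protocol` and `ssl_cipher_suite`. Add a short comment block here naming them as required inputs (and which file is expected to supply them — the play for `nagios_url`, group_vars for the credentials) so a missing variable fails for a documented reason rather than at template time. The file also lacks the `---` document-start marker that the sibling handlers/meta/tasks files use.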
diff --git a/roles/nagios/handlers/main.yml b/roles/nagios/handlers/main.yml
new file mode 100644
index 0000000..e49f98b
--- /dev/null
+++ b/roles/nagios/handlers/main.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart nagios
+ systemd:
+ name: nagios
+ state: restarted
+ become: yes
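Review bot: The handler restarts a systemd unit called `nagios`, but the package the tasks install is `nagios3` and the role's paths are under `/etc/nagios3/` and `/usr/share/nagios3/`, so the unit is probably `nagios3` — confirm on the target, because a wrong unit name makes every run that notifies this handler fail at the end. `become: yes` is a YAML 1.1 truthy spelling; write `become: true`. The same spellings appear in meta/main.yml (`allow_duplicates: no`) and tasks/main.yml (`overwrite: yes`, `become: yes`) and should be normalised to `true`/`false` in one pass.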
diff --git a/roles/nagios/meta/main.yml b/roles/nagios/meta/main.yml
new file mode 100644
index 0000000..794fc07
--- /dev/null
+++ b/roles/nagios/meta/main.yml
@@ -0,0 +1,5 @@
+---
+allow_duplicates: no
+dependencies:
+ - role: apache-php
+ - role: postfix-ses
diff --git a/roles/nagios/tasks/main.yml b/roles/nagios/tasks/main.yml
new file mode 100644
index 0000000..dc271b8
--- /dev/null
+++ b/roles/nagios/tasks/main.yml
@@ -0,0 +1,53 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Install and configure Nagios
+ block:
+ - name: Install packages
+ block:
+ - name: Install Nagios package
+ apt:
+ name:
+ - nagios3
+ - name: Assure CNAME record
+ route53:
+ state: present
+ overwrite: yes
+ zone: "{{ zone }}"
+ type: CNAME
+ record: "{{ nagios_url }}"
+ ttl: 3600
+ value:
+ - "{{ inventory_hostname }}.{{ zone }}."
+ - name: Set up Apache
+ block:
+ - name: Enable modules
+ command:
+ cmd: a2enmod "{{ item }}"
+ creates: "/etc/apache2/mods-enabled/{{ item }}.load"
+ loop:
+ - cgi
+ - rewrite
+ notify: restart apache
+ - name: Assure admin user
+ htpasswd:
+ path: /etc/nagios3/htpasswd.users
+ name: "{{ nagios_user_name }}"
+ password: "{{ nagios_user_password }}"
+ notify: restart nagios
+ - name: Template out vhost
+ template:
+ src: "apache2-vhost-ssl.conf"
+ dest: "/etc/apache2/sites-available/{{ nagios_url }}.conf"
+ notify: restart apache
+ - name: Enable site
+ command:
+ cmd: "a2ensite {{ nagios_url }}.conf"
+ creates: "/etc/apache2/sites-enabled/{{ nagios_url }}.conf"
+ notify: restart apache
+ - name: Generate certificate
+ include_role:
+ name: https
+ vars:
+ website_url: "{{ nagios_url }}"
+ become: yes
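Review bot: The "Assure admin user" task writes the web UI credential file `/etc/nagios3/htpasswd.users` without `owner`/`group`/`mode`, so the file keeps whatever permissions the module creates it with, and the task has no `no_log: true`, so the vaulted `nagios_user_password` can appear in verbose or callback output. Restrict the file to root and the Apache group (on Debian-family hosts that is `www-data` — confirm) and mark the task no-log. Separately, the route53 task has no explicit credentials or region and the https role is included after the vhost is enabled, both of which presumably rely on environment and handler ordering — a one-line comment on each would spare the next reader the inference.
```yaml
# … unchanged: package install, route53 CNAME, a2enmod loop …
- name: Assure admin user
  htpasswd:
    path: /etc/nagios3/htpasswd.users
    name: "{{ nagios_user_name }}"
    password: "{{ nagios_user_password }}"
    owner: root
    group: www-data
    mode: "0640"
  no_log: true  # keep the vaulted password out of task output
  notify: restart nagios
# … unchanged: vhost template, a2ensite, https include_role …
```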
diff --git a/roles/nagios/templates/apache2-vhost-ssl.conf b/roles/nagios/templates/apache2-vhost-ssl.conf
new file mode 100644
index 0000000..be9df7a
--- /dev/null
+++ b/roles/nagios/templates/apache2-vhost-ssl.conf
@@ -0,0 +1,32 @@
+# Configuration for {{ nagios_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+
+# Website configuration
+
+ ServerName {{ nagios_url }}
+ Redirect permanent / https://{{ nagios_url }}
+
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/cert/crt/{{ nagios_url }}.crt
+ SSLCertificateKeyFile /etc/pki/cert/private/{{ nagios_url }}.key
+ SSLCertificateChainFile /etc/pki/cert/crt/{{ nagios_url}}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
+ SSLCipherSuite {{ ssl_cipher_suite }}
+ \
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+ ServerName {{ nagios_url }}
+ DocumentRoot {{ nagios_webroot }}
+
+ Require all granted
+ AllowOverride All
+ Options MultiViews FollowSymlinks
+
+
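Review bot: The rendered vhost grants `Require all granted` on the document root and contains no `AuthType`/`AuthUserFile` directive, so the htpasswd file the role populates is never consulted by this vhost unless the nagios3 package's own Apache snippet is included elsewhere — which nothing on the page shows; the monitoring UI would then be reachable without the admin credential. Require a valid user from the same file the tasks manage, as below. The `<VirtualHost>`/`<Directory>` container lines appear to have been stripped in this view, so the exact placement cannot be checked here; also `{{ nagios_url}}` on the chain-file line is spaced inconsistently with the other expressions, and the lone `\` line looks like a stray continuation.
```apache
# … unchanged: SSL directives …
    DocumentRoot {{ nagios_webroot }}
    # inside the Directory block for the webroot: authenticate against the file managed by tasks/main.yml
    AuthType Basic
    AuthName "Nagios"
    AuthUserFile /etc/nagios3/htpasswd.users
    Require valid-user
    AllowOverride All
    Options MultiViews FollowSymlinks
```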