diff --git a/data/site.yaml b/data/site.yaml
new file mode 100644
index 000000000..8672a60c2
--- /dev/null
+++ b/data/site.yaml
@@ -0,0 +1,61 @@
+---
+lookup_options:
+ magic_castle::site::all:
+ merge: 'deep'
+ magic_castle::site::tags:
+ merge: 'deep'
+ magic_castle::site::not_tags:
+ merge: 'deep'
+
+magic_castle::site::all:
+ - profile::base
+ - profile::users::local
+ - profile::sssd::client
+ - profile::metrics::node_exporter
+
+magic_castle::site::tags:
+ dtn:
+ - profile::globus
+ login:
+ - profile::fail2ban
+ - profile::cvmfs::client
+ - profile::slurm::submitter
+ - profile::ssh::hostbased_auth::client
+ mfa:
+ - profile::mfa
+ mgmt:
+ - profile::freeipa::server
+ - profile::metrics::server
+ - profile::metrics::slurm_exporter
+ - profile::rsyslog::server
+ - profile::squid::server
+ - profile::slurm::controller
+ - profile::freeipa::mokey
+ - profile::slurm::accounting
+ - profile::accounts
+ - profile::users::ldap
+ node:
+ - profile::cvmfs::client
+ - profile::gpu
+ - profile::jupyterhub::node
+ - profile::slurm::node
+ - profile::ssh::hostbased_auth::client
+ - profile::ssh::hostbased_auth::server
+ - profile::metrics::slurm_job_exporter
+ nfs:
+ - profile::nfs::server
+ - profile::cvmfs::alien_cache
+ puppet:
+ - profile::consul::server
+ proxy:
+ - profile::jupyterhub::hub
+ - profile::reverse_proxy
+
+magic_castle::site::not_tags:
+ puppet:
+ - profile::consul::client
+ nfs:
+ - profile::nfs::client
+ mgmt:
+ - profile::freeipa::client
+ - profile::rsyslog::client
diff --git a/hiera.yaml b/hiera.yaml
index 989196235..c1a3fd0e7 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -32,3 +32,5 @@ hierarchy:
 options:
 pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/boot_private_key.pkcs7.pem
 pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/boot_public_key.pkcs7.pem
+ - name: "site.pp definition"
+ path: "site.yaml"
diff --git a/manifests/site.pp b/manifests/site.pp
index c6e02fe5b..196b88880 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
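Review bot: In data/site.yaml the `magic_castle::site::not_tags` block has inverted semantics that nothing in the file states: its classes go to instances that lack the tag, so `mgmt: - profile::freeipa::client` is easy to read as the opposite. Add a comment above that key such as `# Classes applied to every instance that does NOT carry the tag`, and one above `lookup_options` noting that `merge: 'deep'` lets other hierarchy levels add classes to a tag. This file now decides which hosts get `profile::fail2ban`, `profile::mfa` and the rsyslog/FreeIPA clients, so that behaviour is worth stating where the lists are maintained.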
@@ -1,78 +1,15 @@ -stage { ['first', 'second']: } -Stage['first'] -> Stage['second'] -> Stage['main'] - node default { $instance_tags = lookup("terraform.instances.${facts['networking']['hostname']}.tags") - if 'puppet' in $instance_tags { - include profile::consul::server - } else { - include profile::consul::client - } - - include profile::base - include profile::users::local - include profile::sssd::client - include profile::metrics::node_exporter - - if 'login' in $instance_tags { - include profile::fail2ban - include profile::cvmfs::client - include profile::slurm::submitter - include profile::ssh::hostbased_auth::client - } - - if 'mgmt' in $instance_tags { - include profile::freeipa::server - - include profile::metrics::server - include profile::metrics::slurm_exporter - include profile::rsyslog::server - include profile::squid::server - include profile::slurm::controller - - include profile::freeipa::mokey - include profile::slurm::accounting - - include profile::accounts - include profile::users::ldap - } else { - include profile::freeipa::client - include profile::rsyslog::client - } - - if 'node' in $instance_tags { - include profile::cvmfs::client - include profile::gpu - include profile::jupyterhub::node - - include profile::slurm::node - include profile::ssh::hostbased_auth::client - include profile::ssh::hostbased_auth::server - - include profile::metrics::slurm_job_exporter - - Class['profile::nfs::client'] -> Service['slurmd'] - Class['profile::gpu'] -> Service['slurmd'] - } - - if 'nfs' in $instance_tags { - include profile::nfs::server - include profile::cvmfs::alien_cache - } else { - include profile::nfs::client - } + include(lookup('magic_castle::site::all', undef, undef, [])) - if 'proxy' in $instance_tags { - include profile::jupyterhub::hub - include profile::reverse_proxy + $instance_tags.each | $tag | { + include(lookup("magic_castle::site::tags.${tag}", undef, undef, [])) } - - if 'dtn' in $instance_tags { - include profile::globus - } - 
- if 'mfa' in $instance_tags { - include profile::mfa + $not_tags = lookup('magic_castle::site::not_tags') + $not_tags.each | $tag, $classes | { + if (! $tag in $instance_tags) { + include($classes) + } } }
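Review bot: The guard `if (! $tag in $instance_tags)` in the `not_tags` loop does not negate the membership test: Puppet gives unary `!` higher precedence than `in`, so it evaluates `(! $tag) in $instance_tags`, which is false for every tag name, and the `not_tags` classes are never included. With the data added in this commit that silently drops `profile::freeipa::client` and `profile::rsyslog::client` (plus the consul and nfs clients) from the instances that previously received them, so non-mgmt hosts would lose central identity and log forwarding. Write it as `if ! ($tag in $instance_tags) {` and confirm with a catalog compile for a non-mgmt instance. The `lookup('magic_castle::site::not_tags')` call also has no default, unlike the other two lookups, so a missing key fails compilation; `lookup('magic_castle::site::not_tags', undef, undef, {})` would match them. The removed `Class['profile::nfs::client'] -> Service['slurmd']` and `Class['profile::gpu'] -> Service['slurmd']` orderings have no replacement in the visible hunks.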