diff --git a/roles/icinga2_master/tasks/main.yml b/roles/icinga2_master/tasks/main.yml
index 5862d8a..03fa474 100644
--- a/roles/icinga2_master/tasks/main.yml
+++ b/roles/icinga2_master/tasks/main.yml
@@ -98,19 +98,12 @@
 group: root
 mode: 0700
-- name: Create nagstamon ApiUser
+- name: Create api-users.conf file
 become: true
- ansible.builtin.blockinfile:
- path: /etc/icinga2/conf.d/api-users.conf
- block: |
- object ApiUser "nagstamon" {
- password = "{{ nagstamon_pwd }}"
- permissions = [
- "objects/query/Host",
- "objects/query/Service",
- "actions/reschedule-check",
- "actions/acknowledge-problem",
- "actions/schedule-downtime",
- ]
- }
+ ansible.builtin.template:
+ src: conf.d/api-users.conf.j2
+ dest: /etc/icinga2/conf.d/api-users.conf
+ owner: nagios
+ group: nagios
+ mode: 0644
 notify: Reload icinga2 service
diff --git a/roles/icinga2_master/templates/conf.d/api-users.conf.j2 b/roles/icinga2_master/templates/conf.d/api-users.conf.j2
new file mode 100644
index 0000000..41a324e
--- /dev/null
+++ b/roles/icinga2_master/templates/conf.d/api-users.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+object ApiUser "nagstamon" {
+ password = "{{ nagstamon_pwd }}"
+ permissions = [
+ "objects/query/Host",
+ "objects/query/Service",
+ "actions/reschedule-check",
+ "actions/acknowledge-problem",
+ "actions/schedule-downtime",
+ ]
+}
diff --git a/roles/icinga2_master/templates/nftables/input.d/icinga2.conf.j2 b/roles/icinga2_master/templates/nftables/input.d/icinga2.conf.j2
index 477e4b9..bc35d34 100644
--- a/roles/icinga2_master/templates/nftables/input.d/icinga2.conf.j2
+++ b/roles/icinga2_master/templates/nftables/input.d/icinga2.conf.j2
@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
-ip saddr {{ hostvars[icinga2_agent].ipv4_addr }} tcp dport 5665 accept comment "Allow Icinga2 from Agent"
+tcp dport 5665 accept comment "Allow Icinga2 API"
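Review bot: `mode: 0644` on the new `ansible.builtin.template` task makes `/etc/icinga2/conf.d/api-users.conf` world-readable, and the rendered file holds the `nagstamon` ApiUser password in clear text. The task already sets owner and group to `nagios`, so `mode: "0640"` should keep the file readable for the daemon while hiding it from other local accounts. Quoting the value also avoids depending on YAML 1.1 octal parsing of the bare `0644`. Consider adding `diff: false` (or `no_log: true`) to the task so a `--diff` run does not print the rendered password into job output. Because `template` replaces the whole file where `blockinfile` only managed one block, confirm that no other ApiUser objects lived outside the managed block on existing hosts.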
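Review bot: `{{ nagstamon_pwd }}` is inserted verbatim between double quotes on the `password =` line, so a value containing `"` or `\` would render a config that fails validation on reload, or that sets a different password than intended. At minimum, document the constraint at the top of the template, e.g. `{# nagstamon_pwd is inserted verbatim into an Icinga 2 string: it must not contain " or \ #}`. An `ansible.builtin.assert` on the variable before the template task would enforce it. The variable's definition is not visible in this diff, so it is worth confirming that it comes from an encrypted source such as Ansible Vault rather than plain group_vars.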
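Review bot: The replacement rule `tcp dport 5665 accept` drops the `ip saddr` match, so port 5665 becomes reachable from every source address that the rest of the input chain lets through. That port carries both the cluster protocol and the REST API that the password-authenticated `nagstamon` ApiUser in this commit logs in to. If the aim is only to let Nagstamon clients in alongside the agent, keep a source restriction and widen it to a set, e.g. `ip saddr { {{ icinga2_api_allowed_sources | join(', ') }} } tcp dport 5665 accept comment "Allow Icinga2 API"`. Here `icinga2_api_allowed_sources` is a placeholder name for a list holding the agent address and the admin or client networks. If unrestricted exposure is intended, a comment in the template saying so would help a later reviewer, and the ApiUser then depends entirely on password strength and TLS.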