Allow icinga2 api to master from all, remove root api user

roles/icinga2_master/tasks/main.yml

@@ -98,19 +98,12 @@
     group: root
     mode: 0700
 
-- name: Create nagstamon ApiUser
+- name: Create api-users.conf file
   become: true
-  ansible.builtin.blockinfile:
-    path: /etc/icinga2/conf.d/api-users.conf
-    block: |
-      object ApiUser "nagstamon" {
-        password = "{{ nagstamon_pwd }}"
-        permissions = [
-          "objects/query/Host",
-          "objects/query/Service",
-          "actions/reschedule-check",
-          "actions/acknowledge-problem",
-          "actions/schedule-downtime",
-        ]
-      }
+  ansible.builtin.template:
+    src: conf.d/api-users.conf.j2
+    dest: /etc/icinga2/conf.d/api-users.conf
+    owner: nagios
+    group: nagios
+    mode: 0644
   notify: Reload icinga2 service

roles/icinga2_master/templates/conf.d/api-users.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+object ApiUser "nagstamon" {
+  password = "{{ nagstamon_pwd }}"
+  permissions = [
+    "objects/query/Host",
+    "objects/query/Service",
+    "actions/reschedule-check",
+    "actions/acknowledge-problem",
+    "actions/schedule-downtime",
+  ]
+}

roles/icinga2_master/templates/nftables/input.d/icinga2.conf.j2

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-ip saddr {{ hostvars[icinga2_agent].ipv4_addr }} tcp dport 5665 accept comment "Allow Icinga2 from Agent"
+tcp dport 5665 accept comment "Allow Icinga2 API"