diff --git a/site-modules/profile/manifests/icinga2.pp b/site-modules/profile/manifests/icinga2.pp index 6f2bc5a2..a7962526 100644 --- a/site-modules/profile/manifests/icinga2.pp +++ b/site-modules/profile/manifests/icinga2.pp @@ -1,12 +1,29 @@ # Icinga2 configuration class profile::icinga2 { $icinga2_role = lookup('icinga2::role') include profile::icinga2::apt_config + $user = 'nagios' + $group = 'nagios' + $additional_groups = [ + 'puppet', # needed to grant access to puppet directories to check its status + ] + + group {$group: + system => true, + } + -> user {$user: + system => true, + gid => $group, + shell => '/usr/sbin/nologin', + home => '/var/lib/nagios', + groups => $additional_groups + } + case $icinga2_role { 'agent': { include profile::icinga2::agent } 'master': { include profile::icinga2::master } default: { fail("Unknown icinga2::role: ${icinga2_role}") } } } diff --git a/site-modules/profile/manifests/icinga2/agent.pp b/site-modules/profile/manifests/icinga2/agent.pp index ca658ce4..59c157a7 100644 --- a/site-modules/profile/manifests/icinga2/agent.pp +++ b/site-modules/profile/manifests/icinga2/agent.pp 
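Review bot: Putting `nagios` in the `puppet` group via `$additional_groups` gives the monitoring account everything that group can read, not only the status data the check needs. Depending on the directory modes on these hosts, that may include cached catalogs or the agent's SSL key material, so it is worth confirming what is group-readable under the Puppet directories, or granting access to the single file the check reads instead. The `user` resource also leaves `membership` at its default of `minimum`, so any supplementary groups the account already holds are kept silently; adding `membership => inclusive,` after `groups => $additional_groups,` would make the list authoritative and auditable. The comment on `'puppet'` could name the exact path and check that depend on it, e.g. `# read access to <puppet state file path> for the puppet agent status check`.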
@@ -1,82 +1,81 @@ # Icinga2 agent configuration class profile::icinga2::agent { $features = lookup('icinga2::features') $icinga2_network = lookup('icinga2::network') $hiera_host_vars = lookup('icinga2::host::vars', Hash, 'deep') $mount_excludes = lookup('icinga2::disk::excludes', Array[String], 'unique') $parent_zone = lookup('icinga2::parent_zone') $parent_endpoints = lookup('icinga2::parent_endpoints') include profile::icinga2::objects::agent_checks - $check_mounts = $::mounts.filter |$mount| { $mount_excludes.all |$exclude| { !$mount.match($exclude) } } $local_host_vars = { disks => hash(flatten( $check_mounts.map |$mount| { ["disk ${mount}", {disk_partitions => $mount}] }, )), plugins => keys($profile::icinga2::objects::agent_checks::plugins), } class {'::icinga2': confd => true, features => $features, } class { '::icinga2::feature::api': pki => 'puppet', accept_config => true, accept_commands => true, zones => { 'ZoneName' => { endpoints => ['NodeName'], parent => $parent_zone, }, }, } create_resources('::icinga2::object::endpoint', $parent_endpoints) ::icinga2::object::zone {$parent_zone: endpoints => keys($parent_endpoints), } @@::icinga2::object::endpoint {$::fqdn: host => ip_for_network($icinga2_network), target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf", } @@::icinga2::object::zone {$::fqdn: endpoints => [$::fqdn], parent => $parent_zone, target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf", } @@::icinga2::object::host {$::fqdn: address => ip_for_network($icinga2_network), display_name => $::fqdn, check_command => 'hostalive', vars => deep_merge($local_host_vars, $hiera_host_vars), target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf", } icinga2::object::zone { 'global-templates': global => true, } file {['/etc/icinga2/conf.d']: ensure => directory, owner => 'nagios', group => 'nagios', mode => '0755', purge => true, recurse => true, tag => 'icinga2::config::file', } }