diff --git a/defaults/main.yml b/defaults/main.yml
index deb06e0..7a06006 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -114,7 +114,22 @@ checkmk_agent__user_home: '/var/lib/nagios'
 # .. envvar:: checkmk_agent__user_key
 #
 # SSH Public key for logging in with SSH user.
-checkmk_agent__user_key: ''
+checkmk_agent__user_key: '{{ hostvars[groups["debops_service_checkmk_server"][0]].ansible_local.checkmk_server.ssh_publickey|d("")
+ if ("debops_service_checkmk_server" in groups) and
+ (groups["debops_service_checkmk_server"] | length > 0) and
+ (hostvars[groups["debops_service_checkmk_server"][0]]|d({}))
+ else "" }}'
+
+
+# .. envvar:: checkmk_agent__authorized_keys__dependent_list
+#
+# Authorized key configuration for the ``debops.authorized_keys`` role.
+checkmk_agent__authorized_keys__dependent_list:
+ - name: '{{ checkmk_agent__ssh_user }}'
+ sshkeys:
+ - '{{ checkmk_agent__user_key }}'
+ options: '{{ authorized_keys__options_map.strict }}'
+ key_options: 'command="{{ "/usr/bin/sudo " if not checkmk_agent__ssh_user == "root" else "" }}{{ checkmk_agent__exec }}"'
 # .. )))
diff --git a/docs/playbooks/checkmk_agent.yml b/docs/playbooks/checkmk_agent.yml
index d5d5150..951ea13 100644
--- a/docs/playbooks/checkmk_agent.yml
+++ b/docs/playbooks/checkmk_agent.yml
@@ -25,6 +25,13 @@
 - '{{ checkmk_agent__ferm__dependent_rules }}'
 when: (checkmk_agent|d() and 'xinetd' in checkmk_agent)
+ - role: debops.authorized_keys
+ tags: [ 'depend::authorized_keys', 'depend::authorized_keys:checkmk_agent',
+ 'depend-of::checkmk_agent', 'type::dependency' ]
+ authorized_keys__dependent_list:
+ - '{{ checkmk_agent__authorized_keys__dependent_list }}'
+ when: (checkmk_agent|d() and 'ssh' in checkmk_agent)
+
 - role: debops.mariadb
 tags: [ 'depend::mariadb', 'depend::mariadb:checkmk_agent',
 'depend-of::checkmk_agent', 'type::dependency' ]
diff --git a/tasks/main.yml b/tasks/main.yml
index 2c02a76..5053503 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
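Review bot: The new `key_options` in `checkmk_agent__authorized_keys__dependent_list` drops the `from=` source restriction that the deleted `nagios.j2` template appended from `checkmk_agent__allow`, so unless `authorized_keys__options_map.strict` (defined outside this diff) carries one, the forced-command key is now accepted from any address — and when `checkmk_agent__ssh_user` is `root` that command runs `checkmk_agent__exec` as root with no sudo in between. Restoring it is one expression appended to the same `key_options` line: `{{ ",from=\"" ~ (checkmk_agent__allow | join(",")) ~ "\"" if checkmk_agent__allow|d() else "" }}`. The key itself is now read from the Check_MK server host's `ansible_local.checkmk_server.ssh_publickey` fact, which makes that host's facts directory a trust boundary worth stating in the `checkmk_agent__user_key` comment, e.g. `# Defaults to the public key published as a local fact by the Check_MK server host; whoever can write that fact obtains a forced-command login on every agent.` The `else ""` fallback also means a missing group or fact yields an empty `sshkeys` entry rather than a visible failure; whether the `debops.authorized_keys` role tolerates an empty key is not visible here.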
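Review bot: The `when:` on the new `debops.authorized_keys` dependency only checks `'ssh' in checkmk_agent`, so when `checkmk_agent__user_key` resolves to its `""` fallback (no `debops_service_checkmk_server` host, or no published fact) the role is still invoked with an empty `sshkeys` entry. Either gate the dependency on the key, `when: (checkmk_agent|d() and 'ssh' in checkmk_agent and checkmk_agent__user_key|d())`, or add an `assert` on `checkmk_agent__user_key` in `tasks/main.yml` so the omission surfaces as a failed run instead of an agent the server can never reach. The `roles:` list this entry sits in starts outside the hunk.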
@@ -41,7 +41,8 @@
 mode: '0755'
 - include: ssh_user.yml
- when: (checkmk_agent|d() and 'ssh' in checkmk_agent)
+ when: ((checkmk_agent|d() and 'ssh' in checkmk_agent) and
+ (not checkmk_agent__ssh_user == "root"))
 - include: xinetd.yml
 when: (checkmk_agent|d() and 'xinetd' in checkmk_agent)
diff --git a/tasks/ssh_user.yml b/tasks/ssh_user.yml
index 22659e1..a3de153 100644
--- a/tasks/ssh_user.yml
+++ b/tasks/ssh_user.yml
@@ -15,22 +15,6 @@
 home: '{{ checkmk_agent__user_home }}'
 createhome: 'yes'
-- name: Create SSH authorized_keys directory
- file:
- name: '/etc/ssh/authorized_keys'
- owner: 'root'
- group: 'root'
- mode: '755'
- state: 'directory'
-
-- name: Set SSH key for public key login
- template:
- src: '{{ lookup("template_src", "etc/ssh/authorized_keys/nagios.j2") }}'
- dest: '/etc/ssh/authorized_keys/{{ checkmk_agent__ssh_user }}'
- owner: 'root'
- group: 'root'
- mode: '644'
-
 - name: Enable sudo rule for Check_MK SSH user
 template:
 src: '{{ lookup("template_src", "etc/sudoers.d/check-mk-agent.j2") }}'
diff --git a/templates/etc/ssh/authorized_keys/nagios.j2 b/templates/etc/ssh/authorized_keys/nagios.j2
deleted file mode 100644
index f57a9b1..0000000
--- a/templates/etc/ssh/authorized_keys/nagios.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-# {{ ansible_managed }}
-
-command="/usr/bin/sudo {{ checkmk_agent__exec }}"{% if checkmk_agent__allow is defined and checkmk_agent__allow | length > 0 %},from="{{ checkmk_agent__allow | join(',')}}"{% endif %} {{ checkmk_agent__user_key }}
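Review bot: Skipping `ssh_user.yml` entirely when `checkmk_agent__ssh_user` is `root` also skips the `Enable sudo rule for Check_MK SSH user` task it contains (visible as context in the `tasks/ssh_user.yml` hunk), which matches the sudo-less `command=` set in `defaults/main.yml`, but a host that previously ran with a non-root user keeps the sudoers rule rendered from `etc/sudoers.d/check-mk-agent.j2` and the old account, and nothing in this diff removes them. A comment on the include such as `# root needs neither the account nor the sudoers rule; existing ones are left in place` would at least make that limitation explicit. The condition would also read more directly as `(checkmk_agent__ssh_user != "root")`; the same `not ... == "root"` form appears in the `key_options` expression in `defaults/main.yml`, so if it is changed, change both.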