diff --git a/init.sh b/init.sh
index a054517..13c1519 100644
--- a/init.sh
+++ b/init.sh
@@ -22,6 +22,27 @@ if [ -z "$(ls -A /data)" ]; then
     mv $ICINGA2_CONF_DIR/hosts.conf $ICINGA2_ZONE_MASTER/
     mv $ICINGA2_CONF_DIR/*.conf $ICINGA2_GLOBAL_TEMPLATES/
     mv $ICINGA2_GLOBAL_TEMPLATES/api-users.conf $ICINGA2_CONF_DIR/
+
+    ## only on inital setup create a icingaweb api user if env var is set
+    ## permission source: https://icinga.com/docs/icinga-web/latest/modules/monitoring/doc/05-Command-Transports/
+    if [ ! -z "$ICINGA2_API_USER_ICINGAWEB_PASS" ]; then
+        echo set inital icingadb api user
+        echo 'object ApiUser "icingaweb2" {' >> $ICINGA2_FILE_API_USER_CONF
+        echo "  password = \"$ICINGA2_API_USER_ICINGAWEB_PASS\"" >> $ICINGA2_FILE_API_USER_CONF
+        echo '  permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]' >> $ICINGA2_FILE_API_USER_CONF
+        echo '}' >> $ICINGA2_FILE_API_USER_CONF
+    fi
+
+    ## only on inital setup create a pki-ticket api user if env var is set
+    ## permission source: https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#csr-auto-signing-on-the-master
+    if [ ! -z "$ICINGA2_API_USER_SATELLITE_PASS" ]; then
+        echo set inital pki-ticket api user
+        echo 'object ApiUser "pki-ticket" {' >> $ICINGA2_FILE_API_USER_CONF
+        echo "  password = \"$ICINGA2_API_USER_SATELLITE_PASS\"" >> $ICINGA2_FILE_API_USER_CONF
+        echo '  permissions = [ "actions/generate-ticket" ]' >> $ICINGA2_FILE_API_USER_CONF
+        echo '}' >> $ICINGA2_FILE_API_USER_CONF
+
+    fi
 fi
 
 
@@ -31,26 +52,6 @@ if [ ! -z "$ICINGA2_API_USER_ROOT_PASS" ]; then
     sed -i "s|password = \".*\"|password = \"$ICINGA2_API_USER_ROOT_PASS\"|g" $ICINGA2_FILE_API_USER_CONF
 fi
 
-## only on inital setup create a icingaweb api user if env var is set
-## permission source: https://icinga.com/docs/icinga-web/latest/modules/monitoring/doc/05-Command-Transports/
-if [ ! -z "$ICINGA2_API_USER_ICINGAWEB_PASS" ]; then
-    echo set inital icingadb api user
-    echo 'object ApiUser "icingaweb2" {' >> $ICINGA2_FILE_API_USER_CONF
-    echo "  password = \"$ICINGA2_API_USER_ICINGAWEB_PASS\"" >> $ICINGA2_FILE_API_USER_CONF
-    echo '  permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]' >> $ICINGA2_FILE_API_USER_CONF
-    echo '}' >> $ICINGA2_FILE_API_USER_CONF
-fi
-
-## only on inital setup create a pki-ticket api user if env var is set
-## permission source: https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#csr-auto-signing-on-the-master
-if [ ! -z "$ICINGA2_API_USER_SATELLITE_PASS" ]; then
-    echo set inital icingadb api user
-    echo 'object ApiUser "pki-ticket" {' >> $ICINGA2_FILE_API_USER_CONF
-    echo "  password = \"$ICINGA2_API_USER_SATELLITE_PASS\"" >> $ICINGA2_FILE_API_USER_CONF
-    echo '  permissions = [ "actions/generate-ticket" ]' >> $ICINGA2_FILE_API_USER_CONF
-    echo '}' >> $ICINGA2_FILE_API_USER_CONF
-
-fi
 
 ## enable icingadb feature if not active
 if [ ! -f "$ICINGA2_FILE_ICINGADB_CONF" ]; then