diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml
index 5b98c24..9b4bcc3 100644
--- a/roles/cups_server/tasks/main.yml
+++ b/roles/cups_server/tasks/main.yml
@@ -15,7 +15,9 @@
 - name: Configure cups keytab location
   ansible.builtin.copy:
     dest: /etc/systemd/system/cups.service.d/keytab.conf
-    content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n"
+    content: |
+      [Service]
+      Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab
     mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
@@ -38,7 +40,7 @@
   ansible.builtin.lineinfile:
     path: /etc/cups/cupsd.conf
     line: "SSLListen 631"
-    insertafter: "Listen /var/run/cups/cups.sock"
+    insertafter: "^Listen .*.sock"
   notify: Restart cups
 
 - name: Require tls 1.3
@@ -94,10 +96,18 @@
 - name: Disable unauthenticated access from cups
   ansible.builtin.blockinfile:
     path: /etc/cups/cupsd.conf
-    insertafter: "^<Location />"
-    block: |
-      AuthType Default
-      Require user @foosh
+    marker: "{mark}"
+    marker_begin: "<Location />"
+    marker_end: "</Location>"
+    block: |2
+        AuthType Default
+        Require group foosh
+        Order deny,allow
+      </Location>
+      <Location /admin>
+        AuthType Default
+        Require group sysadm
+        Order deny,allow
   notify: Restart cups
 
 - name: Configure cups admin group