diff --git a/config.yml b/config.yml index 7e67831..f80be91 100644 --- a/config.yml +++ b/config.yml @@ -1,6 +1,6 @@ all: vars: - k8s_api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}" + api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}" cert_manager_state: present cert_manager_version: v1.18.2 letsencrypt_clusterissuers: @@ -19,7 +19,7 @@ k3s_cluster: agent: vars: - ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p 1022 -W %h:%p -q root@{{ k8s_api_endpoint }}" + ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p {{ hostvars[groups['server'][0]]['ansible_port'] }} -W %h:%p -q root@{{ api_endpoint }}" k3s_version: v1.31.6+k3s1 server: diff --git a/inventory.ini.tftpl b/inventory.ini.tftpl index 16dd180..7dc9928 100644 --- a/inventory.ini.tftpl +++ b/inventory.ini.tftpl @@ -3,9 +3,6 @@ ${ip} %{endfor~} -[server:vars] -ansible_port=${ssh_port} - [agent] %{for ip in agent_ips~} ${ip} @@ -16,5 +13,6 @@ server agent [k3s_cluster:vars] +ansible_port=${ssh_port} network_cidr=${network_cidr} private_nat=${private_nat} diff --git a/roles/agent-setup/handlers/main.yml b/roles/agent-setup/handlers/main.yml index 92c6514..357f053 100644 --- a/roles/agent-setup/handlers/main.yml +++ b/roles/agent-setup/handlers/main.yml @@ -1,3 +1,9 @@ +- name: Restart sshd + systemd_service: + name: ssh.socket + state: restarted + daemon_reload: true + - name: Restart resolved service: name: systemd-resolved diff --git a/roles/agent-setup/tasks/main.yml b/roles/agent-setup/tasks/main.yml index c07d6b0..ef09227 100644 --- a/roles/agent-setup/tasks/main.yml +++ b/roles/agent-setup/tasks/main.yml 
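Review bot: In the new `ansible_ssh_common_args` line the inner `ssh` of the ProxyCommand inherits none of the outer options, so `-o StrictHostKeyChecking=accept-new` only covers the agent hop; if the server's key is not already in known_hosts from the server play, the jump fails non-interactively and `-q` suppresses the reason, so the agent merely shows as unreachable. Repeating the option inside the ProxyCommand, `ProxyCommand="ssh -o StrictHostKeyChecking=accept-new -p {{ hostvars[groups['server'][0]]['ansible_port'] }} -W %h:%p -q root@{{ api_endpoint }}"`, keeps both hops under the same policy. Note also that `hostvars[...]['ansible_port']` is evaluated at connection time, so it reflects whatever the server play left in `ansible_port` (the `set_fact` to 22 followed by the reset) rather than the raw inventory value; a one-line comment above the key saying the port must match what the server play ends with would save the next reader a trip through roles/server-setup.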
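Review bot: The new `Restart sshd` handler in roles/agent-setup/handlers/main.yml targets `ssh.socket`, which assumes socket-activated OpenSSH on the agents; on an image where sshd runs as a plain `ssh.service` that unit does not exist, the handler fails, and the `Port` change written to sshd_config is never applied. I can't see the target image in this diff, so if the hosts are pinned to a socket-activated release this is fine, but it deserves a comment on the handler, e.g. `# ssh.socket: port is derived from sshd_config by the systemd generator, hence daemon_reload before restart`. The same handler body appears in the roles/server-setup/handlers/main.yml hunk further down; keeping the two identical (or sharing them via a common role) avoids the agents and servers drifting apart.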
@@ -1,3 +1,47 @@ +- name: Set facts for target SSH-connection + set_fact: + target_ansible_port: "{{ ansible_port }}" + +- name: Check if SSH-connection is already adjusted + ping: + ignore_errors: "yes" + ignore_unreachable: "yes" + register: target_ssh + +- name: Set ansible_port to 22 when SSH-connection is not adjusted + set_fact: + ansible_port: "22" + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + +- name: Check if initial SSH-connection is active + ping: + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + +- name: Set SSH-port to 1022 + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#?\s*Port\s+[0-9]+$' + line: Port 1022 + notify: Restart sshd + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + +- name: Ensure SSH is reloaded + meta: flush_handlers + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + +- name: Reset ansible_port to configured value + set_fact: + ansible_port: "{{ target_ansible_port }}" + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + +- name: Run deferred setup to gather facts + setup: + - name: Set default network route shell: "ip route add default via {{ private_nat }}" ignore_errors: "yes" diff --git a/roles/kube-config/tasks/main.yml b/roles/kube-config/tasks/main.yml index 28cc040..429c2b8 100644 --- a/roles/kube-config/tasks/main.yml +++ b/roles/kube-config/tasks/main.yml @@ -15,5 +15,5 @@ lineinfile: path: "{{ lookup('env', 'HOME') }}/.kube/config" regexp: '^(\s*server: https://).*(:\d+)$' - line: \g<1>{{ k8s_api_endpoint }}\g<2> + line: \g<1>{{ api_endpoint }}\g<2> backrefs: yes diff --git a/roles/server-setup/handlers/main.yml b/roles/server-setup/handlers/main.yml index ef63412..e236c1f 100644 --- a/roles/server-setup/handlers/main.yml +++ b/roles/server-setup/handlers/main.yml 
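Review bot: `Set SSH-port to 1022` hard-codes the port in sshd_config while everything else in this change derives it from `ansible_port` (`${ssh_port}` in the inventory, `target_ansible_port` captured in the first task, the ProxyCommand in config.yml); if `ssh_port` is anything other than 1022 the agent ends up listening on a port Ansible never reconnects to. Use the captured value instead, `line: "Port {{ target_ansible_port }}"`, and rename the task accordingly. Because a bad edit here locks the host out after the handler restarts sshd, add `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task so the restart never runs on a config sshd cannot parse. The five repeated `target_ssh.unreachable is defined and target_ssh.unreachable == True` conditions would read better as a single boolean set once via `set_fact` right after the first ping.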
@@ -1,7 +1,8 @@ - name: Restart sshd - service: - name: ssh + systemd_service: + name: ssh.socket state: restarted + daemon_reload: true - name: Start ip-masquerade script: "{{ ip_masquerade_path }}/{{ ip_masquerade_script }}" diff --git a/roles/server-setup/tasks/main.yml b/roles/server-setup/tasks/main.yml index 7d3e61c..95ea2a6 100644 --- a/roles/server-setup/tasks/main.yml +++ b/roles/server-setup/tasks/main.yml @@ -28,6 +28,11 @@ when: target_ssh.unreachable is defined and target_ssh.unreachable == True +- name: Ensure SSH is reloaded + meta: flush_handlers + when: target_ssh.unreachable is defined and + target_ssh.unreachable == True + - name: Reset ansible_port to configured value set_fact: ansible_port: "{{ target_ansible_port }}" diff --git a/site.yml b/site.yml index e847d55..3ff104e 100644 --- a/site.yml +++ b/site.yml @@ -6,6 +6,7 @@ - init - add-server - hosts: agent + gather_facts: no roles: - role: agent-setup tags:
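Review bot: The `when` on the new `Ensure SSH is reloaded` task is redundant: `meta: flush_handlers` only runs handlers that were actually notified, and `Restart sshd` is notified under exactly the same condition, so a plain `- meta: flush_handlers` has the same effect and is simpler to read. Support for conditionals on `flush_handlers` has also varied across Ansible versions, so dropping the condition removes a dependency on the control node's version. The same task shape is added in the roles/agent-setup/tasks/main.yml hunk above.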
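Review bot: `gather_facts: no` in site.yml uses a YAML 1.1 boolean spelling; prefer `gather_facts: false` so generic YAML tooling and yamllint's `truthy` rule read it the same way Ansible does. With facts off, any `ansible_*` fact referenced in the agent-setup role before its explicit `setup:` task is undefined; the tasks in this diff only use inventory vars up to that point, but a comment on the play, e.g. `# facts are gathered by agent-setup once the SSH port has been adjusted`, records why the play deviates from the default.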