diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
index 9abe332..24b2e35 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@@ -50,7 +50,7 @@ table inet mangle {
         {% if security_firewall_supervisors_ip6 -%}
         ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
         ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
-        {%- endif %}
+        {% endif -%}
         ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
         ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
     }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
index fad4648..a42312d 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
@@ -5,7 +5,7 @@ table inet filter {
 
         {% if security_firewall_supervisors_ip6 -%}
         ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
-        {%- endif %}
+        {% endif -%}
         ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
 
         iifname "lo" counter accept
@@ -17,7 +17,7 @@ table inet filter {
         type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
         {% if security_firewall_supervisors_ip6 -%}
         ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
-        {%- endif %}
+        {% endif -%}
         ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
 
         oifname "lo" counter accept