diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 4b4883d..643155f 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -41,7 +41,7 @@
       - name: Create webroot
         file:
           path: "{{ nextcloud_webroot }}"
-          mode: "0644"
+          mode: "0755"
           recurse: yes
           state: directory
       - name: Check for existing installation
@@ -74,12 +74,12 @@
           recurse: yes
           state: directory
         loop:
-          - { dir: "/etc/pki", mode: "0600" }
-          - { dir: "/etc/pki/cert", mode: "0600" }
-          - { dir: "/etc/pki/cert/crt", mode: "0600" }
-          - { dir: "/etc/pki/cert/csr", mode: "0600" }
-          - { dir: "/etc/pki/cert/private", mode: "0600" }
-          - { dir: "/etc/pki/cert/challenge/{{ nextcloud_url }}", mode: "0600" }
+          - { dir: "/etc/pki", mode: "0700" }
+          - { dir: "/etc/pki/cert", mode: "0700" }
+          - { dir: "/etc/pki/cert/crt", mode: "0700" }
+          - { dir: "/etc/pki/cert/csr", mode: "0700" }
+          - { dir: "/etc/pki/cert/private", mode: "0700" }
+          - { dir: "/etc/pki/cert/challenge/{{ nextcloud_url }}", mode: "0700" }
       - name: Create ACME account key
         openssl_privatekey:
           path: "/etc/pki/cert/private/account.key"
@@ -97,7 +97,7 @@
       - name: Create well-known directory
         file:
           path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
-          mode: "0644"
+          mode: "0755"
           recurse: yes
           state: directory
       - name: Create challenge for CSR