diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 16ccb15..2595fbd 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -28,8 +28,7 @@
       - name: Create webroot
         file:
           path: "{{ nextcloud_webroot }}"
-          mode: "0755"
-          recurse: yes
+          mode: "0750"
           state: directory
       - name: Check for existing installation
         stat:
@@ -68,6 +67,16 @@
               path: /var/www/nextcloud.tar.bz2
               state: absent
         when: not stat_webroot_index.stat.exists
+      - name: Assert permissions
+        block:
+          - name: Tighten config.php
+            file:
+              path: "{{ nextcloud_webroot }}/config/config.php"
+              mode: "0660"
+          - name: Loosen occ
+            file:
+              path: "{{ nextcloud_webroot }}/occ"
+              mode: "0755"
       - name: Set up Nextcloud cronjob
         cron:
           user: www-data