diff --git a/roles/nextcloud/tasks/rclone.yml b/roles/nextcloud/tasks/rclone.yml
index 8322c67..1b78f75 100644
--- a/roles/nextcloud/tasks/rclone.yml
+++ b/roles/nextcloud/tasks/rclone.yml
@@ -1,10 +1,10 @@
 --- # ensure rclone.conf is present (meta role dependencies)
-- name: Create rclone mount dir
+- name: Create Rclone mount directory
 file:
 path: "{{ nextcloud_rclone_mount_dir }}"
- mode: 0755
+ mode: 0770
 state: directory
 # Touch rclone log file to set permissions
@@ -12,7 +12,7 @@
 file:
 path: "{{ rclone_log_dir }}/mount_nextcloud.log"
 state: touch
- mode: 0644
+ mode: 0640
 access_time: preserve
 modification_time: preserve
@@ -20,7 +20,7 @@
 template:
 src: rclone_mount_nextcloud.service.j2
 dest: /etc/systemd/system/rclone_mount_nextcloud.service
- mode: 0644
+ mode: 0640
 notify: restart rclone_mount_nextcloud
 - name: "Add {{ webserver_user }} user to rclone group"
diff --git a/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2 b/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2
index d1c28aa..4cac184 100644
--- a/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2
+++ b/roles/nextcloud/templates/rclone_mount_nextcloud.service.j2
@@ -11,12 +11,13 @@ Type=notify
 ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \
 --devname rclone \
 --use-mmap \
+ --default-permissions \
 --allow-other \
 --uid {{ created_rclone_user.uid }} \
 --gid {{ created_rclone_group.gid }} \
- --umask 002 \
- --dir-perms 775 \
- --file-perms 664 \
+ --umask 0007 \
+ --dir-perms 0770 \
+ --file-perms 0660 \
 --dir-cache-time 8760h \
 --poll-interval 1h \
 --buffer-size 64M \
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml
index de4ad6a..d6d5f6c 100644
--- a/roles/rclone/tasks/main.yml
+++ b/roles/rclone/tasks/main.yml
@@ -69,7 +69,7 @@
 - name: Create rclone cache/log directory
 file:
 path: "{{ item }}"
- mode: 0755
+ mode: 0750
 state: directory
 loop:
 - "{{ rclone_cache_dir }}"
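Review bot: The tightened `mode: 0770` on the mount directory in the first hunk of roles/nextcloud/tasks/rclone.yml is set without `owner` or `group`, so which accounts land in the group and other classes depends on whoever runs the play. With the world bits removed, that ownership now decides whether the rclone service and the web server user can still reach the path. The same applies to the `mode: 0640` log file in the second hunk (its `- name:` line is above the hunk) and to the `mode: 0750` cache/log directories in roles/rclone/tasks/main.yml. I would set both explicitly next to each mode, for example `owner: "{{ rclone_user }}"` and `group: "{{ rclone_group }}"`, where those two names are placeholders for whatever variables this repository uses for the rclone account.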
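Review bot: Lowering the unit file to `mode: 0640` in the third hunk of roles/nextcloud/tasks/rclone.yml does not make its contents private, because systemd exposes loaded unit settings through its API (`systemctl show`) regardless of the file mode. systemd also logs a "marked world-inaccessible" warning for unit files that are not world-readable, so this adds log noise without a confidentiality gain. I would keep `mode: 0644` here and rely on keeping secrets out of the unit instead. The `template:` task starts above the hunk, so its name line is not visible.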
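Review bot: With `--default-permissions` plus `--umask 0007`, `--dir-perms 0770` and `--file-perms 0660`, access to the mount in rclone_mount_nextcloud.service.j2 now rests entirely on the `--uid`/`--gid` pair, and nothing in the unit records that. The web server user only gets in through membership of that group (roles/nextcloud/tasks/rclone.yml adds it), and already-running processes keep their old supplementary groups until they are restarted; whether any handler restarts the web server is not visible here. I would note the dependency in a template comment above `ExecStart=`, such as `{# mount is uid/gid-only (0770/0660): the web server user must be in the rclone group #}`, and confirm the web server is restarted after the group change. The `ExecStart=` command continues past the end of the hunk.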
diff --git a/roles/webserver/tasks/volume.yml b/roles/webserver/tasks/volume.yml
index 71dea40..48d7266 100644
--- a/roles/webserver/tasks/volume.yml
+++ b/roles/webserver/tasks/volume.yml
@@ -11,6 +11,7 @@
 file:
 path: "{{ hcloud_webserver_volume_path }}"
 state: directory
+ mode: 0750
 force: false
 - name: Mount hcloud volume
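Review bot: The added `mode: 0750` on `{{ hcloud_webserver_volume_path }}` applies to different objects on different runs: on the first run it sets the empty mountpoint directory, but once the volume is mounted the same task presumably changes the root of the mounted filesystem. No `owner` or `group` is given, so if that root is owned by root, 0750 would cut the web server user off from everything on the volume; please confirm the intended owner and set it explicitly alongside the mode. Quoting the value, `mode: "0750"`, also avoids relying on the YAML parser's octal handling. The task's `- name:` line is above the hunk.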