diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 4d4c5f871a6..73ab8e4de97 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -652,6 +652,8 @@ in
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
+ umask u=rwx,g=,o=
+
 install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password
 '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
 install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle
@@ -660,6 +662,8 @@ in
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
+ umask u=rwx,g=,o=
+
 install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
 install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
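Review bot: The added `umask u=rwx,g=,o=` in the first hunk has no comment, and its purpose is easy to misread: the `install -T -m 0400 ...` lines that follow set the final file mode explicitly, so the umask does not change the resulting 0400, and a later maintainer may drop it as redundant. Its real value is closing the window between file creation and the explicit chmod, and constraining anything else this script creates that is not given an explicit mode, so I would document that above the line, e.g. `# 077: secrets must never be group/world readable, even transiently, whatever umask the service inherits`. The umask also says nothing about the containing /run/keycloak/secrets directory, which has to be restricted where it is created for these file modes to be meaningful; that is not visible in this hunk. The enclosing script string starts before the hunk.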