diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index 128f0dc..89ec3af 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -18,8 +18,18 @@ in {
 ];
 age.secrets = {
- retiolum-rsa.file = ../../secrets/ful-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/ful-retiolum-privateKey-rsa.age;
+ retiolum-rsa = {
+ file = ../../secrets/ful-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/ful-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 root.file = ../../secrets/ful-root.age;
 restic.file = ../../secrets/restic.age;
 };
diff --git a/systems/kabsa/configuration.nix b/systems/kabsa/configuration.nix
index 4c54062..dfd582f 100644
--- a/systems/kabsa/configuration.nix
+++ b/systems/kabsa/configuration.nix
@@ -25,8 +25,18 @@ in {
 };
 age.secrets = {
- retiolum-rsa.file = ../../secrets/kabsa-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age;
+ retiolum-rsa = {
+ file = ../../secrets/kabsa-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 restic.file = ../../secrets/restic.age;
 syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
 syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix
index b324469..5efc410 100644
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
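Review bot: In the ful hunk the `retiolum-ed25519` entry now points at `../../secrets/ful-retiolum-privateKey-ed25519.age`, a path the removed line never referenced, and nothing in the visible diff adds that file or a recipient rule for it. The same holds for the tabula, tahina and zaatar hunks, whose old entries also pointed at the `-rsa.age` file. If the file is absent the configuration should fail to evaluate on the missing path; if it exists but is not encrypted to this host's key, decryption would presumably fail at activation and tinc would come up without its Ed25519 key. Worth confirming that all four files are committed and listed in the agenix rules file with the right host key.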
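Review bot: In the kabsa hunk, as in every other hunk of this diff, `owner = "tinc.retiolum";` and `group = "tinc.retiolum";` are bare strings, so a host where that account is not declared still evaluates and only fails when agenix tries to chown the decrypted key at activation. If `config` is in scope in these files (the function head is outside the hunk), `owner = config.users.users."tinc.retiolum".name;` turns a missing or renamed account into an evaluation error instead. With `mode = "400"` the group gets no permission bits, so the `group` line has no effect on who can read the key.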
@@ -83,8 +83,18 @@ in {
 };
 age.secrets = {
- retiolum-rsa.file = ../../secrets/makanek-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/makanek-retiolum-privateKey-ed25519.age;
+ retiolum-rsa = {
+ file = ../../secrets/makanek-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/makanek-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 restic.file = ../../secrets/restic.age;
 };
diff --git a/systems/manakish/configuration.nix b/systems/manakish/configuration.nix
index f6feadc..1cc3d88 100644
--- a/systems/manakish/configuration.nix
+++ b/systems/manakish/configuration.nix
@@ -15,8 +15,18 @@ in {
 ];
 age.secrets = {
- retiolum-rsa.file = ../../secrets/manakish-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/manakish-retiolum-privateKey-ed25519.age;
+ retiolum-rsa = {
+ file = ../../secrets/manakish-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/manakish-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age;
 syncthing-key.file = ../../secrets/manakish-syncthing-key.age;
 };
diff --git a/systems/tabula/configuration.nix b/systems/tabula/configuration.nix
index 2f62f68..f3d5614 100644
--- a/systems/tabula/configuration.nix
+++ b/systems/tabula/configuration.nix
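Review bot: The twelve added lines in the makanek hunk are repeated in every host file of this diff with only the hostname in the `file` path differing, and that hand-copied path is where the old `retiolum-ed25519` entries in ful, tabula, tahina and zaatar ended up naming the RSA key. A shared module imported by all hosts could set `mode`, `owner` and `group` once and build the path from the hostname, e.g. `file = ../../secrets + "/${config.networking.hostName}-retiolum-privateKey-ed25519.age";`. That assumes `networking.hostName` matches the directory name, which the diff does not show.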
@@ -14,8 +14,18 @@ in {
 ];
 age.secrets = {
- retiolum-rsa.file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
+ retiolum-rsa = {
+ file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/tabula-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 };
 services.xserver = {
diff --git a/systems/tahina/configuration.nix b/systems/tahina/configuration.nix
index ed90f1c..fde04b7 100644
--- a/systems/tahina/configuration.nix
+++ b/systems/tahina/configuration.nix
@@ -14,8 +14,18 @@ in {
 ];
 age.secrets = {
- retiolum-rsa.file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
+ retiolum-rsa = {
+ file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/tahina-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 };
 console.keyMap = "de";
diff --git a/systems/zaatar/configuration.nix b/systems/zaatar/configuration.nix
index a0269b5..3a9690b 100644
--- a/systems/zaatar/configuration.nix
+++ b/systems/zaatar/configuration.nix
@@ -30,8 +30,18 @@ in {
 ];
 age.secrets = {
- retiolum-rsa.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
- retiolum-ed25519.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+ retiolum-rsa = {
+ file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
+ retiolum-ed25519 = {
+ file = ../../secrets/zaatar-retiolum-privateKey-ed25519.age;
+ mode = "400";
+ owner = "tinc.retiolum";
+ group = "tinc.retiolum";
+ };
 restic.file = ../../secrets/restic.age;
 };