diff --git a/hosts/alpha/network.nix b/hosts/alpha/network.nix
index 475b37d..b582fcf 100644
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@@ -93,14 +93,14 @@
 
   age.secrets.wireguard-preshared-key-file = {
     file = "${secrets}/secrets/wireguard-preshared-key-file.age";
-    mode = "640";
+    mode = "440";
     owner = "root";
     group = "systemd-network";
   };
 
   age.secrets.wireguard-private-key-file-alpha = {
     file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
-    mode = "640";
+    mode = "440";
     owner = "root";
     group = "systemd-network";
   };
diff --git a/hosts/sigma/caddy.nix b/hosts/sigma/caddy.nix
index e6a4152..abc8a3a 100644
--- a/hosts/sigma/caddy.nix
+++ b/hosts/sigma/caddy.nix
@@ -6,7 +6,7 @@
 
   age.secrets.caddy-auth-sigma = {
     file = "${secrets}/secrets/caddy-auth-sigma.age";
-    mode = "600";
+    mode = "400";
     owner = "caddy";
     group = "caddy";
   };
diff --git a/hosts/sigma/mail.nix b/hosts/sigma/mail.nix
index 8193387..766a9d8 100644
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@@ -123,7 +123,7 @@
 
   age.secrets.mail-hashed-password-file = {
     file = "${secrets}/secrets/mail-hashed-password-file.age";
-    mode = "600";
+    mode = "400";
     owner = "root";
     group = "root";
   };
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index 5222141..a3f598f 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@@ -174,14 +174,14 @@
 
   age.secrets.wireguard-preshared-key-file = {
     file = "${secrets}/secrets/wireguard-preshared-key-file.age";
-    mode = "640";
+    mode = "440";
     owner = "root";
     group = "systemd-network";
   };
 
   age.secrets.wireguard-private-key-file-sigma = {
     file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
-    mode = "640";
+    mode = "440";
     owner = "root";
     group = "systemd-network";
   };