diff --git a/tasks/main.yml b/tasks/main.yml
index 3e2e571f0482f314c2e2e76c1b770c6ba5d126e3..f2793f1b1e001c0eac0ef3f9e08ddc173e1da594 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,12 +21,16 @@
   file:
     state: directory
     path: /opt/hedgedoc
+    owner: root
+    group: root
+    mode: 0755
 
 - name: create hedgedoc upload folder
   file:
     state: directory
     owner: hedgedoc
     group: hedgedoc
+    mode: 0750
     path: /var/lib/hedgedoc/uploads
 
 - name: create release archiv folder
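Review bot: The added `mode: 0755` and `mode: 0750` are unquoted, so the resulting permissions depend on the YAML loader reading a leading-zero integer as octal. Writing them as `mode: "0755"` and `mode: "0750"` hands the module a string and removes that dependency. The same applies to the `mode: 0640` and `mode: 0644` lines added in the later hunks. The name line of the first task is outside this hunk.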
@@ -51,6 +55,7 @@
     dest: "/opt/hedgedoc/release-archive/{{ hedgedoc.version }}.tar.gz"
     owner: hedgedoc
     group: hedgedoc
+    mode: 0640
 
 - name: "create release {{ hedgedoc.version }} folder"
   file:
@@ -77,6 +82,9 @@
   template:
     src: config.json.j2
     dest: "/opt/hedgedoc/release/{{ hedgedoc.version }}/hedgedoc/config.json"
+    owner: hedgedoc
+    group: hedgedoc
+    mode: 0640
   notify:
     - restart hedgedoc
 
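Review bot: `owner: hedgedoc` on config.json lets the service account rewrite the configuration it runs from, which presumably holds the database credentials and session secret. If the service only needs to read the file, `owner: root`, `group: hedgedoc`, `mode: "0640"` keeps it readable by the service but not writable. The same applies to the .sequelizerc task in the next hunk, which is presumably loaded as code by the migration tooling. This only helps if the release directory itself is not writable by hedgedoc, which is not visible here. The task's name line is outside this hunk.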
@@ -84,6 +92,9 @@
   template:
     src: sequelizerc.j2
     dest: "/opt/hedgedoc/release/{{ hedgedoc.version }}/hedgedoc/.sequelizerc"
+    owner: hedgedoc
+    group: hedgedoc
+    mode: 0640
   notify:
     - restart hedgedoc
 
@@ -103,6 +114,9 @@
   template:
     src: hedgedoc.service.j2
     dest: /etc/systemd/system/hedgedoc.service
+    owner: root
+    group: root
+    mode: 0644
   notify:
     - restart hedgedoc
 
@@ -113,7 +127,8 @@
     daemon_reload: yes
     enabled: yes
 
-- meta: flush_handlers
+- name: ensure handlers are run
+  meta: flush_handlers
 
 - name: copy hedgedoc-util tool
   copy: