diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix
index 5d73088..ec37d89 100644
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -275,6 +275,7 @@ in {
     serviceConfig = {
       BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
       LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
     };
   };
 
@@ -283,6 +284,7 @@ in {
     serviceConfig = {
       BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
       LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
     };
   };
 }