diff --git a/roles/celerity/tasks/main.yml b/roles/celerity/tasks/main.yml
index 4adaea82ab529b3970f342d452095b43793981f1..bff774767b6f4fbf7b42d87eb4f486cbba995048 100644
--- a/roles/celerity/tasks/main.yml
+++ b/roles/celerity/tasks/main.yml
@@ -11,6 +11,9 @@
   template:
     src: celerity-config.py.j2
     dest: /etc/celerity/config.py
+    mode: 0600
+    owner: celerity
+    group: celerity
 
 - name: ensure celerity server is running
   service:
diff --git a/roles/mediaworker/tasks/main.yml b/roles/mediaworker/tasks/main.yml
index 29aed5a031bc6b3759e9e40f1aec93638c4a6d65..f352809932fe0de0af8c3635f146b8705bf5f010 100644
--- a/roles/mediaworker/tasks/main.yml
+++ b/roles/mediaworker/tasks/main.yml
@@ -11,6 +11,9 @@
   template:
     src: celerity-config.py.j2
     dest: /etc/celerity/config.py
+    mode: 0600
+    owner: celerity
+    group: celerity
 
 - name: ensure celerity worker is running
   service: