diff --git a/playbooks/roles/nginx/tasks/main.yml b/playbooks/roles/nginx/tasks/main.yml
index a80c461..be5aad7 100644
--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -15,7 +15,7 @@
 - include: nginx_site.yml state={{nginx_cfg.sites_enabled.basic_auth}} site_name=basic-auth
 
 - name: Write out default htpasswd file
-  copy: content={{ nginx_cfg.htpasswd }} dest=/etc/nginx/nginx.htpasswd
+  copy: content={{ nginx_cfg.htpasswd }} dest=/etc/nginx/nginx.htpasswd owner=www-data group=www-data mode=0600
   tags:
   - nginx
   - update