diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 061f1992cf12140745023882e1daaf1bce7a4d5e..87721eae4aa9f188814721a21c675074e58b0d57 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -11,6 +11,9 @@
   template:
     src: "nginx/snippets/{{ item }}.j2"
     dest: "/etc/nginx/snippets/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
   loop:
     - options-ssl.conf
     - options-proxypass.conf
@@ -19,6 +22,9 @@
   template:
     src: letsencrypt/dhparam.j2
     dest: /etc/letsencrypt/dhparam
+    owner: root
+    group: root
+    mode: 0644
 
 - name: Disable default site
   file:
@@ -30,6 +36,8 @@
   template:
     src: "nginx/sites-available/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
+    owner: root
+    group: root
     mode: 0644
   loop:
     - reverseproxy
@@ -42,6 +50,8 @@
   file:
     src: "/etc/nginx/sites-available/{{ item }}"
     dest: "/etc/nginx/sites-enabled/{{ item }}"
+    owner: root
+    group: root
     state: link
   loop:
     - reverseproxy
@@ -55,6 +65,8 @@
   template:
     src: "nginx/sites-available/service.j2"
     dest: "/etc/nginx/sites-available/service"
+    owner: root
+    group: root
     mode: 0644
   notify: Reload nginx
 
@@ -63,6 +75,8 @@
   file:
     src: "/etc/nginx/sites-available/service"
     dest: "/etc/nginx/sites-enabled/service"
+    owner: root
+    group: root
     state: link
   notify: Reload nginx
   ignore_errors: "{{ ansible_check_mode }}"