diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index 453aa740b..3a7fe5db2 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -51,6 +51,9 @@ in
 _name: file: {
 inherit (file)
 name
+ owner
+ group
+ mode
 deploy
 secret
 neededForUsers
diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index 4067254f4..dee8c5561 100644
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -206,13 +206,18 @@ in
 default = false;
 };
 owner = lib.mkOption {
- description = "The user name or id that will own the secret file.";
+ description = "The user name or id that will own the file.";
 default = "root";
 };
 group = lib.mkOption {
- description = "The group name or id that will own the secret file.";
+ description = "The group name or id that will own the file.";
 default = "root";
 };
+ mode = lib.mkOption {
+ type = lib.types.strMatching "^[0-7]{3}$";
+ description = "The unix file mode of the file. Must be a 3-digit octal number.";
+ default = "400";
+ };
 value = lib.mkOption {
 description = ''
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 7053f8d50..97e4e0f5e 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -161,7 +161,7 @@ class SecretStore(SecretStoreBase):
 continue
 if not file.secret:
 continue
- if not dir_exists:
+ if not dir_exists and not file.needed_for_users:
 tar_dir = tarfile.TarInfo(name=generator.name)
 tar_dir.type = tarfile.DIRTYPE
 tar_dir.mode = 0o511
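Review bot: The new `mode` option accepts any three octal digits, so a file declared with `secret = true` can be given a group- or world-readable mode such as `644` without any warning, and the description does not say so. Either extend the description — `description = "The unix file mode of the file. Must be a 3-digit octal number. Modes granting read access to group or others are accepted unchecked, so keep secret files at 400 unless another user must read them.";` — or add a module assertion that rejects world-readable modes for secret files (that assertion would live outside this hunk). Since the type limits `mode` to three digits, setuid/setgid/sticky bits cannot be expressed; if that is intended, the description should state it. The enclosing options set continues outside the hunk.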
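Review bot: The reason `needed_for_users` files are excluded from creating the generator directory is not visible at the condition; a reader has to find the `if file.needed_for_users:` branch further down and guess that such files are presumably placed under a different path. A one-line comment above the `if` would save that detour, e.g. `# needed_for_users files do not live under the generator dir, so they must not create it`. The enclosing loop and the initialisation of `dir_exists` lie outside the hunk, so whether `dir_exists` is set after the directory entry is written cannot be confirmed here.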
@@ -170,7 +170,7 @@ class SecretStore(SecretStoreBase):
 tar_file = tarfile.TarInfo(name=f"{generator.name}/{file.name}")
 content = self.get(generator, file.name)
 tar_file.size = len(content)
- tar_file.mode = 0o440
+ tar_file.mode = file.mode
 tar_file.uname = file.owner
 tar_file.gname = file.group
 if file.needed_for_users:
diff --git a/pkgs/clan-cli/clan_cli/vars/var.py b/pkgs/clan-cli/clan_cli/vars/var.py
index d562623d6..74324a406 100644
--- a/pkgs/clan-cli/clan_cli/vars/var.py
+++ b/pkgs/clan-cli/clan_cli/vars/var.py
@@ -15,6 +15,7 @@ class Var:
 deploy: bool = False
 owner: str = "root"
 group: str = "root"
+ mode: int = 0o400
 needed_for_users: bool = False # TODO: those shouldn't be set here
@@ -75,5 +76,6 @@ class Var:
 deploy=data["deploy"],
 owner=data.get("owner", "root"),
 group=data.get("group", "root"),
+ mode=int(data.get("mode", "400"), 8),
 needed_for_users=data.get("neededForUsers", False),
 )
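Review bot: `tar_file.mode = file.mode` changes the effective default from `0o440` to `0o400` (the new `Var` default), so deployments that rely on the `group` option to grant read access lose it silently unless they now also set `mode = "440"`. Owner-only is the safer default for secret material, but it is a behaviour change that should be named in the commit message and in the `mode` option description in interface.nix next to `default = "400"`. If compatibility is preferred, keep the old value with `mode: int = 0o440` in var.py and `default = "440"` in interface.nix. The `if file.needed_for_users:` branch continues outside the hunk, so whether `mode` also reaches those entries cannot be checked here.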
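Review bot: `mode=int(data.get("mode", "400"), 8)` accepts more than the Nix type does — `int(" 400", 8)`, `int("-400", 8)` and `int("0o400", 8)` all parse, and a negative or oversized value would surface only when the tar header is built, if at all. Since this constructor may be fed data that never passed through the module's `strMatching` type, an explicit `re.fullmatch(r"[0-7]{3,4}", mode_str)` check raising `ValueError` with the offending value would fail early and clearly (var.py's imports are outside the hunk; add `re` if it is not already imported). The default `"400"` is now spelled three times — here, in the dataclass field `mode: int = 0o400`, and in interface.nix — so a single module-level constant would keep them from drifting. The enclosing constructor method starts outside the hunk.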