diff --git a/modules/sv1.nix b/modules/sv1.nix
index 54c7e85..0415c72 100644
--- a/modules/sv1.nix
+++ b/modules/sv1.nix
@@ -155,7 +155,6 @@
     firewall.allowedTCPPorts = [
       80
       443
-      8096
     ];
   };
 
@@ -262,16 +261,23 @@
     persistence."/persist" = {
       hideMounts = true;
       directories = [
-        "/var/lib/nixos"
+        {
+          directory = "/var/lib/nixos";
+          user = "root";
+          group = "root";
+          mode = "u=rwx,g=rx,o=rx";
+        }
         {
           directory = "/var/lib/gitea";
           user = "gitea";
           group = "gitea";
+          mode = "u=rwx,g=rx,o=";
         }
         {
           directory = "/var/lib/jellyfin";
           user = "jellyfin";
           group = "jellyfin";
+          mode = "u=rwx,g=rx,o=";
         }
       ];
     };