diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index b4890b4..4b8b034 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -29,10 +29,16 @@ in
 system.activationScripts.container-setup-dirs = {
 deps = [ "users" "groups" ];
- text = lib.concatStringsSep "\n" (map (cfg: ''
- ${pkgs.coreutils}/bin/mkdir -p "${cfg.path}"
- ${pkgs.coreutils}/bin/chown ${cfg.owner} "${cfg.path}"
- ${pkgs.coreutils}/bin/chmod ${cfg.mode} "${cfg.path}"
+ text = lib.concatStringsSep "\n" (map (cfg:
+ let
+ effectiveCfg = {
+ owner = "root:root";
+ mode = "0400";
+ } // cfg;
+ in ''
+ ${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
+ ${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
+ ${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
 '') allPathConfigs);
 };
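Review bot: The fallback `mode = "0400";` is applied to a path that `mkdir -p` creates as a directory, and a directory without the search (x) bit cannot be entered by its owner unless the process bypasses permission checks the way root does, so an entry that sets a non-root `owner` but relies on the default mode ends up with a directory its container cannot use. A directory default of `mode = "0700";` keeps the path private to its owner and remains traversable. Separately, `${effectiveCfg.owner}` and `${effectiveCfg.mode}` are interpolated unquoted into a script that runs as root at activation; `${lib.escapeShellArg effectiveCfg.owner}` (and the same for mode and path) would stop a malformed value from being word-split or interpreted by the shell. The option declarations are outside this hunk: if they give `owner` or `mode` a `null` default, `// cfg` would overwrite the fallbacks with null, which is worth confirming.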