diff --git a/microceph/ceph/bootstrap.go b/microceph/ceph/bootstrap.go
index b85ac68f..22836ed8 100644
--- a/microceph/ceph/bootstrap.go
+++ b/microceph/ceph/bootstrap.go
@@ -37,6 +37,7 @@ func Bootstrap(s common.StateInterface) error {
 			"monitors": s.ClusterState().Address().Hostname(),
 			"addr":     s.ClusterState().Address().Hostname(),
 		},
+		0644,
 	)
 	if err != nil {
 		return err
diff --git a/microceph/ceph/config.go b/microceph/ceph/config.go
index adf38a4d..d7b93680 100644
--- a/microceph/ceph/config.go
+++ b/microceph/ceph/config.go
@@ -216,6 +216,7 @@ func updateConfig(s common.StateInterface) error {
 			"ipv4":     strings.Contains(address, "."),
 			"ipv6":     strings.Contains(address, ":"),
 		},
+		0644,
 	)
 	if err != nil {
 		return fmt.Errorf("Couldn't render ceph.conf: %w", err)
@@ -228,6 +229,7 @@ func updateConfig(s common.StateInterface) error {
 			"name": "client.admin",
 			"key":  config["keyring.client.admin"],
 		},
+		0640,
 	)
 	if err != nil {
 		return fmt.Errorf("Couldn't render ceph.client.admin.keyring: %w", err)
diff --git a/microceph/ceph/configwriter.go b/microceph/ceph/configwriter.go
index 08d34d0b..98ee9f8f 100644
--- a/microceph/ceph/configwriter.go
+++ b/microceph/ceph/configwriter.go
@@ -24,9 +24,8 @@ func (c *Config) GetPath() string {
 	return filepath.Join(c.configDir, c.configFile)
 }
 
-// WriteConfig writes the configuration file given a data bag
-func (c *Config) WriteConfig(data map[string]any) error {
-	mode := int(0640) // rw: user, r: group, others: none.
+// WriteConfig writes the configuration file given a data bag and a filemode
+func (c *Config) WriteConfig(data map[string]any, mode int) error {
 	fd, err := os.OpenFile(c.GetPath(), os.O_CREATE|os.O_TRUNC|os.O_RDWR, os.FileMode(mode))
 	if err != nil {
 		return fmt.Errorf("Couldn't write %s: %w", c.configFile, err)
diff --git a/microceph/ceph/configwriter_test.go b/microceph/ceph/configwriter_test.go
index 038c3b60..ea03d647 100644
--- a/microceph/ceph/configwriter_test.go
+++ b/microceph/ceph/configwriter_test.go
@@ -31,6 +31,7 @@ func (s *configWriterSuite) TestWriteCephConfig() {
 			"monitors": "foohost",
 			"addr":     "foohost",
 		},
+		0644,
 	)
 	assert.Equal(s.T(), nil, err)
 	// Check that the file exists
@@ -49,6 +50,7 @@ func (s *configWriterSuite) TestWriteRadosGWConfig() {
 		map[string]any{
 			"monitors": "foohost",
 		},
+		0644,
 	)
 	assert.Equal(s.T(), nil, err)
 	// Check that the file exists
@@ -68,6 +70,7 @@ func (s *configWriterSuite) TestWriteCephKeyring() {
 			"name": "client.admin",
 			"key":  "secretkey",
 		},
+		0644,
 	)
 	assert.Equal(s.T(), nil, err)
 	// Check that the file exists and has the right contents
diff --git a/microceph/ceph/rgw.go b/microceph/ceph/rgw.go
index e6f6e02d..6177005c 100644
--- a/microceph/ceph/rgw.go
+++ b/microceph/ceph/rgw.go
@@ -23,6 +23,7 @@ func EnableRGW(s common.StateInterface, port int) error {
 			"monitors": s.ClusterState().Address().Hostname(),
 			"rgwPort":  port,
 		},
+		0644,
 	)
 	if err != nil {
 		return err