diff --git a/tasks/certpaths.yml b/tasks/certpaths.yml
index e2ef548b8e189a9299a5ac04426c91a792937617..f7af67d26aa339daf65ae1ec3732051a6fba4772 100644
--- a/tasks/certpaths.yml
+++ b/tasks/certpaths.yml
@@ -4,4 +4,7 @@
   template:
     src: certpaths.j2
     dest: "/etc/haproxy/{{ item.name }}.certpaths"
+    owner: root
+    group: root
+    mode: 0644
   when: item.ssl is defined and (item.ssl.cert is defined or item.ssl.acme_domains is defined)
diff --git a/tasks/configure.yml b/tasks/configure.yml
index daeb606daf60e2f1d4aeb86fac1dbac71036cf43..fcbac9c9993f259f8ee196346a64142e1126d6ed 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -37,6 +37,9 @@
   file:
     path: "{{ haproxy_config_dir }}/frontends.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the frontends"
   find:
@@ -56,6 +59,9 @@
   template:
     src: "frontend.cfg"
     dest: "{{ haproxy_config_dir }}/frontends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_frontends }}"
   when: haproxy_frontends is defined
 
@@ -65,6 +71,9 @@
   file:
     path: "{{ haproxy_config_dir }}/backends.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the backends"
   find:
@@ -84,6 +93,9 @@
   template:
     src: "backend.cfg"
     dest: "{{ haproxy_config_dir }}/backends.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_backends }}"
   when: haproxy_backends is defined
 
@@ -93,6 +105,9 @@
   file:
     path: "{{ haproxy_config_dir }}/listen.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files the listen sections"
   find:
@@ -112,6 +127,9 @@
   template:
     src: "listen.cfg"
     dest: "{{ haproxy_config_dir }}/listen.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_listen }}"
   when: haproxy_listen is defined
 
@@ -121,6 +139,9 @@
   file:
     path: "{{ haproxy_config_dir }}/userlists.d"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: "List files for the userlists"
   find:
@@ -140,13 +161,21 @@
   template:
     src: userlist.cfg
     dest: "{{ haproxy_config_dir }}/userlists.d/{{ item.name }}.cfg"
+    owner: root
+    group: root
+    mode: 0644
   loop: "{{ haproxy_userlists }}"
   when: haproxy_userlists is defined
 
 ## ASSEMBLE CONFIG - GLOBAL & DEFAULT
 
 - name: 'Create  the compiled folder'
-  file: path={{ haproxy_config_dir }}/compiled state=directory
+  file:
+    path: "{{ haproxy_config_dir }}/compiled"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: 'Merge global config'
   set_fact:
@@ -156,6 +185,9 @@
   template:
     src: "global.cfg"
     dest: "{{ haproxy_config_dir }}/compiled/01-global.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Merge default config'
   set_fact:
@@ -165,6 +197,9 @@
   template:
     src: "defaults.cfg"
     dest: "{{ haproxy_config_dir }}/compiled/02-defaults.cfg"
+    owner: root
+    group: root
+    mode: 0644
   when: haproxy_defaults is defined
 
 ## ASSEMBLE FINAL CONFIG
@@ -173,25 +208,40 @@
   assemble:
     src: "{{ haproxy_config_dir }}/backends.d"
     dest: "{{ haproxy_config_dir }}/compiled/03-backends.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the frontends configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/frontends.d"
     dest: "{{ haproxy_config_dir }}/compiled/04-frontends.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the listen sections configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/listen.d"
     dest: "{{ haproxy_config_dir }}/compiled/05-listen.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the userlists sections configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/userlists.d"
     dest: "{{ haproxy_config_dir }}/compiled/06-userlists.cfg"
+    owner: root
+    group: root
+    mode: 0644
 
 - name: 'Assemble the final configuration file'
   assemble:
     src: "{{ haproxy_config_dir }}/compiled"
     dest: "{{ haproxy_config_file }}"
+    owner: root
+    group: root
+    mode: 0644
     backup: true
   notify: reload haproxy
diff --git a/tasks/install.yml b/tasks/install.yml
index 4fecaf3597da3f65fc73ea75e34ab4f267330106..915fbb2e85b3be383f309ffcb87493a3150b7c14 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -50,12 +50,18 @@
   file:
     name: "{{ haproxy_global.chroot }}"
     state: directory
+    owner: root
+    group: root
+    mode: 0755
   when: haproxy_global.chroot is defined and haproxy_global.chroot
 
 - name: Create service override directory
   file:
     path: /etc/systemd/system/haproxy.service.d
     state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - name: Copy service override
   copy:
@@ -64,3 +70,6 @@
       [Unit]
       Wants=network-online.target
       After=network-online.target
+    owner: root
+    group: root
+    mode: 0644
diff --git a/tasks/standalone_tls.yml b/tasks/standalone_tls.yml
index cb6544cf617066bd878b390b65ff0de021fd9994..32e7a17fe8a88385065d4ccc13b5492814753fad 100644
--- a/tasks/standalone_tls.yml
+++ b/tasks/standalone_tls.yml
@@ -3,6 +3,9 @@
   template:
     src: tls_temp.cfg
     dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: 0644
 
 - name: Restart haproxy
   systemd: