The dev-sec.nginx-hardening role adapts the file permission mode for /etc/nginx with: mode: o-rw To have not everytime a changed state, the mode should be configurable in this role as well.