diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 2666f452f72d8deca85b68a93364c5f1b133d352..409f468a05ff99a36347d9147690fdd2011e93e9 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -168,6 +168,7 @@ in {
       # "The specified directory names must be relative" ... this
       # makes systemd create /var/lib/zkapissuer/ for us:
       serviceConfig.StateDirectory = "zkapissuer";
+      serviceConfig.StateDirectoryMode = "0750";
 
       script =
         let