diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index 6ac92a9..4fce6dc 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -150,6 +150,11 @@ argument_specs:
             type: str
             required: false
             default: ""
+          mode:
+            description: Templated file permissions
+            type: str
+            required: false
+            default: "0644"
           volume_device:
             description: >-
               The path of a device which is mounted for the volume.
diff --git a/roles/service/tasks/templates.yaml b/roles/service/tasks/templates.yaml
index c1c1be6..aa4736d 100644
--- a/roles/service/tasks/templates.yaml
+++ b/roles/service/tasks/templates.yaml
@@ -22,6 +22,6 @@
   ansible.builtin.template:
     src: "{{ item[0].source }}"
     dest: "{{ item[1] }}"
-    mode: "0644"
+    mode: "{{ item[0].mode | default('0644') }}"
   notify: Restart container service {{ service_name }}
   loop: "{{ _service_all_template_mounts | zip(_service_all_template_mount_host_files) }}"
diff --git a/roles/service/vars/main/additional.yaml b/roles/service/vars/main/additional.yaml
index 9b20fa1..6b71806 100644
--- a/roles/service/vars/main/additional.yaml
+++ b/roles/service/vars/main/additional.yaml
@@ -39,12 +39,13 @@ _service_additional_container_template_mounts: >-
   {{
     ([{'readonly': true}] * _service_additional_template_mounts | length) |
     zip(
-      _service_additional_template_mounts,
       _service_additional_template_mounts |
-      map(attribute='source') |
-      map('regex_replace', '\.j2$', '') |
-      map('regex_replace', '^', _service_host_directory ~ '/mounts/') |
-      map('community.general.dict_kv', 'source'),
+        community.general.remove_keys(['mode']),
+      _service_additional_template_mounts |
+        map(attribute='source') |
+        map('regex_replace', '\.j2$', '') |
+        map('regex_replace', '^', _service_host_directory ~ '/mounts/') |
+        map('community.general.dict_kv', 'source'),
       ([{'type': 'bind'}] * _service_additional_template_mounts | length)
     ) |
     map('combine')
diff --git a/roles/service/vars/main/mounts.yaml b/roles/service/vars/main/mounts.yaml
index f6a1561..f2ce332 100644
--- a/roles/service/vars/main/mounts.yaml
+++ b/roles/service/vars/main/mounts.yaml
@@ -19,12 +19,13 @@ _service_container_template_mounts: >-
   {{
     ([{'readonly': true}] * _service_template_mounts | length) |
     zip(
-      _service_template_mounts,
       _service_template_mounts |
-      map(attribute='source') |
-      map('regex_replace', '\.j2$', '') |
-      map('regex_replace', '^', _service_host_directory ~ '/mounts/') |
-      map('community.general.dict_kv', 'source'),
+        community.general.remove_keys(['mode']),
+      _service_template_mounts |
+        map(attribute='source') |
+        map('regex_replace', '\.j2$', '') |
+        map('regex_replace', '^', _service_host_directory ~ '/mounts/') |
+        map('community.general.dict_kv', 'source'),
       ([{'type': 'bind'}] * _service_template_mounts | length)
     ) |
     map('combine')