diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index 3a348818a97c..869f4f85fb48 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -21,6 +21,9 @@ let
       TTYGROUP     tty
       TTYPERM      0620
 
+      # Ensure privacy for newly created home directories.
+      UMASK        077
+
       # Uncomment this to allow non-root users to change their account
       #information.  This should be made configurable.
       #CHFN_RESTRICT frwh