diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index d1f3fa8..e91e54e 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -72,6 +72,14 @@ for svc in nextcloud gitea monitoring; do
 fi
 done
 
+# ------------------------------------------------------------------
+# Lock down .env files (readable only by root)
+# ------------------------------------------------------------------
+echo "==> Securing .env files..."
+for envfile in "$REPO_ROOT"/.env "$REPO_ROOT"/*/.env; do
+ [ -f "$envfile" ] && chmod 600 "$envfile" && chown root:root "$envfile"
+done
+
 # ------------------------------------------------------------------
 # Start all stacks
 # ------------------------------------------------------------------
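Review bot: The `chmod`/`chown` line in the new loop follows symlinks, because `[ -f "$envfile" ]` is true for a symlink to a regular file and both tools then act on the link's target. If any stack directory under `$REPO_ROOT` is writable by a non-root account (not visible in this hunk), a root-run deploy would change the mode and ownership of a file outside the repo. Skipping links closes that gap: `[ -f "$envfile" ] && [ ! -L "$envfile" ] && chmod 600 "$envfile" && chown root:root "$envfile"`. The glob only matches a file named exactly `.env` at the root and one directory below, so variants (for example `.env.production`) and deeper stacks keep their old mode; a comment such as `# Covers $REPO_ROOT/.env and one level of stack dirs only` would make that scope explicit. Whether a failed `chown` stops the deploy depends on a `set -e` outside this hunk, so it is worth confirming that a failure here is not silently ignored before the stacks start.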