diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
index 0d0467d..26913bc 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -1,4 +1,13 @@
 ---
+- name: Configure sudoers umask
+  lineinfile:
+    dest: /etc/sudoers
+    insertafter: '# Defaults specification'
+    line: 'Defaults umask=0077'
+    validate: 'visudo -cf %s'
+  tags:
+    - sudo
+
 # dont't break the tab!
 - name: Allow wheel group to run command as root in sudo
   lineinfile: