diff --git a/nixos/modules/services/web-apps/immich.nix b/nixos/modules/services/web-apps/immich.nix
index b81e27d245f5d2..9e34e2d6db8bec 100644
--- a/nixos/modules/services/web-apps/immich.nix
+++ b/nixos/modules/services/web-apps/immich.nix
@@ -37,6 +37,7 @@ let
     RestrictNamespaces = true;
     RestrictRealtime = true;
     RestrictSUIDSGID = true;
+    UMask = "0077";
   };
   inherit (lib)
     types
@@ -353,6 +354,21 @@ in
     };
   };
 
+  systemd.tmpfiles.settings = {
+    immich = {
+      # Redundant to the `UMask` service config setting on new installs, but installs made in
+      # early 24.11 created world-readable media storage by default, which is a privacy risk. This
+      # fixes those installs.
+      "${cfg.mediaLocation}" = {
+        d = {
+          user = cfg.user;
+          group = cfg.group;
+          mode = "0700";
+        };
+      };
+    };
+  };
+
   users.users = mkIf (cfg.user == "immich") {
     immich = {
       name = "immich";
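Review bot: The added `UMask = "0077";` carries no comment, while every other line in this hardening block is a well-known systemd sandbox option; a reader later will not know whether the mask is a deliberate privacy measure or an accident, and the rationale is only given in the second hunk's tmpfiles comment. Suggest a line directly above it: `# Uploads and derived files (thumbnails, encoded video) are created private to the service user; nothing else on the host is expected to read the media store directly.` The `let` binding this attribute set belongs to starts before the hunk, so I cannot tell from here whether this serviceConfig is shared by more than one unit; if it is, the comment should also say that all of them create files with this mask.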
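Review bot: The `d` tmpfiles entry on `cfg.mediaLocation` only sets mode `0700` on the top-level directory, so the comment's claim that this "fixes those installs" is stronger than what the rule does: files and subdirectories created world-readable by early 24.11 keep their permission bits and become unreachable only because the parent now denies traversal, and any later relaxation of the top directory (an admin chmod, a different `mediaLocation` on a shared mount) re-exposes them. Suggest the comment say so explicitly, e.g. `# Only the top-level directory is corrected; pre-existing contents keep their old bits but are no longer traversable by other users.` Note also that `d` re-applies `user`/`group`/`mode` on every tmpfiles run, which will silently undo any ownership or mode an admin set to share the media store with another service; that is probably intended but is worth a sentence in the option documentation for `mediaLocation`. The `users.users = mkIf …` attribute at the end of the hunk continues outside it.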