tailscale

hosts/server/modules/vaultwarden.nix

@@ -25,16 +25,16 @@
     };
   };
 
-  # Allow vaultwarden to write under /private/vaultwarden and ensure the directory exists.
+  # Allow vaultwarden to write under /private/vaultwarden and ensure the directories exist.
   systemd.services.vaultwarden.serviceConfig = {
     ReadWritePaths = [ "/private/vaultwarden" ];
   };
 
-  systemd.tmpfiles.settings."10-vaultwarden-private"."/private/vaultwarden/data".d = {
-    user = "vaultwarden";
-    group = "vaultwarden";
-    mode = "0750";
-  };
+  # Create parent/data directories with proper ownership before startup.
+  systemd.tmpfiles.rules = [
+    "d /private/vaultwarden 0750 vaultwarden vaultwarden -"
+    "d /private/vaultwarden/data 0750 vaultwarden vaultwarden -"
+  ];
 
   # cloudflared!!
   # networking.firewall.allowedTCPPorts = [