diff --git a/profiles/servers/authentik.nix b/profiles/servers/authentik.nix
index d4a6c21..eace620 100644
--- a/profiles/servers/authentik.nix
+++ b/profiles/servers/authentik.nix
@@ -82,16 +82,17 @@ in {
 };
 };

+ systemd.tmpfiles.rules = [
+ "d ${data-dir}/db 0700 70 root -"
+ "d ${data-dir}/redis 0755 dhcpcd root -"
+ "d ${data-dir}/media 0755 ${owner} ${owner} -"
+ "d ${data-dir}/certs 0755 ${owner} ${owner} -"
+ "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"
+ ];
+
 systemd.services."podman-create-${pod-name}" = let
 portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
 start = pkgs.writeShellScript "create-pod" ''
- if [[ ! -d "${data-dir}" ]]; then
- mkdir -p "${data-dir}/db"
- mkdir -p "${data-dir}/redis"
- mkdir -p "${data-dir}/media" && chown ${owner}:${owner} "${data-dir}/media"
- mkdir -p "${data-dir}/certs" && chown ${owner}:${owner} "${data-dir}/certs"
- mkdir -p "${data-dir}/custom-templates" && chown ${owner}:${owner} "${data-dir}/custom-templates"
- fi
 podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
 '';
 stop = "podman pod rm -i -f ${pod-name}";
@@ -104,7 +105,7 @@ in {
 "${backend}-authentik-worker.service"
 "${backend}-authentik-ldap.service"
 ];
- wantedBy = before;
+ requiredBy = before;
 partOf = before;
 serviceConfig = {
 Type = "oneshot";
diff --git a/profiles/servers/gitea.nix b/profiles/servers/gitea.nix
index 51fc7cc..67ba0ec 100644
--- a/profiles/servers/gitea.nix
+++ b/profiles/servers/gitea.nix
@@ -108,7 +108,7 @@ in {
 older-than = "3"; # in days
 in rec {
 before = [ "gitea-dump.service" ];
- wantedBy = before;
+ requiredBy = before;
 script = ''
 ${pkgs.findutils}/bin/find ${config.services.gitea.dump.backupDir} \
 -mindepth 1 -type f -mtime +${older-than} -delete
diff --git a/profiles/servers/joplin-server.nix b/profiles/servers/joplin-server.nix
index 7d918c7..fd46362 100644
--- a/profiles/servers/joplin-server.nix
+++ b/profiles/servers/joplin-server.nix
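Review bot: The redis rule `"d ${data-dir}/redis 0755 dhcpcd root -"` hands authentik's Redis data directory to the host's `dhcpcd` account, presumably because its UID happens to coincide with the redis user inside the container; the `${joplin-db-data}` rule in joplin-server.nix does the same for the Joplin database. That couples an identity provider's state to an unrelated, network-facing host daemon: that account can write the data on the host, and the rule stops mapping to the intended container user if `dhcpcd` is renumbered or absent. Use the container's numeric UID as the `db` rule already does, with a comment naming the container user, and tighten the mode, e.g. `"d ${data-dir}/redis 0700 <redis-container-uid> root -"`. Note also that `d` adjusts mode and ownership of directories that already exist, whereas the removed script did nothing once `${data-dir}` was present.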
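Review bot: With `requiredBy = before;` on this pruning unit, `gitea-dump.service` now has a hard `Requires=` plus ordering on it, so if the `find … -delete` script exits non-zero (for example because the backup directory is missing or unreadable) systemd will not start the dump at all and backups stop. For the pod-creation units in the other files a hard requirement makes sense, but here the cleanup is best-effort housekeeping; consider keeping `wantedBy = before;` in this file, or add a comment such as `# dump must not run unless pruning succeeded` if the coupling is intended. The unit's definition starts above and continues below the hunk.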
@@ -32,18 +32,22 @@ in {
 volumes = [ "${joplin-db-data}:/var/lib/postgresql/data" ];
 };
 };
+
+ systemd.tmpfiles.rules = [
+ "d ${joplin-data} 0755 ${joplin-uid} ${joplin-uid} -"
+ "d ${joplin-db-data} 0700 dhcpcd dhcpcd -"
+ ];
+
 systemd.services."podman-create-${pod-name}" = let
 portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
 start = pkgs.writeShellScript "create-pod" ''
- mkdir -p ${joplin-data} && chown ${joplin-uid} ${joplin-data}
- mkdir -p ${joplin-db-data}
 podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
 '';
 stop = "podman pod rm -i -f ${pod-name}";
 in rec {
 path = [ pkgs.coreutils config.virtualisation.podman.package ];
 before = [ "${backend}-joplin.service" "${backend}-joplin-db.service" ];
- wantedBy = before;
+ requiredBy = before;
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = "yes";
diff --git a/profiles/servers/media-stack/default.nix b/profiles/servers/media-stack/default.nix
index 60afdc7..cbb93e3 100644
--- a/profiles/servers/media-stack/default.nix
+++ b/profiles/servers/media-stack/default.nix
@@ -43,7 +43,7 @@ in {
 "${backend}-recyclarr.service"
 "${backend}-sonarr.service"
 ];
- wantedBy = before;
+ requiredBy = before;
 partOf = before;
 serviceConfig = {
 Type = "oneshot";
diff --git a/profiles/servers/seafile.nix b/profiles/servers/seafile.nix
index 30288b9..a80b442 100644
--- a/profiles/servers/seafile.nix
+++ b/profiles/servers/seafile.nix
@@ -139,7 +139,7 @@ in {
 "${backend}-memcached.service"
 "${backend}-seafile-caddy.service"
 ];
- wantedBy = before;
+ requiredBy = before;
 partOf = before;
 serviceConfig = {
 Type = "oneshot";