diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 1f3ffea..82dfabd 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -208,52 +208,55 @@ in
     };
 
     systemd = {
-      tmpfiles.settings."10-crowdsec" = lib.mkIf (cfg.parserWhitelist != [ ]) {
+      tmpfiles.settings."10-crowdsec" = {
         "${cfg.stateDirectory}".d = {
           user = "crowdsec";
           group = "crowdsec";
           mode = "0700";
         };
 
+        # This must be created for the setup service to work
         "${cfg.stateDirectory}/config".d = {
           user = "crowdsec";
           group = "crowdsec";
           mode = "0700";
         };
 
-        "${cfg.stateDirectory}/config/parsers".d = {
+        "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
           user = "crowdsec";
           group = "crowdsec";
           mode = "0700";
         };
 
-        "${cfg.stateDirectory}/config/parsers/s02-enrich".d = {
+        "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
           user = "crowdsec";
           group = "crowdsec";
           mode = "0700";
         };
 
-        "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = {
-          "L+".argument =
-            (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
-              name = "nixos/parser-whitelist";
-              description = "Parser whitelist generated by the crowdsec NixOS module";
-              whitelist = {
-                reason = "Filtered by NixOS whitelist";
-                ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
-                cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
-              };
-            }).outPath;
-        };
+        "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
+          lib.mkIf (cfg.parserWhitelist != [ ])
+            {
+              "L+".argument =
+                (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
+                  name = "nixos/parser-whitelist";
+                  description = "Parser whitelist generated by the crowdsec NixOS module";
+                  whitelist = {
+                    reason = "Filtered by NixOS whitelist";
+                    ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
+                    cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
+                  };
+                }).outPath;
+            };
       };
 
       services = {
         crowdsec-setup = {
+          # TODO(tlater): Depend on tmpfiles path for
+          # /var/lib/crowdsec/config
           description = "Crowdsec database and config preparation";
 
           script = ''
-            mkdir -p '${cfg.stateDirectory}/'{config,}
-
             if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
                 cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
             fi