diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 82dfabd..1f3ffea 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -208,55 +208,52 @@ in
 };
 systemd = {
- tmpfiles.settings."10-crowdsec" = {
+ tmpfiles.settings."10-crowdsec" = lib.mkIf (cfg.parserWhitelist != [ ]) {
 "${cfg.stateDirectory}".d = {
 user = "crowdsec";
 group = "crowdsec";
 mode = "0700";
 };
- # This must be created for the setup service to work
 "${cfg.stateDirectory}/config".d = {
 user = "crowdsec";
 group = "crowdsec";
 mode = "0700";
 };
- "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
+ "${cfg.stateDirectory}/config/parsers".d = {
 user = "crowdsec";
 group = "crowdsec";
 mode = "0700";
 };
- "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) {
+ "${cfg.stateDirectory}/config/parsers/s02-enrich".d = {
 user = "crowdsec";
 group = "crowdsec";
 mode = "0700";
 };
- "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" =
- lib.mkIf (cfg.parserWhitelist != [ ])
- {
- "L+".argument =
- (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
- name = "nixos/parser-whitelist";
- description = "Parser whitelist generated by the crowdsec NixOS module";
- whitelist = {
- reason = "Filtered by NixOS whitelist";
- ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
- cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
- };
- }).outPath;
- };
+ "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = {
+ "L+".argument =
+ (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" {
+ name = "nixos/parser-whitelist";
+ description = "Parser whitelist generated by the crowdsec NixOS module";
+ whitelist = {
+ reason = "Filtered by NixOS whitelist";
+ ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist;
+ cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist;
+ };
+ }).outPath;
+ };
 };
 services = {
 crowdsec-setup = {
- # TODO(tlater): Depend on tmpfiles path for
- # /var/lib/crowdsec/config
 description = "Crowdsec database and config preparation";
 script =
 ''
+ mkdir -p '${cfg.stateDirectory}/'{config,}
+
 if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then
 cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}'
 fi