feat(tmpfiles): defer per-service file permissions to reduce boot time

services/matrix.nix

@@ -9,6 +9,9 @@
     (lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [
       "/var/lib/private/continuwuity"
     ])
+    (lib.serviceFilePerms "continuwuity" [
+      "Z /var/lib/private/continuwuity 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}"
+    ])
   ];
 
   services.matrix-continuwuity = {
@@ -58,10 +61,6 @@
   services.caddy.virtualHosts."${service_configs.matrix.domain}:${builtins.toString service_configs.ports.matrix_federation}".extraConfig =
     config.services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig;
 
-  systemd.tmpfiles.rules = [
-    "Z /var/lib/private/continuwuity 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}"
-  ];
-
   # for federation
   networking.firewall.allowedTCPPorts = [
     service_configs.ports.matrix_federation