diff --git a/cluster/services/idm/modules/idm-nss-ready.nix b/cluster/services/idm/modules/idm-nss-ready.nix
new file mode 100644
index 0000000..f6b11b7
--- /dev/null
+++ b/cluster/services/idm/modules/idm-nss-ready.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, ... }:
+
+let
+ idmReady = pkgs.writers.writeHaskellBin "idm-nss-ready" {
+ libraries = with pkgs.haskellPackages; [ watchdog ];
+ } ''
+ import Control.Monad.IO.Class
+ import Control.Watchdog
+ import System.IO.Error
+ import System.Posix.User
+
+ main :: IO ()
+ main = watchdog $ do
+ setInitialDelay 300_000
+ setMaximumDelay 30_000_000
+ watch $ do
+ check <- liftIO $ tryIOError $ getGroupEntryForName "infra_admins"
+ case check of
+ Right _ -> return $ Right ()
+ Left _ -> return $ Left "group not found"
+ '';
+in
+
+{
+ systemd.services.idm-nss-ready = {
+ description = "Wait for IDM NSS";
+ requires = [ "kanidm-unixd.service" "nss-user-lookup.target" ];
+ after = [ "kanidm-unixd.service" ];
+ before = [ "nss-user-lookup.target" ];
+ serviceConfig = {
+ ExecStart = lib.getExe idmReady;
+ DynamicUser = true;
+ TimeoutStartSec = "2m";
+ Type = "oneshot";
+ };
+ };
+}
diff --git a/cluster/services/idm/modules/idm-tmpfiles.nix b/cluster/services/idm/modules/idm-tmpfiles.nix
new file mode 100644
index 0000000..ba449a6
--- /dev/null
+++ b/cluster/services/idm/modules/idm-tmpfiles.nix
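Review bot: The `Left _` branch inside the `watch` block discards the `IOError` it just caught, so every failure is reported as `"group not found"` even when the lookup failed for a different reason (kanidm-unixd not accepting connections yet, a permission problem, an NSS misconfiguration), which makes a boot stuck on this oneshot hard to diagnose from the journal. Binding the error and surfacing it, `Left e -> return $ Left ("lookup of group infra_admins failed: " ++ show e)`, keeps the retry behaviour unchanged while putting the real cause in the watchdog's log output (this assumes the watchdog's error type is polymorphic, as the `Left "..."` literal suggests). The probe group `"infra_admins"` is also baked into the binary; exposing it as a module option would let other deployments reuse the unit without editing the embedded Haskell. No retry limit is set in the hunk, so if the library's default is unlimited the effective bound is `TimeoutStartSec = "2m"` — worth a comment next to it, e.g. `# the watchdog retries with backoff (0.3s .. 30s if delays are microseconds); systemd's 2m start timeout bounds the wait`.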
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+with lib;
+
+let
+ cfg = config.idm.tmpfiles;
+
+ rulesFile = pkgs.writeText "idm-tmpfiles.conf" (concatStringsSep "\n" cfg.rules);
+in
+
+{
+ options.idm.tmpfiles.rules = mkOption {
+ description = "systemd-tmpfiles rules to run after IDM is ready.";
+ type = with types; listOf str;
+ default = [];
+ };
+
+ config = mkIf (cfg.rules != []) {
+ systemd.services.idm-tmpfiles = {
+ description = "Set up tmpfiles after IDM";
+ requires = [ "idm-nss-ready.service" "nss-user-lookup.target" ];
+ after = [ "idm-nss-ready.service" "nss-user-lookup.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${config.systemd.package}/bin/systemd-tmpfiles --create --remove ${rulesFile}";
+ Type = "oneshot";
+ };
+ };
+ };
+}
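Review bot: The `ExecStart` line passes `--remove` together with `--create`, so any `r`/`R` line placed in `idm.tmpfiles.rules` deletes paths as root on every boot, yet the option's description (`"systemd-tmpfiles rules to run after IDM is ready."`) does not mention that removal lines are honoured and the type is a bare `listOf str` with no `example`. Spell out the effect where the option is declared, e.g. `description = "systemd-tmpfiles rules applied as root with --create --remove once IDM user/group lookups are available; removal (r/R) lines are honoured.";`, and add an `example` with a typical `d` line so callers see the expected format. Separately, `with lib;` at the top of the module is discouraged in NixOS modules because it hides where `mkOption`, `mkIf`, `types` and `concatStringsSep` come from; an explicit `inherit (lib) concatStringsSep mkIf mkOption types;` in the `let` keeps the scope readable.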