Make sure krb database belongs to krb user

config/service/fudo-auth.nix

@@ -73,6 +73,7 @@ in {
     systemd = {
       tmpfiles.rules = mkIf (kerberos-master || kerberos-slave) [
         "d ${cfg.kerberos.state-directory} 0700 ${krb-user} ${krb-group} - -"
+        "f ${cfg.fudo.auth.kerberos.kdc.database} 0700 ${krb-user} ${krb-group} - -"
       ];
 
       paths.heimdal-kdc-initialize = mkIf kerberos-master {
@@ -88,6 +89,10 @@ in {
             host-secrets.kdc-principals.service
             host-secrets.realm-master-key.service
           ];
+          after = [
+            host-secrets.kdc-principals.service
+            host-secrets.realm-master-key.service
+          ];
           description = "Initialize and update the Heimdal KDC database.";
           path = with pkgs; [ kdcMergePrincipals coreutils ];
           serviceConfig = let
@@ -98,7 +103,6 @@ in {
             User = krb-user;
             Group = krb-group;
             Restart = "always";
-            ConditionPathExists = [ db principals master-key ];
             ExecStart = let
               init-db-cmd = concatStringsSep " " [
                 "${pkgs.kdcMergePrincipals}/bin/kdc-merge-principals"
@@ -116,6 +120,7 @@ in {
               '';
             in "+${script}";
           };
+          unitConfig.ConditionPathExists = [ db principals master-key ];
         };
         heimdal-kdc = mkIf kerberos-master {
           requires = [ "heimdal-kdc-initialize.service" ];