diff --git a/hosts/h002/nfs-data.nix b/hosts/h002/nfs-data.nix
index 48fd3fb1..c2fea7b2 100644
--- a/hosts/h002/nfs-data.nix
+++ b/hosts/h002/nfs-data.nix
@@ -20,21 +20,24 @@ lib.mkMerge [
     ];
 
     # One-shot fixup for existing files after migrations/rsync.
+    # Runs before `nfs-server` so clients always see correct perms.
     systemd.services.nfs-media-permissions = {
       description = "Fix NFS media permissions";
       after = [ "local-fs.target" ];
       before = [ "nfs-server.service" ];
-      wantedBy = [ "multi-user.target" ];
+      requiredBy = [ "nfs-server.service" ];
       serviceConfig.Type = "oneshot";
       path = [ pkgs.coreutils pkgs.findutils ];
       script = ''
         set -euo pipefail
 
+        getent group media >/dev/null
+
         for dir in /data/nixarr/media /data/pinchflat/media; do
           mkdir -p "$dir"
-          chgrp -R media "$dir" || true
-          chmod -R g+rwX "$dir" || true
-          find "$dir" -type d -print0 | xargs -0 chmod 2775 || true
+          chgrp -R media "$dir"
+          chmod -R g+rwX "$dir"
+          find "$dir" -type d -exec chmod 2775 {} +
         done
       '';
     };