diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index b21bce89684e15f5a42eb33f5767fd29af09f67d..93de02efb6c6d444356651e04b985bb8d117fb5d 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -170,19 +170,15 @@ in {
 serviceConfig.StateDirectory = "zkapissuer";
 serviceConfig.StateDirectoryMode = "0750";
- # Move the DB from its former (root-owned) location if it exists.
- # The "--verbose" option for cp and "--changes" for chown mean the
- # tools will report if they do something, and stay silent if not.
+ # Bail if there is still an old (root-owned) DB file on this system.
+ # If you hit this, and this /var/db/ file is indeed current, move it to
+ # /var/lib/zkapissuer/vouchers.sqlite3 and chown it to zkapissuer:zkapissuer.
+ #
 # https://www.freedesktop.org/software/systemd/man/systemd.service.html#Command%20lines
- # > If the executable path is prefixed with "-", an exit code of the
- # > command normally considered a failure (i.e. non-zero exit status or
- # > abnormal exit due to signal) is recorded, but has no further effect
- # > and is considered equivalent to success.
- # [...]
- # > If the executable path is prefixed with "+" then the process is executed with full privileges.
+ # > If the executable path is prefixed with "+" then the process is
+ # > executed with full privileges.
 serviceConfig.ExecStartPre = [
- "-+${pkgs.coreutils}/bin/cp --update --verbose /var/db/vouchers.sqlite3 /var/lib/zkapissuer/vouchers.sqlite3"
- "-+${pkgs.coreutils}/bin/chown --changes zkapissuer:zkapissuer /var/lib/zkapissuer/vouchers.sqlite3"
+ "+${pkgs.bash}/bin/bash -c '[ ! -f /var/db/vouchers.sqlite3 ]'"
 ];
 script =
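Review bot: The new `ExecStartPre` entry starts a fully privileged shell (the `+` prefix) only to test whether a file exists. When the test fails, the journal will most likely show just bash exiting with status 1, with nothing that leads the operator to the recovery steps in the Nix comment. The same guard can be written without any privileged process as `unitConfig.AssertPathExists = "!/var/db/vouchers.sqlite3";`, and systemd then logs the failed assertion by name. Note that it trips on any path type, not only a regular file as `-f` does. If the shell check is kept, have it print the move-and-chown instruction to stderr before exiting non-zero, and drop the `+` unless the service user really cannot stat `/var/db`, which is not visible in this hunk. The service definition starts and continues outside the hunk.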