diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 409f468a05ff99a36347d9147690fdd2011e93e9..eac52e1e8ee3d6d3c7853b8d398ea8434fbf0e68 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -170,6 +170,21 @@ in {
       serviceConfig.StateDirectory = "zkapissuer";
       serviceConfig.StateDirectoryMode = "0750";
 
+      # Move the DB from its former (root-owned) location if it exists.
+      # The "--verbose" option for cp and "--changes" for chown mean the
+      # tools will report if they to something, and stay silent if not.
+      # https://www.freedesktop.org/software/systemd/man/systemd.service.html#Command%20lines
+      # > If the executable path is prefixed with "-", an exit code of the
+      # > command normally considered a failure (i.e. non-zero exit status or
+      # > abnormal exit due to signal) is recorded, but has no further effect
+      # > and is considered equivalent to success.
+      # [...]
+      # > If the executable path is prefixed with "+" then the process is executed with full privileges.
+      serviceConfig.ExecStartPre = [
+        "-+${pkgs.coreutils}/bin/cp --update --verbose /var/db/vouchers.sqlite3 /var/lib/zkapissuer/vouchers.sqlite3"
+        "-+${pkgs.coreutils}/bin/chown --changes zkapissuer:zkapissuer /var/lib/zkapissuer/vouchers.sqlite3"
+      ];
+
       script =
         let
           # Compute the right command line arguments to pass to it.  The