services/nscd: use tmpfiles for proper lifetime guarantees

nixos/profiles/services/nscd/default.nix

@@ -1,4 +1,9 @@
-{ lib, mylib, ... }:
+{
+  config,
+  lib,
+  mylib,
+  ...
+}:
 {
   services.nscd = {
     enable = true;
@@ -6,7 +11,15 @@
   };
 
   systemd.services.nscd.serviceConfig = mylib.misc.serviceHardened // {
-    RuntimeDirectoryPreserve = true;
+    RuntimeDirectory = lib.mkForce "";
     ProtectHome = lib.mkForce true;
   };
+
+  systemd.tmpfiles.settings."20-nscd" = {
+    "/run/nscd".d = {
+      mode = "0755";
+      user = config.services.nscd.user;
+      group = config.services.nscd.group;
+    };
+  };
 }