diff --git a/modules/services.nix b/modules/services.nix
index 54be5bc..e1df8f6 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -231,6 +231,35 @@ in
   # Systemd system services for VMs (run as root for PCI passthrough and sandboxing)
   systemd.services = lib.listToAttrs (
+    # Prep services (create runtime directories for each VM)
+    map (
+      vm:
+      lib.nameValuePair "vmsilo-${vm.name}-prep" {
+        description = "Create runtime directories for VM ${vm.name}";
+        before = [
+          "vmsilo-${vm.name}.socket"
+          "vmsilo-${vm.name}-vm.service"
+        ];
+        requiredBy = [
+          "vmsilo-${vm.name}.socket"
+          "vmsilo-${vm.name}-vm.service"
+        ];
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = pkgs.writeShellScript "vmsilo-prep-${vm.name}" ''
+            ${pkgs.coreutils}/bin/install -d -m 0755 -o ${toString userUid} -g ${toString userGid} \
+              /run/vmsilo/${vm.name} \
+              /run/vmsilo/${vm.name}/gpu \
+              /run/vmsilo/${vm.name}/sound
+            ${pkgs.coreutils}/bin/install -d -m 0755 \
+              /run/vmsilo/${vm.name}/virtiofs
+          '';
+        };
+      }
+    ) (lib.attrValues cfg.nixosVms)
+    ++
     # VM services (run crosvm as root)
     map (
       vm:
@@ -301,6 +330,7 @@ in
         vm:
         lib.nameValuePair "vmsilo-${vm.name}-console-relay" {
           description = "Console relay for VM ${vm.name}";
+          after = [ "vmsilo-${vm.name}-prep.service" ];
           before = [ "vmsilo-${vm.name}-vm.service" ];
           requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
           bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@@ -368,6 +398,7 @@ in
           tag: dirConfig:
           lib.nameValuePair "vmsilo-${vm.name}-virtiofsd-${tag}" {
             description = "virtiofsd ${tag} for VM ${vm.name}";
+            after = [ "vmsilo-${vm.name}-prep.service" ];
             before = [ "vmsilo-${vm.name}-vm.service" ];
             requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
             bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
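Review bot: The prep script chowns the per-VM root `/run/vmsilo/${vm.name}` to `userUid`/`userGid` and then creates the root-owned `virtiofs` directory inside it, so every root-running backend that later resolves a path below `.../virtiofs` (the virtiofsd units in the later hunks appear to) is working underneath a directory the unprivileged VM user can rename entries in or replace. Keeping the per-VM root owned by root and handing over only the subdirectories the user actually needs to write (`gpu`, `sound`) removes that dependency; whether anything running as `userUid` must create entries directly in the root is not visible in this diff and should be confirmed first. Separately, `pkgs.writeShellScript` does not enable `set -e`, so a failure of the first `install` is masked by the second and the oneshot still reports success; the script should open with `set -euo pipefail`. The rewritten `ExecStart` below does both.
```nix
          ExecStart = pkgs.writeShellScript "vmsilo-prep-${vm.name}" ''
            set -euo pipefail
            # Per-VM root and the backend directory stay root-owned so root-side
            # services never traverse a user-writable parent.
            ${pkgs.coreutils}/bin/install -d -m 0755 \
              /run/vmsilo/${vm.name} \
              /run/vmsilo/${vm.name}/virtiofs
            # Only the directories the VM user writes into are handed over.
            ${pkgs.coreutils}/bin/install -d -m 0755 -o ${toString userUid} -g ${toString userGid} \
              /run/vmsilo/${vm.name}/gpu \
              /run/vmsilo/${vm.name}/sound
          '';
```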
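Review bot: `after = [ "vmsilo-${vm.name}-prep.service" ]` on the console relay only orders the two units and does not pull prep in, so a direct `systemctl start` of the relay (or any start path that does not go through the VM service) runs without the runtime directories being guaranteed. In the normal path this is covered indirectly, because the relay and prep are both `requiredBy` the VM service, but the real dependency is one line away from being explicit: add `requires = [ "vmsilo-${vm.name}-prep.service" ];` beside the `after`. The same applies to the virtiofsd hunk that follows and to the sound, wayland-seccontext and gpu hunks on the next line. The `lib.nameValuePair` attribute set these lines belong to continues outside the hunk.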
@@ -402,6 +433,7 @@ in
           lib.optional soundEnabled (
             lib.nameValuePair "vmsilo-${vm.name}-sound" {
               description = "vhost-device-sound for VM ${vm.name}";
+              after = [ "vmsilo-${vm.name}-prep.service" ];
               before = [ "vmsilo-${vm.name}-vm.service" ];
               requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
               bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@@ -477,6 +509,7 @@ in
           lib.optional (vm.gpu != false) (
             lib.nameValuePair "vmsilo-${vm.name}-wayland-seccontext" {
               description = "Wayland security context for VM ${vm.name}";
+              after = [ "vmsilo-${vm.name}-prep.service" ];
               before = [ "vmsilo-${vm.name}-gpu.service" ];
               requiredBy = [ "vmsilo-${vm.name}-gpu.service" ];
               bindsTo = [ "vmsilo-${vm.name}-vm.service" ];
@@ -528,7 +561,10 @@ in
           lib.optional (gpuConfig != null) (
             lib.nameValuePair "vmsilo-${vm.name}-gpu" {
               description = "GPU device backend for VM ${vm.name}";
-              after = [ "vmsilo-${vm.name}-wayland-seccontext.service" ];
+              after = [
+                "vmsilo-${vm.name}-prep.service"
+                "vmsilo-${vm.name}-wayland-seccontext.service"
+              ];
               before = [ "vmsilo-${vm.name}-vm.service" ];
               requiredBy = [ "vmsilo-${vm.name}-vm.service" ];
               bindsTo = [ "vmsilo-${vm.name}-vm.service" ];