diff --git a/modules/consul.nix b/modules/consul.nix
index fd9efe6b..34390408 100644
--- a/modules/consul.nix
+++ b/modules/consul.nix
@@ -417,6 +417,33 @@ in {
 path = with pkgs; [ envoy ];
+ postStart = ''
+ set -exuo pipefail
+ PATH="${makeBinPath [ pkgs.jq cfg.package pkgs.coreutils ]}"
+ set +x
+
+ # During bootstrap the vault generated token are not yet available
+ if [ -s /run/keys/consul-default-token ]
+ then
+ CONSUL_HTTP_TOKEN="$(< /run/keys/consul-default-token)"
+ export CONSUL_HTTP_TOKEN
+ # Therefore, on core nodes, use the sops out-of-band bootstrapped master token
+ elif [ -s /etc/consul.d/secrets.json ]
+ then
+ # as of writing: core nodes are observed to posess the master token
+ # while clients do not
+ jq -e .acl.tokens.master /etc/consul.d/secrets.json || exit 5
+ CONSUL_HTTP_TOKEN="$(jq -e -r .acl.tokens.master /etc/consul.d/secrets.json)"
+ export CONSUL_HTTP_TOKEN
+ else
+ # Unknown state, should never reach this.
+ exit 6
+ fi
+
+ set -x
+ while ! consul info &>/dev/null; do sleep 3; done
+ '';
+
 serviceConfig = let
 preScript = let
 start-pre = pkgs.writeShellScriptBin "consul-start-pre" ''
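Review bot: The existence check `jq -e .acl.tokens.master /etc/consul.d/secrets.json || exit 5` in the new postStart writes the master token itself to stdout, and stdout of an ExecStartPost script ends up in the journal; redirect it, `jq -e .acl.tokens.master /etc/consul.d/secrets.json >/dev/null || exit 5`, or drop the separate check, since under `set -e` the script already aborts when the `$(jq -e -r …)` substitution in the following assignment fails. The ExecStartPost entry removed in the second hunk was registered with the `!` prefix (run with full privileges), whereas the NixOS `postStart` option generates its ExecStartPost without it; with `DynamicUser = true` in the third hunk the script presumably now runs as the dynamic user, so it should be confirmed that `/run/keys/consul-default-token` and `/etc/consul.d/secrets.json` are readable by that user — otherwise the script falls through to `exit 6` and the unit fails to start. The preScript kept on the `!` path in this hunk suggests that difference was deliberate there; a one-line comment above `postStart` stating which user it is expected to run as would make the intent explicit. The enclosing attribute set continues outside the hunk.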
@@ -427,35 +454,6 @@ in {
 '';
 in "!${start-pre}/bin/consul-start-pre";
- postScript = let
- start-post = pkgs.writeShellScriptBin "consul-start-post" ''
- set -exuo pipefail
- PATH="${makeBinPath [ pkgs.jq cfg.package pkgs.coreutils ]}"
- set +x
-
- # During bootstrap the vault generated token are not yet available
- if [ -s /run/keys/consul-default-token ]
- then
- CONSUL_HTTP_TOKEN="$(< /run/keys/consul-default-token)"
- export CONSUL_HTTP_TOKEN
- # Therefore, on core nodes, use the sops out-of-band bootstrapped master token
- elif [ -s /etc/consul.d/secrets.json ]
- then
- # as of writing: core nodes are observed to posess the master token
- # while clients do not
- jq -e .acl.tokens.master /etc/consul.d/secrets.json || exit 5
- CONSUL_HTTP_TOKEN="$(jq -e -r .acl.tokens.master /etc/consul.d/secrets.json)"
- export CONSUL_HTTP_TOKEN
- else
- # Unknown state, should never reach this.
- exit 6
- fi
-
- set -x
- while ! consul info &>/dev/null; do sleep 3; done
- '';
- in "!${start-post}/bin/consul-start-post";
-
 reloadScript = let
 reload = pkgs.writeShellScriptBin "consul-reload" ''
 set -exuo pipefail
@@ -492,7 +490,6 @@ in {
 ExecReload = reloadScript;
 ExecStart = "@${cfg.package}/bin/consul consul agent -config-dir /etc/${cfg.configDir}";
- ExecStartPost = postScript;
 Restart = "on-failure";
 RestartSec = "10s";
 DynamicUser = true;