You need to set them up when switching to the configuration.
I just add a service similar to this when I have to do something like this. As you can see I also generate a keyfile and populate it with random data.
systemd.services.roundcube-install = {
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];
script = ''
mkdir -p /var/lib/roundcube/temp /var/lib/roundcube/logs
chown -Rc roundcube:root /var/lib/roundcube
chmod -c 700 /var/lib/roundcube
if [ ! -s "/var/lib/roundcube/des_key" ]; then
${pkgs.coreutils}/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null | ${pkgs.coreutils}/bin/base64 > "/var/lib/roundcube/des_key"
chown -c roundcube:root "/var/lib/roundcube/des_key"
chmod -c 400 "/var/lib/roundcube/des_key"
fi
if [ -s "/var/lib/roundcube/roundcube.sqlite" ]; then
# Just go ahead and remove the sessions on a boot
${pkgs.sqlite}/bin/sqlite3 "/var/lib/roundcube/roundcube.sqlite" "DELETE FROM session;"
fi
'';
};