could even work without tmpfiles, by having a service that triggers on the non-existence of something in /var, then call the script to create the missing entries.
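One way to wire up what this comment describes, as an added example that is not part of the original comment: a oneshot unit gated on a missing path in /var (shown in the header comment), and the script it calls. The unit name, script path, marker file and entry list are all hypothetical.

```shell
#!/bin/sh
# Added example; unit name, script path, marker and entry list are hypothetical.
#
# /etc/systemd/system/var-populate.service:
#   [Unit]
#   RequiresMountsFor=/var
#   # "!" negates the test: the unit runs only while the marker is absent.
#   ConditionPathExists=!/var/lib/example/.populated
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/libexec/var-populate /var
#   [Install]
#   WantedBy=multi-user.target

# Constructed sample list: "<mode> <path relative to root>".
ENTRIES='0755 lib/example
0700 lib/example/private
0755 cache/example'

# Create each missing directory under $1 with an explicit mode; entries that
# already exist are left untouched. Prints the number of directories created.
create_missing_entries() {
    root=$1
    created=0
    while read -r mode rel; do
        [ -n "$rel" ] || continue
        path="$root/$rel"
        # Refuse to follow a symlink planted where a directory is expected.
        if [ -L "$path" ]; then
            echo "refusing symlink: $path" >&2
            return 1
        fi
        if [ ! -d "$path" ]; then
            mkdir -p -m "$mode" "$path" || return 1
            created=$((created + 1))
        fi
    done <<EOF
$ENTRIES
EOF
    # Write the marker last so an interrupted run is retried on the next boot.
    : > "$root/lib/example/.populated"
    echo "$created"
}

# Run only when given a root directory, as the ExecStart= line above does.
if [ "$#" -gt 0 ]; then create_missing_entries "$1"; fi
```

When the marker exists, systemd skips the unit rather than marking it failed, so the script costs nothing on a normal boot.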