diff --git a/hosts/ward/microvms/influxdb.nix b/hosts/ward/microvms/influxdb.nix
index d44dd5c..d347330 100644
--- a/hosts/ward/microvms/influxdb.nix
+++ b/hosts/ward/microvms/influxdb.nix
@@ -100,8 +100,6 @@ in {
 
   environment.systemPackages = [pkgs.influxdb2-cli];
 
-  systemd.services.influxdb2 = {
-    after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
-    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
-  };
+  # Do NOT configure RestartSec here, this must be left short to allow token manipulation
+  systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
diff --git a/modules/meta/influxdb.nix b/modules/meta/influxdb.nix
index 34f8492..47fe26c 100644
--- a/modules/meta/influxdb.nix
+++ b/modules/meta/influxdb.nix
@@ -858,7 +858,7 @@ in {
         + ''
           if [[ $any_tokens_created == 1 ]]; then
             echo "Created new tokens, forcing service restart so we can manipulate secrets"
-            kill "$MAINPID"
+            exit 75 # TEMPFAIL
           fi
         '';
     };