linux – Why does this systemd service not run at the right time (loading encryption keys from a network drive which are required for lxc containers)?

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error “no route to host”) but lxc.service requires the keys to be loaded.

Sounds trivial, but isn’t. I created this file /etc/systemd/system/zfs-load-keyfile@.service:

[Unit]
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

[Install]
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable zfs-load-keyfile@tank-dataset1.service
systemctl enable zfs-load-keyfile@tank-dataset2.service

For some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?
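One check that applies to a unit like the one above is whether its Before=/After= lines close an ordering cycle with units already on the system, because systemd breaks such a cycle by dropping one of the jobs in it. The sketch below is an added example, not part of the original post: `ordering_edges` and `find_cycle` are hypothetical helper names, and the ordering lines given for zfs-mount.service, networking.service and network-online.target are constructed sample values, not read from the poster's machine.

```python
# Added example: look for an ordering cycle among systemd units using only
# their Before=/After= lines. Only the first entry comes from the question.
import re

UNITS = {
    # Ordering lines of the unit in the question (instance tank-dataset1).
    "zfs-load-keyfile@tank-dataset1.service":
        "Before=zfs-mount.service lxc.service\n"
        "After=zfs-import.target network-online.target\n",
    # Constructed sample ordering for surrounding units (assumption).
    "zfs-mount.service": "Before=local-fs.target\n",
    "networking.service": "After=local-fs.target\nBefore=network.target\n",
    "network-online.target": "After=network.target\n",
}

def ordering_edges(units):
    """Return {unit: set of units that are ordered after it}."""
    graph = {}
    for name, text in units.items():
        graph.setdefault(name, set())
        for key, value in re.findall(r"^(Before|After)=(.*)$", text, re.M):
            for other in value.split():
                first, second = (name, other) if key == "Before" else (other, name)
                graph.setdefault(first, set()).add(second)
                graph.setdefault(second, set())
    return graph

def find_cycle(graph):
    """Depth-first search; return one cycle as a list of units, or None."""
    state = {}  # unit -> "open" while on the current path, "done" afterwards
    def visit(node, path):
        state[node] = "open"
        for nxt in sorted(graph[node]):
            if state.get(nxt) == "open":
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt, path + [nxt])
                if found:
                    return found
        state[node] = "done"
        return None
    for start in sorted(graph):
        if start not in state:
            found = visit(start, [start])
            if found:
                return found
    return None

if __name__ == "__main__":
    print(" -> ".join(find_cycle(ordering_edges(UNITS)) or ["no cycle"]))
```

To run it against a real machine, replace the constructed entries in `UNITS` with the Before=/After= lines that `systemctl cat` prints for each unit.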