linux – Why does this systemd service not run at the right time (loading encryption keys from a network drive which are required for lxc containers)?

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/ script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error “no route to host”) but lxc.service requires the keys to be loaded.

Sounds trivial, but isn’t. I created this file /etc/systemd/system/zfs-load-keyfile@.service:

Description=Load %I encryption keys from network host
Before=zfs-mount.service lxc.service

ExecStart=/etc/zfs/ %I

WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable zfs-load-keyfile@tank-dataset1.service
systemctl enable zfs-load-keyfile@tank-dataset2.service

For for some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?