From 8b85956f7cd9bcbbb84560fd3bd6ae3a4a34b11e Mon Sep 17 00:00:00 2001
From: ediblerope <fredrik@nordhammer.it>
Date: Sun, 5 Apr 2026 23:17:35 +0100
Subject: [PATCH] Fix CrowdSec race: order crowdsec after tmpfiles-resetup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/crowdsec.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index be432d7..1feb160 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -31,6 +31,9 @@
       "L+ /etc/crowdsec/config.yaml - - - - ${(pkgs.formats.yaml { }).generate "crowdsec.yaml" config.services.crowdsec.settings.general}"
     ];
 
+    # Ensure /var/lib/crowdsec exists before crowdsec starts (race with tmpfiles-resetup)
+    systemd.services.crowdsec.after = [ "systemd-tmpfiles-resetup.service" ];
+
     # Firewall bouncer — auto-registers to local CrowdSec LAPI
     services.crowdsec-firewall-bouncer = {
       enable = true;