From d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96 Mon Sep 17 00:00:00 2001 From: Dmitry Ilvokhin Date: Sun, 4 Jan 2026 15:59:47 +0000 Subject: Wait for /run/xtables.lock for wireguard rules When box is restarted seems like there is a race to take iptables lock file and some units can not start because of that. In the log error looks like this. Can't lock /run/xtables.lock: Resource temporarily unavailable Another app is currently holding the xtables lock. Perhaps you want to use the -w option? Take iptables suggestion and wait for the xtables lock. Downside is if something is not going to release the lock, then we stall forever. --- roles/wgvpn/templates/wgvpn0.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'roles/wgvpn/templates') diff --git a/roles/wgvpn/templates/wgvpn0.conf.j2 b/roles/wgvpn/templates/wgvpn0.conf.j2 index d70832c..090d4b2 100644 --- a/roles/wgvpn/templates/wgvpn0.conf.j2 +++ b/roles/wgvpn/templates/wgvpn0.conf.j2 @@ -3,9 +3,9 @@ PrivateKey = {{ wireguard_private_key }} Address = 10.0.1.1/24 ListenPort = 51821 -PostUp = iptables -A FORWARD -i %i -j ACCEPT -PostUp = iptables -A FORWARD -o %i -j ACCEPT -PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostUp = iptables --wait -A FORWARD -i %i -j ACCEPT +PostUp = iptables --wait -A FORWARD -o %i -j ACCEPT +PostUp = iptables --wait -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT PostDown = iptables -D FORWARD -o %i -j ACCEPT -- cgit v1.2.3-70-g09d2
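Review bot: The two `PostDown` lines visible as context at the end of the hunk still call `iptables -D` without `--wait`, so the same lock contention at shutdown or on a quick restart can presumably make the delete fail and leave the FORWARD ACCEPT rules for the interface in place. I would give them the same option, e.g. `PostDown = iptables --wait -D FORWARD -i %i -j ACCEPT`, and likewise for the `-o %i` line and for any NAT delete below the hunk, which is not visible here. For the indefinite stall the description mentions, iptables accepts a number of seconds after the option, so `--wait 5` would bound the wait. A stuck lock would then show up as a failed command in the unit log instead of a hang; the right value is a judgement call for this host.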