tinc@ service should notify systemd once it is ready
At the moment a tinc@
unit is ready as soon as it starts from systemd's POV, although the interface and its addresses might not be up yet. This makes dependent units fail to start as well, typically because they can't bind the vpn addresses.
A solution to make tinc units race-free is to notify systemd once the vpn is ready:
In tinc@.service
turn the unit into notify type:
Type=notify
NotifyAccess=all
In the tinc-up
scripts then call systemd-notify --ready
after addresses are up