dhcpcd: fix race between namespace setup and resolvconf

systemd requires paths in `ReadWritePaths=` to exist before setting up
the service sandbox and there is apparently no way to control this with
the usual `After=`, `Wants=` etc.
Instead, we have to mark all the paths as optional, even if they're not,
then manually check if they exist, fail if they don't and wait for the
service to be restarted.

nixos/modules/services/networking/dhcpcd.nix

@@ -210,7 +210,8 @@ in
       { description = "DHCP Client";
 
         wantedBy = [ "multi-user.target" ] ++ lib.optional (!hasDefaultGatewaySet) "network-online.target";
-        wants = [ "network.target" ];
+        wants = [ "network.target" ] ++ lib.optional useResolvConf "resolvconf.service";
+        after = lib.optional useResolvConf "resolvconf.service";
         before = [ "network-online.target" ];
 
         restartTriggers = [ cfg.runHook ];
@@ -242,14 +243,20 @@ in
                 rmdir /var/db/dhcpcd || true
                 echo done
               fi
+              ${lib.optionalString useResolvConf ''
+                # wait for resolvconf files, which must exists before setting up the sandbox
+                if ! test -f /etc/resolv.conf; then
+                  exit 1
+                fi
+              ''}
             ''}";
 
             ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --quiet ${lib.optionalString cfg.persistent "--persistent"} --config ${dhcpcdConf}";
             ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
             Restart = "always";
             AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
             ReadWritePaths = [ "/proc/sys/net/ipv6" ]
-              ++ lib.optionals useResolvConf [ "/etc/resolv.conf" "/run/resolvconf" ];
+              ++ lib.optionals useResolvConf [ "-/etc/resolv.conf" "-/run/resolvconf" ];
             DeviceAllow = "";
             LockPersonality = true;
             MemoryDenyWriteExecute = true;