diff --git a/tasks/main.yml b/tasks/main.yml
index 9063534..6fb4516 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -282,6 +282,7 @@
 src: "/var/run/systemd/resolve/resolv.conf"
 dest: "/var/lib/machines/{{ inventory_hostname }}/etc/resolv.conf"
 force: true
+ follow: false
 state: link
 delegate_to: "{{ physical_host }}"
 when:
@@ -322,7 +323,7 @@
 daemon_reload: yes
 name: "systemd-nspawn@{{ systemd_escape.stdout }}"
 state: "{{ ((machinectl_container_clone is changed or container_config_new is changed or container_config_old is changed) | default(false)) | ternary('restarted', 'started') }}"
- enabled: "{{ (nspawn_systemd_version | int > 219) | ternary('true', 'false') }}"
+ enabled: true
 register: machinectl_start
 retries: 5
 delay: 2
diff --git a/templates/container_config_old.nspawn.j2 b/templates/container_config_old.nspawn.j2
index c31a605..24ccb8b 100644
--- a/templates/container_config_old.nspawn.j2
+++ b/templates/container_config_old.nspawn.j2
@@ -45,6 +45,11 @@ Documentation=man:systemd-nspawn(1)
 PartOf=machines.target
 Before=machines.target
 After=network.target
+After=network-online.target
+After=systemd-networkd.service
+After=systemd-resolved.service
+After=nspawn-macvlan.service
+Wants=network-online.target
 [Service]
 ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --machine={{ systemd_escape.stdout }} {{ cli_switches | unique | join(' ') }}
@@ -54,7 +59,7 @@ RestartForceExitStatus=133
 SuccessExitStatus=133
 Slice=machine.slice
 Delegate=yes
-TasksMax=8192
+TasksMax=16384
 # Enforce a strict device policy, similar to the one nspawn configures
 # when it allocates its own scope unit. Make sure to keep these
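Review bot: The new `follow: false` carries no comment saying why it is there, and the reason is security-relevant: `dest` is a path inside the container rootfs under /var/lib/machines/{{ inventory_hostname }}, so if an existing symlink sat at that path and the host-side task dereferenced it, the link would be managed at whatever location the container's filesystem pointed to rather than at this exact path. A one-line comment above it such as `# never dereference an existing link inside the container rootfs; act on this exact path only` records that intent so a later cleanup does not drop the key as redundant. The task's module line and the remainder of its `when:` list are outside the hunk.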
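Review bot: `enabled: true` is written as a YAML boolean while the neighbouring context line keeps `daemon_reload: yes`, so the task now mixes boolean spellings; changing that line to `daemon_reload: true` keeps the task uniform and avoids the truthy-value difference between YAML 1.1 and 1.2 parsers. The removed line was also the only record of why enabling was gated on `nspawn_systemd_version` > 219; if that gate is deliberately dropped, a short comment above `enabled: true` stating that the role no longer supports systemd 219 and older would stop the question from resurfacing. The enclosing task starts above the hunk.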
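Review bot: `After=nspawn-macvlan.service` only orders this unit relative to that service; without a matching `Wants=` or `Requires=`, nothing in this unit pulls it in, so if the container's interfaces depend on it the ordering is a no-op whenever that service is not started by something else. If the dependency is real, pair it as `Wants=nspawn-macvlan.service` (or `Requires=`/`BindsTo=` when the container must not run without it); if it is only opportunistic ordering, a comment saying so would make that explicit. The `network-online.target` ordering is correctly paired with the `Wants=` on the last added line, and ordering after `systemd-resolved.service` is consistent with the resolv.conf link into /var/run/systemd/resolve that the role's task file creates. The [Unit] section header is above the hunk.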
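Review bot: `TasksMax=16384` doubles the per-container process/thread ceiling without a comment explaining the new value, and this limit is the unit's guard against a runaway workload or fork storm inside the container exhausting the host's pid space. A template variable with a documented default, e.g. `TasksMax={{ TASKS_MAX_VARIABLE_PLACEHOLDER | default(16384) }}`, would let operators keep the tighter bound where it was sufficient and raise it only where needed, and a one-line comment above the line naming the workload that required the increase would justify the default. Whether the role already exposes such a variable is not visible in this diff.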
@@ -76,5 +81,10 @@ DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
-WantedBy=multi-user.target
+WantedBy=machines.target
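Review bot: The two new `DeviceAllow=` lines widen the device policy for every container rendered from this template, not only those that use LUKS encrypted loopback files, so rw access to `/dev/mapper/control` and the `device-mapper` block group is granted unconditionally; with `--keep-unit` on the ExecStart line in the earlier hunk, the container's processes presumably run under this unit's cgroup and therefore inherit that allowance. Wrapping the two lines in a template conditional keyed on the setting that enables encrypted loopback storage (whatever variable the role uses for that, not visible here) would preserve the strict policy the comment above this block describes for containers that do not need device-mapper. The `WantedBy=machines.target` change is consistent with the `PartOf=machines.target` line in the first template hunk.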