fix(netbird): add systemd ordering to start after Docker

When Docker is installed in the same LXC, Docker sets the FORWARD chain
policy to DROP on startup. If Netbird starts before Docker finishes
initializing its iptables rules, Docker overrides the Netbird routing
rules, causing traffic routing to fail despite the tunnel being up.

Add a systemd drop-in override that ensures netbird.service starts after
docker.service (only if Docker is installed). This prevents the race
condition and ensures correct iptables ordering after reboot.

Closes #11354

tools/addon/add-netbird-lxc.sh

@@ -84,6 +84,15 @@ curl -fsSL "https://pkgs.netbird.io/debian/public.key" | gpg --dearmor >/usr/sha
 echo "deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main" >/etc/apt/sources.list.d/netbird.list
 apt-get update &>/dev/null
 apt-get install -y netbird-ui &>/dev/null
+if systemctl list-unit-files docker.service &>/dev/null; then
+  mkdir -p /etc/systemd/system/netbird.service.d
+  cat <<OVERRIDE >/etc/systemd/system/netbird.service.d/after-docker.conf
+[Unit]
+After=docker.service
+Wants=docker.service
+OVERRIDE
+  systemctl daemon-reload
+fi
 '
 msg "\e[1;32m ✔ Installed NetBird.\e[0m"
 sleep 2