diff --git a/tasks/main.yml b/tasks/main.yml
index b084bd6..dd5ebd0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -71,9 +71,10 @@
 path: "{{ item }}"
 state: directory
 with_items:
- - /etc/systemd/nspawn
- - /etc/systemd/network
 - /etc/systemd/journald.conf.d
+ - /etc/systemd/network
+ - /etc/systemd/nspawn
+ - /etc/systemd/system/machines.target.wants
 - /var/log/journal
 
 - name: Create journald directories
diff --git a/templates/systemd-nspawn@.service.j2 b/templates/systemd-nspawn@.service.j2
index 16fa6b1..b3f9a43 100644
--- a/templates/systemd-nspawn@.service.j2
+++ b/templates/systemd-nspawn@.service.j2
@@ -15,11 +15,12 @@ Before=machines.target
 After=network.target
 After=network-online.target
 After=systemd-networkd.service
+After=systemd-resolved.service
 After=nspawn-macvlan.service
 Wants=network-online.target
 
 [Service]
-ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
+ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
 KillMode=mixed
 Type=notify
 RestartForceExitStatus=133
@@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
 
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
 WantedBy=machines.target
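Review bot: The directory task creates the newly added `/etc/systemd/system/machines.target.wants` (and the other listed paths) without an explicit `mode`, `owner` or `group`, so the resulting permissions depend on the umask of the process running Ansible; systemd reads unit symlinks from that directory, so pinning them is cheap insurance: `mode: "0755"`, `owner: root`, `group: root` alongside `state: directory`. The task header (presumably a `file` module call, with its `name`) begins before this hunk, so check whether those keys are already set there before adding them. Sorting the list alphabetically is fine; `with_items` could become `loop:` if the rest of the role already uses that form, but that is style only.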
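Review bot: The cut-off in the rewritten `ExecStart` line, `> 219`, is worth re-checking rather than just re-parenthesising: `--settings=override` relies on .nspawn settings-file support, which I believe arrived several releases after v219 (around v226 — verify against systemd's NEWS before trusting this line), and if that is right, hosts on the in-between versions would be handed an unknown option and the unit would fail to start. The added parentheses `((nspawn_systemd_version | int) > 219)` are harmless but change nothing, since Jinja2 applies filters before comparison operators, so the old expression already compared the integer. Separately, `After=systemd-resolved.service` is an ordering-only dependency: if the container relies on the host stub resolver it also needs `Wants=systemd-resolved.service`, and if it does not, the new line is inert. Which of the two applies cannot be told from this hunk.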
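Review bot: `DeviceAllow=block-device-mapper rw` grants the service cgroup read/write access to every device-mapper block device on the host — including any host LVM or LUKS volumes — not only the loopback-backed LUKS image the comment describes, and `DeviceAllow=/dev/mapper/control rw` additionally permits creating and removing mappings. Since this is a template, the two directives could be emitted only when a role variable opts in (a new boolean, e.g. `nspawn_allow_device_mapper` — the name is a suggestion) by wrapping them in `{% if nspawn_allow_device_mapper | default(false) %}` / `{% endif %}`, so hosts that never use encrypted images keep the narrower allowlist. The comment should also state the real scope, e.g. `# Note: this exposes all host device-mapper devices to the service, not only the mappings nspawn creates.`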