
How should I deal with cyclic dependencies caused by a systemd dynamic user not existing before the service starts?

0 votes
1 answer
255 views
I would like for dnscrypt-proxy to run as a [dynamic user](http://0pointer.net/blog/dynamic-users-with-systemd.html) instead of as root. But I would also like to use a firewall rule in nftables where I specify the user dnscrypt-proxy, to allow it to connect to the upstream DNS provider.

Now the problem is that nftables wants to run before the network is up, which is good and needed, but it complains that the dnscrypt-proxy user doesn't exist. The dnscrypt-proxy service only runs after the network is up, and thus the user only gets created after the network is up.

What would be the standard/best way to deal with it?

- Should I try to specify a fixed user for the dnscrypt-proxy instead of a dynamic one and set the other security options mentioned [here](http://0pointer.net/blog/dynamic-users-with-systemd.html) manually?
- Should I detect the service by some other means than its user name in nftables?
- Could I just manually create the dnscrypt-proxy user on my system and will systemd just use it without deleting it because it already existed?
- Should I create a service that runs before nftables on every boot and creates that user, which would then be deleted by systemd when the dnscrypt service stops?

What would happen if the firewall is already running and the dnscrypt service is stopped? Would the firewall crash or get into some kind of trouble because a user ID mentioned in its ruleset no longer exists?
Asked by user13666
Jan 16, 2018, 01:39 PM
Last activity: Jan 16, 2018, 02:37 PM