This solution feels janky (specifically, netplan-runner.service shouldn't be needed),
but it works.
netplan-macaddress-watcher.path
[Path]
PathChanged=/run/systemd/network/
Unit=netplan-macaddress-watcher.service
[Unit]
Before=systemd-networkd.service
#[Install]
#WantedBy=systemd-networkd.service
netplan-macaddress-watcher.service
[Unit]
Description=Rewrites /run/systemd/network PermanentMACAddress to MACAddress
Before=systemd-networkd.service network-pre.target
[Service]
Type=oneshot
User=root
ExecStart=/bin/bash /usr/local/bin/netplan-macaddress-mangler.sh
netplan-runner.service - it runs netplan as late as possible...
[Unit]
Description=Runs netplan right after boot
After=multi-user.target
[Service]
Type=oneshot
User=root
ExecStart=/usr/sbin/netplan apply
[Install]
WantedBy=multi-user.target
netplan-macaddress-mangler.sh - This will need to be renamed if published/packaged.
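#!/bin/bash -x
# netplan-macaddress-mangler.sh
#
# Rewrites "PermanentMACAddress" to "MACAddress" at the start of lines in the
# netplan-generated units under /run/systemd/network, then asks networkd to
# reload if it is currently active.
#
# Run by netplan-macaddress-watcher.service whenever the path unit fires on a
# change to /run/systemd/network/. NOTE: the "-x" in the shebang only takes
# effect when the script is executed directly; the unit invokes it as
# "/bin/bash <script>", which ignores shebang options (use "set -x" here if
# tracing is wanted under systemd).
#
# can we use $TRIGGER_PATH ? https://man.archlinux.org/man/systemd.exec.5.en
# no, we can't, it only tells us the directory, not which file was changed,
# so every matching file is rewritten on each trigger.
#FIXME: can we skip this for initial boot?

# The path unit may fire several times in quick succession; wait so the
# invocations coalesce into a single rewrite pass.
sleep 5

# Expand the two globs to nothing when nothing matches (nullglob) instead of
# leaving the literal pattern in place, which would otherwise be handed to sed
# as a non-existent filename and produce a spurious error.
shopt -s nullglob
units=(
  /run/systemd/network/*netplan*.link
  /run/systemd/network/*netplan*.network
)
shopt -u nullglob

if (( ${#units[@]} > 0 )); then
  /usr/bin/sed -i -e 's/^PermanentMACAddress/MACAddress/' -- "${units[@]}"
fi

# Only reload when networkd is already running; before it has started there
# is nothing to reload.
if systemctl is-active systemd-networkd >/dev/null; then
  networkctl reload
fi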