From 0524908ba7c151b697966f0570f9fa98fac08cb2 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sun, 17 Aug 2025 19:54:20 -0400
Subject: [PATCH] Fix dnscrypt-proxy by not masking the socket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem: Masking dnscrypt-proxy.socket prevents the service from starting because the service has Requires=dnscrypt-proxy.socket dependency.

Solution: Simply stop and disable the socket without masking it. This prevents socket activation while allowing the service to start and bind directly to the configured IPs.

Changes:
- Removed socket masking (just disable it)
- Moved socket disabling before service start
- Removed invalid systemd directives from override

Testing: Confirmed dnscrypt-proxy now listens on VPN service IPs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 roles/dns/tasks/main.yml | 17 ++++++++---------
 roles/dns/tasks/ubuntu.yml | 2 --
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 0a361856..46ec7bac 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -26,17 +26,16 @@
 - meta: flush_handlers
+- name: Ubuntu | Stop and disable dnscrypt-proxy socket before starting service
+ systemd:
+ name: dnscrypt-proxy.socket
+ state: stopped
+ enabled: false
+ failed_when: false
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
 - name: dnscrypt-proxy enabled and started
 service:
 name: dnscrypt-proxy
 state: started
 enabled: true
-
-- name: Ubuntu | Disable dnscrypt-proxy socket activation after service start
- systemd:
- name: dnscrypt-proxy.socket
- state: stopped
- enabled: false
- masked: true
- failed_when: false
- when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index 6f3d8781..a3068f22 100644
--- a/roles/dns/tasks/ubuntu.yml
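Review bot: `failed_when: false` on the new socket task in roles/dns/tasks/main.yml hides every error from the `systemd` module, so a socket that could not be stopped or disabled still lets the play go on to start `dnscrypt-proxy` and report success. This task now runs before the service start and is what the fix relies on for the resolver to bind the VPN service IPs, so I would register the result and tolerate only the missing-unit case, for example `register: dnscrypt_socket` with `failed_when: dnscrypt_socket is failed and 'Could not find' not in (dnscrypt_socket.msg | default(''))`. The description says the service keeps `Requires=dnscrypt-proxy.socket`, so starting the service may pull the socket unit back in even though it is disabled. A follow-up task that checks the listening addresses after the service start would confirm the outcome on every run rather than relying on the one manual test, and would catch a resolver that is not reachable by VPN clients.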
+++ b/roles/dns/tasks/ubuntu.yml
@@ -58,8 +58,6 @@
 [Unit]
 After=systemd-resolved.service
 Requires=systemd-resolved.service
- # Remove socket dependency to allow direct binding
- TriggeredBy=
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE