Fix dnscrypt-proxy service startup with masked socket

Problem: dnscrypt-proxy.service has a dependency on dnscrypt-proxy.socket through the TriggeredBy directive. When we mask the socket before starting the service, systemd fails with "Unit dnscrypt-proxy.socket is masked." Solution: 1. Override the service to remove socket dependency (TriggeredBy=) 2. Reload systemd daemon immediately after override changes 3. Start the service (which now doesn't require the socket) 4. Only then disable and mask the socket This ensures dnscrypt-proxy can bind directly to the configured IPs without socket activation, while preventing the socket from being re-enabled by package updates. Changes: - Added TriggeredBy= override to remove socket dependency - Added explicit daemon reload after service overrides - Moved socket masking to after service start in main.yml - Fixed YAML formatting issues Testing: Deployment now succeeds with dnscrypt-proxy binding to VPN IPs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-17 19:36:52 -04:00 · 2025-08-17 19:36:52 -04:00 · 3835fe882f
commit 3835fe882f
parent dbe8f23cdd
2 changed files with 21 additions and 13 deletions
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -31,3 +31,12 @@
    name: dnscrypt-proxy
    state: started
    enabled: true
+
+- name: Ubuntu | Disable dnscrypt-proxy socket activation after service start
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: stopped
+    enabled: false
+    masked: true
+  failed_when: false
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@ -58,11 +58,17 @@
      [Unit]
      After=systemd-resolved.service
      Requires=systemd-resolved.service
+      # Remove socket dependency to allow direct binding
+      TriggeredBy=

      [Service]
      AmbientCapabilities=CAP_NET_BIND_SERVICE
-  notify:
-    - restart dnscrypt-proxy
+  register: dnscrypt_override
+
+- name: Ubuntu | Reload systemd daemon if override changed
+  systemd:
+    daemon_reload: true
+  when: dnscrypt_override.changed

 - name: Ubuntu | Apply systemd security hardening for dnscrypt-proxy
  copy:
@ -95,16 +101,9 @@
    owner: root
    group: root
    mode: '0644'
-  notify:
-    - daemon-reload
-    - restart dnscrypt-proxy
+  register: dnscrypt_hardening

- name: Ubuntu | Disable dnscrypt-proxy socket activation
+- name: Ubuntu | Reload systemd daemon if hardening changed
  systemd:
-    name: dnscrypt-proxy.socket
-    state: stopped
-    enabled: false
-    masked: true
-  failed_when: false
-  notify:
-    - restart dnscrypt-proxy
+    daemon_reload: true
+  when: dnscrypt_hardening.changed