From 3835fe882fe931afdb6990ed4ed86b7a56828683 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 17 Aug 2025 19:36:52 -0400 Subject: [PATCH] Fix dnscrypt-proxy service startup with masked socket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Problem: dnscrypt-proxy.service has a dependency on dnscrypt-proxy.socket through the TriggeredBy directive. When we mask the socket before starting the service, systemd fails with "Unit dnscrypt-proxy.socket is masked." Solution: 1. Override the service to remove socket dependency (TriggeredBy=) 2. Reload systemd daemon immediately after override changes 3. Start the service (which now doesn't require the socket) 4. Only then disable and mask the socket This ensures dnscrypt-proxy can bind directly to the configured IPs without socket activation, while preventing the socket from being re-enabled by package updates. Changes: - Added TriggeredBy= override to remove socket dependency - Added explicit daemon reload after service overrides - Moved socket masking to after service start in main.yml - Fixed YAML formatting issues Testing: Deployment now succeeds with dnscrypt-proxy binding to VPN IPs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
---
 roles/dns/tasks/main.yml | 9 +++++++++
 roles/dns/tasks/ubuntu.yml | 25 ++++++++++++-------------
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 724db679..0a361856 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -31,3 +31,12 @@
 name: dnscrypt-proxy
 state: started
 enabled: true
+
+- name: Ubuntu | Disable dnscrypt-proxy socket activation after service start
+ systemd:
+ name: dnscrypt-proxy.socket
+ state: stopped
+ enabled: false
+ masked: true
+ failed_when: false
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
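Review bot: `failed_when: false` on the new socket-masking task suppresses every failure, including a failed `masked: true`, so a host can finish the play with dnscrypt-proxy.socket still enabled and free to be re-enabled by a package update — the outcome the description says this task exists to prevent. The unit is known to exist on the targeted Debian/Ubuntu hosts (the "is masked" error this commit fixes comes from it), so the blanket suppression is not needed: drop the line, or register the result and fail unless the only error is that the unit is absent. If tolerating images without the socket unit is the real intent, state it above the task, `# failed_when: false — tolerate images that ship no dnscrypt-proxy.socket`. As a style point, the condition reads more simply as `when: ansible_distribution in ['Debian', 'Ubuntu']`.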
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index 072f8bb6..6f3d8781 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -58,11 +58,17 @@
 [Unit]
 After=systemd-resolved.service
 Requires=systemd-resolved.service
+ # Remove socket dependency to allow direct binding
+ TriggeredBy=
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
- notify:
- - restart dnscrypt-proxy
+ register: dnscrypt_override
+
+- name: Ubuntu | Reload systemd daemon if override changed
+ systemd:
+ daemon_reload: true
+ when: dnscrypt_override.changed
 - name: Ubuntu | Apply systemd security hardening for dnscrypt-proxy
 copy:
@@ -95,16 +101,9 @@
 owner: root
 group: root
 mode: '0644'
- notify:
- - daemon-reload
- - restart dnscrypt-proxy
+ register: dnscrypt_hardening
-- name: Ubuntu | Disable dnscrypt-proxy socket activation
+- name: Ubuntu | Reload systemd daemon if hardening changed
 systemd:
- name: dnscrypt-proxy.socket
- state: stopped
- enabled: false
- masked: true
- failed_when: false
- notify:
- - restart dnscrypt-proxy
+ daemon_reload: true
+ when: dnscrypt_hardening.changed
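Review bot: Replacing `notify: restart dnscrypt-proxy` with `register: dnscrypt_override` plus a daemon reload means a changed override no longer restarts the running service, and the later `state: started` task in main.yml is a no-op on an already-running unit, so on an existing deployment the new [Unit] override and, in the second hunk of this file, a changed security-hardening drop-in only take effect at the next reboot or manual restart. Keep the handler on both copy tasks alongside the explicit reload, `notify:` / `  - restart dnscrypt-proxy`, so a changed hardening profile is actually applied rather than silently deferred. Separately, `TriggeredBy=` is, as far as I can tell, a runtime property reported by `systemctl show` rather than a settable [Unit] directive, so systemd would log an unknown-key warning and ignore it; the fix appears to work because the socket is now masked after the service has started, and the comment `# Remove socket dependency to allow direct binding` should say that rather than credit this line. Verifying with `systemctl show dnscrypt-proxy.service -p TriggeredBy` after a deployment would settle it. The copy task that writes this override starts before the hunk.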