From 767d615788bdc56bc3106f64fcae1544530930b4 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sun, 17 Aug 2025 20:28:26 -0400
Subject: [PATCH] Use systemd socket activation properly for dnscrypt-proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of fighting systemd socket activation, configure it to listen on the correct VPN service IPs. This is more systemd-native and reliable.

Changes:
- Create socket override to listen on VPN IPs instead of localhost
- Clear default listeners and add VPN service IPs
- Use empty listen_addresses in dnscrypt-proxy.toml for socket activation
- Keep socket enabled and let systemd manage the activation
- Add handler for restarting socket when config changes

Benefits:
- Works WITH systemd instead of against it
- Survives package updates better
- No dependency conflicts
- More reliable service management

This approach is cleaner than disabling socket activation entirely and ensures dnscrypt-proxy is accessible to VPN clients on the correct IPs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 roles/dns/handlers/main.yml | 9 ++++++-
 roles/dns/tasks/main.yml | 7 +++--
 roles/dns/tasks/ubuntu.yml | 31 ++++++++++++++++++++++
 roles/dns/templates/dnscrypt-proxy.toml.j2 | 6 +++++
 4 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
index 28cd0c3b..376c1ce1 100644
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@@ -3,9 +3,16 @@
   systemd:
     daemon_reload: true
 
+- name: restart dnscrypt-proxy.socket
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: restarted
+    daemon_reload: true
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
 - name: restart dnscrypt-proxy
   systemd:
     name: dnscrypt-proxy
     state: restarted
     daemon_reload: true
-  when: ansible_distribution == 'Ubuntu'
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
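Review bot: The socket-activation condition `ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` is now spelled out in four places that must stay in lockstep — both handlers here, the task in roles/dns/tasks/main.yml and the `{% if %}` in dnscrypt-proxy.toml.j2 — and if they drift a host can render `listen_addresses = []` without the socket override, leaving a resolver that listens nowhere and VPN clients without DNS. A single role variable, e.g. `dnscrypt_socket_activation: "{{ ansible_distribution in ['Ubuntu', 'Debian'] }}"`, used as `when: dnscrypt_socket_activation` in the handlers and tasks and as the template condition, removes that risk. Separately, the new `restart dnscrypt-proxy.socket` handler runs before `restart dnscrypt-proxy` while the service is still active; systemd refuses to start a socket whose service is running unless the service unit's dependency on the socket propagates the stop, and that unit file is not visible here, so it is worth confirming on a host that the handler chain succeeds after a drop-in change rather than relying on the second restart to mask a failed first one.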
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 46ec7bac..0937d896 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -26,12 +26,11 @@
 
 - meta: flush_handlers
 
-- name: Ubuntu | Stop and disable dnscrypt-proxy socket before starting service
+- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled
   systemd:
     name: dnscrypt-proxy.socket
-    state: stopped
-    enabled: false
-  failed_when: false
+    enabled: true
+    state: started
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
 - name: dnscrypt-proxy enabled and started
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index a3068f22..c1bc239c 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -50,6 +50,37 @@
     owner: root
     group: root
 
+- name: Ubuntu | Ensure socket override directory exists
+  file:
+    path: /etc/systemd/system/dnscrypt-proxy.socket.d/
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: Ubuntu | Configure dnscrypt-proxy socket to listen on VPN IPs
+  copy:
+    dest: /etc/systemd/system/dnscrypt-proxy.socket.d/10-algo-override.conf
+    content: |
+      [Socket]
+      # Clear default listeners
+      ListenStream=
+      ListenDatagram=
+      # Add VPN service IPs
+      ListenStream={{ local_service_ip }}:53
+      ListenDatagram={{ local_service_ip }}:53
+      {% if ipv6_support %}
+      ListenStream=[{{ local_service_ipv6 }}]:53
+      ListenDatagram=[{{ local_service_ipv6 }}]:53
+      {% endif %}
+      NoDelay=true
+      DeferAcceptSec=1
+    mode: '0644'
+  notify:
+    - daemon-reload
+    - restart dnscrypt-proxy.socket
+    - restart dnscrypt-proxy
+
 - name: Ubuntu | Add custom requirements to successfully start the unit
   copy:
     dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
diff --git a/roles/dns/templates/dnscrypt-proxy.toml.j2 b/roles/dns/templates/dnscrypt-proxy.toml.j2
index 0a07dfcc..161b766c 100644
--- a/roles/dns/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns/templates/dnscrypt-proxy.toml.j2
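Review bot: The socket drop-in in `10-algo-override.conf` binds `ListenStream=`/`ListenDatagram=` to `{{ local_service_ip }}:53` (and the IPv6 address) but sets no `FreeBind=` and carries no `[Unit]` ordering, so at boot the bind fails if that address is not yet configured on the interface, the socket unit lands in failed state, and VPN clients have no DNS until someone restarts it by hand; the service drop-in named in the context lines (`99-algo.conf`, "custom requirements to successfully start the unit") presumably carries such ordering, but a socket unit does not inherit its service's drop-ins. Adding `FreeBind=true` under `[Socket]` lets the kernel bind the address before it exists, which is the usual fix for socket units that listen on a non-loopback service IP. The `{% if ipv6_support %}` / `{% endif %}` lines leave blank lines in the rendered unit, which systemd ignores, but a header line such as `# Managed by Algo (roles/dns/tasks/ubuntu.yml); do not edit on the host` would help whoever debugs this with `systemctl cat`. The drop-in name `10-algo-override.conf` also differs from the service's `99-algo.conf`; using the same naming for both makes them easier to find together.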
@@ -37,10 +37,16 @@
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
 
+{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
+# Using systemd socket activation on Ubuntu/Debian
+listen_addresses = []
+{% else %}
+# Direct binding on non-systemd systems
 listen_addresses = [
   '{{ local_service_ip }}:53'{% if ipv6_support %},
   '[{{ local_service_ipv6 }}]:53'{% endif %}
 ]
+{% endif %}
 
 
 ## Maximum number of simultaneous client connections to accept
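Review bot: The comment `# Direct binding on non-systemd systems` on the else branch is inaccurate: that branch is taken on every host that is not Ubuntu or Debian, including systemd-based ones where the role simply does not configure socket activation, so it will mislead the next person adding a distribution. Suggest `# Direct binding: socket activation is not configured for this platform`. It would also help to say on the first branch that with `listen_addresses = []` the daemon relies entirely on the file descriptors handed over by dnscrypt-proxy.socket, e.g. `# All listeners come from dnscrypt-proxy.socket (roles/dns/tasks/ubuntu.yml)`, so a reader does not mistake the empty list for "listening disabled"; if dnscrypt-proxy is ever started without inherited sockets on such a host it will have nothing to listen on, which is worth stating where the empty list is written.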