Use systemd socket activation properly for dnscrypt-proxy

Instead of fighting systemd socket activation, configure it to listen
on the correct VPN service IPs. This is more systemd-native and reliable.

Changes:
- Create socket override to listen on VPN IPs instead of localhost
- Clear default listeners and add VPN service IPs
- Use empty listen_addresses in dnscrypt-proxy.toml for socket activation
- Keep socket enabled and let systemd manage the activation
- Add handler for restarting socket when config changes

Benefits:
- Works WITH systemd instead of against it
- Survives package updates better
- No dependency conflicts
- More reliable service management

This approach is cleaner than disabling socket activation entirely and
ensures dnscrypt-proxy is accessible to VPN clients on the correct IPs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/dns/handlers/main.yml

@@ -3,9 +3,16 @@
   systemd:
     daemon_reload: true
 
+- name: restart dnscrypt-proxy.socket
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: restarted
+    daemon_reload: true
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
 - name: restart dnscrypt-proxy
   systemd:
     name: dnscrypt-proxy
     state: restarted
     daemon_reload: true
-  when: ansible_distribution == 'Ubuntu'
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'

roles/dns/tasks/main.yml

@@ -26,12 +26,11 @@
 
 - meta: flush_handlers
 
-- name: Ubuntu | Stop and disable dnscrypt-proxy socket before starting service
+- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled
   systemd:
     name: dnscrypt-proxy.socket
-    state: stopped
+    enabled: true
-    enabled: false
+    state: started
-  failed_when: false
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
 - name: dnscrypt-proxy enabled and started

roles/dns/tasks/ubuntu.yml

@@ -50,6 +50,37 @@
     owner: root
     group: root
 
+- name: Ubuntu | Ensure socket override directory exists
+  file:
+    path: /etc/systemd/system/dnscrypt-proxy.socket.d/
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: Ubuntu | Configure dnscrypt-proxy socket to listen on VPN IPs
+  copy:
+    dest: /etc/systemd/system/dnscrypt-proxy.socket.d/10-algo-override.conf
+    content: |
+      [Socket]
+      # Clear default listeners
+      ListenStream=
+      ListenDatagram=
+      # Add VPN service IPs
+      ListenStream={{ local_service_ip }}:53
+      ListenDatagram={{ local_service_ip }}:53
+      {% if ipv6_support %}
+      ListenStream=[{{ local_service_ipv6 }}]:53
+      ListenDatagram=[{{ local_service_ipv6 }}]:53
+      {% endif %}
+      NoDelay=true
+      DeferAcceptSec=1
+    mode: '0644'
+  notify:
+    - daemon-reload
+    - restart dnscrypt-proxy.socket
+    - restart dnscrypt-proxy
+
 - name: Ubuntu | Add custom requirements to successfully start the unit
   copy:
     dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf

roles/dns/templates/dnscrypt-proxy.toml.j2

@@ -37,10 +37,16 @@
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
 
+{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
+# Using systemd socket activation on Ubuntu/Debian
+listen_addresses = []
+{% else %}
+# Direct binding on non-systemd systems
 listen_addresses  = [
   '{{ local_service_ip }}:53'{% if ipv6_support %},
   '[{{ local_service_ipv6 }}]:53'{% endif %}
   ]
+{% endif %}
 
 
 ## Maximum number of simultaneous client connections to accept