* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file.
Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}. Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.
* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.
* systemd/dnscrypt-proxy.service: Updating Description to match project name.
Explicitely setting ProtectHome=yes. Adding information on the DynamicUser settings.
* systemd/dnscrypt-proxy.socket: Updating description to match project name.
* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.
* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
According to systemd.special(7), nss-lookup.target is a Special Passive System Unit. This means that services depending on its functionality should order themselves after the target with an After= type dependency, but should not have a Wants= dependency for them. Therefore, nss-lookup.target should be pulled in by the providing services instead, or the consumer services will never be able to order themselves after the providing services since nss-lookup.target would not be pulled in at any point in the boot process. dnscrypt-proxy.service provides name lookup functionality, and has a Before= dependency on nss-lookup.target. However, it should have a Wants= dependency on it as well in order to indicate readiness of name lookup functionality.
David Runge
FedericoYundt
Adrián Laviós Gomis
Frank Denis