[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki

## Use systemd sockets. Disable on TCP_NODELAY fail. Then define ip address in dnscrypt-proxy.toml.
Requires=dnscrypt-proxy.socket

## Start service after the network is online.
## Requires a wait service such as NetworkManager or systemd-networkd.
## Verify using: 
## systemctl is-enabled NetworkManager-wait-online.service systemd-networkd-wait-online.service
## Then enable:
## systemctl enable NetworkManager-wait-online.service
## Or alternatively: 
## systemctl enable systemd-networkd-wait-online.service
After=network-online.target
Wants=network-online.target

## DNSCrypt-proxy provides and requires name resolution. 
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
## Set O_NONBLOCK flag for socket unit.
NonBlocking=true

## Execute dnscrypt-proxy with configuration file.
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

## Make /home, /root and /run/user read only.
ProtectHome=yes

## Make Linux control groups read only.
ProtectControlGroups=yes

## Deny explicit module loading.
ProtectKernelModules=yes

## Run dnscrypt-proxy as unprivileged user with
## temporary assigned UID/GID. See man:systemd.exec
## for more info. Requires systemd 232+.
DynamicUser=yes
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy

[Install]
## Install socket unit.
Also=dnscrypt-proxy.socket

## Create symlink for systemd to pull in the unit when starting multi-user.target
## Can be found in /etc/systemd/system/multi-user.target.wants/
WantedBy=multi-user.target