Sharing my current workaround in case it is helpful to anyone. I just
created a hook for apt that runs a script to touch a file and puts a line
in /usr/lib/systemd/system/dnscrypt-proxy.socket so it only runs when that
touched file is not present. Note that this does cause the status of the
socket unit to show as failed.
$ ls -l /usr/local/bin/dnscrypt-proxy-fix.sh
-rwxr--r-- 1 root root 490 Jun 9 18:27 /usr/local/bin/dnscrypt-proxy-fix.sh
$ cat /usr/local/bin/dnscrypt-proxy-fix.sh
#!/usr/bin/env bash
set -o errexit
set -o pipefail
set -o nounset
sockfile='/usr/lib/systemd/system/dnscrypt-proxy.socket'
line='ConditionPathExists=!\/etc\/dnscrypt-proxy\/no_systemd_socket'
[[ ! -f "$sockfile" ]] && exit 0
/usr/bin/touch /etc/dnscrypt-proxy/no_systemd_socket
if ! /usr/bin/grep --quiet "$line" "$sockfile" ; then
/usr/bin/sed --in-place "/^\[Unit\]$/a $line" "$sockfile"
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl restart dnscrypt-proxy.socket
fi
$ cat /etc/apt/apt.conf.d/100dnscrypt-proxy-patch
DPkg::Post-Invoke {"/usr/local/bin/dnscrypt-proxy-fix.sh";};
