adblock.sh as an unprivileged user; Store the whitelists in /var/; #64

roles/dns_adblocking/tasks/main.yml

@@ -8,6 +8,9 @@
   template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
   notify:
   - restart dnsmasq
+  
+- name: The dnsmasq directory created
+  file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup
 
 - name: Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
@@ -21,11 +24,18 @@
   template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755
 
 - name: Adblock script added to cron
-  cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh"
+  cron: 
+    name: Adblock hosts update
+    minute: 10
+    hour: 2
+    job: /opt/adblock.sh
+    user: dnsmasq
 
 - name: Update adblock hosts
   shell: >
     /opt/adblock.sh
+  become: true
+  become_user: dnsmasq
 
 - name: Dnsmasq enabled and started
   service: name=dnsmasq state=started enabled=yes

roles/dns_adblocking/templates/adblock.sh

@@ -7,7 +7,7 @@ ENDPOINT_IP6="::"
 IPV6="Y"
 
 #Delete the old block.hosts to make room for the updates
-rm -f /etc/block.hosts
+rm -f /var/lib/dnsmasq/block.hosts
 
 echo 'Downloading hosts lists...'
 #Download and process the files needed to make the lists (enable/add more, if you want)
@@ -32,9 +32,9 @@ then
     #Filter the blacklist, supressing whitelist matches
     #  This is relatively slow =-(
     echo 'Filtering white list...'
-    egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /etc/block.hosts
+    egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
 else
-    cat /tmp/block.build.before > /etc/block.hosts
+    cat /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
 fi
 
 if [ "$IPV6" = "Y" ]
@@ -42,7 +42,7 @@ then
     safe_pattern=$(printf '%s\n' "$ENDPOINT_IP4" | sed 's/[[\.*^$(){}?+|/]/\\&/g')
     safe_addition=$(printf '%s\n' "$ENDPOINT_IP6" | sed 's/[\&/]/\\&/g')
     echo 'Adding ipv6 support...'
-    sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /etc/block.hosts
+    sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /var/lib/dnsmasq/block.hosts
 fi
 
 service dnsmasq restart

roles/dns_adblocking/templates/dnsmasq.conf.j2

@@ -130,7 +130,7 @@ bind-interfaces
 #no-hosts
 # or if you want it to read another file, as well as /etc/hosts, use
 # this.
-addn-hosts=/etc/block.hosts
+addn-hosts=/var/lib/dnsmasq/block.hosts
 
 # Set this (and domain: see below) if you want to have a domain
 # automatically added to simple names in a hosts-file.

roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2

@@ -13,7 +13,8 @@
   /etc/dnsmasq.conf r,
   /etc/dnsmasq.d/ r,
   /etc/dnsmasq.d/* r,
-  /etc/block.hosts r,
+  /var/lib/dnsmasq/ r,
+  /var/lib/dnsmasq/block.hosts r,
 
   /usr/sbin/dnsmasq mr,