From d90ba3d11a18bd0edfd5fc2c678420e234f55330 Mon Sep 17 00:00:00 2001
From: David Myers <dem@myersnet.net>
Date: Thu, 4 Oct 2018 18:12:48 -0400
Subject: [PATCH] Allow more flexible DNSCrypt configuration (#1120)

* Allow more flexible DNSCrypt configuration

* Correct permissions on files changed in #1120

I'm not sure why using BBEdit over SMB makes every file executable.

* Put the public resolvers cache file in /tmp.
---
 config.cfg                                    | 20 +++++++++++++++----
 roles/dns_encryption/defaults/main.yml        |  6 +++++-
 .../templates/dnscrypt-proxy.toml.j2          |  8 ++++++--
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/config.cfg b/config.cfg
index fe6bbfd..f1721e5 100644
--- a/config.cfg
+++ b/config.cfg
@@ -38,13 +38,25 @@ adblock_lists:
  - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
  - "https://hosts-file.net/ad_servers.txt"
 
-# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified
+# Enable DNS encryption.
+# If 'false', 'dns_servers' should be specified below.
 dns_encryption: true
 
-# Possible values: google, cloudflare
-dns_encryption_provider: cloudflare
+# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
+# providers may be specified, but avoid mixing providers that filter results
+# (like Cisco) with those that don't (like Cloudflare) or you could get
+# inconsistent results. The list of available public providers can be found
+# here:
+# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
+dnscrypt_servers:
+  ipv4:
+    - cloudflare
+#   - google
+  ipv6:
+    - cloudflare-ipv6
 
-# DNS servers which will be used if dns_encryption disabled
+# DNS servers which will be used if 'dns_encryption' is 'false'.
+# The default is to use Cloudflare.
 dns_servers:
   ipv4:
     - 1.1.1.1
diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml
index 5997f58..1869e6a 100644
--- a/roles/dns_encryption/defaults/main.yml
+++ b/roles/dns_encryption/defaults/main.yml
@@ -5,5 +5,9 @@ listen_port: "{% if algo_local_dns %}5353{% else %}53{% endif %}"
 dnscrypt_proxy_version: 2.0.10
 apparmor_enabled: true
 dns_encryption: true
-dns_encryption_provider: "*"
 ipv6_support: false
+dnscrypt_servers:
+  ipv4:
+    - cloudflare
+  ipv6:
+    - cloudflare-ipv6
diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
index aba1919..d954ff8 100644
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
@@ -27,7 +27,11 @@
 ## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.
 
-server_names      = ['{{ dns_encryption_provider }}'{% if ipv6_support and dns_encryption_provider == "cloudflare" %}, '{{ dns_encryption_provider }}-ipv6' {% endif %} ]
+{# Allow either list to be empty. Output nothing if both are empty. #}
+{% set servers = [] %}
+{% if dnscrypt_servers.ipv4 %}{% set servers = dnscrypt_servers.ipv4 %}{% endif %}
+{% if ipv6_support and dnscrypt_servers.ipv6 %}{% set servers = servers + dnscrypt_servers.ipv6 %}{% endif %}
+{% if servers %}server_names = ['{{ servers | join("', '") }}']{% endif %}
 
 
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
@@ -446,7 +450,7 @@ cache_neg_max_ttl = 600
 
   [sources.'public-resolvers']
   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
+  cache_file = '/tmp/public-resolvers.md'
   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
   refresh_delay = 72
   prefix = ''