Add DNS setting to Firefox via autoconfig.js

Update Ansible aliases to use encrypted secrets
Configure Linux machines to decrypt Ansible password
2025-08-02 18:56:27 -05:00 · 2025-08-02 18:55:58 -05:00 · 2025-08-02 18:54:42 -05:00 · 2025-08-02 18:49:03 -05:00
6 changed files with 47 additions and 3 deletions
--- a/homes/common.nix
+++ b/homes/common.nix
@ -76,9 +76,9 @@ in {
      hmb =
        "home-manager build --flake ~/.config/home-manager#$USER@$(hostname -s)";
      anp =
-        "ansible-playbook -i ~/.config/home-manager/inventory.yaml ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
+        "ansible-playbook -i ~/.config/home-manager/inventory.yaml -e @~/.config/home-manager/secrets_file.enc --vault-password-file $HM_AGENIX_SECRETS_DIR/ansible-vault-password ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
      anc =
-        "ansible-playbook -v -i ~/.config/home-manager/inventory.yaml --check ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
+        "ansible-playbook -v -i ~/.config/home-manager/inventory.yaml -e @~/.config/home-manager/secrets_file.enc --vault-password-file $HM_AGENIX_SECRETS_DIR/ansible-vault-password --check ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
    };
    sessionPath = [ "$HOME/.local/bin" ];
    activation = {
--- a/homes/linux.nix
+++ b/homes/linux.nix
@ -1,4 +1,6 @@
 { config, lib, pkgs, pkgs-unstable, ... }: {
+  age.secrets.ansible-vault-password.file =
+    ./../secrets/ansible-vault-password.age;
  fonts = { fontconfig = { enable = true; }; };
  home = {
    # A notable exception here: R
@ -14,7 +16,10 @@
    # Right now, I am using the distro's R on Linux, and Homebrew on MacOS.
    # This is less than ideal, but I'm willing to deal with it for now.
    packages = with pkgs; [ bitwarden-cli ];
-    sessionVariables = { JULIA_NUM_THREADS = "$(nproc)"; };
+    sessionVariables = {
+      JULIA_NUM_THREADS = "$(nproc)";
+      HM_AGENIX_SECRETS_DIR = "$XDG_RUNTIME_DIR/agenix";
+    };
    shellAliases = {
      nrun = ''
        __NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia __VK_LAYER_NV_optimus="NVIDIA_only"'';
--- a/playbook.yaml
+++ b/playbook.yaml
@ -216,6 +216,25 @@
      ansible.builtin.dnf:
        name: "*"
        state: latest # noqa: package-latest
+    # Install a policy file to force Firefox to use encrypted DNS
+    - name: Create Firefox DNS policy, line 1
+      ansible.builtin.lineinfile:
+        path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+        mode: "644"
+        create: true
+        line: lockPref("network.trr.mode", 3);
+    - name: Create Firefox DNS policy, line 1
+      ansible.builtin.lineinfile:
+        path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+        mode: "644"
+        create: true
+        line: lockPref("network.trr.url", "{{ dns_server }}");
+    - name: Create Firefox DNS policy, line 1
+      ansible.builtin.lineinfile:
+        path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+        mode: "644"
+        create: true
+        line: lockPref("network.trr.custom_uri", "{{ dns_server }}");

 # Generally speaking, I try to install Flatpak applications at the user level
 # b/c that really gives more credence to the whole sandboxing idea (concept of
--- a/secrets.nix
+++ b/secrets.nix
@ -18,4 +18,5 @@ in {
  "secrets/network-information.age".publicKeys = system-administrators
    ++ [ bosephus-host ];
  "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
+  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
 }
--- a/secrets/ansible-vault-password.age
+++ b/secrets/ansible-vault-password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 bN6E9A v/WLn5wj++mdWKQP0RAz5qgYNa3P+ako5i2ZrQU5MVg
+KmLPE7C5aFXNVZZEi2Cfxre2DzgeC4yDyvzKcC1cGzk
+-> ssh-ed25519 1g/xww l1rmdkJ9B3+FYXWbTWDFxF7enpxC+RPS5QkEExATdzI
+SMdPI0zMDDbWukQD83Hx12pp4UiVKh0AtpvGp2qJIWA
+-> ssh-ed25519 +kBihw EXqxoZjpZROGK3uoJjQsWHT+TXXgJiwN8NVxp0JoTSk
+840G/EiMQxvuft2++iGDwtAfiNsFGviqr5JiJECK0Bs
+-> ssh-ed25519 dbKeHw RHkpMrQpRWnr70FWT78mjStvcBpLku4RFdel/8QPOBQ
+I8V30k0X2wZUELhSm7CnnRrhjGwNWjq8VIW0OWVPIiU
+--- 3gWRhYAZNqriySifohEEy+0kwrp9qAntST+cKdE0vq8
+´³{ˆÃŒì®eåVzlM8¯ž¤RÂïFºL*C¬ÀÒµQ€¾tûƒCŸz7ºöøÀ<a<>¦ˆƒ0 V—'6Óx
--- a/secrets_file.enc
+++ b/secrets_file.enc
@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35626563393033346332653338336363653831656234326433346531613831386235393633316566
+6436313935656662663361373538636537633763613839300a373939383862303731323136323864
+61303536663737626239313139356631336431326566366435333766653739376162616635336239
+6236316262653539320a346466306363643662636132383037326265643539373336366462343263
+39613930663536633665333931656332326633336639373937313833373632323539363336656365
+33633238376462393265313634633034663535376137353134306433383034353732646266303338
+303763386430363638303363336339363030
Author	SHA1	Message	Date
Thomas A. Christensen II	ce7c924944	Add DNS setting to Firefox via autoconfig.js	2025-08-02 18:56:27 -05:00
Thomas A. Christensen II	59e01cd65c	Update Ansible aliases to use encrypted secrets	2025-08-02 18:55:58 -05:00
Thomas A. Christensen II	cbe02acfd0	Configure Linux machines to decrypt Ansible password	2025-08-02 18:54:42 -05:00
Thomas A. Christensen II	389fafe268	add Ansible playbook password as secret	2025-08-02 18:49:03 -05:00