From e64c1dcad5e678e5efb23f6021f64ee04f83950b Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sat, 2 Aug 2025 19:18:46 -0500
Subject: [PATCH 1/2] fix: Use /etc policy for DNS
---
 playbook.yaml | 21 ++++-----------------
 templates/policies.json | 10 ++++++++++
 2 files changed, 14 insertions(+), 17 deletions(-)
 create mode 100644 templates/policies.json
diff --git a/playbook.yaml b/playbook.yaml
index 59364f5..15d5d15 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -217,24 +217,11 @@
 name: "*"
 state: latest # noqa: package-latest
 # Install a policy file to force Firefox to use encrypted DNS
- - name: Create Firefox DNS policy, line 1
- ansible.builtin.lineinfile:
- path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+ - name: Create Firefox DNS policy
+ ansible.builtin.template:
+ src: templates/policies.json
+ dest: /etc/firefox/policies/policies.json
 mode: "644"
- create: true
- line: lockPref("network.trr.mode", 3);
- - name: Create Firefox DNS policy, line 1
- ansible.builtin.lineinfile:
- path: /usr/lib64/firefox/defaults/pref/autoconfig.js
- mode: "644"
- create: true
- line: lockPref("network.trr.url", "{{ dns_server }}");
- - name: Create Firefox DNS policy, line 1
- ansible.builtin.lineinfile:
- path: /usr/lib64/firefox/defaults/pref/autoconfig.js
- mode: "644"
- create: true
- line: lockPref("network.trr.custom_uri", "{{ dns_server }}");
 
 # Generally speaking, I try to install Flatpak applications at the user level
 # b/c that really gives more credence to the whole sandboxing idea (concept of
diff --git a/templates/policies.json b/templates/policies.json
new file mode 100644
index 0000000..72f87f5
--- /dev/null
+++ b/templates/policies.json
@@ -0,0 +1,10 @@
+{
+ "policies": {
+ "DNSOverHTTPS": {
+ "Enabled": true,
+ "ProviderURL": "{{ dns_server }}",
+ "Locked": true,
+ "Fallback": false
+ }
+ }
+}
From 9660522100d4ab5d1d33b0893759dbcf79057a20 Mon Sep 17 00:00:00 2001
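Review bot: The new `ansible.builtin.template` task writes to `/etc/firefox/policies/policies.json`, but the module does not create missing parent directories, so on a host where `/etc/firefox/policies` does not exist yet the task fails and the locked DoH policy is never installed. A directory task placed before it closes that gap, and setting `owner: root` / `group: root` there and on the template task makes explicit that only root may edit a policy that is meant to be locked. Hosts provisioned by the previous revision also keep `/usr/lib64/firefox/defaults/pref/autoconfig.js`; nothing in this hunk removes it, so a cleanup task avoids leaving a second, stale source of DoH settings (assuming nothing else manages that file). The task indentation below is approximate, because the hunk's original indentation is not visible here.

```yaml
- name: Ensure Firefox policy directory exists
  ansible.builtin.file:
    path: /etc/firefox/policies
    state: directory
    owner: root
    group: root
    mode: "755"
- name: Create Firefox DNS policy
  # … unchanged: ansible.builtin.template task from the hunk …
- name: Remove obsolete Firefox autoconfig prefs
  ansible.builtin.file:
    path: /usr/lib64/firefox/defaults/pref/autoconfig.js
    state: absent
```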
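Review bot: `"ProviderURL": "{{ dns_server }}"` interpolates the variable into JSON without escaping, so a value containing a quote or backslash renders a malformed or altered policies.json; Firefox would presumably ignore an unparsable policy file, leaving DoH unenforced without any error from the playbook. Let the filter emit the quoted string instead: `"ProviderURL": {{ dns_server | to_json }},`. Because `Locked` is true and `Fallback` is false, this URL is the only resolver path the policy allows, so it is also worth asserting in the playbook that `dns_server` is defined and starts with `https://` before the template is rendered.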
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sat, 2 Aug 2025 19:19:16 -0500
Subject: [PATCH 2/2] Remove DoH settings from Firefox profiles
---
 programs/firefox.nix | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/programs/firefox.nix b/programs/firefox.nix
index 89f2267..9512b83 100644
--- a/programs/firefox.nix
+++ b/programs/firefox.nix
@@ -237,9 +237,6 @@
 "extensions.formautofill.addresses.enabled" = false;
 "extensions.formautofill.creditCards.enabled" = false;
 "extensions.autoDisableScopes" = 0;
- "network.trr.mode" = 3; # DNS over HTTPS always
- "network.trr.uri" = "https://family.dns.mullvad.net/dns-query";
- "network.trr.custom_uri" = "https://family.dns.mullvad.net/dns-query";
 "privacy.bounceTrackingProtection.mode" = 1;
 "privacy.clearOnShutdown_v2.browsingHistoryAndDownloads" = false;
 "privacy.clearOnShutdown_v2.cache" = true;