From 11b9a08635fec7b375587ef2e228973e6d9a9892 Mon Sep 17 00:00:00 2001
From: Tom Alexander <tom@fizz.buzz>
Date: Sat, 18 Mar 2023 13:40:43 -0400
Subject: [PATCH] Add expect for aurutils.

---
 ansible/roles/build/tasks/linux.yaml                   | 1 +
 ansible/roles/network/files/mullvlad_dns_over_tls.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/ansible/roles/build/tasks/linux.yaml b/ansible/roles/build/tasks/linux.yaml
index caa5271..c727089 100644
--- a/ansible/roles/build/tasks/linux.yaml
+++ b/ansible/roles/build/tasks/linux.yaml
@@ -13,6 +13,7 @@
       - base-devel
       - vifm # For aurutils
       - vim # For aurutils
+      - expect # For aurutils
     state: present
 
 - name: Extract aurutils aur entry
diff --git a/ansible/roles/network/files/mullvlad_dns_over_tls.conf b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
index 81b18b5..ca6a9b6 100644
--- a/ansible/roles/network/files/mullvlad_dns_over_tls.conf
+++ b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
@@ -1,3 +1,6 @@
 [Resolve]
+Domains=~. # Use this instead of the per-link DNS servers
 DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
 DNSOverTLS=yes
+# DNSSEC=allow-downgrade # Validate DNSSEC only if upstream DNS server supports it
+# DNSSEC=true # Always validate DNSSEC which breaks name resolution for servers that do not support it