From 44c3168a399ca20c8a607aecc52fa32dea723616 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Sat, 13 Apr 2024 18:37:28 +0300
Subject: [PATCH] chromium policy: strip DnsOverHttpsMode to two different files, rename automatic to allowed for clarity & update README.md on these
---
 etc/opt/chromium/policies/managed/README.md | 19 +++++++++++++------
 .../{doh-automatic.json => doh-allowed.json} | 0
 .../chromium/policies/managed/doh-dns0.json | 1 -
 .../chromium/policies/managed/doh-forced.json | 3 +++
 .../policies/managed/doh-mullvad-base.json | 1 -
 .../policies/managed/doh-quad9-ecs.json | 1 -
 .../chromium/policies/managed/doh-quad9.json | 1 -
 7 files changed, 16 insertions(+), 10 deletions(-)
 rename etc/opt/chromium/policies/managed/{doh-automatic.json => doh-allowed.json} (100%)
 create mode 100644 etc/opt/chromium/policies/managed/doh-forced.json
diff --git a/etc/opt/chromium/policies/managed/README.md b/etc/opt/chromium/policies/managed/README.md
index 92c89bf2..f54265a6 100644
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@@ -30,8 +30,9 @@
 - [`disable-brave-vpn.json`](#disable-brave-vpnjson)
 - [`disable-floc.json`](#disable-flocjson)
 - [`disable-incognito.json`](#disable-incognitojson)
-- [`doh-automatic.json`](#doh-automaticjson)
+- [`doh-allowed.json`](#doh-allowedjson)
 - [`doh-dns0.json`](#doh-dns0json)
+- [`doh-forced.json`](#doh-forcedjson)
 - [`doh-mullvad-base.json`](#doh-mullvad-basejson)
 - [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
 - [`enable-ech-ocsp.json`](#enable-ech-ocspjson)
@@ -207,16 +208,22 @@ Disables floc or ad topics that are against privacy.
 Disables incognito mode. I don't recommend this.
-## `doh-automatic.json`
+## `doh-allowed.json`
-If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
+If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
+(think of DoT opportunistic mode, kind of?). Enabling managed policies disable it by default.
-Incompatible with any actual DoH policy.
+Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.
 ## `doh-dns0.json`
-Simply enables DNS-over-HTTPS with DNS0.eu. `automatic` means downgrade is
-allowed (the system resolver is encrypted), `secure` would lock it.
+Simply enables DNS-over-HTTPS with DNS0.eu.
+
+## `doh-forced.json`
+
+Enforces use of DNS-over-HTTPS disabling the downgrade.
+
+Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
 ## `doh-mullvad-base.json`
diff --git a/etc/opt/chromium/policies/managed/doh-automatic.json b/etc/opt/chromium/policies/managed/doh-allowed.json
similarity index 100%
rename from etc/opt/chromium/policies/managed/doh-automatic.json
rename to etc/opt/chromium/policies/managed/doh-allowed.json
diff --git a/etc/opt/chromium/policies/managed/doh-dns0.json b/etc/opt/chromium/policies/managed/doh-dns0.json
index b7f968b6..57f7cdb2 100644
--- a/etc/opt/chromium/policies/managed/doh-dns0.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0.json
@@ -1,4 +1,3 @@
 {
- "DnsOverHttpsMode": "automatic",
 "DnsOverHttpsTemplates": "https://dns0.eu"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-forced.json b/etc/opt/chromium/policies/managed/doh-forced.json
new file mode 100644
index 00000000..578327c1
--- /dev/null
+++ b/etc/opt/chromium/policies/managed/doh-forced.json
@@ -0,0 +1,3 @@
+{
+ "DnsOverHttpsMode": "secure"
+}
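Review bot: Removing `"DnsOverHttpsMode": "automatic"` from `doh-dns0.json` leaves a file that sets only `DnsOverHttpsTemplates`, so a machine that had installed just this one file appears to lose DNS-over-HTTPS after updating. The README text in this same commit says managed policies disable the setting by default, which suggests lookups would fall back to the system resolver without any visible error. The `doh-mullvad-base.json`, `doh-quad9-ecs.json` and `doh-quad9.json` hunks have the same effect. JSON policy files cannot carry a comment, so the warning belongs in each provider's README section, for example `Sets only the resolver template; has no effect unless doh-allowed.json or doh-forced.json is installed alongside it.` After deployment, `chrome://policy` shows whether both `DnsOverHttpsMode` and `DnsOverHttpsTemplates` were applied.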
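Review bot: The new `doh-forced.json` sets `"DnsOverHttpsMode": "secure"` with no `DnsOverHttpsTemplates`, so installed on its own it is an incomplete policy; Chromium's policy documentation requires a non-empty template whenever the mode is `secure`. What the browser does in that state (a policy error, or name resolution failing) is not visible from this patch and should be tested rather than assumed. The README section tells the reader to pair it with a provider file but not what happens otherwise; a line such as `Without exactly one provider doh-*.json file this policy is invalid; check chrome://policy for errors after installing.` would state the consequence. If two provider files are installed together, which template takes effect depends on the policy loader's merge order, which is worth stating next to the "only one of them" wording.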
diff --git a/etc/opt/chromium/policies/managed/doh-mullvad-base.json b/etc/opt/chromium/policies/managed/doh-mullvad-base.json
index 9cc913f8..f0b14c4c 100644
--- a/etc/opt/chromium/policies/managed/doh-mullvad-base.json
+++ b/etc/opt/chromium/policies/managed/doh-mullvad-base.json
@@ -1,4 +1,3 @@
 {
- "DnsOverHttpsMode": "automatic",
 "DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9-ecs.json b/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
index a075f645..c7a2450b 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
@@ -1,4 +1,3 @@
 {
- "DnsOverHttpsMode": "automatic",
 "DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query"
 }
diff --git a/etc/opt/chromium/policies/managed/doh-quad9.json b/etc/opt/chromium/policies/managed/doh-quad9.json
index e39a8952..11ed4fb1 100644
--- a/etc/opt/chromium/policies/managed/doh-quad9.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9.json
@@ -1,4 +1,3 @@
 {
- "DnsOverHttpsMode": "automatic",
 "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query"
 }