algo/roles/dns_encryption/tasks/ubuntu.yml

---
- name: Add the repository
  apt_repository:
    state: present
    codename: bionic
    repo: ppa:shevchuk/dnscrypt-proxy
  register: result
  until: result is succeeded
  retries: 10
  delay: 3

- name: Install dnscrypt-proxy
  apt:
    name: dnscrypt-proxy
    state: latest
    update_cache: true

- name: Configure unattended-upgrades
  copy:
    src: 50-dnscrypt-proxy-unattended-upgrades
    dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades
    owner: root
    group: root
    mode: 0644

- block:
  - name: Ubuntu | Unbound profile for apparmor configured
    copy:
      src: apparmor.profile.dnscrypt-proxy
      dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy
      owner: root
      group: root
      mode: 0600
    notify: restart dnscrypt-proxy

  - name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
    command: aa-enforce usr.bin.dnscrypt-proxy
    changed_when: false
  tags: apparmor
  when: apparmor_enabled|default(false)|bool == true

- name: Ubuntu | Ensure that the dnscrypt-proxy service directory exist
  file:
    path: /etc/systemd/system/dnscrypt-proxy.service.d/
    state: directory
    mode: 0755
    owner: root
    group: root

- name: Ubuntu | Add capabilities to bind ports
  copy:
    dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-capabilities.conf
    content: |
      [Service]
      AmbientCapabilities=CAP_NET_BIND_SERVICE      
  notify:
   - restart dnscrypt-proxy