#!/bin/bash

set -e

if [ ! -e /var/run/qubes-service/vpn-exclude-domains ]; then
    rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
    exit 0
fi

if [ ! -e /rw/config/qubes-vpn-exclude.list ]; then
    echo "# List of domains that should be excluded from the VPN proxy." \
        > /rw/config/qubes-vpn-exclude.list
fi

temp="$(mktemp)"
trap 'rm "$temp"' EXIT

cat > "$temp" <<EOF
# Autogenerated file by qubes-vpn-exclude.

# For ease of use we enable the query log.
log-queries

# We don't want to use resolv.conf as the VPN DNS should handle queries.
no-resolv
no-hosts

domain-needed
bogus-priv

cache-size=0
EOF

source /var/run/qubes/qubes-ns

domains=
while IFS= read -r domain; do
    domain="$(echo "$domain" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
    if [ -n "$domain" ] && [[ "$domain" != "#"* ]]; then
        domains="$domains/$domain"
        echo "ipset=/$domain/qubes-vpn-exclude-4,qubes-vpn-exclude-6" >> "$temp"
        for dns in $NS1 $NS2; do
            echo "server=/$domain/$dns" >> "$temp"
        done
        echo >> "$temp"
    fi
done < /rw/config/qubes-vpn-exclude.list

if [ -z "$domains" ]; then
    rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
    exit 0
fi

# For all other domains that are not excluded we fall back to the DNS provided
# by the VPN.
for dns in $(cat /var/run/qubes/qubes-vpn-ns); do
    echo "server=$dns" >> "$temp"
done

cp "$temp" /etc/dnsmasq.d/50-qubes-vpn-exclude.conf