@duxsco
Last active August 7, 2024 07:13
openresolv patch that sets up DNS-over-TLS when not connected over VPN
diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
index 7c29e27..d65892a 100644
--- a/hooks/20-resolv.conf
+++ b/hooks/20-resolv.conf
@@ -170,9 +170,36 @@ add_resolv_conf()
for x in ${new_domain_name_servers}; do
conf="${conf}nameserver $x$NL"
done
+
if $have_resolvconf; then
[ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
- printf %s "$conf" | "$resolvconf" -a "$ifname"
+ if [ "$(su -l "$(id -nu 1000)" -c "curl -fs --connect-timeout 10 --proto '=https' --tlsv1.3 --cacert /etc/ssl/certs/4042bcee.0 --resolve all.dns.mullvad.net:443:194.242.2.9 --doh-url https://all.dns.mullvad.net/dns-query https://ipv4.am.i.mullvad.net/json | jq -r .mullvad_exit_ip")" = "true" ]; then
+ printf %s "$conf" | "$resolvconf" -a "$ifname"
+ elif my_unbound_conf="$(grep -Po "^unbound_conf=\K.*" /etc/resolvconf.conf)" && \
+ [ -f "$my_unbound_conf" ]; then
+ if su -l "$(id -nu 1000)" -c 'echo Q | openssl s_client -connect 194.242.2.9:853 -servername all.dns.mullvad.net -CAfile /etc/ssl/certs/4042bcee.0 -verify_hostname all.dns.mullvad.net 2>/dev/null | grep -q "^Verify return code: 0 (ok)$"'; then
+ cat <<'EOF' > "$my_unbound_conf"
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-first: no
+ forward-addr: 194.242.2.9@853#all.dns.mullvad.net
+ forward-addr: 2a07:e340::9@853#all.dns.mullvad.net
+EOF
+ else
+ cat <<'EOF' > "$my_unbound_conf"
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-first: no
+ forward-addr: 5.1.66.255@853#dot.ffmuc.net
+ forward-addr: 185.150.99.255@853#dot.ffmuc.net
+ forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
+ forward-addr: 2001:678:ed0:f000::@853#dot.ffmuc.net
+EOF
+ fi
+ systemctl restart unbound.service
+ fi
return $?
fi
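Review bot: The openssl s_client probe in the elif branch (`su -l ... -c 'echo Q | openssl s_client -connect 194.242.2.9:853 ...'`) carries no time limit, and the curl probe above it bounds only the connect phase with `--connect-timeout 10`, so a stalled connection or a slow transfer can hold this dhcpcd hook for the kernel's own TCP timeout; `curl -fs --max-time 20 --connect-timeout 10 ...` and `timeout 15 openssl s_client ...` would bound both probes. The fall-through to dot.ffmuc.net when the Mullvad certificate does not verify leaves no trace, so a `logger -t 20-resolv.conf 'mullvad DoT not verified, falling back to ffmuc'` before the second heredoc would make that resolver downgrade observable. `return $?` after the new if/elif yields 0 when neither branch is taken (no `unbound_conf=` line in /etc/resolvconf.conf), because a POSIX if with no executed branch exits 0, and in that case resolv.conf is no longer written at all; an explicit `else` that still runs `printf %s "$conf" | "$resolvconf" -a "$ifname"` would preserve the pre-patch behaviour. add_resolv_conf starts before this hunk.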
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details
# This file uses shell assignment syntax; the patched 20-resolv.conf hook also
# reads it directly with grep, so keep the assignments at column 0 with no
# surrounding spaces.
resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
#name_servers=127.0.0.1
# Use the local name server
# Only the loopback listeners of the local resolver are published to
# resolv.conf; the local resolver (unbound, per the accompanying unbound.conf)
# is what forwards over TLS.
name_servers="::1 127.0.0.1"
# trust-ad lets the stub resolver keep the AD (DNSSEC-validated) bit set by the
# local resolver; this is only sound while name_servers stays on loopback.
resolv_conf_options="edns0 trust-ad"
# Write out unbound extended configuration
# The patched hook matches this exact "^unbound_conf=" line and overwrites the
# named file with its own DNS-over-TLS forward-zone before restarting unbound.
unbound_conf=/etc/unbound-resolv-conf.conf
# unbound.conf for the local DNS-over-TLS forwarder.
# The include pulls in the forward-zone that the resolvconf hook writes to the
# path configured as unbound_conf in /etc/resolvconf.conf.
include: /etc/unbound-resolv-conf.conf
server:
# Listen on loopback and on 10.0.0.1, and allow queries from each listener via
# interface-action (requires a recent unbound release — TODO confirm version).
interface: 127.0.0.1
interface: ::1
interface: 10.0.0.1
interface-action: 127.0.0.1 allow
interface-action: ::1 allow
interface-action: 10.0.0.1 allow
# NOTE(review): tls-cert-bundle below points outside this chroot — confirm the
# bundle is loaded before unbound chroots, or copy it inside /etc/unbound.
chroot: "/etc/unbound"
# Do not answer id.server/version.bind style queries.
hide-identity: yes
hide-version: yes
# Hardening options; see unbound.conf(5) for the exact meaning of each.
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: yes
harden-unknown-additional: yes
# Send minimal query names upstream; strict mode is off so broken upstreams
# still resolve.
qname-minimisation: yes
qname-minimisation-strict: no
use-caps-for-id: yes
# Private, link-local, ULA and IPv4-mapped ranges must not appear in answers
# for public names (unbound's protection against DNS rebinding).
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
minimal-responses: yes
# DNSSEC validation with the root trust anchor (path is relative to the chroot).
trust-anchor-file: "/etc/unbound/var/root-anchors.txt"
# CA bundle used to authenticate the upstream DoT servers named after '#' in
# the forward-addr lines; the same file the hook passes to curl and openssl.
tls-cert-bundle: "/etc/ssl/certs/4042bcee.0"
# Empty sections: no python or dynlib modules, remote-control left at defaults.
python:
dynlib:
remote-control: