{ lib, ... }:
{
  # Point every consumer of host DNS at the local dnscrypt-proxy2 listener and
  # stop NetworkManager, resolvconf and dhcpcd from overriding it.
  networking = {
    nameservers = [ "127.0.0.1" "::1" ];
    networkmanager.dns = lib.mkForce "none";
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    # Keep DHCP-supplied nameservers from being written over the local resolver.
    dhcpcd.extraConfig = "nohook resolv.conf";
  };

  # Static user/group for the proxy so its egress can be matched by owner in the
  # firewall; a uid allocated at service start could not be pinned in a rule.
  # NOTE(review): the upstream module presumably runs the unit with DynamicUser;
  # systemd is expected to reuse a pre-existing static user of the same name in
  # that case — confirm against the module version in use.
  users = {
    users.dnscrypt-proxy2 = {
      isSystemUser = true;
      group = "dnscrypt-proxy2";
    };
    groups.dnscrypt-proxy2 = { };
  };
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";

  services = {
    resolved.enable = false;

    dnscrypt-proxy2 = {
      enable = true;
      # Start from the upstream example configuration; everything in `settings`
      # overrides it.
      # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
      upstreamDefaults = true;

      settings = {
        # Resolver selection: DNSCrypt and DoH servers over v4 and v6, restricted
        # to entries flagged as DNSSEC-capable, non-logging and non-filtering;
        # the entry named "cloudflare" is excluded explicitly.
        dnscrypt_servers = true;
        doh_servers = true;
        ipv4_servers = true;
        ipv6_servers = true;
        require_dnssec = true;
        require_nolog = true;
        require_nofilter = true;
        disabled_server_names = [ "cloudflare" ];

        # Bootstrap: the system resolver is this proxy itself (see
        # networking.nameservers), so the resolver list has to be fetched through
        # explicit plain-DNS addresses rather than the system configuration.
        # NOTE(review): newer dnscrypt-proxy releases call this option
        # bootstrap_resolvers — verify the installed version still honours
        # fallback_resolvers.
        ignore_system_dns = true;
        fallback_resolvers = [
          "9.9.9.9:53" # Quad9
          "8.8.8.8:53" # Google
        ];
        netprobe_timeout = 60;

        # Resolver list: two mirrors of the same document, cached on disk, with
        # the minisign public key it is presumably verified against pinned here.
        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };

        # Runtime behaviour.
        cache = true;
        force_tcp = false;
        max_clients = 250;
        timeout = 5000;
        #proxy = "socks5://127.0.0.1:9050";

        # Logging: every query is written to stdout (presumably captured by the
        # journal alongside use_syslog). That log is a complete record of the
        # names this host resolves, so journal access should stay restricted.
        log_level = 2;
        use_syslog = true;
        query_log = {
          file = "/dev/stdout";
          format = "tsv";
          ignored_qtypes = [ ];
        };
      };
    };
  };
}