{ config, pkgs, lib, ... }:
# Local encrypted DNS: the host resolves through dnscrypt-proxy2 on loopback,
# and the proxy runs as a fixed system user so firewall rules (kept elsewhere)
# can match its egress traffic.
{
  networking = {
    # NetworkManager must not manage resolv.conf; resolvers are set below.
    networkmanager.dns = "none";
    # Assumes dnscrypt-proxy2 listens on these loopback addresses (the
    # upstream default listen_addresses) — confirm if listen_addresses is
    # overridden elsewhere.
    nameservers = [ "127.0.0.1" "::1" ];
    #resolvconf.enable = lib.mkForce false;
    resolvconf.useLocalResolver = true;
    # Keep dhcpcd from replacing resolv.conf with DHCP-supplied servers.
    dhcpcd.extraConfig = "nohook resolv.conf";
  };

  # Run the proxy under a static user/group rather than a dynamic one so the
  # firewall can match egress on a stable UID/GID.
  systemd.services.dnscrypt-proxy2.serviceConfig.User = "dnscrypt-proxy2";
  users = {
    users.dnscrypt-proxy2 = {
      isSystemUser = true;
      group = "dnscrypt-proxy2";
    };
    groups.dnscrypt-proxy2 = { };
  };

  services.dnscrypt-proxy2 = {
    enable = true;
    # Base the configuration on the upstream example and override below:
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    upstreamDefaults = true;
    settings = {
      # --- resolver selection ---
      dnscrypt_servers = true;
      doh_servers = true;
      ipv4_servers = true;
      ipv6_servers = true;
      # Only accept resolvers that advertise DNSSEC, no filtering and no logging.
      require_dnssec = true;
      require_nofilter = true;
      require_nolog = true;
      # Never select resolvers whose name matches one of these entries.
      disabled_server_names = [
        "cloudflare"
      ];

      # --- bootstrap / transport ---
      # Plain port-53 resolvers used only to bootstrap (resolving the source
      # URLs and resolver hostnames); these queries are not encrypted. They are
      # needed because ignore_system_dns is enabled below. Newer dnscrypt-proxy
      # releases call this setting bootstrap_resolvers — confirm the packaged
      # version still accepts the old name.
      fallback_resolvers = [
        "9.9.9.9:53" # Quad9
        "8.8.8.8:53" # Google
      ];
      # The system resolver points back at this proxy (nameservers above), so
      # it must not be used for bootstrapping.
      ignore_system_dns = true;
      force_tcp = false;
      #proxy = "socks5://127.0.0.1:9050";
      # Seconds to wait for network connectivity at startup.
      netprobe_timeout = 60;
      # Per-query timeout, in milliseconds.
      timeout = 5000;
      max_clients = 250;
      cache = true;

      # --- logging ---
      log_level = 2;
      use_syslog = true;
      # Query log goes to stdout (collected by the journal under systemd); an
      # empty ignored_qtypes list logs every query type.
      query_log = {
        file = "/dev/stdout";
        format = "tsv";
        ignored_qtypes = [];
      };

      # --- resolver list source ---
      # Public resolver list; its signature is checked against minisign_key
      # and the fetched copy is kept under the service state directory.
      sources = {
        public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
      };
    };
  };
}