{ config, lib, pkgs, ... }:

let
  # Directory name under /var/lib that systemd provisions for the unit.  It is
  # defined once and used both for the unit's StateDirectory and for the
  # resolver-list cache path, so the two cannot drift apart.
  stateDir = "dnscrypt-proxy";

  # Option reference:
  # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  proxySettings = {
    sources = {
      public-resolvers = {
        # Primary and fallback locations of the signed resolver list.
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        # Public key used to verify the minisign signature of the downloaded
        # list; it has to match the key published alongside the list at
        # https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        # Lives inside the unit's StateDirectory (see systemd section below).
        cache_file = "/var/lib/${stateDir}/public-resolvers.md";
      };
    };

    # Also select resolvers reachable over IPv6.  Leave this off on hosts
    # without IPv6 connectivity, or such resolvers will be unreachable.
    ipv6_servers = true;

    # Resolver selection policy: only use servers that validate DNSSEC,
    # declare a no-logging policy, and do not apply their own filtering
    # (parental control, ad blocking, ...).
    require_dnssec = true;
    require_nolog = true;
    require_nofilter = true;

    # Experimental HTTP/3 (DoH3, HTTP over QUIC) support is kept disabled.
    # Unlike other HTTP versions (but like DNSCrypt) it runs over UDP,
    # usually on port 443.
    http3 = false;

    # Local DNS cache: lowers latency and reduces outgoing queries.
    cache = true;
  };
in
{
  # Hand name resolution to the local dnscrypt-proxy instance: stop
  # NetworkManager from managing resolvers and point the system at loopback.
  # These two addresses correspond to dnscrypt-proxy's default listen
  # addresses; keep them in sync if listen_addresses is ever overridden.
  networking.networkmanager.dns = lib.modules.mkForce "none";
  networking.nameservers = [ "127.0.0.1" "::1" ];

  # See https://wiki.nixos.org/wiki/Encrypted_DNS
  services.dnscrypt-proxy2.enable = true;
  services.dnscrypt-proxy2.settings = proxySettings;

  # Must match the directory used in cache_file above.
  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = stateDir;
}