# https://nixos.wiki/wiki/Encrypted_DNS
{
  lib,
  pkgs,
  ...
}: {
  networking = {
    nameservers = ["127.0.0.1" "::1"];
    dhcpcd.extraConfig = "nohook resolv.conf";
    # networkmanager.dns = "none";
  };

  services.resolved.enable = false;

  services.dnscrypt-proxy2 = {
    enable = true;
    # Settings reference:
    # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
    settings = {
      listen_addresses = ["127.0.0.1:53"];
      ipv4_servers = true;

      require_dnssec = true;
      require_nolog = true;
      require_nofilter = true;

      lb_strategy = "p2";
      lb_estimator = true;

      # Blocklists are made of one pattern per line.
      # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
      blocked_names.blocked_names_file = let
        # Prevent building up reliance on chatbots
        # Gotta preserve that thinking ability of my smoof bwain
        ai_list = let
          src = pkgs.fetchFromGitHub {
            owner = "laylavish";
            repo = "uBlockOrigin-HUGE-AI-Blocklist";
            rev = "9bb188e2701138e03f73bacebd6b19b181ca0012";
            hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA=";
          };
        in
          lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [
            (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
            (lib.splitString "\n")
            (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
            (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0
          ];

        hategroup_list = let
          src = pkgs.fetchFromGitHub {
            owner = "chigh";
            repo = "hategroup-dnsbl";
            rev = "cc19c050997d5f54014bb20c764b131e003dfb17";
            hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ=";
          };
        in
          lib.pipe (builtins.readFile "${src}/blocklist.txt") [
            (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
            (lib.splitString "\n")
            (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
          ];

        combined_lists = ai_list ++ hategroup_list;
      in
        pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists);

      # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
      # query_log.file = "/var/log/dnscrypt-proxy/query.log";
      sources.public-resolvers = {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
        ];
        cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
    };
  };
}