infra/nix/os/snippets/systemd-resolved.nix

{
  networking.nameservers = [
    # https://dnsforge.de/
    "176.9.93.198"
    "176.9.1.117"

    # TODO: enable IPv6
    # "2a01:4f8:151:34aa::198"
    # "2a01:4f8:141:316d::117"
  ];

  services.resolved = {
    enable = true;
    dnssec = "true";
    domains = ["~."];
    extraConfig = ''
      # TODO: figure out why "true" doesn't work
      DNSOverTLS=opportunistic
    '';
  };
}