sj-vps-htz0,containers/dns: remove IPv6, opportunistic TLS

nix/os/devices/sj-vps-htz0/system.nix

@@ -8,6 +8,10 @@
 }: let
   wireguardPort = 51820;
 in {
+  imports = [
+    ../../snippets/systemd-resolved.nix
+  ];
+
   networking.firewall.enable = true;
   networking.nftables.enable = true;
 
@@ -47,18 +51,6 @@ in {
     interface = "eth0";
   };
 
-  networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-
-  services.resolved = {
-    enable = true;
-    dnssec = "true";
-    domains = ["~."];
-    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-    extraConfig = ''
-      DNSOverTLS=yes
-    '';
-  };
-
   networking.nat = {
     enable = true;
     internalInterfaces = ["ve-*" "wg*"];

nix/os/profiles/containers/configuration.nix

@@ -1,19 +1,8 @@
 {...}: {
   networking.useHostResolvConf = false;
 
-  networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-
-  services.resolved = {
-    enable = true;
-    dnssec = "true";
-    domains = ["~."];
-    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
-    extraConfig = ''
-      DNSOverTLS=yes
-    '';
-  };
-
   imports = [
+    ../../snippets/systemd-resolved.nix
     # ../../modules/ddclient-ovh.nix
     # ../../modules/ddclient-hetzner.nix
   ];

nix/os/snippets/systemd-resolved.nix

@@ -0,0 +1,21 @@
+{
+  networking.nameservers = [
+    # https://dnsforge.de/
+    "176.9.93.198"
+    "176.9.1.117"
+
+    # TODO: enable IPv6
+    # "2a01:4f8:151:34aa::198"
+    # "2a01:4f8:141:316d::117"
+  ];
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = ["~."];
+    extraConfig = ''
+      # TODO: figure out why "true" doesn't work
+      DNSOverTLS=opportunistic
+    '';
+  };
+}