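# Local DNS layout on this host:
#   * dnscrypt-proxy2 listens on loopback (IPv4 and IPv6) on a non-standard port.
#   * IPv6 loopback queries to [::1]:53 are NAT-redirected to dnscrypt-proxy2.
#   * dnsmasq answers clients on the WireGuard interface (wg0) on port 53.
{ lib, ... }:
let
  # Port clients speak DNS on.
  dnsport = 53;
  # Port dnscrypt-proxy2 actually listens on; kept off 53 so dnsmasq can own it.
  proxyport = 51;

  # One REDIRECT rule per transport protocol, rewriting [::1]:53 -> port 51.
  # Both ports come from the bindings above so the rule cannot drift from the
  # listen_addresses / allowed ports declared below.
  redirectRules = lib.concatMapStringsSep "\n" (proto: ''
    ip6tables --table nat --append OUTPUT \
      --protocol ${proto} --destination ::1 --destination-port ${toString dnsport} \
      --jump REDIRECT --to-ports ${toString proxyport}
  '') [ "udp" "tcp" ];
in
{
  services.dnscrypt-proxy2.settings.listen_addresses = [
    "127.0.0.1:${toString proxyport}"
    "[::1]:${toString proxyport}"
  ];

  networking.firewall = {
    # Forward IPv6 loopback traffic on port 53 to dnscrypt-proxy2.
    # NOTE: only the ip6tables (IPv6) side is redirected; 127.0.0.1:53 is not
    # rewritten and is presumably answered by dnsmasq on lo -- confirm.
    # NOTE(review): extraCommands is only applied by the iptables-based
    # firewall; verify the nftables backend is not enabled on this host.
    # The flush below empties the entire nat OUTPUT chain, so it also removes
    # any rules other modules may have placed there.
    extraCommands = ''
      ip6tables --table nat --flush OUTPUT
      ${redirectRules}
    '';

    # dnsmasq is scoped to WireGuard peers, so open port 53 on wg0 only rather
    # than on every interface: a resolver reachable from all interfaces is an
    # unnecessary exposure (open-resolver / amplification risk).
    interfaces.wg0 = {
      allowedTCPPorts = [ dnsport ];
      allowedUDPPorts = [ dnsport ];
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      # Only serve queries arriving on the WireGuard interface.
      interface = "wg0";
    };
  };
}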