Use dnscrypt-proxy2 as resolver

modules/default.nix

@@ -21,7 +21,7 @@
     ./bluetooth.nix
     ./bootloader
     ./dji-goggles.nix
-    ./dnsmasq.nix
+    ./dns.nix
     ./fish.nix
     ./fonts.nix
     ./gnome.nix
@@ -45,7 +45,6 @@
     ./sshd.nix
     ./sudo.nix
     ./sway.nix
-    ./tor.nix
     ./udmx.nix
     ./uefi.nix
     ./unfree.nix

modules/dns.nix

@@ -1,7 +1,24 @@
 { lib, config, ... }:
 
+let
+  dnscryptListenAddress = "127.0.0.1";
+  dnscryptListenPort = 9053;
+in
 {
   config = lib.mkIf config.jalr.workstation.enable {
+    services.dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        ipv6_servers = true;
+        require_dnssec = true;
+        require_nolog = true;
+        require_nofilter = true;
+        dnscrypt_ephemeral_keys = true;
+        tls_disable_session_tickets = true;
+        listen_addresses = [ "${dnscryptListenAddress}:${toString dnscryptListenPort}" ];
+        anonymized_dns.skip_incompatible = true;
+      };
+    };
     services.dnsmasq = {
       enable = true;
       resolveLocalQueries = true;
@@ -12,7 +29,7 @@
           "/lan.bw.jalr.de/192.168.42.1"
           "/lechner.zz/192.168.0.1"
           "/login.wifionice.de/172.18.0.1"
-          "127.0.0.1#9053"
+          "${dnscryptListenAddress}#${toString dnscryptListenPort}"
         ];
         no-resolv = true;
         interface = "lo";

modules/tor.nix

@@ -1,17 +0,0 @@
-{ lib, config, ... }:
-
-{
-  config = lib.mkIf config.jalr.workstation.enable {
-    services.tor = {
-      enable = true;
-      settings = {
-        DNSPort = 9053;
-        AutomapHostsOnResolve = true;
-        AutomapHostsSuffixes = [
-          ".exit"
-          ".onion"
-        ];
-      };
-    };
-  };
-}