diff --git a/nix/modules/dnscrypt.nix b/nix/modules/dnscrypt.nix
index 8469ec2..ba36cf9 100644
--- a/nix/modules/dnscrypt.nix
+++ b/nix/modules/dnscrypt.nix
@@ -4,6 +4,50 @@
 ...
 }: let
 usr = "dnscrypt-proxy";
+ listenAddresses = [
+ "127.0.0.1:53"
+ "[::1]:53"
+ ];
+ disabledServerNames = [
+ "google-ipv6"
+ "cloudflare"
+ "cloudflare-ipv6"
+ "cisco"
+ "cisco-ipv6"
+ "cisco-familyshield"
+ "cisco-familyshield-ipv6"
+ "yandex"
+ "apple"
+ "doh.dns.apple.com"
+ "ffmuc.net"
+ # "dnswarden-uncensor-dc",
+ # "dnswarden-uncensor-dc-swiss",
+ # "techsaviours.org-dnscrypt",
+ "dns.watch"
+ "pryv8boi"
+ "dct-at1"
+ "dct-ru1"
+ "dct-de1"
+ # "dnscrypt.be",
+ # "meganerd",
+ "scaleway-ams"
+ "scaleway-fr"
+ "dnscrypt.pl"
+ "acsacsar-ams-ipv4"
+ "dnscrypt.uk-ipv4"
+ "adguard-dns-unfiltered"
+ "dnscry.pt-vienna-ipv4"
+ ];
+ bootstrapResolvers = [
+ "9.9.9.9:53"
+ "84.200.69.80:53"
+ "84.200.70.40:53"
+ "185.38.27.139:53"
+ "130.226.161.34:53"
+ # "[2a01:3a0:53:53::]:53"
+ # "[2001:67c:28a4::]:53"
+ # "[2001:1608:10:25::1c04:b12f]:53"
+ ];
 in {
 sops.secrets = {
 dnscrypt-proxy-forwardingRules = {
@@ -18,10 +62,7 @@ in {
 # don't go from scratch.
 upstreamDefaults = true;
 settings = {
- listen_addresses = [
- "127.0.0.1:53"
- "[::1]:53"
- ];
+ listen_addresses = listenAddresses;
 ipv4_servers = true;
 ipv6_servers = false;
 dnscrypt_servers = true; 
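Review bot: The new `disabledServerNames` binding is not a pure move of the list it replaces: it adds `"dnscry.pt-vienna-ipv4"`, which the list removed in the `@@ -30,35 +71,7 @@` hunk did not contain, so the commit changes which resolvers are excluded while reading as a refactor; either split that entry out or state it in the description. The commented-out entries keep a trailing comma (`# "dnscrypt.be",`), which is not valid in a Nix list and would break evaluation the moment someone re-enables one by deleting the `#`; drop the commas now that they sit in a let-binding. Nothing in the file records why these names are excluded, so a one-line comment above the list naming the criterion (as the author understands it) would make it maintainable, e.g. `# resolvers excluded from the upstream list; reason per entry is undocumented — TODO record it`.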
@@ -30,35 +71,7 @@ in {
 require_dnssec = true;
 require_nolog = true;
 require_nofilter = true;
- disabled_server_names = [
- "google-ipv6"
- "cloudflare"
- "cloudflare-ipv6"
- "cisco"
- "cisco-ipv6"
- "cisco-familyshield"
- "cisco-familyshield-ipv6"
- "yandex"
- "apple"
- "doh.dns.apple.com"
- "ffmuc.net"
- # "dnswarden-uncensor-dc",
- # "dnswarden-uncensor-dc-swiss",
- # "techsaviours.org-dnscrypt",
- "dns.watch"
- "pryv8boi"
- "dct-at1"
- "dct-ru1"
- "dct-de1"
- # "dnscrypt.be",
- # "meganerd",
- "scaleway-ams"
- "scaleway-fr"
- "dnscrypt.pl"
- "acsacsar-ams-ipv4"
- "dnscrypt.uk-ipv4"
- "adguard-dns-unfiltered"
- ];
+ disabled_server_names = disabledServerNames;
 http3 = true;
 timeout = 1000;
 keepalive = 30;
@@ -67,16 +80,7 @@ in {
 log_level = 2;
 use_syslog = true;
 cert_refresh_delay = 60;
- bootstrap_resolvers = [
- "9.9.9.9:53"
- "84.200.69.80:53"
- "84.200.70.40:53"
- "185.38.27.139:53"
- "130.226.161.34:53"
- # "[2a01:3a0:53:53::]:53"
- # "[2001:67c:28a4::]:53"
- # "[2001:1608:10:25::1c04:b12f]:53"
- ];
+ bootstrap_resolvers = bootstrapResolvers;
 ignore_system_dns = true;
 # never timeout;
 netprobe_timeout = -1;
@@ -123,15 +127,19 @@ in {
 };
 };
- systemd.services.dnscrypt-proxy2.serviceConfig = {
- StateDirectory = usr;
- WorkingDirectory = "/";
- # StartLimitIntervalSec = 5;
- StartLimitBurst = 10;
- Restart = "always";
- RestartSec = 7;
- User = usr;
- Group = usr;
+ systemd.services.dnscrypt-proxy2 = {
+ after = ["sops-nix.service"];
+ wants = ["coredns.service"];
+ serviceConfig = {
+ StateDirectory = usr;
+ WorkingDirectory = "/";
+ # StartLimitIntervalSec = 5;
+ StartLimitBurst = 10;
+ Restart = "always";
+ RestartSec = 7;
+ User = usr;
+ Group = usr;
+ };
 };
 users.users.dnscrypt-proxy = {
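Review bot: In the `@@ -123,15 +127,19 @@` hunk, `wants = ["coredns.service"]` pulls coredns in but imposes no start ordering, while `after = ["sops-nix.service"]` orders without pulling the unit in, so neither new line on its own guarantees the relationship it appears meant to express. If coredns is intended to be up before or after this proxy (it presumably fronts or is fronted by the listener on `127.0.0.1:53`; not visible here), add it to `before` or `after` as well, and if the sops-managed forwarding-rules secret must exist at start, pair the `after` with a `wants`/`requires` entry. It is also worth confirming that a unit named `sops-nix.service` exists on this host, since an `after` on a missing unit is silently a no-op. A comment stating the intended dependency would help future readers, e.g. `# secrets are provisioned by sops-nix; coredns is the companion resolver — TODO confirm required ordering`.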