diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 34b36859..ddab290a 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -39,11 +39,13 @@ in ids.uids = { nixbld = lib.mkDefault 350; _prometheus-node-exporter = 534; + _dnscrypt-proxy = 535; }; ids.gids = { nixbld = lib.mkDefault (if config.system.stateVersion < 5 then 30000 else 350); _prometheus-node-exporter = 534; + _dnscrypt-proxy = 535; }; }; diff --git a/modules/module-list.nix b/modules/module-list.nix index 8b2215ba..d01bbdb9 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -62,6 +62,7 @@ ./services/chunkwm.nix ./services/cachix-agent.nix ./services/dnsmasq.nix + ./services/dnscrypt-proxy.nix ./services/emacs.nix ./services/eternal-terminal.nix ./services/github-runner diff --git a/modules/services/dnscrypt-proxy.nix b/modules/services/dnscrypt-proxy.nix new file mode 100644 index 00000000..9073ff2a --- /dev/null +++ b/modules/services/dnscrypt-proxy.nix 
@@ -0,0 +1,81 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + + cfg = config.services.dnscrypt-proxy; + + format = pkgs.formats.toml { }; + + configFile = format.generate "dnscrypt-proxy.toml" cfg.settings; + +in + +{ + options.services.dnscrypt-proxy = { + + enable = lib.mkEnableOption "the dnscrypt-proxy service."; + + package = lib.mkPackageOption pkgs "dnscrypt-proxy2" { }; + + settings = lib.mkOption { + description = '' + Attrset that is converted and passed as TOML config file. + For available params, see: + ''; + example = lib.literalExpression '' + { + sources.public-resolvers = { + urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; + cache_file = "public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + refresh_delay = 72; + }; + } + ''; + type = format.type; + default = { }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users._dnscrypt-proxy = { + uid = config.ids.uids._dnscrypt-proxy; + gid = config.ids.gids._dnscrypt-proxy; + home = "/var/lib/dnscrypt-proxy"; + createHome = true; + shell = "/usr/bin/false"; + description = "System user for dnscrypt-proxy"; + }; + + users.groups._dnscrypt-proxy = { + gid = config.ids.gids._dnscrypt-proxy; + description = "System group for dnscrypt-proxy"; + }; + + users.knownUsers = [ "_dnscrypt-proxy" ]; + users.knownGroups = [ "_dnscrypt-proxy" ]; + + launchd.daemons.dnscrypt-proxy = { + script = '' + ${lib.getExe' cfg.package "dnscrypt-proxy"} -config ${configFile} + ''; + serviceConfig = + let + logPath = config.users.users._dnscrypt-proxy.home + "/dnscrypt-proxy.log"; + in + { + RunAtLoad = true; + KeepAlive = true; + StandardOutPath = logPath; + StandardErrorPath = logPath; + GroupName = "_dnscrypt-proxy"; + UserName = "_dnscrypt-proxy"; + }; + }; + }; +} diff --git a/release.nix b/release.nix index 115025ee..eaf30044 100644 --- a/release.nix +++ b/release.nix 
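Review bot: `settings` is rendered by `format.generate` into the Nix store, which is world-readable, so any credential a user places in it (for example inside an upstream proxy URL) becomes readable by every local account; the `settings.description` should state that the generated TOML is not private and that secrets must not go into `settings`. The example also uses a relative `cache_file = "public-resolvers.md"`; if dnscrypt-proxy resolves relative paths against the directory of the config file, that write would land in the read-only store, so the example would be safer with an absolute path under the service home, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`. The description ends at `For available params, see:` with nothing following, which reads as a missing link unless it was lost in rendering.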
@@ -103,6 +103,7 @@ in { tests.sockets-nix-daemon = makeTest ./tests/sockets-nix-daemon.nix; tests.services-aerospace = makeTest ./tests/services-aerospace.nix; tests.services-dnsmasq = makeTest ./tests/services-dnsmasq.nix; + tests.services-dnscrypt-proxy = makeTest ./tests/services-dnscrypt-proxy.nix; tests.services-eternal-terminal = makeTest ./tests/services-eternal-terminal.nix; tests.services-nix-gc = makeTest ./tests/services-nix-gc.nix; tests.services-nix-optimise = makeTest ./tests/services-nix-optimise.nix; diff --git a/tests/services-dnscrypt-proxy.nix b/tests/services-dnscrypt-proxy.nix new file mode 100644 index 00000000..15d59739 --- /dev/null +++ b/tests/services-dnscrypt-proxy.nix @@ -0,0 +1,23 @@ +{ + config, + pkgs, + ... +}: + +let + dnscrypt-proxy = pkgs.runCommand "dnscrypt-proxy-0.0.0" { } "mkdir $out"; +in +{ + services.dnscrypt-proxy.enable = true; + services.dnscrypt-proxy.package = dnscrypt-proxy; + + test = '' + + echo >&2 "checking dnscrypt-proxy service in /Library/LaunchDaemons" + grep -q "org.nixos.dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + grep -q "dnscrypt-proxy-start" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + + echo >&2 "checking dnscrypt-proxy system user in /Library/LaunchDaemons" + grep -q "_dnscrypt-proxy" -- ${config.out}/Library/LaunchDaemons/org.nixos.dnscrypt-proxy.plist + ''; +}
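Review bot: The test only greps the plist for the daemon label, the `dnscrypt-proxy-start` wrapper and the `_dnscrypt-proxy` user; nothing asserts that `settings` was rendered to a TOML file or that the start script passes it via `-config`, so a regression in `configFile` generation would pass this test. A grep on the start script the plist references, e.g. `grep -q -- '-config .*dnscrypt-proxy.toml' <path-of-dnscrypt-proxy-start-script>` (path to be read from the plist's program arguments), would cover that. The second `echo` says it checks the system user "in /Library/LaunchDaemons", which only holds because the plist's `UserName` field is what is grepped; wording it as "checking dnscrypt-proxy daemon runs as _dnscrypt-proxy" would describe the check accurately.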