VPN
To quickly install and configure wireguard you can use [this role]https://github.com/githubixx/ansible-role-wireguard.
A script from wireguard-tools that neatly sets up
wireguard from wg-quick.conf. It's essentially
reimplemented in NixOS afaik so you decide which to chose,
networking.wireguard or
networking.wg-quick.
DNS= option makes resolvconf use wireguard for dns
exclusively (resolvconf -x) which serves a clear purpose:
disallowing a system from making unencrypted dns requests. That
behaviour is not always desireable though, e.g. when you only need dns
in wireguard to resolve peers' names.