diff --git a/homes/common.nix b/homes/common.nix
index 20f18da..39b16be 100644
--- a/homes/common.nix
+++ b/homes/common.nix
@@ -76,9 +76,9 @@ in {
       hmb = "home-manager build --flake ~/.config/home-manager#$USER@$(hostname -s)";
       anp =
-        "ansible-playbook -i ~/.config/home-manager/inventory.yaml ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
+        "ansible-playbook -i ~/.config/home-manager/inventory.yaml -e @~/.config/home-manager/secrets_file.enc --vault-password-file $HM_AGENIX_SECRETS_DIR/ansible-vault-password ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
       anc =
-        "ansible-playbook -v -i ~/.config/home-manager/inventory.yaml --check ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
+        "ansible-playbook -v -i ~/.config/home-manager/inventory.yaml -e @~/.config/home-manager/secrets_file.enc --vault-password-file $HM_AGENIX_SECRETS_DIR/ansible-vault-password --check ~/.config/home-manager/playbook.yaml --limit $(hostname -s) --ask-become-pass";
     };
     sessionPath = [ "$HOME/.local/bin" ];
     activation = {
diff --git a/homes/linux.nix b/homes/linux.nix
index 4d9a701..9955dc1 100644
--- a/homes/linux.nix
+++ b/homes/linux.nix
@@ -1,4 +1,6 @@
 { config, lib, pkgs, pkgs-unstable, ... }: {
+  age.secrets.ansible-vault-password.file =
+    ./../secrets/ansible-vault-password.age;
   fonts = { fontconfig = { enable = true; }; };
   home = {
     # A notable exception here: R
@@ -14,7 +16,10 @@
     # Right now, I am using the distro's R on Linux, and Homebrew on MacOS.
     # This is less than ideal, but I'm willing to deal with it for now.
     packages = with pkgs; [ bitwarden-cli ];
-    sessionVariables = { JULIA_NUM_THREADS = "$(nproc)"; };
+    sessionVariables = {
+      JULIA_NUM_THREADS = "$(nproc)";
+      HM_AGENIX_SECRETS_DIR = "$XDG_RUNTIME_DIR/agenix";
+    };
     shellAliases = {
       nrun = ''
         __NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia __VK_LAYER_NV_optimus="NVIDIA_only"'';
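Review bot: Both new alias strings depend on `$HM_AGENIX_SECRETS_DIR`, which this commit exports only from the Linux home (linux.nix); if common.nix is also imported by the non-Linux home the linux.nix comments allude to, the variable is unset there and the path degrades to `/ansible-vault-password`, so the alias fails with an error about a missing vault password file rather than about the missing variable. A guarded expansion states the precondition where it is used: `--vault-password-file \${HM_AGENIX_SECRETS_DIR:?HM_AGENIX_SECRETS_DIR is not set}/ansible-vault-password` (the backslash keeps Nix from interpolating `${`). The two strings now differ only by `-v` and `--check`; a `let` binding for the shared `-i … -e … --vault-password-file …` prefix would keep them from drifting apart. Note that the shell does not tilde-expand `@~/.config/...` because the word starts with `@`; this relies on Ansible expanding `~` in `@file` extra-vars itself, which I believe it does, but is worth confirming.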
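Review bot: `HM_AGENIX_SECRETS_DIR = "$XDG_RUNTIME_DIR/agenix"` re-states by hand the location the agenix home-manager module already tracks in `config.age.secretsDir` (and per secret in `config.age.secrets.<name>.path`), so a later change of that option, or a different default on another platform, would break the `anp`/`anc` aliases in common.nix while home-manager still builds cleanly. `HM_AGENIX_SECRETS_DIR = config.age.secretsDir;` keeps the two coupled, assuming the option's value is the shell-expandable string the module documents as its default. The enclosing `home` attribute set starts outside this hunk.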
diff --git a/playbook.yaml b/playbook.yaml
index 45b188a..59364f5 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -216,6 +216,25 @@
       ansible.builtin.dnf:
         name: "*"
         state: latest # noqa: package-latest
+      # Install a policy file to force Firefox to use encrypted DNS
+      - name: Create Firefox DNS policy, line 1
+        ansible.builtin.lineinfile:
+          path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+          mode: "644"
+          create: true
+          line: lockPref("network.trr.mode", 3);
+      - name: Create Firefox DNS policy, line 1
+        ansible.builtin.lineinfile:
+          path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+          mode: "644"
+          create: true
+          line: lockPref("network.trr.url", "{{ dns_server }}");
+      - name: Create Firefox DNS policy, line 1
+        ansible.builtin.lineinfile:
+          path: /usr/lib64/firefox/defaults/pref/autoconfig.js
+          mode: "644"
+          create: true
+          line: lockPref("network.trr.custom_uri", "{{ dns_server }}");
     # Generally speaking, I try to install Flatpak applications at the user level
     # b/c that really gives more credence to the whole sandboxing idea (concept of
diff --git a/secrets.nix b/secrets.nix
index 3c445ef..16d37c3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -18,4 +18,5 @@ in {
   "secrets/network-information.age".publicKeys = system-administrators ++ [ bosephus-host ];
   "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
+  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
 }
diff --git a/secrets/ansible-vault-password.age b/secrets/ansible-vault-password.age
new file mode 100644
index 0000000..c6f637d
--- /dev/null
+++ b/secrets/ansible-vault-password.age
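Review bot: All three new tasks carry the same name, `Create Firefox DNS policy, line 1`, and none of the `lineinfile` calls sets `regexp`, so each task converges only while its rendered `line` is byte-identical: after `dns_server` changes, the old `network.trr.url` and `network.trr.custom_uri` lines stay in autoconfig.js beside the new ones and the effective value depends on file order. A single looped task keyed on the pref name gives distinct task names and replaces a stale line in place; sketch below, with `regex_escape` keeping the dots in the pref name literal. Two things to confirm before relying on this: as far as I know `lockPref()` is only honoured in the autoconfig `.cfg` file that `defaults/pref/autoconfig.js` normally points at via `general.config.filename`, not inside `defaults/pref/*.js` itself, so these lines may be ignored; and `network.trr.mode` 3 disables fallback to system DNS, so an unreachable `dns_server` endpoint stops all Firefox name resolution. The task list continues outside this hunk.
```yaml
      # Pin Firefox to the self-hosted DoH resolver: one task, one line per pref,
      # each line replaced in place when the value changes.
      - name: Create Firefox DNS policy for {{ item.pref }}
        ansible.builtin.lineinfile:
          path: /usr/lib64/firefox/defaults/pref/autoconfig.js
          mode: "644"
          create: true
          regexp: '^lockPref\("{{ item.pref | regex_escape }}"'
          line: lockPref("{{ item.pref }}", {{ item.value }});
        loop:
          - { pref: network.trr.mode, value: 3 }
          - { pref: network.trr.url, value: '"{{ dns_server }}"' }
          - { pref: network.trr.custom_uri, value: '"{{ dns_server }}"' }
```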
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 bN6E9A v/WLn5wj++mdWKQP0RAz5qgYNa3P+ako5i2ZrQU5MVg +KmLPE7C5aFXNVZZEi2Cfxre2DzgeC4yDyvzKcC1cGzk +-> ssh-ed25519 1g/xww l1rmdkJ9B3+FYXWbTWDFxF7enpxC+RPS5QkEExATdzI +SMdPI0zMDDbWukQD83Hx12pp4UiVKh0AtpvGp2qJIWA +-> ssh-ed25519 +kBihw EXqxoZjpZROGK3uoJjQsWHT+TXXgJiwN8NVxp0JoTSk +840G/EiMQxvuft2++iGDwtAfiNsFGviqr5JiJECK0Bs +-> ssh-ed25519 dbKeHw RHkpMrQpRWnr70FWT78mjStvcBpLku4RFdel/8QPOBQ +I8V30k0X2wZUELhSm7CnnRrhjGwNWjq8VIW0OWVPIiU +--- 3gWRhYAZNqriySifohEEy+0kwrp9qAntST+cKdE0vq8 +´³{ˆÃŒì®eåVzlM8¯ž¤RÂïFºL*C¬ÀÒµQ€¾tûƒCŸz7ºöøÀ <a¦ˆƒ0 V—'6Óx \ No newline at end of file diff --git a/secrets_file.enc b/secrets_file.enc new file mode 100644 index 0000000..bb76675 --- /dev/null +++ b/secrets_file.enc @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +35626563393033346332653338336363653831656234326433346531613831386235393633316566 +6436313935656662663361373538636537633763613839300a373939383862303731323136323864 +61303536663737626239313139356631336431326566366435333766653739376162616635336239 +6236316262653539320a346466306363643662636132383037326265643539373336366462343263 +39613930663536633665333931656332326633336639373937313833373632323539363336656365 +33633238376462393265313634633034663535376137353134306433383034353732646266303338 +303763386430363638303363336339363030