diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index 99507ab..801cbae 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -1,36 +1,26 @@
 { config, pkgs, lib, ... }:
 
 let
-  adguard_dns_port = 5300;
   domain = "adguard.architect.devs.giugl.io";
-
-  utilities = import ./utilities.nix { inherit lib config; };
-  inherit (utilities) architectInterfaceAddress;
 in
 {
-  architect.firewall.openUDPVPN = [ 53 ];
+  architect = {
+    firewall.openUDPVPN = [ 53 ];
 
-  networking.extraHosts = ''
-    ${architectInterfaceAddress "lan"} ${domain}
-    ${architectInterfaceAddress "wireguard"} ${domain}
-    ${architectInterfaceAddress "tailscale"} ${domain}
-  '';
+    vhost.${domain} = {
+      dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
 
-  services = {
-    nginx.virtualHosts.${domain} = {
-      forceSSL = true;
-      enableACME = true;
-      extraConfig = ''
-        allow ${config.architect.networks.lan.net};
-        allow ${config.architect.networks.tailscale.net};
-        deny all;
-      '';
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.settings.bind_port}";
+      locations."/" = with config; {
+        port = services.adguardhome.settings.bind_port;
+        allow = with architect.networks; [ lan.net tailscale.net ];
+        deny = [
+          architect.networks."lan".devices.router.address
+        ];
       };
     };
+  };
 
+  services = {
     dnsmasq = {
       enable = true;
       settings = {