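{ config, pkgs, lib, ... }:

let
  # DNS listener port of AdGuard Home. dnsmasq forwards to this port and
  # services.adguardhome.settings.dns.port below is set from this binding, so
  # the two cannot drift apart (the literal 5300 was previously repeated there).
  adguard_dns_port = 5300;
  domain = "adguard.architect.devs.giugl.io";
  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) architectInterfaceAddress;
in
{
  # Only UDP/53 is opened towards VPN clients by this file -- presumably the
  # dnsmasq listener, which runs on its default port here. AdGuard Home's own
  # DNS port (adguard_dns_port) and web port (bind_port) are not opened by this
  # file; they are reached through dnsmasq / nginx on this host.
  architect.firewall.openUDPVPN = [ 53 ];

  # Resolve the AdGuard hostname to this host's address on each network the
  # clients may arrive from. Keep one entry per line: a hosts-file line is
  # "address name [aliases...]", so joining them would produce one bogus entry.
  networking.extraHosts = ''
    ${architectInterfaceAddress "lan"} ${domain}
    ${architectInterfaceAddress "wireguard"} ${domain}
    ${architectInterfaceAddress "tailscale"} ${domain}
  '';

  services = {
    # TLS-terminating reverse proxy in front of the AdGuard web UI.
    # Access is limited to the LAN and Tailscale ranges. NOTE(review): the
    # wireguard address is published in extraHosts above, but no wireguard
    # range is allowed here, so wireguard clients are denied unless they also
    # fall inside one of the allowed nets -- confirm this is intended.
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        allow ${config.architect.networks.lan.net};
        allow ${config.architect.networks.tailscale.net};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.settings.bind_port}";
      };
    };

    # Local caching resolver; every query is forwarded to AdGuard Home on loopback.
    dnsmasq = {
      enable = true;
      settings = {
        server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
        localise-queries = true;
        min-cache-ttl = 120;
        max-cache-ttl = 2400;
        domain = [ "runas.rocks" "giugl.io" "devs.runas.rocks" "devs.giugl.io" ];
      };
    };

    adguardhome = {
      enable = true;
      settings = {
        # Web UI port that nginx proxies to. bind_host is not set in this file,
        # so whether the UI is also reachable directly on this port depends on
        # the module default -- NOTE(review): confirm it is loopback-only, since
        # nginx's allow/deny list only covers the proxied path.
        bind_port = 5353;
        dns = {
          port = adguard_dns_port;
        };
        # Both upstreams use encrypted transports (tls:// and https:// schemes).
        upstream_dns = [
          "tls://architect.d65174.dns.nextdns.io"
          "https://dns.nextdns.io/d65174/architect"
        ];
      };
    };
  };
}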