{ config, pkgs, lib, ... }:

let
  domain = "adguard.architect.devs.giugl.io";
in
{
  architect = {
    firewall.openUDPVPN = [ 53 ];

    vhost.${domain} = {
      dnsInterfaces = [ "lan" "tailscale" ];

      locations."/" = with config; {
        port = services.adguardhome.settings.bind_port;
        allow = with architect.networks; [ lan.net tailscale.net ];
        deny = [
          architect.networks."lan".devices.router.address
        ];
      };
    };
  };

  services = {
    dnsmasq = {
      enable = true;
      settings = {
        server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
        localise-queries = true;
        min-cache-ttl = 120;
        max-cache-ttl = 2400;
        domain = [
          "runas.rocks"
          "giugl.io"
          "devs.runas.rocks"
          "devs.giugl.io"
        ];
      };
    };

    adguardhome = {
      enable = true;
      settings = {
        bind_port = 5354;
        dns = {
          port = 5300;
        };
        upstream_dns = [
          "tls://architect.d65174.dns.nextdns.io"
          "https://dns.nextdns.io/d65174/architect"
        ];
      };
    };

    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        listen_addresses = [ "127.0.0.1:5353" ];
        ipv4_servers = true;
        ipv6_servers = false;
        block_ipv6 = true;
        dnscrypt_servers = true;
        doh_servers = true;
        require_nolog = true;
        require_nofilter = true;
        timeout = 350;
        lb_strategy = "p4";
        lb_estimator = true;
        ignore_system_dns = true;
        fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
        cache_min_ttl = 60;
        cache_max_ttl = 360;
      };
    };
  };
}