# Local DNS chain for this host:
#   clients -> dnsmasq (cache) -> AdGuard Home DNS (loopback:5300) -> NextDNS (DoT/DoH)
# dnscrypt-proxy2 also listens on 127.0.0.1:5353, but nothing in this file
# forwards to it; presumably another module does — confirm before changing it.
{ config, pkgs, lib, ... }:
let
  domain = "adguard.architect.devs.giugl.io";

  # Read lazily from the merged NixOS config so an override of the AdGuard Home
  # ports made elsewhere is picked up by both dnsmasq and the vhost.
  adguard = config.services.adguardhome.settings;
  networks = config.architect.networks;

  # Passed through to dnsmasq's `domain` option.
  localDomains = [
    "runas.rocks"
    "giugl.io"
    "devs.runas.rocks"
    "devs.giugl.io"
  ];
in
{
  architect = {
    # Opens UDP/53 towards the VPN (exact semantics are defined by the
    # architect.firewall module, outside this file).
    firewall.openUDPVPN = [ 53 ];

    vhost.${domain} = {
      dnsInterfaces = [ "lan" "tailscale" ];
      locations."/" = {
        # AdGuard Home's web UI port, not its DNS port.
        port = adguard.bind_port;
        # LAN and tailnet ranges are allowed; the router's own address is
        # denied. How allow/deny combine is up to the architect.vhost module.
        allow = [ networks.lan.net networks.tailscale.net ];
        deny = [ networks.lan.devices.router.address ];
      };
    };
  };

  services = {
    # Caching resolver that forwards to AdGuard Home's DNS listener on loopback.
    dnsmasq = {
      enable = true;
      settings = {
        server = [ "127.0.0.1#${toString adguard.dns.port}" ];
        localise-queries = true;
        min-cache-ttl = 120;
        max-cache-ttl = 2400;
        domain = localDomains;
      };
    };

    # Filtering resolver; both upstreams are encrypted (DoT and DoH to NextDNS).
    adguardhome = {
      enable = true;
      settings = {
        bind_port = 5354;
        dns.port = 5300;
        upstream_dns = [
          "tls://architect.d65174.dns.nextdns.io"
          "https://dns.nextdns.io/d65174/architect"
        ];
      };
    };

    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        listen_addresses = [ "127.0.0.1:5353" ];
        # IPv4 upstreams only; IPv6-related queries are short-circuited.
        ipv4_servers = true;
        ipv6_servers = false;
        block_ipv6 = true;
        dnscrypt_servers = true;
        doh_servers = true;
        # Restrict to upstreams that advertise no-logging and no-filtering.
        # These properties are self-reported in the resolver list, not verified.
        require_nolog = true;
        require_nofilter = true;
        timeout = 350;
        lb_strategy = "p4";
        lb_estimator = true;
        ignore_system_dns = true;
        # Plaintext UDP/53 resolvers used only for bootstrapping (resolver-list
        # and upstream hostname lookups). NOTE(review): newer dnscrypt-proxy
        # releases call this option `bootstrap_resolvers` — check the installed
        # version's config reference.
        fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
        cache_min_ttl = 60;
        cache_max_ttl = 360;
      };
    };
  };
}