# AdGuard Home fronted by dnsmasq (DNS) and nginx (web UI).
#
# dnsmasq forwards queries to AdGuard Home on a loopback port.
# The web UI is published through an nginx TLS virtual host with a
# source-address ACL.
{ config, pkgs, lib, ... }:

let
  # Hostname under which the AdGuard Home web UI is published.
  uiDomain = "adguard.architect.devs.giugl.io";

  # Loopback port dnsmasq uses as its upstream resolver.
  # NOTE(review): nothing in this file configures AdGuard Home's DNS listener,
  # so this value has to match AdGuard Home's own settings. Confirm it is kept
  # in sync, otherwise dnsmasq forwards to a closed port.
  adguardDnsPort = 5300;

  # Project helper; called below with an interface name to get that interface's address.
  inherit (import ./utilities.nix { inherit lib config; }) architectInterfaceAddress;

  nets = config.architect.networks;
  uiPort = config.services.adguardhome.port;
in
{
  # Project-specific firewall option; presumably opens UDP/53 towards the VPN
  # networks. Verify against the firewall module.
  # NOTE(review): only UDP is listed here. Truncated or large DNS answers fall
  # back to TCP/53, so confirm whether that is opened elsewhere.
  architect.firewall.openUDPVPN = [ 53 ];

  # Publish the UI hostname once per interface address.
  # With `localise-queries` below, dnsmasq answers with the address that
  # belongs to the interface the query arrived on.
  networking.extraHosts = ''
    ${architectInterfaceAddress "lan"} ${uiDomain}
    ${architectInterfaceAddress "wireguard"} ${uiDomain}
    ${architectInterfaceAddress "tailscale"} ${uiDomain}
  '';

  services.adguardhome = {
    enable = true;
    # Web UI port; the nginx proxyPass below reads this same option.
    # NOTE(review): the nginx allow/deny list only protects requests that go
    # through nginx. Confirm AdGuard Home's own listener is bound to loopback
    # (services.adguardhome.host, where the module provides it) or blocked by
    # the firewall, so the ACL and TLS cannot be sidestepped by connecting to
    # this port directly.
    port = 5353;
  };

  services.dnsmasq = {
    enable = true;
    # Upstream resolver: AdGuard Home on loopback.
    servers = [ "127.0.0.1#${toString adguardDnsPort}" ];
    # min/max-cache-ttl override the TTLs returned upstream, so records may be
    # cached longer or shorter than their owners intended.
    # NOTE(review): several unqualified `domain=` lines are given; verify which
    # of them dnsmasq actually applies.
    extraConfig = ''
      localise-queries
      min-cache-ttl=120
      max-cache-ttl=2400
      domain=runas.rocks
      domain=giugl.io
      domain=devs.runas.rocks
      domain=devs.giugl.io
    '';
  };

  services.nginx.virtualHosts.${uiDomain} = {
    forceSSL = true;
    enableACME = true;
    # Source-address ACL: only the LAN and tailscale networks may reach the
    # admin UI; every other client is rejected.
    # NOTE(review): extraHosts also publishes this name on the wireguard
    # address, but the wireguard network is not allowed here. Confirm whether
    # excluding wireguard clients is intentional.
    extraConfig = ''
      allow ${nets.lan.net};
      allow ${nets.tailscale.net};
      deny all;
    '';
    # TLS terminates at nginx; the hop to AdGuard Home is plain HTTP over loopback.
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString uiPort}";
    };
  };
}