{ config, lib, ... }:
{
  services = {
    adguardhome = {
      enable = true;
      openFirewall = false;
      mutableSettings = false;

      settings = {
        http = {
          address = "127.0.0.1:3000";
        };

        dns = {
          bind_hosts = [ "127.0.0.1" ];
          port = 53;

          upstream_dns = [
            "https://de-fra-dns-001.mullvad.net/dns-query"
            "https://gb-lon-dns-001.mullvad.net/dns-query"
            "https://gb-lon-dns-301.mullvad.net/dns-query"
          ];
          fallback_dns = [
            "9.9.9.9"
            "149.112.112.112"
          ];
          bootstrap_dns = [
            "9.9.9.9"
            "149.112.112.112"
          ];
        };

        filtering = {
          rewrites = [
            # searxng
            {
              domain = "search.internal";
              answer = "127.0.0.1";
            } 
            # adguard
            {
              domain = "dns.internal";
              answer = "127.0.0.1";
            } 
          ];
          
          protection_enabled = true;
          filtering_enabled = true;

          parental_enabled = false;  # Parental control-based DNS requests filtering.

          safe_search = {
            enabled = false;  # Enforcing "Safe search" option for search engines, when possible.
          };
        };
      };
    };

    nginx ={
			enable = true;
	    recommendedGzipSettings = true;
	    recommendedOptimisation = true;
	    recommendedProxySettings = true;

      virtualHosts = {
        "dns.internal" = {
          locations."/" = {
            proxyPass = "http://127.0.0.1:3000";
            proxyWebsockets = true;
          };
        };
      };
    };
  };

  networking = {
    nameservers = [
      "127.0.0.1"
    ];

    hosts = {
      "127.0.0.1" = [
        "dns.internal"
        "search.internal"
      ];
    };
  };
}