nixos-config/modules/nixos/services/nameservers/blocking.nix

{
  config,
  lib,
  allHosts,
  ...
}:
let
  cfg = config.custom.services.blocking-nameserver;
  netCfg = config.custom.networking;

  recursiveNameservers =
    allHosts
    |> lib.attrValues
    |> lib.filter (host: host.config.custom.services.recursive-nameserver.enable)
    |> lib.map (
      host:
      "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.recursive-nameserver.port}"
    );
in
{
  options.custom.services.blocking-nameserver = {
    enable = lib.mkEnableOption "";
    port = lib.mkOption {
      type = lib.types.port;
      default = 53;
    };
    gui = {
      domain = lib.mkOption {
        type = lib.types.nonEmptyStr;
        default = "";
      };
      port = lib.mkOption {
        type = lib.types.port;
        default = 58479;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      adguardhome = {
        enable = true;
        mutableSettings = false;

        host = "127.0.0.1";
        inherit (cfg.gui) port;

        settings = {
          dns = {
            bind_hosts = [ netCfg.overlay.address ];
            inherit (cfg) port;

            upstream_dns =
              if (recursiveNameservers != [ ]) then recursiveNameservers else [ "9.9.9.9#dns.quad9.net" ];
            upstream_mode = "parallel";
            bootstrap_dns = [
              "1.1.1.1"
              "8.8.8.8"
            ];
          };

          filtering = {
            protection_enabled = true;
            filtering_enabled = true;
          };
          filters = lib.singleton {
            enabled = true;
            url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
          };
        };
      };

      nebula.networks.mesh.firewall.inbound = lib.singleton {
        inherit (cfg) port;
        proto = "any";
        host = "any";
      };
    };

    systemd.services.adguardhome = {
      enableStrictShellChecks = false;
      requires = [ netCfg.overlay.systemdUnit ];
      after = [ netCfg.overlay.systemdUnit ];
    };

    custom = {
      services.caddy.virtualHosts.${cfg.gui.domain}.port = lib.mkIf (cfg.gui.domain != null) cfg.gui.port;

      meta.sites.${cfg.gui.domain} = lib.mkIf (cfg.gui.domain != null) {
        title = "Adguard Home";
        icon = "sh:adguard-home";
      };
    };
  };
}