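# NixOS module that runs AdGuard Home as a hardened systemd service.
#
# The declarative part of the AdGuard configuration is rendered at build time
# and merged into the mutable AdGuardHome.yaml that lives in the service's
# state directory, so settings changed through the web UI survive a rebuild
# while the keys below are always re-applied.
{ config, pkgs, lib, ... }:
let
  # Keys follow the upstream configuration-file reference:
  # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file
  baseconf = {
    # Web UI / API. Note that this is plain HTTP on every interface and the
    # firewall below opens bind_port, so the admin login is exposed unencrypted
    # to the LAN. Consider binding to 127.0.0.1 and fronting it with TLS, or
    # restricting bind_port to trusted interfaces.
    bind_host = "0.0.0.0";
    bind_port = 3000;

    users = [{
      name = "dnsadmin";
      # bcrypt hash of the admin password. TODO: move to a secrets mechanism —
      # everything in baseconf ends up world-readable in /nix/store via
      # baseconfFile, so the hash is exposed to every local user and can be
      # brute-forced offline.
      password = "$2a$10$.pGOj.bhC1PmGvIs1z8MVuRibYFMh5JzWeArJWKSfpFPkWhv8zL6G";
    }];

    dns = {
      # bind_hosts (a list) replaces bind_host in a newer AdGuard Home version.
      bind_host = "0.0.0.0";
      port = 53;

      # Resolver used only to look up the hostnames of the DoT/DoH upstreams.
      # A list does not work with the AdGuard Home version in use, so this is a
      # single string; the intended list was:
      #   "1.1.1.1" "9.9.9.10" "149.112.112.10" "2620:fe::10" "2620:fe::fe:10"
      bootstrap_dns = "1.1.1.1";

      # All upstreams are encrypted (DoT/DoH). AdGuard Home queries upstreams in
      # parallel by default, so a single plaintext entry here would leak a share
      # of all queries on the wire; Google is therefore reached over DoT as well.
      upstream_dns = [
        "tls://8.8.8.8"
        "tls://1.1.1.1"
        "https://dns.cloudflare.com/dns-query"
        "https://dns10.quad9.net/dns-query"
      ];
    };
  };

  # JSON is a subset of YAML, so the rendered attrset is a valid AdGuardHome.yaml
  # fragment. The file is validated by adguardhome itself at build time so a
  # typo in baseconf fails the build instead of the service.
  baseconfFile = pkgs.writeTextFile {
    name = "baseconf.yaml";
    text = builtins.toJSON baseconf;
    checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config";
  };
in
{
  networking.firewall = {
    allowedUDPPorts = [ baseconf.dns.port ];
    # bind_port exposes the HTTP admin UI; see the note on bind_host above.
    allowedTCPPorts = [ baseconf.dns.port baseconf.bind_port ];
  };

  systemd.services.adguard = {
    description = "AdGuard Home";
    wantedBy = [ "multi-user.target" ];

    # Seed or update $STATE_DIRECTORY/AdGuardHome.yaml from baseconfFile.
    #
    # The runtime config contains the admin password hash (and any credentials
    # entered in the UI), so every path that creates it must leave it 0600.
    # `set -eu` ensures a failed merge does not `mv` a truncated file over the
    # live configuration; `umask 077` makes the redirect output private from
    # the moment it is created rather than only after a later chmod.
    preStart = ''
      set -eu
      umask 077
      if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ]; then
        ${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${baseconfFile}" > "$STATE_DIRECTORY/AdGuardHome.yaml.tmp"
        mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml"
      else
        cp "${baseconfFile}" "$STATE_DIRECTORY/AdGuardHome.yaml"
      fi
      chmod 600 "$STATE_DIRECTORY/AdGuardHome.yaml"
    '';

    serviceConfig = {
      # --no-check-update: the binary lives in the read-only Nix store, so the
      # built-in self-updater can never succeed and must not be offered in the UI.
      ExecStart = "${pkgs.adguardhome}/bin/adguardhome -w $STATE_DIRECTORY --no-check-update";
      # DynamicUser already implies NoNewPrivileges, ProtectSystem=strict,
      # ProtectHome=read-only, PrivateTmp and RemoveIPC.
      DynamicUser = true;
      StateDirectory = "adguard";
      # Needed to bind port 53. The bounding set is restricted to the same
      # capability so nothing else can be (re)acquired by the process.
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
    };
  };
}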