{lib, ...}: let
  domain = "adguard.everest.tailscale";
  port = 3001;
in {
  services = {
    adguardhome = {
      enable = true;
      host = "127.0.0.1";
      port = port;
      settings = {
        dns = {
          bind_hosts = [
            "10.0.0.2"
            "100.100.0.1"
          ];
          bootstrap_dns = ["9.9.9.9"];
        };
      };
    };

    headscale.settings.dns = {
      nameservers.global = lib.mkForce ["100.100.0.1"];
      extra_records = [
        {
          name = domain;
          type = "A";
          value = "100.100.0.1";
        }
      ];
    };

    caddy.virtualHosts.adguardhome = {
      hostName = domain;
      extraConfig = ''
        import tailscale
        reverse_proxy 127.0.0.1:${builtins.toString port}
      '';
    };
  };
  programs.rust-motd.settings.service_status."AdGuard Home" = "adguardhome";
}