{
  services = {
    blocky = {
      enable = true;
      settings = {
        ports = {
          dns = 53;
          http = 4000;
        };
        upstreams = {
          groups = {
            default = [ "127.0.0.1:5455" ];
            "100.64.0.0/10" = [ "127.0.0.1:5454" ];
            "fd7a:115c:a1e0::/96" = [ "127.0.0.1:5454" ];
            "fd7a:115c:a1e0:ab12::/64" = [ "127.0.0.1:5454" ];
          };
        };

        blocking = {
          blackLists = {
            ads = [
              "https://big.oisd.nl/domainswild"
              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt" # AdAway
              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt" # browser-based crypto miners
              "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts"
              ./extra-deny.txt
            ];
          };

          clientGroupsBlock = {
            default = [ "ads" ];
          };
        };

        caching = {
          maxTime = -1;
        };

        customDNS = {
          mapping = {
            # Horus
            "vaultserver.horus.nu" = "192.168.4.32";
          };
        };

        prometheus = {
          enable = true;
        };

        queryLog = {
          type = "csv";
          target = "/var/lib/blocky/querylog";
          logRetentionDays = 7;
        };
      };
    };
  };
}