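# NixOS module: runs AdGuard Home as the host's DNS (and, optionally, DHCP)
# server and forwards queries to the resolvers in `eboskma.adguard.upstreams`.
#
# There is no `enable` option: importing this module turns the service on and
# opens the firewall ports listed below.
{ config, lib, ... }:
let
  inherit (lib) mkOption types;

  cfg = config.eboskma.adguard;
in
{
  options.eboskma.adguard = {
    # No default is declared, so every host that imports the module must set
    # this option or evaluation fails.
    upstreams = mkOption {
      description = "Upstream DNS servers";
      type = types.listOf types.str;
      # AdGuard Home selects the transport from the URL scheme:
      #   https://…/dns-query  DNS-over-HTTPS (encrypted)
      #   tls://…              DNS-over-TLS   (encrypted)
      #   bare address         plain DNS on port 53, readable and modifiable
      #                        by anyone on the path to the resolver
      # `http://` is not an accepted upstream scheme; DoH needs `https://`.
      example = [
        "https://1.1.1.1/dns-query"
        "tls://1.1.1.1"
        "1.1.1.1"
      ];
    };
  };

  config = {
    services.adguardhome = {
      enable = true;
      # In the nixpkgs module this opens the port of the web (admin)
      # interface, not the DNS port, and the rule is not limited to one
      # interface. Set it to false, or scope the rule per interface, if the
      # admin UI must not be reachable from every attached network.
      openFirewall = true;

      settings = {
        dns = {
          upstream_dns = cfg.upstreams;
        };
      };
    };

    # CAP_NET_RAW lets the service open raw sockets, which the built-in DHCP
    # server needs. It is granted to the whole AdGuard Home process, so drop
    # this line on hosts that do not serve DHCP.
    # NOTE(review): recent nixpkgs releases appear to offer
    # `services.adguardhome.allowDHCP` for this; confirm against the pinned
    # nixpkgs before switching.
    systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];

    # 53/udp = DNS, 67/udp = DHCP server. These rules apply to all interfaces;
    # a resolver reachable from an untrusted network can be abused as an open
    # resolver, so prefer `networking.firewall.interfaces.<name>` where the
    # host also has an untrusted uplink.
    # NOTE(review): 53/tcp is not opened, so clients retrying truncated
    # answers over TCP will be blocked. Confirm whether that is intended.
    networking.firewall = {
      allowedUDPPorts = [
        53
        67
      ];
    };
  };
}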