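# AdGuard Home as the LAN DNS and DHCP server, plus an Alloy pipeline that
# parses its journal output.
#
# Security-relevant choices made below (each is annotated where it is set):
#   * the admin UI is served over plain HTTP on port 80, on every interface,
#     and the firewall is opened for it;
#   * the admin credential is passed through `settings`;
#   * `mutableSettings` lets state changed through the UI outlive a rebuild;
#   * client addresses are taken from proxy headers sent by `trusted_proxies`.
{ config, tools, pkgs, ... }:
let
  lib = pkgs.lib;

  # Admin account for the AdGuard Home UI.
  master_login = config.globals.master.login;
  # NOTE(review): AdGuard Home expects a bcrypt hash in `users[].password`;
  # the name suggests an htpasswd-style hash, confirm it is never cleartext.
  master_pass = config.globals.master.initial_htpasswd;

  # Address helper supplied by the caller; accepts a host name ("proxy") or a
  # host number (150) in the call sites below.
  ip = tools.build_ip;
  proxy_addr = ip "proxy";

  # presumably both suffixes start with "." (the internal one is stripped of a
  # leading dot for DHCP, and both are appended directly to a name or "*").
  domain_ext = config.globals.domains.external;
  domain_int = config.globals.domains.internal;

  json = pkgs.formats.json { };
in
{
  # --- Log shipping -------------------------------------------------------
  # AdGuard Home log lines look like "2006/01/02 15:04:05.999999 [level] msg".
  # The regex must expose the named groups `timestamp`, `level` and `message`,
  # because the three stages after it read exactly those names.
  environment.etc."alloy/logs-adguardhome.alloy".text =
    (import ./alloy/default-journal-logger.alloy.nix {
      inherit tools;
      container = "dns";
      service = "adguardhome";
      additional_stages = ''
        stage.regex {
          expression = "^(?P<timestamp>\\S+ \\S+) \\[(?P<level>\\w+)\\] (?P<message>.*)$"
        }
        stage.timestamp {
          source   = "timestamp"
          format   = "2006/01/02 15:04:05.999999"
          location = "${config.globals.default_tz}"
        }
        stage.labels {
          values = {
            level = "level",
          }
        }
        stage.output {
          source = "message"
        }
      '';
    }).out;

  # --- Static DHCP leases -------------------------------------------------
  # One static lease per entry of `config.globals.other_hosts` that declares a
  # MAC address; hosts whose `mac` is null are skipped.
  environment.etc."AdGuardHome/data/leases.json".source = json.generate "leases.json" {
    version = 1;
    leases = lib.filter (lease: lease.mac != null) (
      lib.mapAttrsToList (host: h: {
        expires = "";
        ip = tools.build_ip h.ip;
        hostname = host;
        mac = h.mac;
        static = true;
      }) config.globals.other_hosts
    );
  };

  # The generated lease file replaces the runtime one on every service start,
  # so anything AdGuard Home wrote to that file since the last start is lost.
  # NOTE(review): assumes /var/lib/AdGuardHome/data already exists and that
  # preStart is allowed to chown to adguardhome; confirm on a first start.
  systemd.services.adguardhome.preStart = ''
    cp /etc/AdGuardHome/data/leases.json /var/lib/AdGuardHome/data/leases.json
    chown adguardhome:adguardhome /var/lib/AdGuardHome/data/leases.json
  '';

  # --- AdGuard Home -------------------------------------------------------
  services.adguardhome = {
    enable = true;
    allowDHCP = true;

    # Admin UI: plain HTTP, all interfaces, firewall opened. The login and the
    # session cookie therefore cross the network unencrypted unless every
    # client reaches the UI through the TLS-terminating proxy.
    # NOTE(review): consider binding to the address the proxy uses and
    # dropping `openFirewall` if direct access is not required.
    host = "0.0.0.0";
    port = 80;
    openFirewall = true;

    # Changes made in the web UI persist across restarts.
    # NOTE(review): with this enabled the declared settings are merged into the
    # existing AdGuardHome.yaml instead of replacing it, so UI-side drift
    # (extra users, disabled filters) can survive a rebuild; confirm against
    # the NixOS module version in use.
    mutableSettings = true;

    settings = {
      dhcp = {
        enabled = true;
        interface_name = "eth0";
        dhcpv4 = {
          gateway_ip = config.globals.gateway;
          subnet_mask = config.globals.mask;
          # Dynamic pool: hosts 150 through 199.
          range_start = tools.build_ip 150;
          range_end = tools.build_ip 199;
        };
        local_domain_name = lib.removePrefix "." domain_int;
      };

      http = {
        address = "0.0.0.0:80";
        # 720h = 30 days before a UI session expires.
        session_ttl = "720h";
      };

      # NOTE(review): values under `settings` are rendered into the generated
      # configuration, which normally lives in the world-readable Nix store;
      # treat the hash as exposed to local users, or inject it from a secret
      # file at activation time.
      users = [
        {
          name = master_login;
          password = master_pass;
        }
      ];

      filters = [
        {
          enabled = true;
          url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
          name = "AdGuard DNS filter";
          id = 1;
        }
        {
          enabled = true;
          url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
          name = "AdAway Default Blocklist";
          id = 2;
        }
      ];

      # Login throttling: 5 failed attempts, then a 15 minute block.
      auth_attempts = 5;
      block_auth_min = 15;
      language = "fr";

      dns = {
        bind_hosts = [ "0.0.0.0" ];
        port = 53;
        # Local resolver on 5335 first, Quad9 over DoH second.
        # NOTE(review): dns10.quad9.net is Quad9's unfiltered endpoint (no
        # threat blocking, no DNSSEC validation); confirm that is intended.
        upstream_dns = [
          "127.0.0.1:5335"
          "https://dns10.quad9.net/dns-query"
        ];
        # Only these sources may report the real client address through proxy
        # headers; keep the list limited to loopback and the reverse proxy.
        trusted_proxies = [
          "127.0.0.0/8"
          "::1/128"
          proxy_addr
        ];
      };

      filtering = {
        safe_search.enabled = false;
        blocking_mode = "nxdomain";
        # Split-horizon answers: every external name resolves to the reverse
        # proxy, and each key of `config.id` resolves to its own address under
        # the internal suffix.
        rewrites =
          [
            {
              domain = "*${domain_ext}";
              answer = proxy_addr;
              enabled = true;
            }
          ]
          ++ (lib.mapAttrsToList (d: id: {
            domain = "${d}${domain_int}";
            answer = "${ip d}";
            enabled = true;
          }) config.id);
      };
    };
  };
}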