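# NixOS module: AdGuard Home published only over the tailnet.
#
# The DNS listener is bound to this host's Tailscale addresses rather than
# 0.0.0.0, so the resolver is not reachable on other interfaces; the web UI is
# exposed through `services.webserver.vHosts` with `tailscaleAuth`.  TLS
# material is handed to the service via systemd `LoadCredential`, so the ACME
# directory itself never has to be readable by the adguardhome service user.
{ config, lib, ... }:

let
  cfg = config.services.tailscaledAdguardhome;
  # NOTE(review): `networking.domain` is nullable upstream; the interpolation
  # below fails at eval time if it is unset — confirm it is always defined.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
  acme = config.security.acme;
  # Directory under which systemd exposes this unit's LoadCredential entries.
  credDir = "/run/credentials/adguardhome.service";
in
{
  imports = [
    # Surface adguardhome's own `settings` and `port` under this module's
    # namespace so callers only deal with one option tree.
    (lib.mkAliasOptionModule
      [ "services" "tailscaledAdguardhome" "settings" ]
      [ "services" "adguardhome" "settings" ])
    (lib.mkAliasOptionModule
      [ "services" "tailscaledAdguardhome" "port" ]
      [ "services" "adguardhome" "port" ])
  ];

  options.services.tailscaledAdguardhome = {
    # mkEnableOption already prefixes "Whether to enable", so only the subject
    # is passed (the previous text rendered as "Whether to enable Enable ...").
    enable = lib.mkEnableOption "tailscaled AdGuard Home";

    subdomain = lib.mkOption {
      type = lib.types.str;
      description = ''
        Subdomain under `networking.domain` used for the AdGuard Home web UI
        virtual host and as the TLS server name.
      '';
    };

    dnsBindHosts = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      # Default keeps the previously hard-coded Tailscale addresses.
      default = [ "100.84.105.63" "fd7a:115c:a1e0::7901:693f" ];
      description = ''
        Addresses the DNS listener binds to.  Keep this to the host's
        Tailscale addresses so the resolver is only reachable over the
        tailnet and does not become an open resolver on other interfaces.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale.enable = true;

    # NOTE(review): `modules.firewall` is a local module, not upstream NixOS;
    # presumably this opens the "dns" rule set on the tailscale interface only.
    modules.firewall.interfaces.${config.services.tailscale.interfaceName} = [ "dns" ];

    services.adguardhome = {
      # Always true inside the mkIf above.
      enable = true;
      settings = {
        tls = {
          enabled = true;
          server_name = fqdn;
          port_https = 4443;
          # Read from the per-service credentials directory, not the ACME
          # directory, so the private key is only visible to this unit.
          certificate_chain_path = "${credDir}/fullchain.pem";
          private_key_path = "${credDir}/key.pem";
        };
        dns.bind_hosts = cfg.dnsBindHosts;
      };
    };

    systemd.services.adguardhome = {
      # NOTE(review): assumes `security.acme.certs.${fqdn}` is declared
      # elsewhere (presumably by `services.webserver.vHosts`) — confirm;
      # evaluation fails if it is missing.
      serviceConfig.LoadCredential = [
        "fullchain.pem:${acme.certs.${fqdn}.directory}/fullchain.pem"
        "key.pem:${acme.certs.${fqdn}.directory}/key.pem"
      ];
      # Ordered after tailscaled, presumably so the bind addresses exist
      # before the DNS listener starts.
      requires = [ "tailscaled.service" ];
      after = [ "tailscaled.service" ];
    };

    services.webserver.vHosts.${fqdn} = {
      # Web UI only for authenticated tailnet clients, proxied to the HTTP port.
      tailscaleAuth = true;
      locations."/".proxyPort = cfg.port;
    };
  };
}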