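{ config, pkgs, ... }:
{
  # NixOS module: a daily timer-driven service that refreshes the unbound
  # blocklist (hagezi TIF list plus a few locally pinned domains), and the
  # unbound resolver configuration that includes that list.
  systemd.services.adblock = {
    startAt = "daily";
    # Runs after every stop, successful or not. The installed list is only
    # replaced by the atomic `mv` at the end of the script, so a failed
    # download leaves the previous /etc/unbound/ads.conf in place.
    postStop = "systemctl try-reload-or-restart unbound";
    path = [ pkgs.gawk pkgs.wget ];
    script = ''
      # Fail fast on any error so a partial download is never installed.
      set -euo pipefail

      # Stage the new list next to the target instead of under a fixed,
      # predictable /tmp name (/etc/unbound is not world-writable, unlike /tmp,
      # and a pre-existing file at a guessable path cannot be followed there).
      staged=/etc/unbound/ads.conf.new
      trap 'rm -f "$staged" "$staged.dedup"' EXIT

      # --https-only refuses a redirect to plain HTTP for the downloaded list.
      wget -nv --https-only -O - \
        https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf > "$staged"
      echo 'local-zone: "tiktok.com." always_nxdomain' >> "$staged"
      echo 'local-zone: "iogames.space." always_nxdomain' >> "$staged"
      echo 'local-zone: "taming.io." always_nxdomain' >> "$staged"

      # Drop duplicate lines (first occurrence wins), then rename into place so
      # unbound never reads a half-written file.
      awk '!seen[$0]++' "$staged" > "$staged.dedup"
      mv -f "$staged.dedup" /etc/unbound/ads.conf
    '';
  };

  # Expose the resolver to the LAN.
  networking.firewall = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };

  services.unbound = {
    enable = true;
    localControlSocketPath = "/var/lib/unbound/control.sock";
    settings = {
      server = {
        # IPv6 transport is disabled, so the fc00::/7 entry below only takes
        # effect if this is ever flipped to "yes".
        do-ip6 = "no";
        qname-minimisation = "yes";
        interface = [ config.mainInterface ];
        # Only answer private-range clients. The IPv6 ULA block is fc00::/7;
        # the previous "fc::/7" denoted a different (near-zero) prefix.
        access-control = [
          "10.0.0.0/8 allow"
          "fc00::/7 allow"
        ];
      };
      include = [
        "/etc/unbound/ads.conf"
        "${../configs/unbound-local.conf}"
      ];
    };
  };
}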