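# NixOS module: Pi-hole (FTL DNS + web UI) published through an nginx
# reverse proxy on pihole.<domainName>, with basic auth in front of it.
#
# NOTE(review): the nginx vhost and the extra ACME domain name below are
# declared unconditionally, while services.pihole-ftl.enable is false. With
# Pi-hole disabled the vhost still exists and proxies to a port nothing is
# listening on. Confirm this is intended.
{ config, ... }:
let
  # Local port of the Pi-hole web server; only nginx is meant to talk to it.
  port = "9123";
  # Public host name of the admin UI, derived from the site-wide domain.
  host = "pihole.${config.domainName}";
in
{
  services.pihole-ftl = {
    enable = false;
    # Opens the DNS ports in the host firewall. Make sure the machine is not
    # reachable from untrusted networks, or it will act as an open resolver.
    openFirewallDNS = true;
    lists = [
      {
        # Fetched from the moving `main` branch, so the list content is
        # whatever upstream publishes at update time (not pinned).
        url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
        type = "block";
        enabled = true;
        description = "hagezi blocklist";
      }
    ];
    settings.dns.upstreams = [
      "9.9.9.9"
      "1.1.1.1"
    ];
  };

  services.pihole-web = {
    # The web UI follows the FTL service so the two cannot drift apart.
    enable = config.services.pihole-ftl.enable;
    # The trailing "s" requests a TLS listener, which matches the https://
    # proxyPass target used by nginx below.
    ports = [ "${port}s" ];
    hostName = host;
  };

  # Reuse the certificate of the main domain and add this host as a SAN.
  security.acme.certs."${config.domainName}".extraDomainNames = [ host ];

  services.nginx.virtualHosts.${host} = {
    # TODO get secrets from sops
    # SECURITY: the admin password is currently the empty string, and values
    # set through `basicAuth` end up in plain text in the world-readable Nix
    # store. Replace this with `basicAuthFile` pointing at a secret that is
    # decrypted at activation time (for example a sops-managed path,
    # <SOPS_SECRET_PATH_PLACEHOLDER>) before enabling the service.
    basicAuth.admin = "";
    useACMEHost = config.domainName;
    # forceSSL instead of addSSL: addSSL also serves the site over plain
    # HTTP, which would send the basic-auth credentials unencrypted.
    # forceSSL redirects HTTP requests to HTTPS.
    forceSSL = true;
    locations."/".proxyPass = "https://localhost:${port}";
  };
}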