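{config, ...}:
/* This module defines the VPN server using tailscale and a DNS-level
   filtering service with AdGuard. It's fairly restrictive, but blocks lots
   of malicious and inappropriate sites, as well as a ton of ads.

   Access model: every intended client of this host is a tailnet peer. The
   firewall trusts tailscale0 wholesale and, apart from the tailscale UDP
   port, opens nothing on other interfaces. AdGuard's DNS listener and its
   admin web UI are therefore reachable only over the tailnet, never from
   the public side of the host. */
let
  ports = import ../Cloud/Ports.nix;
  # Currently unused (headscale is disabled below); kept for when it is re-enabled.
  domain = "headscale.simatime.com";
in {
  services.headscale = {
    enable = false; # don't use headscale rn, just use tailscale.com
    address = "0.0.0.0";
    port = ports.headscale;
    settings = {dns.base_domain = "simatime.com";};
  };
  # The headscale CLI is still installed even though the service is disabled.
  environment.systemPackages = [config.services.headscale.package];

  services.tailscale = {
    enable = true;
    extraUpFlags = [
      "--accept-dns=true"
      "--advertise-exit-node"
    ];
  };

  networking.firewall = {
    # Loose reverse-path filtering is needed for exit-node traffic forwarding.
    checkReversePath = "loose";
    # Tailnet peers bypass the firewall entirely. This is what lets them reach
    # AdGuard's DNS (53) and admin UI without those ports being opened publicly.
    trustedInterfaces = ["tailscale0"];
    # Only the tailscale control/data port is reachable from non-trusted interfaces.
    allowedUDPPorts = [config.services.tailscale.port];
  };

  services.adguardhome = {
    enable = true;
    # Deliberately closed. The NixOS option opens the AdGuard admin web-UI
    # port on every interface (it does not open the DNS port); tailnet peers
    # already reach the UI through the trusted tailscale0 interface, so opening
    # it would only expose the admin interface to the public side of the host.
    openFirewall = false;
    settings = {
      dns = {
        # Listens on all addresses; actual reachability is gated by the firewall
        # above, so only tailscale0 clients can query it. Keeping 53 closed on
        # public interfaces also avoids running an open resolver.
        bind_host = "0.0.0.0";
        port = 53;
        # Plain-DNS servers used only to resolve the hostnames of the DoH upstreams.
        bootstrap_dns = [
          "1.1.1.1"
          "8.8.8.8"
        ];
        # Encrypted (DNS-over-HTTPS) upstreams for all client queries.
        upstream_dns = [
          "https://dns.cloudflare.com/dns-query"
          "https://dns.google/dns-query"
        ];
        timeout = "10s";
        # Query every upstream in parallel rather than trying them in order.
        all_servers = true;
        filtering_enabled = true;
        parental_enabled = true;
        # Both the single flag and the per-engine block are set so the config
        # works whichever form the running AdGuard version reads.
        safesearch_enabled = true;
        safe_search = {
          enabled = true;
          bing = true;
          duckduckgo = true;
          google = true;
          youtube = true;
        };
      };
      # Blocklists fetched over HTTPS; AdGuard refreshes them on its own schedule.
      filters = [
        {
          enabled = true;
          name = "AdGuard NSFW Filter";
          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
        }
        {
          enabled = true;
          name = "oisd nsfw";
          url = "https://nsfw.oisd.nl/";
        }
        {
          enabled = true;
          name = "oisd big";
          url = "https://big.oisd.nl/";
        }
      ];
    };
  };
}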