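{ ... }:
let
  # Public hostname Caddy serves the AdGuard Home admin UI under. Everything
  # on this vhost sits behind the authentik forward_auth gate below, except
  # the outpost's own /outpost.goauthentik.io/* paths (login flow endpoints).
  domain = "adguard.vpn.rfive.de";
  # AdGuard Home's HTTP (admin UI / API) port. It is bound to loopback below,
  # so the only route to it is Caddy -> forward_auth -> 127.0.0.1:${toString port}.
  port = 3000;
in
{
  # Plain DNS (53/tcp + 53/udp) is opened for clients.
  # NOTE(review): these rules are not scoped to an interface. AdGuard only
  # binds 192.168.42.2 (dns.bind_hosts below), so other interfaces merely see a
  # closed port, but networking.firewall.interfaces.<ifname>.allowed*Ports
  # would make the intended exposure explicit -- confirm the LAN interface name.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  services.adguardhome = {
    enable = true;
    settings = {
      # Resolver listens on the LAN address only, not on 0.0.0.0.
      dns.bind_hosts = [ "192.168.42.2" ];
      # Admin UI/API on loopback only -- deliberately not the LAN address, so
      # it cannot be reached without passing Caddy's forward_auth.
      # NOTE(review): AdGuard Home's own login (settings.users) is not set in
      # this file; if it is not configured elsewhere, the forward_auth gate is
      # the only authentication in front of the admin UI.
      http.address = "127.0.0.1:${toString port}";
    };
  };

  services.caddy.virtualHosts.${domain}.extraConfig = ''
    # The authentik outpost is reached over plain HTTP on port 9000 (the
    # HTTPS listener on the outpost is typically self-signed, which Caddy
    # would reject without tls_insecure_skip_verify -- likely why https did
    # not work here). Confidentiality of the session cookie and of the
    # X-Authentik-* headers therefore rests entirely on nuc.vpn.rfive.de
    # resolving to a WireGuard-tunnel address; verify that resolution.
    #
    # The outpost's own paths (login start/callback) must bypass forward_auth.
    # NOTE(review): Caddy applies its built-in directive order (forward_auth
    # runs before reverse_proxy) regardless of textual order unless the
    # directives are wrapped in a `route { }` block, which is what authentik's
    # reference Caddyfile does. The author reports this config works as-is;
    # confirm before relying on the textual order.
    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000

    # Every other request is checked against authentik first; a non-2xx auth
    # response (e.g. the login redirect) is returned to the client instead of
    # being proxied to AdGuard.
    forward_auth http://nuc.vpn.rfive.de:9000 {
      uri /outpost.goauthentik.io/auth/caddy
      # Header names are matched case-sensitively here; with different
      # capitalization the copied headers arrive empty. Nothing in this file
      # consumes the X-Authentik-* headers downstream (AdGuard Home uses its own
      # user database); they are forwarded for parity with authentik's example.
      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
    }

    # Only authenticated requests reach the loopback-bound AdGuard UI.
    reverse_proxy 127.0.0.1:${toString port}
  '';
}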