# Arion/docker-compose project "dns": Pi-hole (resolver front end, reachable
# through traefik on the shared dmz network) backed by unbound on a private
# bridge. Evaluates to the same attribute set as the original layout.
{pkgs, ...}: let
  # Persistent state lives under one directory on the host.
  dataRoot = "/storage/dataset/docker/dns";
  publicHost = "pihole.ghoscht.com";
  # Fixed addresses on the private dns bridge; both fall inside ipam.ip_range.
  unboundAddr = "172.28.1.5";
  piholeAddr = "172.28.1.6";
in {
  project.name = "dns";

  networks = {
    # Created elsewhere (shared with the reverse proxy); only referenced here.
    dmz = {
      name = "dmz";
      external = true;
    };
    # Private bridge carrying only pihole <-> unbound traffic.
    dns = {
      name = "dns";
      driver = "bridge";
      ipam.config = [
        {
          subnet = "172.28.1.0/24";
          ip_range = "172.28.1.5/30";
          gateway = "172.28.1.1";
        }
      ];
    };
  };

  services.pihole.service = {
    image = "pihole/pihole:2024.03.1";
    container_name = "pihole";
    hostname = "pihole";
    # No WEBPASSWORD is set here, so the admin password comes from the persisted
    # pihole_data volume or from whatever the image does on first start — confirm.
    environment = {
      IPv6 = "True";
      TZ = "Europe/Berlin";
      SKIPGRAVITYONBOOT = 1;
      VIRTUAL_HOST = publicHost;
    };
    volumes = [
      "${dataRoot}/pihole_data:/etc/pihole"
      "${dataRoot}/pihole_dnsmasq:/etc/dnsmasq.d"
    ];
    # traefik terminates TLS (letsencrypt) and forwards to the container's port 80
    # over the dmz network.
    labels = {
      "traefik.enable" = "true";
      "traefik.docker.network" = "dmz";
      "traefik.http.routers.pihole.entrypoints" = "websecure";
      "traefik.http.routers.pihole.rule" = "Host(`${publicHost}`)";
      "traefik.http.routers.pihole.tls" = "true";
      "traefik.http.routers.pihole.tls.certresolver" = "letsencrypt";
      "traefik.http.services.pihole.loadbalancer.server.port" = "80";
    };
    restart = "always";
    networks = {
      dmz = {};
      dns.ipv4_address = piholeAddr;
    };
    # NET_ADMIN is documented by Pi-hole for its DHCP-server role; if DHCP is
    # not used it can be dropped (least privilege) — review.
    capabilities.NET_ADMIN = true;
    # Host-side bindings have no address, so they listen on every host interface.
    # 8420 exposes the admin UI over plain HTTP in addition to the TLS route
    # above; bind it to loopback ("127.0.0.1:8420:80") unless LAN access is
    # intended. 53/tcp+udp is the resolver itself.
    ports = [
      "8420:80"
      "53:53/tcp"
      "53:53/udp"
    ];
  };

  services.unbound.service = {
    image = "mvance/unbound:1.19.3";
    container_name = "unbound";
    # useHostStore mounts the host's /nix/store into the container; this image is
    # not Nix-built, so it is likely unnecessary exposure — verify and drop if so.
    useHostStore = true;
    volumes = [
      "${dataRoot}/unbound_data:/opt/unbound/etc/unbound"
    ];
    restart = "always";
    # Not on dmz: only reachable from pihole over the private bridge.
    networks.dns.ipv4_address = unboundAddr;
  };
}