diff --git a/hosts/shan/adguard.nix b/hosts/shan/adguard.nix
new file mode 100644
index 0000000..f977e5d
--- /dev/null
+++ b/hosts/shan/adguard.nix
@@ -0,0 +1,50 @@
+{
+  config,
+  ...
+}:
+{
+  config = {
+    services.adguardhome = {
+      enable = true;
+      port = 3001;
+      openFirewall = true;
+      settings = {
+        http = {
+          address = "0.0.0.0:3000";
+        };
+        auth_attempts = 5;
+        block_auth_min = 10;
+        dns = {
+          bind_hosts = [ "0.0.0.0" ];
+          port = 53;
+          upstream_mode = "load_balance";
+          upstream_dns_file = config.age.secrets.adguard-dns-list.path;
+        };
+        clients = {
+          persistent = [
+            {
+              ids = [ "100.64.0.1" ];
+              name = "brontes";
+              tags = [ "device_pc" ];
+            }
+            {
+              ids = [ "100.64.0.2" ];
+              name = "oneplus9";
+              tags = [ "device_phone" ];
+            }
+            {
+              ids = [ "100.64.0.5" ];
+              name = "marr";
+              tags = [ "device_laptop" ];
+            }
+            {
+              ids = [ "100.64.0.4" ];
+              name = "shan";
+              tags = [ "device_pc" ];
+            }
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/shan/configuration.nix b/hosts/shan/configuration.nix
index ecf2aff..2dbfb47 100644
--- a/hosts/shan/configuration.nix
+++ b/hosts/shan/configuration.nix
@@ -10,9 +10,14 @@
     (modulesPath + "/profiles/qemu-guest.nix")
     ./disk-config.nix
     ../../modules
+    ./adguard.nix
   ];
 
   age.secrets.navidrome.file = ../../secrets/navidrome.age;
+  age.secrets.adguard-dns-list = {
+    file = ../../secrets/adguard-dns-list.age;
+    mode = "444";
+  };
 
   boot.loader.grub = {
     efiSupport = true;
diff --git a/secrets/adguard-dns-list.age b/secrets/adguard-dns-list.age
new file mode 100644
index 0000000..90d3d30
--- /dev/null
+++ b/secrets/adguard-dns-list.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 biwZXw /NmraADUuvsyZdUeXQaNPZa/2t5Wzw/gxPZ5X07sWko
+4YIalbrY+bIw5KPYjdZQ+2Ee6lWU615UxAl7yUh0TLk
+-> ssh-ed25519 b3HlPA BaN7hgkrsptRcB6zrlQwPPvF4AQxbtEqULUlhLCqhiU
+ezUUXTYOTUL4yz1onviM5aIqKdMgmlHgzSFsTuULLpg
+-> ssh-ed25519 cdUqUg Ll/EQkQDMecJVo1Ww6XjsSWuO1+D4n3TQr4rFbf77FE
+0NirirvYChbpzL4DxPdab4VlmxqvQJP/M1qec9dITiU
+-> ssh-ed25519 a1hgwg tiyV9+UND5BfewirzPDtPqbhPa9/xxoBxzMBzFOZ5Ww
+Zg5HBOFjDv4scsKjYFVNI/WzXGNLrP4nCqDSrQGQZNk
+--- 9mLbkpSrNWKhQKbkAHE8JjjL+w8dhFfG6XJBdeaWR+8
+j���W��Yȓ�����N�������i���W�!2�Yt�oK{rf7(ъ�g}�X ��,���8�y���Ј*a��@�m}@o8L2/�f#��?���ep��v2$%�1W���Ac�>��	�!:7����ρ��2�sRӽY�7�q78���m�Pl
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 46d0481..0c7b49e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,4 +14,5 @@ in
   "couchdb.age".publicKeys = devices;
   "rustypaste.age".publicKeys = devices;
   "navidrome.age".publicKeys = devices;
+  "adguard-dns-list.age".publicKeys = devices;
 }