diff --git a/services/adguardhome.nix b/services/adguardhome.nix
index b979727..8537339 100644
--- a/services/adguardhome.nix
+++ b/services/adguardhome.nix
@@ -3,6 +3,12 @@
 let
   cfg = config.services.adguardhome;
   host = "dns.felschr.com";
+
+  ports = {
+    plain = 53;
+    tls = 853;
+    doh = 10443;
+  };
 in
 {
   services.adguardhome = {
@@ -22,14 +28,14 @@ in
         enabled = true;
         server_name = host;
         port_https = 0;
-        port_dns_over_tls = 853;
-        port_dns_over_quic = 853;
+        port_dns_over_tls = ports.tls;
+        port_dns_over_quic = ports.tls;
         port_dnscrypt = 0;
         force_https = false; # handled by nginx
         allow_unencrypted_doh = true;
         strict_sni_check = false;
-        certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
-        private_key_path = "/run/credentials/adguardhome.service/key.pem";
+        certificate_path = "${config.security.acme.certs."${host}".directory}/fullchain.pem";
+        private_key_path = "${config.security.acme.certs."${host}".directory}/key.pem";
       };
       # HINT: users needs to be set up manually:
       # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
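Review bot: Pointing `certificate_path`/`private_key_path` straight at `config.security.acme.certs."${host}".directory` gives the service read access to the ACME state through group membership (the matching `SupplementaryGroups = [ "acme" … ]` is in the last hunk), which is broader than the per-service copy the removed `LoadCredential` lines provided — the unit can now read every certificate and key the `acme` group can, not just this host's. The reason for dropping `LoadCredential` is not stated in the diff; if it was to pick up renewed certificates without restarting, that is worth recording next to these two lines, e.g. `# read from the ACME directory directly; requires the acme supplementary group (see systemd.services.adguardhome)`. The attribute set these lines belong to starts before the hunk.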
@@ -76,22 +82,50 @@ in
           enabled = true;
         }
       ];
+      log.verbose = true;
+    };
+  };
+
+  # AdGuardHome's built-in DoH gives me Bad Request responses for some reason
+  # So, I instead use `doh-server` as a proxy for now.
+  services.doh-server = {
+    enable = true;
+    settings = {
+      listen = [ ":${toString ports.doh}" ];
+      upstream = [ "udp:127.0.0.1:${toString ports.plain}" ];
     };
   };
 
   systemd.services.adguardhome.serviceConfig = {
-    LoadCredential = [
-      "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
-      "key.pem:/var/lib/acme/${host}/key.pem"
+    SupplementaryGroups = [
+      "acme"
+      "nginx"
     ];
   };
 
-  services.nginx.virtualHosts."${host}" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+  services.nginx = {
+    virtualHosts."${host}" = {
+      enableACME = true;
+      forceSSL = true;
+      http3 = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://localhost:${toString cfg.port}";
+          proxyWebsockets = true;
+        };
+        "/dns-query" = {
+          proxyPass = "http://localhost:${toString ports.doh}";
+        };
+      };
+    };
   };
 
-  networking.firewall.allowedTCPPorts = [ 853 ];
-  networking.firewall.allowedUDPPorts = [ 853 ];
+  networking.firewall.allowedTCPPorts = [
+    53 # Plain DNS
+    853 # DNS over TLS / QUIC
+  ];
+  networking.firewall.allowedUDPPorts = [
+    53 # Plain DNS
+    853 # DNS over TLS / QUIC
+  ];
 }
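Review bot: The firewall now opens 53/tcp and 53/udp on every interface, so the resolver will answer plain DNS from anywhere the host is reachable unless AdGuardHome itself restricts its bind address or clients — neither is visible in this diff, so if the machine has a public interface, scope the rule with `networking.firewall.interfaces.<iface>.allowedUDPPorts` (and the TCP counterpart) or confirm the DNS listener is bound to the LAN address only. Those lists also hardcode `53` and `853` although the first hunk introduced `ports` for exactly this purpose; `ports.plain` and `ports.tls` would keep the firewall and the AdGuardHome settings from drifting apart. Similarly, `listen = [ ":${toString ports.doh}" ]` binds doh-server on all interfaces even though only the nginx `/dns-query` location should reach it, and `"127.0.0.1:${toString ports.doh}"` would mirror the loopback-only `upstream` on the following line. Finally, the reason for adding `"nginx"` to `SupplementaryGroups` is not apparent from the hunk; a one-line comment stating what the service needs from that group would help the next reader.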