diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
new file mode 100644
index 0000000..67e1168
--- /dev/null
+++ b/home/modules/seven/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.seven;
+in
+{
+  imports = [ ./seven-ntfy.nix ];
+
+  options = {
+    custom.seven = {
+      enable = lib.mkEnableOption (lib.mdDoc "Seven");
+      ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
+      Host *.factory.secunet.com
+      User fschroeter
+    '';
+  };
+}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
new file mode 100644
index 0000000..d4b54a9
--- /dev/null
+++ b/home/modules/seven/ntfy.nix
@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.custom.seven.ntfy;
+in
+{
+  options = {
+    custom.seven.ntfy = {
+      enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.user = {
+      services.ntfy = {
+        Unit = {
+          Description = "ntfy alert scubscription";
+          After = "network-online.target";
+          PartOf = [ "graphical-session.target" ];
+        };
+        Service =
+          let
+            topic = "https://grafana.factory.secunet.com/ntfy/alerts";
+            notify-send = lib.getExe pkgs.libnotify;
+          in
+          {
+            Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
+            ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
+            Restart = "always";
+          };
+        Install.WantedBy = [ "default.target" ];
+      };
+    };
+  };
+}
diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index a5a4471..3080828 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -24,6 +24,7 @@ in
     ../../virtualisation/containers.nix
     ../../virtualisation/podman.nix
     ../../modules/inadyn.nix
+    ../../services/adguardhome.nix
     ../../modules/systemdNotify.nix
     ../../services/postgres
     ../../services/mail.nix
@@ -87,6 +88,7 @@ in
   ''}";
   services.inadyn.domains = [
     "felschr.com"
+    "dns.felschr.com"
     "openpgpkey.felschr.com"
     "ldap.felschr.com"
     "auth.felschr.com"
diff --git a/modules/wg0.nix b/modules/wg0.nix
new file mode 100644
index 0000000..1ebcdfe
--- /dev/null
+++ b/modules/wg0.nix
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.wg0;
+in
+{
+  options = {
+    custom.wg0 = {
+      enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
+
+      addresses = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "IP addresses for this machine within VPN.";
+      };
+
+      privateKeyFile = lib.mkOption {
+        type = lib.types.str;
+        example = "/path/to/secret.key";
+        description = "Private key file.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.wireguard-home-pc-key = {
+      file = ../secrets/wireguard/home-pc.key.age;
+      owner = "systemd-network";
+    };
+    age.secrets.wireguard-cmdframe-key = {
+      file = ../secrets/wireguard/cmdframe.key.age;
+      owner = "systemd-network";
+    };
+
+    systemd.network = {
+      enable = true;
+      # TODO cannot push this to public git like this
+      netdevs."40-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1280";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
+            AllowedIPs = [
+              "198.18.0.0/15"
+              "fd00:5ec::/48"
+            ];
+            # TODO remove endpoint from config
+            Endpoint = "gateway.seven.secunet.com:51821";
+          }
+        ];
+      };
+      networks."40-wg0" = {
+        matchConfig.Name = "wg0";
+        address = cfg.addresses;
+        networkConfig = {
+          IPMasquerade = "ipv4";
+        };
+      };
+    };
+  };
+}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
new file mode 100644
index 0000000..81f1bfa
--- /dev/null
+++ b/secrets/wireguard/cmdframe.key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY
+71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo
+-> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38
+3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio
+--- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU
+?�y)�Sk*����gz�_�E�>|
J�׭*9�	�h����aI�9p�?�(�J���F�x:;�1yKP�]VQ2�J;Y��
\ No newline at end of file
diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age
new file mode 100644
index 0000000..3b761bd
Binary files /dev/null and b/secrets/wireguard/home-pc.key.age differ
diff --git a/services/adguardhome.nix b/services/adguardhome.nix
new file mode 100644
index 0000000..2cbe302
--- /dev/null
+++ b/services/adguardhome.nix
@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+  cfg = config.services.adguardhome;
+  host = "dns.felschr.com";
+in
+{
+  services.adguardhome = {
+    enable = true;
+    settings = {
+      dns = {
+        upstream_dns = [
+          "https://dns.mullvad.net/dns-query"
+        ];
+        fallback_dns = [
+          "https://1.1.1.1/dns-query"
+        ];
+        enable_dnssec = true;
+      };
+      # encryption
+      tls = {
+        enabled = true;
+        server_name = host;
+        port_https = 0;
+        port_dns_over_tls = 853;
+        port_dns_over_quic = 853;
+        port_dnscrypt = 0;
+        force_https = false; # handled by nginx
+        allow_unencrypted_doh = true;
+        strict_sni_check = false;
+        certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
+        private_key_path = "/run/credentials/adguardhome.service/key.pem";
+      };
+      # HINT: users needs to be set up manually:
+      # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
+      # users = [ { name = "felschr"; } ];
+      querylog = {
+        enabled = true;
+        interval = "24h";
+      };
+      statistics = {
+        enabled = true;
+        interval = "24h";
+      };
+      filtering = {
+        protection_enabled = true;
+        filtering_enabled = true;
+        safe_search.enabled = true;
+        rewrites = [
+          {
+            domain = "felschr.com";
+            answer = "home-server.tail05275.ts.net";
+          }
+          {
+            domain = "*.felschr.com";
+            answer = "home-server.tail05275.ts.net";
+          }
+        ];
+      };
+      filters = [
+        {
+          name = "HaGeZi Multi Pro";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
+          enabled = true;
+        }
+        {
+          name = "OISD (Big)";
+          url = "https://big.oisd.nl";
+          enabled = false;
+        }
+        {
+          name = "AdGuard DNS filter";
+          url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+          enabled = false;
+        }
+      ];
+      whitelist_filters = [
+        {
+          name = "HaGeZi Whitelist-Referral";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
+          enabled = true;
+        }
+        {
+          name = "Hagezi Whitelist-UrlShortener";
+          url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt";
+          enabled = true;
+        }
+      ];
+    };
+  };
+
+  systemd.services.adguardhome.serviceConfig = {
+    LoadCredential = [
+      "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
+      "key.pem:/var/lib/acme/${host}/key.pem"
+    ];
+  };
+
+  services.nginx.virtualHosts."${host}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 853 ];
+  networking.firewall.allowedUDPPorts = [ 853 ];
+}
diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..3c50fc7 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,24 +1,49 @@
-{ config, ... }:
+{ config, lib, ... }:
 
+let
+  isAdguardHost = config.services.adguardhome.enable;
+  nameservers = {
+    local = [
+      "127.0.0.1"
+      "::1"
+    ];
+    remote = [
+      # LAN
+      "192.168.1.102#dns.felschr.com"
+      "fd1c:ca95:d74d::102#dns.felschr.com"
+
+      # Tailnet
+      "100.97.32.60#dns.felschr.com"
+      "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
+    ];
+  };
+in
 {
-  networking.nameservers = [
-    "127.0.0.1"
-    "::1"
-  ];
-  networking.networkmanager.dns = "systemd-resolved";
+  networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote;
+
+  networking.nftables.enable = true;
+  networking.networkmanager = {
+    enable = true;
+    dns = "systemd-resolved";
+  };
+
+  systemd.network = {
+    enable = true;
+    wait-online.ignoredInterfaces = [ "tailscale0" ];
+  };
 
   services.dnsmasq.enable = false;
   services.resolved = {
     enable = true;
-    # don't use fallback resolvers
-    fallbackDns = [ ];
-  };
-
-  services.nextdns = {
-    enable = true;
-    arguments = [
-      "-config"
-      "b8e2f7"
+    dnsovertls = if isAdguardHost then "opportunistic" else "true";
+    fallbackDns = [
+      "194.242.2.2#dns.mullvad.net"
+      "194.242.2.4#base.dns.mullvad.net"
+      "1.1.1.1#one.one.one.one"
+      "1.0.0.1#one.one.one.one"
     ];
+    extraConfig = lib.mkIf isAdguardHost ''
+      DNSStubListener=no
+    '';
   };
 }
diff --git a/system/server.nix b/system/server.nix
index 2d466a8..f4cfa1a 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -15,14 +15,14 @@
     table inet allow-incoming-traffic {
       chain allow-incoming {
         type filter hook input priority -100; policy accept;
-        tcp dport {80, 443, 2222} meta mark set 0x80000;
-        udp dport {80, 443, 2222} meta mark set 0x80000;
+        tcp dport {80, 443, 853, 2222} meta mark set 0x80000;
+        udp dport {80, 443, 853, 2222} meta mark set 0x80000;
       }
 
       chain allow-outgoing {
         type route hook output priority -100; policy accept;
-        tcp sport {80, 443, 2222} meta mark set 0x80000;
-        udp sport {80, 443, 2222} meta mark set 0x80000;
+        tcp sport {80, 443, 853, 2222} meta mark set 0x80000;
+        udp sport {80, 443, 853, 2222} meta mark set 0x80000;
       }
     }
   '';