diff --git a/systems/aarch64-linux/pi5/adguard.nix b/systems/aarch64-linux/pi5/adguard.nix
new file mode 100644
index 0000000..d4b78cb
--- /dev/null
+++ b/systems/aarch64-linux/pi5/adguard.nix
@@ -0,0 +1,57 @@
+{ ... }:
+{
+ services.adguardhome = {
+ enable = true;
+ openFirewall = true;
+ allowDHCP = true;
+ mutableSettings = true;
+ settings = {
+ http.address = "0.0.0.0:0";
+ users = [
+ {
+ name = "mjallen";
+ password = "$2a$10$G07P7V1EnBQxWtMNGyfgTOTpAgr4d.uqYoG.cGSFCv9jQdiYWCsfq";
+ }
+ ];
+ dns = {
+ upstream_dns = [
+ "https://dns10.quad9.net/dns-query"
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ bootstrap_dns = [
+ "9.9.9.10"
+ "149.112.112.10"
+ "2620:fe::10"
+ "2620:fe::fe:10"
+ ];
+ upstream_mode = "load_balance";
+ trusted_proxies = [
+ "127.0.0.0/8"
+ "::1/128"
+ "10.0.1.3"
+ ];
+ cache_optimistic = true;
+ };
+ dhcp = {
+ enabled = false;
+ interface_name = "end0";
+ local_domain_name = "lan";
+ dhcpv4 = {
+ gateway_ip = "10.0.1.1";
+ subnet_mask = "255.255.255.0";
+ range_start = "10.0.1.100";
+ range_end = "10.0.1.254";
+ lease_duration = 86400;
+ icmp_timeout_msec = 1000;
+ };
+ dhcpv6 = {
+ range_start = "2001::1";
+ lease_duration = 86400;
+ ra_slaac_only = false;
+ ra_allow_slaac = false;
+ };
+ };
+ };
+ };
+}
diff --git a/systems/aarch64-linux/pi5/default.nix b/systems/aarch64-linux/pi5/default.nix
index 56eed2f..12ba2b4 100644
--- a/systems/aarch64-linux/pi5/default.nix
+++ b/systems/aarch64-linux/pi5/default.nix
@@ -8,6 +8,7 @@
 }:
 {
 imports = [
+ ./adguard.nix
 ./boot.nix
 ./services.nix
 ./sops.nix
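Review bot: In adguard.nix the `password` entry under `users` commits a bcrypt hash to the repository, and because it sits inside `settings` it will presumably also be rendered into the world-readable Nix store, so anyone who can read either can run an offline guessing attack against it. default.nix already imports `./sops.nix`, so the hash could be supplied from a sops-managed secret at service start instead of being inlined; the hash in this commit should be treated as exposed and the password rotated. Separately, `upstream_mode = "load_balance"` spreads queries across the DoH upstream and the plaintext `"1.1.1.1"` / `"8.8.8.8"` entries, so part of the traffic leaves unencrypted; `"https://cloudflare-dns.com/dns-query"` and `"https://dns.google/dns-query"` would keep every upstream encrypted. `http.address = "0.0.0.0:0"` combined with `openFirewall = true` also deserves a comment stating which interface and port the admin UI is meant to listen on, since that is not evident from the hunk.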