diff --git a/common.nix b/common.nix
index 22662bb..a5d95a3 100644
--- a/common.nix
+++ b/common.nix
@@ -32,6 +32,7 @@
 ./services/authelia.nix
 ./services/homepage.nix
 ./services/arr-interconnect.nix
+ ./services/adguard.nix
 ];
 ### Make build time quicker
diff --git a/services/adguard.nix b/services/adguard.nix
new file mode 100644
index 0000000..e8d4e05
--- /dev/null
+++ b/services/adguard.nix
@@ -0,0 +1,41 @@
+# services/adguard.nix — AdGuard Home network-wide DNS ad blocker
+{ config, lib, pkgs, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+ services.adguardhome = {
+ enable = true;
+ # Web UI bound to localhost; nginx reverse-proxies at adguard.nordhammer.it
+ host = "127.0.0.1";
+ port = 3000;
+ # Allow UI changes (blocklists, rules, clients) to persist
+ mutableSettings = true;
+ settings = {
+ dns = {
+ bind_hosts = [ "0.0.0.0" ];
+ port = 53;
+ # DNS-over-HTTPS upstreams — encrypts queries to resolvers
+ upstream_dns = [
+ "https://dns.cloudflare.com/dns-query"
+ "https://dns.quad9.net/dns-query"
+ ];
+ bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
+ cache_size = 4194304;
+ cache_ttl_min = 60;
+ };
+ filters = [
+ { enabled = true; id = 1; name = "AdGuard DNS filter";
+ url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; }
+ { enabled = true; id = 2; name = "AdAway Default Blocklist";
+ url = "https://adaway.org/hosts.txt"; }
+ { enabled = true; id = 3; name = "OISD Big";
+ url = "https://big.oisd.nl/"; }
+ ];
+ };
+ };
+
+ # LAN DNS — router blocks WAN:53 so this is effectively LAN-only
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ };
+}
diff --git a/services/nginx.nix b/services/nginx.nix
index ad64c30..08d62f3 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
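Review bot: The new module declares `settings` without any `settings.users` entry, so no admin credential is provisioned for the web UI that nginx publishes at adguard.nordhammer.it; in the AdGuard Home versions I know, an empty user list makes the UI skip its login check entirely until someone creates an account through it, which would let the first visitor to the public hostname claim the admin role. Declaring at least one account next to `dns`, e.g. `users = [ { name = "admin"; password = "<bcrypt hash>"; } ];`, closes that window (the hash lands in the world-readable Nix store, acceptable for bcrypt but worth a comment). Separately, `bind_hosts = [ "0.0.0.0" ]` together with `allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` opens the resolver on every interface, and the "router blocks WAN:53" comment describes a control that lives outside this configuration; scoping the rule with `networking.firewall.interfaces.<lan>.allowedUDPPorts = [ 53 ];` (the interface name is not visible here) and setting `settings.dns.ratelimit` would keep this from becoming an open resolver if that router rule ever changes. Finally, `mutableSettings = true` appears to mean later edits to this file are merged into the existing state rather than imposed on it; a one-line comment saying so would stop a reader from treating the declared values as authoritative.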
@@ -101,8 +101,9 @@ in
 "torrent.nordhammer.it" = proxy 8080;
 # --- Other ---
- "games.nordhammer.it" = proxy 8787;
- "search.nordhammer.it" = proxy 8087;
+ "games.nordhammer.it" = proxy 8787;
+ "search.nordhammer.it" = proxy 8087;
+ "adguard.nordhammer.it" = proxy 3000;
 # --- Protected by Authelia ---
 "camera.nordhammer.it" = protectedProxy 1984;
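Review bot: `"adguard.nordhammer.it" = proxy 3000;` is placed in the `# --- Other ---` group rather than under `# --- Protected by Authelia ---`, so the AdGuard admin UI — which controls DNS resolution for every client on the LAN — is reachable on a public hostname with only AdGuard's own login in front of it, while the less sensitive camera endpoint on the next line gets `protectedProxy`. Moving it into the Authelia block as `"adguard.nordhammer.it" = protectedProxy 3000;` puts SSO and its brute-force protections in front of the UI and keeps the file's grouping convention intact. The `proxy`/`protectedProxy` helpers and the enclosing attribute set are defined outside this hunk, so I cannot see whether `protectedProxy` interacts cleanly with AdGuard's own login redirect; worth a quick check after the move.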