diff --git a/flake.lock b/flake.lock index 87a41db..d670e4a 100644 --- a/flake.lock +++ b/flake.lock @@ -415,7 +415,7 @@ }, "locked": { "lastModified": 1687369979, - "narHash": "sha256-Dr6BQSKE1iX85h5kanhSPyJR9RSjJYa20T5PhukQTV8=", + "narHash": "sha256-rRV+VKRVb0N2xYLVMfAGk8FQnII3mCuH5JMTOCLlEnk=", "type": "git", "url": "file:///root/projects/microvm.nix" }, diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index fcc9371..14c46cc 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -18,6 +18,7 @@ ./fs.nix ./net.nix + ./kea.nix ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix new file mode 100644 index 0000000..71f4691 --- /dev/null +++ b/hosts/ward/kea.nix 
@@ -0,0 +1,77 @@
+{
+ config,
+ lib,
+ utils,
+ nodes,
+ ...
+}: let
+ inherit
+ (lib)
+ flip
+ mapAttrsToList
+ mkOption
+ net
+ types
+ ;
+
+ lanCidrv4 = "192.168.100.0/24";
+ dnsIp = net.cidr.host 2 lanCidrv4;
+in {
+ # TODO make meta.kea module?
+ # TODO reserve by default using assignIps algo?
+ options.networking.dhcp4Reservations = mkOption {
+ default = {};
+ type = types.attrsOf (types.net.ipv4-in lanCidrv4);
+ description = "Maps MAC addresses to their reserved ipv4 address.";
+ };
+
+ config = {
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ lease-database = {
+ name = "/var/lib/kea/dhcp4.leases";
+ persist = true;
+ type = "memfile";
+ };
+ valid-lifetime = 4000;
+ renew-timer = 1000;
+ rebind-timer = 2000;
+ interfaces-config = {
+ # XXX: why does this bind other macvtaps?
+ interfaces = ["lan-self"];
+ service-sockets-max-retries = -1;
+ };
+ option-data = [
+ {
+ name = "domain-name-servers";
+ data = dnsIp;
+ }
+ ];
+ subnet4 = [
+ {
+ interface = "lan-self";
+ subnet = lanCidrv4;
+ pools = [
+ {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+ ];
+ option-data = [
+ {
+ name = "routers";
+ data = net.cidr.host 1 lanCidrv4;
+ }
+ ];
+ reservations = [
+ {
+ hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+ ip-address = dnsIp;
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+ systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
+ };
+}
diff --git a/hosts/ward/microvms/adguardhome.nix b/hosts/ward/microvms/adguardhome.nix
index ad4c6ea..d2cd584 100644
--- a/hosts/ward/microvms/adguardhome.nix
+++ b/hosts/ward/microvms/adguardhome.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 nodes,
+ pkgs,
 utils,
 ...
 }: let
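Review bot: `options.networking.dhcp4Reservations` is declared in this hunk but never read: `reservations` is hard-coded to the single adguardhome entry and the `flip`/`mapAttrsToList` imports go unused, so any value a host sets for the option is silently dropped. Replace the hard-coded list with `reservations = flip mapAttrsToList config.networking.dhcp4Reservations (mac: ip: {hw-address = mac; ip-address = ip;});` and express the DNS VM's entry through the option as `networking.dhcp4Reservations.${nodes.ward-adguardhome.config.lib.microvm.mac} = dnsIp;` inside `config`, so that both sources end up in one list. `lanCidrv4` is now defined in both this file and net.nix (the net.nix hunk below keeps its own copy); a single shared definition would keep the pool, router and DNS addresses from drifting apart.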
@@ -34,23 +35,50 @@ in { }; }; + networking.firewall = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53]; + }; + services.adguardhome = { enable = true; + mutableSettings = false; settings = { bind_host = config.meta.wireguard.proxy-sentinel.ipv4; bind_port = 3000; - #dns = { - # edns_client_subnet.enabled = false; - # bind_hosts = [ "127.0.0.1" ]; - # bootstrap_dns = [ - # "8.8.8.8" - # "8.8.4.4" - # "2001:4860:4860::8888" - # "2001:4860:4860::8844" - # ]; - #}; + dns = { + edns_client_subnet.enabled = false; + bind_hosts = [ + # This dummy address passes the configuration check and will + # later be replaced by the actual interface address. + "123.123.123.123" + ]; + # allowed_clients = [ + # ]; + #trusted_proxied = []; + ratelimit = 60; + upstream_dns = [ + "8.8.8.8" + "8.8.4.4" + "2001:4860:4860::8888" + "2001:4860:4860::8844" + ]; + bootstrap_dns = [ + "8.8.8.8" + "8.8.4.4" + "2001:4860:4860::8888" + "2001:4860:4860::8844" + ]; + dhcp.enabled = false; + }; }; }; - systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; + systemd.services.adguardhome = { + after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"]; + preStart = lib.mkAfter '' + INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") + sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml" + ''; + }; } diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index a4d4cf5..7edd200 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix @@ -1,7 +1,6 @@ { config, lib, - utils, ... }: let lanCidrv4 = "192.168.100.0/24"; 
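Review bot: The `preStart` added at the end of the adguardhome.nix hunk substitutes `$INTERFACE_ADDR` into the config without checking it: if `wan` has no IPv4 address yet the placeholder becomes an empty string, and if it has several the variable contains a newline and `sed` aborts on an unterminated `s` command, so AdGuardHome starts with a broken or missing `bind_hosts` either way. Append `| head -n1` to the pipeline, add `[ -n "$INTERFACE_ADDR" ] || { echo "no IPv4 address on wan" >&2; exit 1; }` before the `sed`, and escape the dots in the pattern (`s/123\.123\.123\.123/$INTERFACE_ADDR/`) so it cannot match unrelated text. Separately, `allowedTCPPorts`/`allowedUDPPorts = [53]` open the resolver on every interface while `allowed_clients` stays commented out; if `wan` is reachable from beyond the LAN this is an open resolver, so `networking.firewall.interfaces.wan.allowedUDPPorts` (and the TCP counterpart) or a populated `allowed_clients` list would be the tighter choice — whether that applies depends on the VM's network layout, which the hunk does not show. The hunk begins inside the module's attribute set; the `in {` header is outside it.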
@@ -125,51 +124,6 @@ in { }; }; - services.kea = { - dhcp4 = { - enable = true; - settings = { - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - valid-lifetime = 4000; - renew-timer = 1000; - rebind-timer = 2000; - interfaces-config = { - # TODO why does this bind other macvtaps? - interfaces = ["lan-self"]; - service-sockets-max-retries = -1; - }; - option-data = [ - { - name = "domain-name-servers"; - # TODO pihole via self - data = "1.1.1.1, 8.8.8.8"; - } - ]; - subnet4 = [ - { - interface = "lan-self"; - subnet = lanCidrv4; - pools = [ - {pool = "${lib.net.cidr.host 20 lanCidrv4} - ${lib.net.cidr.host (-6) lanCidrv4}";} - ]; - option-data = [ - { - name = "routers"; - data = lib.net.cidr.host 1 lanCidrv4; - } - ]; - } - ]; - }; - }; - }; - - systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"]; - meta.microvms.networking = { baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; macvtapInterface = "lan"; diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix index 08949b6..11d8809 100644 --- a/modules/meta/microvms.nix +++ b/modules/meta/microvms.nix @@ -111,6 +111,8 @@ config = {config, ...}: { imports = cfg.commonImports ++ node.imports ++ vmCfg.modules; + lib.microvm.mac = mac; + microvm = { hypervisor = mkDefault "cloud-hypervisor"; diff --git a/modules/meta/telegraf.nix b/modules/meta/telegraf.nix index a558c4b..eaa7637 100644 --- a/modules/meta/telegraf.nix +++ b/modules/meta/telegraf.nix @@ -158,7 +158,8 @@ in { systemd.services.telegraf = { path = [ # Make sensors refer to the correct wrapper - (mkIf config.services.smartd.enable (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path)) + (mkIf config.services.smartd.enable + (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path)) ]; serviceConfig = { # For wireguard statistics
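Review bot: `lib.microvm.mac = mac;` in the modules/meta/microvms.nix hunk publishes the VM's MAC for other nodes, but nothing in the hunk says so, and `mac` itself is assigned outside the hunk. A one-line comment would spare the next reader a search: `# Expose the assigned MAC so other nodes can read it as nodes.<name>.config.lib.microvm.mac (used for the host's DHCP reservations).` The enclosing `config = {config, ...}: {` function continues outside the hunk.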