diff --git a/modules/adguard.nix b/modules/adguard.nix
index 2ac325e..87e0d0c 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -47,9 +47,42 @@ in
 default = [ "194.242.2.2" "2a07:e340::2" ];
 description = "Bootstrap DNS servers for resolving DoH upstream";
 };
+
+ filters = lib.mkOption {
+ type = lib.types.listOf (lib.types.submodule {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ description = "Friendly name for the filter list";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ description = "URL of the filter list (txt format)";
+ };
+ enabled = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether the filter is enabled";
+ };
+ };
+ });
+ default = [
+ { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; }
+ { name = "AdAway Default Blocklist"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt"; }
+ { name = "HaGeZi Multi Light"; url = "https://hagezi.github.io/dns-blocklists/wildcard/light.txt"; }
+ { name = "OISD Basic"; url = "https://small.oisd.nl/"; }
+ { name = "Peter Lowe's List"; url = "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adguard&showintro=0&mimetype=plaintext"; }
+ ];
+ description = "DNS blocklists to maintain in AdGuard Home";
+ };
 };
 
 config = lib.mkIf cfg.enable {
+ # Generate a temporary JSON file containing the filters for yq to inject
+ systemd.tmpfiles.rules = [
+ "f /run/adguardhome_filters.json 0644 root root - ${builtins.toJSON { filters = map (f: { inherit (f) name url enabled; id = (builtins.hashString "sha256" f.url); }) cfg.filters; }}"
+ ];
+
 services.adguardhome = {
 enable = true;
 host = "127.0.0.1";
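Review bot: The tmpfiles rule uses type `f`, which only writes its argument when the file does not exist yet, so after the first boot a changed `cfg.filters` will not reach `/run/adguardhome_filters.json` on `nixos-rebuild switch` until the next reboot clears /run; `f+` creates-or-truncates and always writes the argument, i.e. `"f+ /run/adguardhome_filters.json 0644 root root - ${...}"`. The `id` emitted here is a 64-character hex string from `builtins.hashString`, whereas AdGuard Home's `filters[].id` is, in every config I have seen, a numeric field, so the injected YAML may be rejected at startup; an integer derived from position, `lib.imap1 (i: f: { inherit (f) name url enabled; id = i; }) cfg.filters`, avoids that. Note also that the tmpfiles argument field is run through specifier expansion and C-style unescaping, so a user-supplied URL containing `%` (percent-encoding) or a name that `toJSON` has to backslash-escape will be mangled or fail to parse; a comment on the rule, `# NOTE: argument passes through tmpfiles specifier/escape processing; avoid '%' and '\' in names/urls`, and `lib.types.strMatching "https://.*"` on `url` would make both limits visible to callers.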
@@ -104,11 +137,17 @@ in
 };
 };
 
- # Give AdGuardHome access to ACME certificates
+ # Inject filters into AdGuardHome.yaml before starting
 systemd.services.adguardhome = {
 requires = [ "acme-${cfg.domain}.service" ];
 after = [ "acme-${cfg.domain}.service" ];
- serviceConfig.SupplementaryGroups = [ "acme" "nginx" ];
+ serviceConfig.SupplementaryGroups = [ "acme" ];
+ serviceConfig.SystemCallFilter = lib.mkForce []; # Allow yq-go to run its syscalls
+ preStart = lib.mkAfter ''
+ if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
+ ${pkgs.yq-go}/bin/yq -i '.filters = load("/run/adguardhome_filters.json").filters' /var/lib/private/AdGuardHome/AdGuardHome.yaml
+ fi
+ '';
 };
 
 # Open firewall for DoT
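Review bot: `serviceConfig.SystemCallFilter = lib.mkForce []` discards whatever seccomp allowlist the upstream module applies for the whole unit, not just for the pre-start step — ExecStartPre and ExecStart share the same sandbox — so the long-running, network-exposed DNS/DoT/DoH daemon loses that hardening to let a one-off `yq -i` run. Prefer to find the syscalls yq actually trips on (the SIGSYS entry in the journal, or `systemd-analyze syscall-filter`) and append them, e.g. `serviceConfig.SystemCallFilter = [ "@system-service" ];` or the specific names, keeping the upstream list rather than forcing it empty; if the blanket reset is kept, the comment should say so explicitly, `# WARNING: clears the seccomp filter for the entire daemon, not only yq`. The hard-coded `/var/lib/private/AdGuardHome/AdGuardHome.yaml` assumes the DynamicUser/StateDirectory layout; inside the unit `$STATE_DIRECTORY/AdGuardHome.yaml` is the layout-independent way to name that file. Since `.filters =` replaces the list wholesale on every start, a one-line comment noting that filters added in the web UI are overwritten by `cfg.filters` would save the next person a surprise.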