feat: sync tls config (#651 )

* feat: implement tls config sync * feat: implement workaround for #633 * extend feature test * add tests
feat: implement workaround for #633 (#650 )
2025-09-14 18:25:36 +02:00 · 2025-09-14 18:03:32 +02:00 · 2025-09-11 07:31:17 +02:00 · 2025-09-08 08:07:23 +02:00 · 2025-09-08 07:02:36 +02:00 · 2025-09-05 17:51:15 +02:00
138 changed files with 22341 additions and 1075 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+dist
+bin
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [bakito]
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,78 @@
+name: Bug report
+description: Create a report to help us improve
+labels: ['bug']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this issue report! If you have usage questions, please try the [FAQ](https://github.com/bakito/adguardhome-sync/wiki/FAQ) first.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: adguardhome-sync-version
+    attributes:
+      label: AdguardHome-Sync Version
+      description: |
+        - What version of adguardhome-sync was running when you discovered this issue?
+        - Are you running the docker or binary version?
+    validations:
+      required: true
+  - type: textarea
+    id: adguardhome-version
+    attributes:
+      label: AdguardHome Version
+      description: What version of adguardhome was running when you discovered this issue?
+    validations:
+      required: true
+  - type: textarea
+    id: os-information
+    attributes:
+      label: OS Information
+      description: |
+        - What Operating System are you running? `cat /etc/os-release`
+        - What is the architecture of your CPU? `uname -m`
+    validations:
+      required: true
+  - type: textarea
+    id: config
+    attributes:
+      label: Configuration
+      description: |
+        - How did you configure adguardhome-sync?
+        - Please provide your configuration
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: applied-config
+    attributes:
+      label: Current Applied Configuration
+      description: |
+        - Run adguardhome-sync with environment variable `PRINT_CONFIG_ONLY=true` and provide the output here
+      render: shell
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant DEBUG log output
+      description: |
+        Please copy and paste any relevant **debug** log output. This will be automatically formatted into code, so no need for backticks.
+        Enable debug logs by defining the following environment variable `LOG_LEVEL=debug`.
+
+        Please also check adguardhome logs and paste any relevant logs/errors to this issue.
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        Links? References? Anything that will provide more context about the issue you are encountering!
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -0,0 +1,36 @@
+name: Feature request
+description: Suggest an idea for this project
+labels: ['enhancement']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this issue report!
+  - type: textarea
+    id: relation
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like*
+      description: |
+        A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered
+      description: |
+        A clear and concise description of any alternative solutions or features you've considered.
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        Add any other context or screenshots about the feature request here.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/general_issue.yaml
+++ b/.github/ISSUE_TEMPLATE/general_issue.yaml
@@ -0,0 +1,60 @@
+name: General Issue
+description: Report an issue with your setup
+labels: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this issue report! If you have usage questions, please try the [FAQ](https://github.com/bakito/adguardhome-sync/wiki/FAQ) first.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: adguardhome-sync-version
+    attributes:
+      label: AdguardHome-Sync Version
+      description: What version of adguardhome-sync was running when you discovered this issue?
+    validations:
+      required: true
+  - type: textarea
+    id: adguardhome-version
+    attributes:
+      label: AdguardHome Version
+      description: What version of adguardhome was running when you discovered this issue?
+    validations:
+      required: true
+  - type: textarea
+    id: config
+    attributes:
+      label: Configuration
+      description: |
+        - How did you configure adguardhome-sync?
+        - Please provide your configuration
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Please copy and paste any relevant **debug** log output. This will be automatically formatted into code, so no need for backticks.
+        Enable debug logs by defining the following environment variable `LOG_LEVEL=debug`.
+
+        Please also check adguardhome logs and paste any relevant logs/errors to this issue.
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        Links? References? Anything that will provide more context about the issue you are encountering!
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,11 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: "gomod" # See documentation for possible values
-    directory: "/" # Location of package manifests
-    schedule:
-      interval: "weekly"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,80 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '32 19 * * 6'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    
+    - name: Set up Go
+      uses: actions/setup-go@v6
+      with:
+        go-version-file: "go.mod"
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/docker-images.yml
+++ b/.github/workflows/docker-images.yml
@@ -0,0 +1,89 @@
+name: docker-images
+
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * *'
+  #pull_request:
+  #  branches:
+  #    - main
+  release:
+    types:
+      - published
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  images:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        build:
+          - fromImage: scratch
+            tagPrefix: ""
+          - fromImage: alpine:latest
+            tagPrefix: "alpine-"
+    steps:
+      - name: Get current date
+        run: echo "curr_date=$(date --utc +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Quay
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Modify Dockerfile
+        run: |
+          sed -i -e "s|FROM scratch|FROM ${{ matrix.build.fromImage }}|g" Dockerfile
+
+      - name: Build images ${{github.event.release.tag_name }}
+        id: docker_build_release
+        uses: docker/build-push-action@v6
+        if: ${{ github.event.release.tag_name != '' }}
+        with:
+          context: .
+          pull: true
+          push: true
+          tags: quay.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}latest,quay.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}${{ github.event.release.tag_name }},ghcr.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}latest,ghcr.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}${{ github.event.release.tag_name }}
+          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/arm64,linux/ppc64le
+          provenance: false
+          build-args: |
+            VERSION=${{ github.event.release.tag_name }}
+            BUILD=${{ env.curr_date }}
+
+      - name: Check for commits in the last 24 hours
+        run: echo "NEW_COMMIT_COUNT=$(git log --oneline --since '24 hours ago' | wc -l)" >> $GITHUB_ENV
+        if: ${{ github.event.release.tag_name == '' }}
+
+      - name: Build images
+        id: docker_build_main
+        uses: docker/build-push-action@v6
+        if: ${{ github.event.release.tag_name == '' && env.NEW_COMMIT_COUNT > 0  }}
+        with:
+          context: .
+          pull: true
+          push: ${{ github.ref == 'refs/heads/main' }}
+          tags: quay.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}main,ghcr.io/bakito/adguardhome-sync:${{ matrix.build.tagPrefix }}main
+          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/arm64,linux/ppc64le
+          provenance: false
+          build-args: |
+            VERSION=main
+            BUILD=${{ env.curr_date }}
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -0,0 +1,55 @@
+name: e2e tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        build:
+          - mode: env
+            protocol: https
+          - mode: file
+            protocol: http
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup jq
+        uses: dcarbone/install-jq-action@v3
+
+      - name: Install kind with registry
+        uses: bakito/kind-with-registry-action@main
+
+      - name: Build image
+        run: ./testdata/e2e/bin/build-image.sh
+
+      - name: Install Helm Chart
+        run: ./testdata/e2e/bin/install-chart.sh ${{ matrix.build.mode }}
+      - name: Wait for pod to start
+        run: ./testdata/e2e/bin/wait-for-start.sh ${{ matrix.build.protocol }}
+      - name: Show origin pre Logs
+        run: ./testdata/e2e/bin/show-origin-logs.sh pre
+      - name: Wait for sync to finish
+        run: ./testdata/e2e/bin/wait-for-sync.sh ${{ matrix.build.protocol }}
+      - name: Show origin post Logs
+        run: ./testdata/e2e/bin/show-origin-logs.sh post
+      - name: Show Replica Logs
+        run: ./testdata/e2e/bin/show-replica-logs.sh
+      - name: Show Sync Logs
+        run: ./testdata/e2e/bin/show-sync-logs.sh
+      - name: Show Sync Metrics
+        run: ./testdata/e2e/bin/show-sync-metrics.sh ${{ matrix.build.protocol }}
+      - name: Read latest replica config
+        run: ./testdata/e2e/bin/read-latest-replica-config.sh
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -6,36 +6,52 @@ on:
  pull_request:
    branches: [ main ]

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
        with:
-          # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.36
+          go-version-file: "go.mod"
+
+      - name: Lint
+        run: make lint

  test:
    name: test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        
    steps:

-      - name: Set up Go 1.x
-        uses: actions/setup-go@v2
-        with:
-          go-version: ^1.16
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+
+      - name: Model
+        run: make model

      - name: Test
-        run: go test ./...  -coverprofile=coverage.out
+        run: make test-ci

      - name: Send coverage
+        if: runner.os == 'Linux'
        uses: shogo82148/actions-goveralls@v1
+        continue-on-error: true
        with:
          path-to-profile: coverage.out

@@ -44,16 +60,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:

-      - name: Set up Go 1.x
-        uses: actions/setup-go@v2
-        with:
-          go-version: ^1.16
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          version: latest
-          args: --skip-publish --snapshot --rm-dist
+        run: make test-release
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,17 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v10
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.'
+        stale-pr-message: 'This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.'
--- a/.github/workflows/virustotal.yaml
+++ b/.github/workflows/virustotal.yaml
@@ -0,0 +1,16 @@
+name: Scan GitHub Release with VirusTotal
+
+on:
+  release:
+    types: [released]
+
+jobs:
+  scan_release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Analyze Build Assets
+        uses: bakito/virustotal-action@main
+        with:
+          release_name: ${{github.event.release.tag_name}}
+          vt_api_key: ${{secrets.VT_API_KEY}}
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,15 @@
+.vscode
 .idea
-coverage.out
+.fleet
+.run
+coverage.out*
 dist
 adguardhome-sync
 main
 .adguardhome-sync.yaml
+tmp
+bin
+!testdata/e2e/bin
+config*.yaml
+*.log
+wiki
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,213 @@
+version: '2'
+linters:
+  enable:
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - canonicalheader
+    - containedctx
+    - copyloopvar
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - err113
+    - errname
+    - errorlint
+    - exptostd
+    - fatcontext
+    - forcetypeassert
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - godot
+    - gomodguard
+    - goprintffuncname
+    - gosmopolitan
+    - grouper
+    - iface
+    - importas
+    - inamedparam
+    - interfacebloat
+    - intrange
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - nilerr
+    - nilnesserr
+    - noctx
+    - nolintlint
+    - nosprintfhostport
+    - perfsprint
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - revive
+    - rowserrcheck
+    - sloglint
+    - spancheck
+    - sqlclosecheck
+    - staticcheck
+    - tagalign
+    - testableexamples
+    - testifylint
+    - thelper
+    - unconvert
+    - unparam
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+    - whitespace
+    - zerologlint
+  disable:
+    - asasalint
+    - contextcheck
+    - cyclop
+    - depguard
+    - dupl
+    - errchkjson
+    - exhaustive
+    - exhaustruct
+    - forbidigo
+    - funlen
+    - ginkgolinter
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit
+    - goconst
+    - gocyclo
+    - godox
+    - goheader
+    - gomoddirectives
+    - gosec
+    - ireturn
+    - lll
+    - maintidx
+    - musttag
+    - nakedret
+    - nestif
+    - nilnil
+    - nlreturn
+    - nonamedreturns
+    - paralleltest
+    - prealloc
+    - recvcheck
+    - tagliatelle
+    - testpackage
+    - tparallel
+    - varnamelen
+    - wrapcheck
+    - wsl
+  settings:
+    gocritic:
+      enable-all: true
+      disabled-checks:
+        - emptyFallthrough
+        - hugeParam
+        - rangeValCopy
+        - unnamedResult
+        - whyNoLint
+    govet:
+      disable:
+        - fieldalignment
+        - shadow
+      enable-all: true
+    misspell:
+      locale: US
+    revive:
+      enable-all-rules: true
+      rules:
+        - name: add-constant
+          disabled: true
+        - name: cognitive-complexity
+          disabled: true
+        - name: cyclomatic
+          disabled: true
+        - name: deep-exit
+          disabled: true
+        - name: dot-imports
+          severity: warning
+          disabled: false
+          exclude: [""]
+          arguments:
+            - allowedPackages: ["github.com/onsi/ginkgo/v2", "github.com/onsi/gomega"]
+        - name: empty-block
+          disabled: true
+        - name: exported
+          disabled: true
+        - name: filename-format
+          arguments:
+            - ^[a-z][-0-9_a-z]*(?:\.gen)?\.go$
+        - name: flag-parameter
+          disabled: true
+        - name: function-length
+          disabled: true
+        - name: function-result-limit
+          disabled: true
+        - name: import-shadowing
+          disabled: true
+        - name: line-length-limit
+          disabled: true
+        - name: max-control-nesting
+          disabled: true
+        - name: max-public-structs
+          disabled: true
+        - name: nested-structs
+          disabled: true
+        - name: package-comments
+          disabled: true
+        - name: unused-parameter
+          disabled: true
+        - name: unused-receiver
+          disabled: true
+        - name: var-naming
+          disabled: true
+        - name: enforce-switch-style
+          disabled: true
+    staticcheck:
+      checks:
+       - 'all'
+       - '-ST1000'
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - err113
+        text: do not define dynamic errors, use wrapped static errors instead
+      - linters:
+          - forbidigo
+        path: ^internal/cmds/
+      - linters:
+          - forcetypeassert
+        path: _test\.go$
+      - linters:
+          - forbidigo
+        path: assets/scripts/generate-commit.go
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+    - golines
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/bakito/adguardhome-sync)
+    gofumpt:
+      module-path: github.com/bakito/adguardhome-sync
+      extra-rules: true
+    goimports:
+      local-prefixes:
+        - github.com/bakito/adguardhome-sync
+    golines:
+      max-len: 128
+      tab-len: 4
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,36 +1,52 @@
+version: 2
 # This is an example goreleaser.yaml file with some sane defaults.
 # Make sure to check the documentation at http://goreleaser.com
 builds:
- env:
-  - CGO_ENABLED=0
-  ldflags:
-    - -s -w -X github.com/bakito/adguardhome-sync/version.Version={{.Version}}
-  goos:
-  - linux
-  - windows
-  - darwin
-  goarch:
-    - 386
-    - amd64
-    - arm
-    - arm64
-  goarm:
-    - 5
-    - 6
-    - 7
-  hooks:
-    post: upx {{ .Path }}
-archives:
- replacements:
-    386: i386
-    amd64: x86_64
+  - env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -s -w -X github.com/bakito/adguardhome-sync/version.Version={{.Version}} -X github.com/bakito/adguardhome-sync/version.Build={{.Date}}
+    goos:
+      - linux
+      - windows
+      - darwin
+      - openbsd
+    goarch:
+      - 386
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - 5
+      - 6
+      - 7
+    ignore:
+      - goos: darwin
+        goarch: arm
+      - goos: darwin
+        goarch: arm64
+      - goos: windows
+        goarch: arm
+      - goos: windows
+        goarch: arm64
+      - goos: openbsd
+        goarch: 386
+      - goos: openbsd
+        goarch: arm
+    hooks:
+      post:
+        # don't upx windows binaries as they make trouble with virus scanners
+        - bash -c 'if [[ "{{ .Path }}" != *.exe ]] && [[ "{{ .Path }}" != *darwin* ]] && [[ "{{ .Path }}" != *openbsd* ]]; then upx {{ .Path }}; fi'
 checksum:
  name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ .Tag }}-next"
+  version_template: "{{ .Tag }}-next"
 changelog:
  sort: asc
  filters:
    exclude:
-    - '^docs:'
-    - '^test:'
+      - '^docs:'
+      - '^test:'
+      - '^chore'
+release:
+  prerelease: auto
--- a/.oapi-codegen.yaml
+++ b/.oapi-codegen.yaml
@@ -0,0 +1,3 @@
+output-options:
+  client-type-name: AdguardHomeClient
+  response-type-suffix: Resp
--- a/.toolbox.mk
+++ b/.toolbox.mk
@@ -0,0 +1,92 @@
+## toolbox - start
+## Generated with https://github.com/bakito/toolbox
+
+## Current working directory
+TB_LOCALDIR ?= $(shell which cygpath > /dev/null 2>&1 && cygpath -m $$(pwd) || pwd)
+## Location to install dependencies to
+TB_LOCALBIN ?= $(TB_LOCALDIR)/bin
+$(TB_LOCALBIN):
+	if [ ! -e $(TB_LOCALBIN) ]; then mkdir -p $(TB_LOCALBIN); fi
+
+# Helper functions
+STRIP_V = $(patsubst v%,%,$(1))
+
+## Tool Binaries
+TB_CONTROLLER_GEN ?= $(TB_LOCALBIN)/controller-gen
+TB_GINKGO ?= $(TB_LOCALBIN)/ginkgo
+TB_GOLANGCI_LINT ?= $(TB_LOCALBIN)/golangci-lint
+TB_GORELEASER ?= $(TB_LOCALBIN)/goreleaser
+TB_MOCKGEN ?= $(TB_LOCALBIN)/mockgen
+TB_OAPI_CODEGEN ?= $(TB_LOCALBIN)/oapi-codegen
+TB_SEMVER ?= $(TB_LOCALBIN)/semver
+
+## Tool Versions
+# renovate: packageName=github.com/kubernetes-sigs/controller-tools
+TB_CONTROLLER_GEN_VERSION ?= v0.19.0
+# renovate: packageName=github.com/golangci/golangci-lint/v2
+TB_GOLANGCI_LINT_VERSION ?= v2.4.0
+TB_GOLANGCI_LINT_VERSION_NUM ?= $(call STRIP_V,$(TB_GOLANGCI_LINT_VERSION))
+# renovate: packageName=github.com/goreleaser/goreleaser/v2
+TB_GORELEASER_VERSION ?= v2.12.0
+TB_GORELEASER_VERSION_NUM ?= $(call STRIP_V,$(TB_GORELEASER_VERSION))
+# renovate: packageName=github.com/uber-go/mock
+TB_MOCKGEN_VERSION ?= v0.6.0
+# renovate: packageName=github.com/oapi-codegen/oapi-codegen/v2
+TB_OAPI_CODEGEN_VERSION ?= v2.5.0
+# renovate: packageName=github.com/bakito/semver
+TB_SEMVER_VERSION ?= v1.1.7
+TB_SEMVER_VERSION_NUM ?= $(call STRIP_V,$(TB_SEMVER_VERSION))
+
+## Tool Installer
+.PHONY: tb.controller-gen
+tb.controller-gen: ## Download controller-gen locally if necessary.
+	@test -s $(TB_CONTROLLER_GEN) || \
+		GOBIN=$(TB_LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(TB_CONTROLLER_GEN_VERSION)
+.PHONY: tb.ginkgo
+tb.ginkgo: ## Download ginkgo locally if necessary.
+	@test -s $(TB_GINKGO) || \
+		GOBIN=$(TB_LOCALBIN) go install github.com/onsi/ginkgo/v2/ginkgo
+.PHONY: tb.golangci-lint
+tb.golangci-lint: ## Download golangci-lint locally if necessary.
+	@test -s $(TB_GOLANGCI_LINT) && $(TB_GOLANGCI_LINT) --version | grep -q $(TB_GOLANGCI_LINT_VERSION_NUM) || \
+		GOBIN=$(TB_LOCALBIN) go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(TB_GOLANGCI_LINT_VERSION)
+.PHONY: tb.goreleaser
+tb.goreleaser: ## Download goreleaser locally if necessary.
+	@test -s $(TB_GORELEASER) && $(TB_GORELEASER) --version | grep -q $(TB_GORELEASER_VERSION_NUM) || \
+		GOBIN=$(TB_LOCALBIN) go install github.com/goreleaser/goreleaser/v2@$(TB_GORELEASER_VERSION)
+.PHONY: tb.mockgen
+tb.mockgen: ## Download mockgen locally if necessary.
+	@test -s $(TB_MOCKGEN) || \
+		GOBIN=$(TB_LOCALBIN) go install go.uber.org/mock/mockgen@$(TB_MOCKGEN_VERSION)
+.PHONY: tb.oapi-codegen
+tb.oapi-codegen: ## Download oapi-codegen locally if necessary.
+	@test -s $(TB_OAPI_CODEGEN) || \
+		GOBIN=$(TB_LOCALBIN) go install github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen@$(TB_OAPI_CODEGEN_VERSION)
+.PHONY: tb.semver
+tb.semver: ## Download semver locally if necessary.
+	@test -s $(TB_SEMVER) && $(TB_SEMVER) -version | grep -q $(TB_SEMVER_VERSION_NUM) || \
+		GOBIN=$(TB_LOCALBIN) go install github.com/bakito/semver@$(TB_SEMVER_VERSION)
+
+## Reset Tools
+.PHONY: tb.reset
+tb.reset:
+	@rm -f \
+		$(TB_CONTROLLER_GEN) \
+		$(TB_GINKGO) \
+		$(TB_GOLANGCI_LINT) \
+		$(TB_GORELEASER) \
+		$(TB_MOCKGEN) \
+		$(TB_OAPI_CODEGEN) \
+		$(TB_SEMVER)
+
+## Update Tools
+.PHONY: tb.update
+tb.update: tb.reset
+	toolbox makefile --renovate -f $(TB_LOCALDIR)/Makefile \
+		sigs.k8s.io/controller-tools/cmd/controller-gen@github.com/kubernetes-sigs/controller-tools \
+		github.com/golangci/golangci-lint/v2/cmd/golangci-lint?--version \
+		github.com/goreleaser/goreleaser/v2?--version \
+		go.uber.org/mock/mockgen@github.com/uber-go/mock \
+		github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen \
+		github.com/bakito/semver?-version
+## toolbox - end
--- a/32
+++ b/32
@@ -0,0 +1,32 @@
+FROM golang:1.25-alpine AS builder
+
+WORKDIR /go/src/app
+
+RUN apk update && apk add upx ca-certificates tzdata
+
+ARG VERSION=main
+ARG BUILD="N/A"
+
+ENV GO111MODULE=on \
+  CGO_ENABLED=0 \
+  GOOS=linux
+
+COPY . /go/src/app/
+
+
+RUN go build -a -installsuffix cgo -ldflags="-w -s -X github.com/bakito/adguardhome-sync/version.Version=${VERSION} -X github.com/bakito/adguardhome-sync/version.Build=${BUILD}" -o adguardhome-sync .
+
+RUN go version && upx -q adguardhome-sync
+
+# application image
+FROM scratch
+WORKDIR /opt/go
+
+LABEL maintainer="bakito <github@bakito.ch>"
+EXPOSE 8080
+ENTRYPOINT ["/opt/go/adguardhome-sync"]
+CMD ["run", "--config", "/config/adguardhome-sync.yaml"]
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /usr/share/zoneinfo/ /usr/share/zoneinfo/
+COPY --from=builder /go/src/app/adguardhome-sync  /opt/go/adguardhome-sync
+USER 1001
--- a/2
+++ b/2
@@ -186,7 +186,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2021 bakito

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/101
+++ b/101
@@ -1,34 +1,91 @@
-# Run go fmt against code
-fmt:
-	go fmt ./...
-	gofmt -s -w .
+# Include toolbox tasks
+include ./.toolbox.mk

-# Run go vet against code
-vet:
-	go vet ./...
-
-# Run golangci-lint
-lint:
-	golangci-lint run
+# Run go lint against code
+lint: tb.golangci-lint
+	$(TB_GOLANGCI_LINT) run --fix

 # Run go mod tidy
 tidy:
 	go mod tidy

+generate: model mocks deepcopy-gen
+deepcopy-gen: tb.controller-gen
+	@mkdir -p ./tmp
+	@touch ./tmp/deepcopy-gen-boilerplate.go.txt
+	$(TB_CONTROLLER_GEN) paths=./pkg/types object
+
+.PHONY: docs
+docs:
+	go run docs/main.go
+
 # Run tests
-test: tidy fmt vet
-	go test ./...  -coverprofile=coverage.out
+test: generate lint test-ci
+
+fuzz:
+	 go test -fuzz=FuzzMask -v ./pkg/types/ -fuzztime=60s
+
+# Run ci tests
+test-ci: mocks tidy tb.ginkgo
+	$(TB_GINKGO) --cover --coverprofile coverage.out.tmp ./...
+	cat coverage.out.tmp | grep -v "_generated.go" > coverage.out
 	go tool cover -func=coverage.out

-release: semver
-	@version=$$(semver); \
+mocks: tb.mockgen
+	$(TB_MOCKGEN) -package client -destination pkg/mocks/client/mock.go github.com/bakito/adguardhome-sync/pkg/client Client
+	$(TB_MOCKGEN) -package client -destination pkg/mocks/flags/mock.go github.com/bakito/adguardhome-sync/pkg/config Flags
+
+release: tb.semver tb.goreleaser
+	@version=$$($(TB_SEMVER)); \
 	git tag -s $$version -m"Release $$version"
-	goreleaser --rm-dist
+	$(TB_GORELEASER) --clean --parallelism 2

-test-release:
-	goreleaser --skip-publish --snapshot --rm-dist
+test-release: tb.goreleaser
+	$(TB_GORELEASER) --skip=publish --snapshot --clean --parallelism 2

-semver:
-ifeq (, $(shell which semver))
- $(shell go get -u github.com/bakito/semver)
-endif
+start-replica:
+	docker rm -f adguardhome-replica
+	docker run --pull always --name adguardhome-replica -p 9091:3000 --rm adguard/adguardhome:latest
+#	docker run --pull always --name adguardhome-replica -p 9090:80 -p 9091:3000 --rm adguard/adguardhome:v0.107.13
+
+copy-replica-config:
+	docker cp adguardhome-replica:/opt/adguardhome/conf/AdGuardHome.yaml tmp/AdGuardHome.yaml
+
+start-replica2:
+	docker rm -f adguardhome-replica2
+	docker run --pull always --name adguardhome-replica2 -p 9093:3000 --rm adguard/adguardhome:latest
+#	docker run --pull always --name adguardhome-replica -p 9090:80 -p 9091:3000 --rm adguard/adguardhome:v0.107.13
+
+check_defined = \
+    $(strip $(foreach 1,$1, \
+        $(call __check_defined,$1,$(strip $(value 2)))))
+__check_defined = \
+    $(if $(value $1),, \
+      $(error Undefined $1$(if $2, ($2))))
+
+build-image:
+	$(call check_defined, AGH_SYNC_VERSION)
+	docker build --build-arg VERSION=${AGH_SYNC_VERSION} --build-arg BUILD=$(shell date -u +'%Y-%m-%dT%H:%M:%S.%3NZ') --name adgardhome-replica -t ghcr.io/bakito/adguardhome-sync:${AGH_SYNC_VERSION} .
+
+kind-create:
+	kind delete cluster
+	kind create  cluster
+
+kind-test:
+	@./testdata/e2e/bin/install-chart.sh
+
+# renovate: packageName=AdguardTeam/AdGuardHome
+ADGUARD_HOME_VERSION ?= v0.107.65
+
+model: tb.oapi-codegen
+	@mkdir -p tmp
+	go run openapi/main.go $(ADGUARD_HOME_VERSION)
+	$(TB_OAPI_CODEGEN) -package model -generate types,client -config .oapi-codegen.yaml tmp/schema.yaml > pkg/client/model/model_generated.go
+
+model-diff:
+	go run openapi/main.go $(ADGUARD_HOME_VERSION)
+	go run openapi/main.go
+	diff tmp/schema.yaml tmp/schema-master.yaml
+
+zellij:
+	zellij -l ./testdata/test-layout.kdl
--- a/README.md
+++ b/README.md
@@ -1,47 +1,266 @@
-[![Go](https://github.com/bakito/adguardhome-sync/actions/workflows/go.yml/badge.svg)](https://github.com/bakito/adguardhome-sync/actions/workflows/go.yml) [![Go Report Card](https://goreportcard.com/badge/github.com/bakito/adguardhome-sync)](https://goreportcard.com/report/github.com/bakito/adguardhome-sync)
+[![Go](https://github.com/bakito/adguardhome-sync/actions/workflows/go.yml/badge.svg)](https://github.com/bakito/adguardhome-sync/actions/workflows/go.yml)
+[![e2e tests](https://github.com/bakito/adguardhome-sync/actions/workflows/e2e.yaml/badge.svg)](https://github.com/bakito/adguardhome-sync/actions/workflows/e2e.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/bakito/adguardhome-sync)](https://goreportcard.com/report/github.com/bakito/adguardhome-sync)
+[![Coverage Status](https://coveralls.io/repos/github/bakito/adguardhome-sync/badge.svg?branch=main&service=github)](https://coveralls.io/github/bakito/adguardhome-sync?branch=main)

-# AdGuardHome sync

-Synchronize [AdGuardHome](https://github.com/AdguardTeam/AdGuardHome) config to a replica instance.
+
+# <img src="./media/adguardhome-sync.svg" alt="AdGuardHome sync" width="50"/> AdGuardHome sync
+
+Synchronize [AdGuardHome](https://github.com/AdguardTeam/AdGuardHome) config to replica instances.
+
+## FAQ & Deprecations
+
+Please check the wiki
+for [FAQ](https://github.com/bakito/adguardhome-sync/wiki/FAQ)
+and [Deprecations](https://github.com/bakito/adguardhome-sync/wiki/Deprecations).

 ## Current sync features

+- General Settings
 - Filters
 - Rewrites
 - Services
 - Clients
+- DNS Config
+- DHCP Config
+- Theme
+
+By default, all features are enabled. Single features can be disabled in the config.
+
+### Setup of initial instances
+
+New AdGuardHome replica instances can be automatically installed if enabled via the config autoSetup. During automatic
+installation, the admin interface will be listening on port 3000 in runtime.
+
+To skip automatic setup

 ## Install

+Get from [releases](https://github.com/bakito/adguardhome-sync/releases) or install from source
+
 ```bash
-go get -u github.com/bakito/adguardhome-sync
+go install github.com/bakito/adguardhome-sync@latest
 ```

-## Run
+## Prerequisites
+
+Both the origin instance and replica(s) must be initially set up with AdguardHome via the AdguardHome installation wizard.
+
+## Username / Password vs. Cookie
+
+Some instances of AdGuard Home do not support basic authentication. For instance, many routers with built-in Adguard
+Home support do not. If this is the case, a valid cookie may be provided instead. If the router protects the AdGuard
+instance behind its own authentication, the cookie from an authenticated request may allow the sync to succeed.
+
+- This has been tested successfully against GL.Inet routers with AdGuard Home.
+- Note: due to the short validity of cookies, this approach is likely only suitable for one-time syncs
+
+## Run Linux/Mac

 ```bash

+export LOG_LEVEL=info
 export ORIGIN_URL=https://192.168.1.2:3000
 export ORIGIN_USERNAME=username
 export ORIGIN_PASSWORD=password
-export REPLICA_URL=http://192.168.1.3
-export REPLICA_USERNAME=username
-export REPLICA_PASSWORD=password
+# export ORIGIN_COOKIE=Origin-Cookie-Name=CCCOOOKKKIIIEEE
+export REPLICA1_URL=http://192.168.1.3
+export REPLICA1_USERNAME=username
+export REPLICA1_PASSWORD=password
+# export REPLICA_COOKIE=Replica-Cookie-Name=CCCOOOKKKIIIEEE

 # run once
 adguardhome-sync run

 # run as daemon
-adguardhome-sync run --cron "*/10 * * * *"
+adguardhome-sync run --cron "0 */2 * * *"
 ```

+### Run as Linux Service via Systemd
+
+> Verified on Ubuntu Linux 24.04
+
+Assume you have downloaded the the `adguardhome-sync` binary to `/opt/adguardhome-sync`.
+
+Create systemd service file `/opt/adguardhome-sync/adguardhome-sync.service`:
+
+```
+[Unit]
+Description = AdGuardHome Sync
+After = network.target
+
+[Service]
+ExecStart = /opt/adguardhome-sync/adguardhome-sync --config /opt/adguardhome-sync/adguardhome-sync.yaml run
+
+[Install]
+WantedBy = multi-user.target
+
+```
+
+Create a configuration file `/opt/adguardhome-sync/adguardhome-sync.yaml`, please follow [Config file](#config-file-1)
+section below for details.
+
+Install and enable service:
+
+```bash
+sudo cp /opt/adguardhome-sync/adguardhome-sync.service /etc/systemd/system/
+
+sudo systemctl enable adguardhome-sync.service
+
+sudo systemctl start adguardhome-sync.service
+
+```
+
+Then you can check the status:
+
+```bash
+sudo systemctl status adguardhome-sync.service
+
+```
+
+If web UI has been enabled in configuration (default port is 8080), can also check the status via
+`http://<server-IP>:8080`
+
+## Run Windows
+
+```bash
+@ECHO OFF
+@TITLE AdGuardHome-Sync
+
+REM set LOG_LEVEL=debug
+set LOG_LEVEL=info
+REM set LOG_LEVEL=warn
+REM set LOG_LEVEL=error
+
+set ORIGIN_URL=http://192.168.1.2:3000
+set ORIGIN_USERNAME=username
+set ORIGIN_PASSWORD=password
+# set ORIGIN_COOKIE=Origin-Cookie-Name=CCCOOOKKKIIIEEE
+
+set REPLICA1_URL=http://192.168.2.2:3000
+set REPLICA1_USERNAME=username
+set REPLICA1_PASSWORD=password
+# set REPLICA1_COOKIE=Replica-Cookie-Name=CCCOOOKKKIIIEEE
+
+set FEATURES_DHCP_SERVER_CONFIG=false
+set FEATURES_DHCP_STATIC_LEASES=false
+
+# run once
+adguardhome-sync run
+
+# run as daemon
+adguardhome-sync run --cron "0 */2 * * *"
+```
+
+## docker cli
+
+```bash
+docker run -d \
+  --name=adguardhome-sync \
+  -p 8080:8080 \
+  -v /path/to/appdata/config/adguardhome-sync.yaml:/config/adguardhome-sync.yaml \
+  --restart unless-stopped \
+  ghcr.io/bakito/adguardhome-sync:latest
+```
+
+## docker compose
+
+### config file
+
+```yaml
+---
+version: "2.1"
+services:
+  adguardhome-sync:
+    image: ghcr.io/bakito/adguardhome-sync
+    container_name: adguardhome-sync
+    command: run --config /config/adguardhome-sync.yaml
+    volumes:
+      - /path/to/appdata/config/adguardhome-sync.yaml:/config/adguardhome-sync.yaml
+    ports:
+      - 8080:8080
+    restart: unless-stopped
+```
+
+## Config via environment variables
+
+For Replicas replace `#` with the index number for the replica. E.g.: `REPLICA#_URL` -> `REPLICA1_URL`
+<!-- env-doc-start -->
+| Name | Type | Description |
+| :--- | ---- |:----------- |
+| ORIGIN_URL (string) | string | URL of adguardhome instance |
+| ORIGIN_WEB_URL (string) | string | Web URL of adguardhome instance |
+| ORIGIN_API_PATH (string) | string | API Path |
+| ORIGIN_USERNAME (string) | string | Adguardhome username |
+| ORIGIN_PASSWORD (string) | string | Adguardhome password |
+| ORIGIN_COOKIE (string) | string | Adguardhome cookie |
+| ORIGIN_REQUEST_HEADERS (map) | map | Request Headers 'key1:value1,key2:value2' |
+| ORIGIN_INSECURE_SKIP_VERIFY (bool) | bool | Skip TLS verification |
+| ORIGIN_AUTO_SETUP (bool) | bool | Automatically setup the instance if it is not initialized |
+| ORIGIN_INTERFACE_NAME (string) | string | Network interface name |
+| ORIGIN_DHCP_SERVER_ENABLED (bool) | bool | Enable DHCP server |
+| REPLICA#_URL (string) | string | URL of adguardhome instance |
+| REPLICA#_WEB_URL (string) | string | Web URL of adguardhome instance |
+| REPLICA#_API_PATH (string) | string | API Path |
+| REPLICA#_USERNAME (string) | string | Adguardhome username |
+| REPLICA#_PASSWORD (string) | string | Adguardhome password |
+| REPLICA#_COOKIE (string) | string | Adguardhome cookie |
+| REPLICA#_REQUEST_HEADERS (map) | map | Request Headers 'key1:value1,key2:value2' |
+| REPLICA#_INSECURE_SKIP_VERIFY (bool) | bool | Skip TLS verification |
+| REPLICA#_AUTO_SETUP (bool) | bool | Automatically setup the instance if it is not initialized |
+| REPLICA#_INTERFACE_NAME (string) | string | Network interface name |
+| REPLICA#_DHCP_SERVER_ENABLED (bool) | bool | Enable DHCP server |
+| CRON (string) | string | Cron expression for the sync interval |
+| RUN_ON_START (bool) | bool | Run the sung on startup |
+| PRINT_CONFIG_ONLY (bool) | bool | Print current config only and stop the application |
+| CONTINUE_ON_ERROR (bool) | bool | Continue sync on errors |
+| API_PORT (int) | int | API port |
+| API_USERNAME (string) | string | API username |
+| API_PASSWORD (string) | string | API password |
+| API_DARK_MODE (bool) | bool | API dark mode |
+| API_METRICS_ENABLED (bool) | bool | Enable metrics |
+| API_METRICS_SCRAPE_INTERVAL (int64) | int64 | Interval for metrics scraping |
+| API_METRICS_QUERY_LOG_LIMIT (int) | int | Metrics log query limit |
+| API_TLS_CERT_DIR (string) | string | API TLS certificate directory |
+| API_TLS_CERT_NAME (string) | string | API TLS certificate file name |
+| API_TLS_KEY_NAME (string) | string | API TLS key file name |
+| FEATURES_DNS_ACCESS_LISTS (bool) | bool | Sync DNS access lists |
+| FEATURES_DNS_SERVER_CONFIG (bool) | bool | Sync DNS server config |
+| FEATURES_DNS_REWRITES (bool) | bool | Sync DNS rewrites |
+| FEATURES_DHCP_SERVER_CONFIG (bool) | bool | Sync DHCP server config |
+| FEATURES_DHCP_STATIC_LEASES (bool) | bool | Sync DHCP static leases |
+| FEATURES_GENERAL_SETTINGS (bool) | bool | Sync general settings |
+| FEATURES_QUERY_LOG_CONFIG (bool) | bool | Sync query log config |
+| FEATURES_STATS_CONFIG (bool) | bool | Sync stats config |
+| FEATURES_CLIENT_SETTINGS (bool) | bool | Sync client settings |
+| FEATURES_SERVICES (bool) | bool | Sync services |
+| FEATURES_FILTERS (bool) | bool | Sync filters |
+| FEATURES_THEME (bool) | bool | Sync the web UI theme |
+| FEATURES_TLS_CONFIG (bool) | bool | Sync the TLS config |
+<!-- env-doc-end -->
+
+### Unraid
+
+⚠️ Disclaimer: Tere exists an unraid tepmlate for this application. This template is not managed by this project.
+Also, as unraid is not known to me, I can not give any support on unraind templates.
+
+Note when running the Docker container in Unraid please remove unneeded env variables if don't needed.
+If replica2 isn't used this can cause sync errors.
+
 ### Config file

 location: $HOME/.adguardhome-sync.yaml

 ```yaml
 # cron expression to run in daemon mode. (default; "" = runs only once)
-cron: "*/10 * * * *"
+cron: "0 */2 * * *"
+
+# runs the synchronisation on startup
+runOnStart: true
+
+# If enabled, the synchronisation task will not fail on single errors, but will log the errors and continue
+continueOnError: false

 origin:
  # url of the origin instance
@@ -50,30 +269,108 @@ origin:
  # insecureSkipVerify: true # disable tls check
  username: username
  password: password
+  # cookie: Origin-Cookie-Name=CCCOOOKKKIIIEEE
+  # requestHeaders: # Additional request headers
+  #   AAA: bbb

-# replica instance (optional, if only one)
-replica:
-  # url of the replica instance
-  url: http://192.168.1.3
-  username: username
-  password: password
-
-# replicas instances (optional, if more than one)
+# replicas instances
 replicas:
  # url of the replica instance
  - url: http://192.168.1.3
    username: username
    password: password
+    # cookie: Replica1-Cookie-Name=CCCOOOKKKIIIEEE
  - url: http://192.168.1.4
    username: username
    password: password
+    # cookie: Replica2-Cookie-Name=CCCOOOKKKIIIEEE
+    # autoSetup: true # if true, AdGuardHome is automatically initialized.
+    # webURL: "https://some-other.url" # used in the web interface (default: <replica-url>
+    # requestHeaders: # Additional request headers
+    #   AAA: bbb

 # Configure the sync API server, disabled if api port is 0
 api:
  # Port, default 8080
  port: 8080
-  # if username and password are defined, basic auth is applied to the sync API 
+  # if username and password are defined, basic auth is applied to the sync API
  username: username
  password: password
+  # enable api dark mode
+  darkMode: true

+  # enable metrics on path '/metrics' (api port must be != 0)
+  # metrics:
+  #   enabled: true
+  #   scrapeInterval: 30s 
+  #   queryLogLimit: 10000
+
+  # enable tls for the api server
+  # tls:
+  #   # the directory of the provided tls certs
+  #   certDir: /path/to/certs
+  #   # the name of the cert file (default: tls.crt)
+  #   certName: foo.crt
+  #   # the name of the key file (default: tls.key)
+  #   keyName: bar.key
+
+# Configure sync features; by default all features are enabled.
+features:
+  generalSettings: true
+  queryLogConfig: true
+  statsConfig: true
+  clientSettings: true
+  services: true
+  filters: true
+  dhcp:
+    serverConfig: true
+    staticLeases: true
+  dns:
+    serverConfig: true
+    accessLists: true
+    rewrites: true
 ```
+
+## Home Assistant AdGuard Home Add-on users
+
+To enable syncing with a Home Assistant instance using
+the [AdGuard Home Add-on](https://github.com/hassio-addons/addon-adguard-home), you will need to enable the disabled
+ports, under the Network heading
+
+![show-disabled-ports](https://github.com/user-attachments/assets/1df5f352-37a2-4508-82ec-7f270087d0b4)
+
+And then set the port of your choice for the Web interface
+
+![web-interface-port](https://github.com/user-attachments/assets/286ed030-4831-4f49-8b29-53e8802129c3)
+
+Don't forget to save and restart the add-on.
+
+Depending on your setup, you may also need to disable SSL for the add-on.
+
+The username:password required for the Home Assistant replica is the one you use to login to your instance, however it's
+recommended to setup a new local only user with minimal permissions.
+
+All credit for this method goes to [Brunty](https://github.com/brunty) who has a far
+more [detailed write up](https://brunty.me/post/replicate-adguard-home-settings-into-home-assistant-adguard-home-addon/)
+about this on his blog.
+
+## Log Level
+
+The log level can be set with the environment variable: `LOG_LEVEL`
+
+The following log levels are supported (default: info)
+
+- debug
+- info
+- warn
+- error
+
+## Log Format
+
+Default log format is `console`.
+It can be changed to `json` by setting the environment variable: `LOG_FORMAT=json`.
+
+## Video Tutorials
+
+- [Como replicar la configuración de tu servidor DNS Adguard automáticamente - Tu servidor Part #12](https://www.youtube.com/watch?v=1LPeu_JG064) (
+  Spanish) by [Jonatan Castro](https://github.com/jcastro)
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -3,34 +3,11 @@ package cmd
 import (
 	"fmt"
 	"os"
-	"strings"
-
-	"github.com/bakito/adguardhome-sync/pkg/log"

 	"github.com/spf13/cobra"

-	homedir "github.com/mitchellh/go-homedir"
-	"github.com/spf13/viper"
-)
-
-const (
-	configCron = "cron"
-
-	configAPIPort     = "api.port"
-	configAPIUsername = "api.username"
-	configAPIPassword = "api.password"
-
-	configOriginURL                = "origin.url"
-	configOriginAPIPath            = "origin.apiPath"
-	configOriginUsername           = "origin.username"
-	configOriginPassword           = "origin.password"
-	configOriginInsecureSkipVerify = "origin.insecureSkipVerify"
-
-	configReplicaURL                = "replica.url"
-	configReplicaAPIPath            = "replica.apiPath"
-	configReplicaUsername           = "replica.username"
-	configReplicaPassword           = "replica.password"
-	configReplicaInsecureSkipVerify = "replica.insecureSkipVerify"
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/version"
 )

 var (
@@ -38,24 +15,23 @@ var (
 	logger  = log.GetLogger("root")
 )

-// rootCmd represents the base command when called without any subcommands
+// rootCmd represents the base command when called without any subcommands.
 var rootCmd = &cobra.Command{
-	Use:   "adguardhome-sync",
-	Short: "Synchronize config from one AdGuardHome instance to another",
+	Use:     "adguardhome-sync",
+	Short:   "Synchronize config from one AdGuardHome instance to another",
+	Version: version.Version,
 }

 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
 	if err := rootCmd.Execute(); err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 		os.Exit(1)
 	}
 }

 func init() {
-	cobra.OnInitialize(initConfig)
-
 	// Here you will define your flags and configuration settings.
 	// Cobra supports persistent flags, which, if defined here,
 	// will be global for your application.
@@ -66,30 +42,3 @@ func init() {
 	// when this action is called directly.
 	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 }
-
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-	if cfgFile != "" {
-		// Use config file from the flag.
-		viper.SetConfigFile(cfgFile)
-	} else {
-		// Find home directory.
-		home, err := homedir.Dir()
-		if err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-
-		// Search config in home directory with name ".adguardhome-sync" (without extension).
-		viper.AddConfigPath(home)
-		viper.SetConfigName(".adguardhome-sync")
-		viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_", ".", "_"))
-	}
-
-	viper.AutomaticEnv() // read in environment variables that match
-
-	// If a config file is found, read it in.
-	if err := viper.ReadInConfig(); err == nil {
-		logger.Info("Using config file:", viper.ConfigFileUsed())
-	}
-}
--- a/cmd/run.go
+++ b/cmd/run.go
@@ -1,61 +1,93 @@
 package cmd

 import (
+	"github.com/spf13/cobra"
+
+	"github.com/bakito/adguardhome-sync/pkg/config"
 	"github.com/bakito/adguardhome-sync/pkg/log"
 	"github.com/bakito/adguardhome-sync/pkg/sync"
-	"github.com/bakito/adguardhome-sync/pkg/types"
-	"github.com/spf13/viper"
-
-	"github.com/spf13/cobra"
 )

-// runCmd represents the run command
+// runCmd represents the run command.
 var doCmd = &cobra.Command{
 	Use:   "run",
-	Short: "Start a synchronisation from origin to replica",
+	Short: "Start a synchronization from origin to replica",
 	Long:  `Synchronizes the configuration form an origin instance to a replica`,
-	Run: func(cmd *cobra.Command, args []string) {
+	RunE: func(cmd *cobra.Command, args []string) error {
 		logger = log.GetLogger("run")
-		cfg := &types.Config{}
-		if err := viper.Unmarshal(cfg); err != nil {
+		cfg, err := config.Get(cfgFile, cmd.Flags())
+		if err != nil {
 			logger.Error(err)
-			return
+			return err
 		}

-		sync.Sync(cfg)
+		if err := cfg.Init(); err != nil {
+			logger.Error(err)
+			return err
+		}
+
+		if cfg.PrintConfigOnly() {
+			if err := cfg.Print(); err != nil {
+				logger.Error(err)
+				return err
+			}
+
+			return nil
+		}
+
+		return sync.Sync(cfg.Get())
 	},
 }

 func init() {
 	rootCmd.AddCommand(doCmd)
-	doCmd.PersistentFlags().String("cron", "", "The cron expression to run in daemon mode")
-	_ = viper.BindPFlag(configCron, doCmd.PersistentFlags().Lookup("cron"))
-	doCmd.PersistentFlags().Int("api-port", 8080, "Sync API Port, the API endpoint will be started to enable remote triggering; if 0 port API is disabled.")
-	_ = viper.BindPFlag(configAPIPort, doCmd.PersistentFlags().Lookup("api-port"))
-	doCmd.PersistentFlags().String("api-username", "", "Sync API username")
-	_ = viper.BindPFlag(configAPIUsername, doCmd.PersistentFlags().Lookup("api-username"))
-	doCmd.PersistentFlags().String("api-password", "", "Sync API password")
-	_ = viper.BindPFlag(configAPIPassword, doCmd.PersistentFlags().Lookup("api-password"))
+	doCmd.PersistentFlags().String(config.FlagCron, "", "The cron expression to run in daemon mode")
+	doCmd.PersistentFlags().Bool(config.FlagRunOnStart, true, "Run the sync job on start.")
+	doCmd.PersistentFlags().Bool(config.FlagPrintConfigOnly, false, "Prints the configuration only and exists. "+
+		"Can be used to debug the config E.g: when having authentication issues.")
+	doCmd.PersistentFlags().Bool(config.FlagContinueOnError, false, "If enabled, the synchronization task "+
+		"will not fail on single errors, but will log the errors and continue.")

-	doCmd.PersistentFlags().String("origin-url", "", "Origin instance url")
-	_ = viper.BindPFlag(configOriginURL, doCmd.PersistentFlags().Lookup("origin-url"))
-	doCmd.PersistentFlags().String("origin-api-path", "/control", "Origin instance API path")
-	_ = viper.BindPFlag(configOriginAPIPath, doCmd.PersistentFlags().Lookup("origin-api-path"))
-	doCmd.PersistentFlags().String("origin-username", "", "Origin instance username")
-	_ = viper.BindPFlag(configOriginUsername, doCmd.PersistentFlags().Lookup("origin-username"))
-	doCmd.PersistentFlags().String("origin-password", "", "Origin instance password")
-	_ = viper.BindPFlag(configOriginPassword, doCmd.PersistentFlags().Lookup("origin-password"))
-	doCmd.PersistentFlags().String("origin-insecure-skip-verify", "", "Enable Origin instance InsecureSkipVerify")
-	_ = viper.BindPFlag(configOriginInsecureSkipVerify, doCmd.PersistentFlags().Lookup("origin-insecure-skip-verify"))
+	doCmd.PersistentFlags().
+		Int(config.FlagAPIPort, 8080, "Sync API Port, the API endpoint will be started to enable remote triggering; if 0 port API is disabled.")
+	doCmd.PersistentFlags().String(config.FlagAPIUsername, "", "Sync API username")
+	doCmd.PersistentFlags().String(config.FlagAPIPassword, "", "Sync API password")
+	doCmd.PersistentFlags().String(config.FlagAPIDarkMode, "", "API UI in dark mode")

-	doCmd.PersistentFlags().String("replica-url", "", "Replica instance url")
-	_ = viper.BindPFlag(configReplicaURL, doCmd.PersistentFlags().Lookup("replica-url"))
-	doCmd.PersistentFlags().String("replica-api-path", "/control", "Replica instance API path")
-	_ = viper.BindPFlag(configReplicaAPIPath, doCmd.PersistentFlags().Lookup("replica-api-path"))
-	doCmd.PersistentFlags().String("replica-username", "", "Replica instance username")
-	_ = viper.BindPFlag(configReplicaUsername, doCmd.PersistentFlags().Lookup("replica-username"))
-	doCmd.PersistentFlags().String("replica-password", "", "Replica instance password")
-	_ = viper.BindPFlag(configReplicaPassword, doCmd.PersistentFlags().Lookup("replica-password"))
-	doCmd.PersistentFlags().String("replica-insecure-skip-verify", "", "Enable Replica instance InsecureSkipVerify")
-	_ = viper.BindPFlag(configReplicaInsecureSkipVerify, doCmd.PersistentFlags().Lookup("replica-insecure-skip-verify"))
+	doCmd.PersistentFlags().Bool(config.FlagFeatureDhcpServerConfig, true, "Enable DHCP server config feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureDhcpStaticLeases, true, "Enable DHCP server static leases feature")
+
+	doCmd.PersistentFlags().Bool(config.FlagFeatureDNSServerConfig, true, "Enable DNS server config feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureDNSAccessLists, true, "Enable DNS server access lists feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureDNSRewrites, true, "Enable DNS rewrites feature")
+
+	doCmd.PersistentFlags().Bool(config.FlagFeatureGeneral, true, "Enable general settings feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureQueryLog, true, "Enable query log config feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureStats, true, "Enable stats config feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureClient, true, "Enable client settings feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureServices, true, "Enable services sync feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureFilters, true, "Enable filters sync feature")
+	doCmd.PersistentFlags().Bool(config.FlagFeatureTLSConfig, true, "Enable TLS config sync feature")
+
+	doCmd.PersistentFlags().String(config.FlagOriginURL, "", "Origin instance url")
+	doCmd.PersistentFlags().
+		String(config.FlagOriginWebURL, "", "Origin instance web url used in the web interface (default: <origin-url>)")
+	doCmd.PersistentFlags().String(config.FlagOriginAPIPath, "/control", "Origin instance API path")
+	doCmd.PersistentFlags().String(config.FlagOriginUsername, "", "Origin instance username")
+	doCmd.PersistentFlags().String(config.FlagOriginPassword, "", "Origin instance password")
+	doCmd.PersistentFlags().String(config.FlagOriginCookie, "", "If Set, uses a cookie for authentication")
+	doCmd.PersistentFlags().Bool(config.FlagOriginISV, false, "Enable Origin instance InsecureSkipVerify")
+
+	doCmd.PersistentFlags().String(config.FlagReplicaURL, "", "Replica instance url")
+	doCmd.PersistentFlags().
+		String(config.FlagReplicaWebURL, "", "Replica instance web url used in the web interface (default: <replica-url>)")
+	doCmd.PersistentFlags().String(config.FlagReplicaAPIPath, "/control", "Replica instance API path")
+	doCmd.PersistentFlags().String(config.FlagReplicaUsername, "", "Replica instance username")
+	doCmd.PersistentFlags().String(config.FlagReplicaPassword, "", "Replica instance password")
+	doCmd.PersistentFlags().String(config.FlagReplicaCookie, "", "If Set, uses a cookie for authentication")
+	doCmd.PersistentFlags().Bool(config.FlagReplicaISV, false, "Enable Replica instance InsecureSkipVerify")
+	doCmd.PersistentFlags().
+		Bool(config.FlagReplicaAutoSetup, false, "Enable automatic setup of new AdguardHome instances. This replaces the setup wizard.")
+	doCmd.PersistentFlags().
+		String(config.FlagReplicaInterfaceName, "", "Optional change the interface name of the replica if it differs from the master")
 }
--- a/docs/main.go
+++ b/docs/main.go
@@ -0,0 +1,103 @@
+// Print the available environment variables
+package main
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"reflect"
+	"strings"
+
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+func main() {
+	// Read the README.md file
+	content, err := os.ReadFile("README.md")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Convert to string for easier manipulation
+	fileContent := string(content)
+
+	// Generate the environment variables documentation
+	var buf strings.Builder
+	_, _ = buf.WriteString("| Name | Type | Description |\n")
+	_, _ = buf.WriteString("| :--- | ---- |:----------- |\n")
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+	printEnvTags(reflect.TypeOf(types.Config{}), "")
+	_ = w.Close()
+	envDoc, _ := io.ReadAll(r)
+	os.Stdout = oldStdout
+	_, _ = buf.Write(envDoc)
+
+	// Find the markers and replace content between them
+	startMarker := "<!-- env-doc-start -->"
+	endMarker := "<!-- env-doc-end -->"
+
+	start := strings.Index(fileContent, startMarker)
+	end := strings.Index(fileContent, endMarker)
+
+	if start == -1 || end == -1 {
+		log.Fatal("Could not find markers in README.md")
+	}
+
+	// Construct new content
+	newContent := fileContent[:start+len(startMarker)] + "\n" + buf.String() + fileContent[end:]
+
+	// Write back to README.md
+	err = os.WriteFile("README.md", []byte(newContent), 0o644)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+// printEnvTags recursively prints all fields with `env` tags.
+func printEnvTags(t reflect.Type, prefix string) {
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+	if t.Kind() != reflect.Struct {
+		return
+	}
+
+	for _, field := range reflect.VisibleFields(t) {
+		if field.PkgPath != "" { // unexported field
+			continue
+		}
+
+		envTag := field.Tag.Get("env")
+		if envTag == "" {
+			switch field.Name {
+			case "Origin":
+				envTag = "ORIGIN"
+			case "Replica":
+				envTag = "REPLICA#"
+			}
+		}
+		combinedTag := envTag
+		if prefix != "" && envTag != "" {
+			combinedTag = prefix + "_" + envTag
+		} else if prefix != "" {
+			combinedTag = prefix
+		}
+
+		ft := field.Type
+		if ft.Kind() == reflect.Ptr {
+			ft = ft.Elem()
+		}
+
+		if ft.Kind() == reflect.Struct && ft.Name() != "Time" { // skip time.Time
+			printEnvTags(ft, strings.TrimSuffix(combinedTag, "_"))
+		} else if envTag != "" {
+			envVar := strings.Trim(combinedTag, "_") + " (" + ft.Kind().String() + ")"
+			docs := field.Tag.Get("documentation")
+
+			_, _ = fmt.Printf("| %s | %s | %s |\n", envVar, ft.Kind().String(), docs)
+		}
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,79 @@
 module github.com/bakito/adguardhome-sync

-go 1.16
+go 1.25.1

 require (
-	github.com/go-resty/resty/v2 v2.5.0
-	github.com/mitchellh/go-homedir v1.1.0
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/gin-gonic/gin v1.10.1
+	github.com/go-faker/faker/v4 v4.6.1
+	github.com/go-resty/resty/v2 v2.16.5
+	github.com/google/uuid v1.6.0
+	github.com/jinzhu/copier v0.4.0
+	github.com/oapi-codegen/runtime v1.1.2
+	github.com/onsi/ginkgo/v2 v2.25.3
+	github.com/onsi/gomega v1.38.2
+	github.com/prometheus/client_golang v1.23.2
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/spf13/cobra v1.1.3
-	github.com/spf13/viper v1.7.1
-	go.uber.org/zap v1.16.0
-	golang.org/x/net v0.0.0-20210119194325-5f4716e94777 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
+	github.com/spf13/cobra v1.10.1
+	go.uber.org/mock v0.6.0
+	go.uber.org/zap v1.27.0
+	golang.org/x/mod v0.28.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.34.1
+	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
+)
+
+require (
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bytedance/sonic v1.13.2 // indirect
+	github.com/bytedance/sonic/loader v0.2.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.26.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/arch v0.16.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,339 +1,225 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
-github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
-github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
+github.com/bytedance/sonic v1.13.2 h1:8/H1FempDZqC4VqjptGo14QQlJx8VdZJegxs6wwfqpQ=
+github.com/bytedance/sonic v1.13.2/go.mod h1:o68xyaF9u2gvVBuGHPlUVCy+ZfmNNO5ETf1+KgkJhz4=
+github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/bytedance/sonic/loader v0.2.4 h1:ZWCw4stuXUsn1/+zQDqeE7JKP+QO47tz7QCNan80NzY=
+github.com/bytedance/sonic/loader v0.2.4/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-resty/resty/v2 v2.5.0 h1:WFb5bD49/85PO7WgAjZ+/TJQ+Ty1XOcWEfD1zIFCM1c=
-github.com/go-resty/resty/v2 v2.5.0/go.mod h1:B88+xCTEwvfD94NOuE6GS1wMlnoKNY8eEiNizfNwOwA=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
-github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
-github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
-github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
-github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
-github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
-github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
-github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
+github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
+github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-faker/faker/v4 v4.6.1 h1:xUyVpAjEtB04l6XFY0V/29oR332rOSPWV4lU8RwDt4k=
+github.com/go-faker/faker/v4 v4.6.1/go.mod h1:arSdxNCSt7mOhdk8tEolvHeIJ7eX4OX80wXjKKvkKBY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
+github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
-github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
-github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
-github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
+github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
+github.com/onsi/ginkgo/v2 v2.25.3 h1:Ty8+Yi/ayDAGtk4XxmmfUy4GabvM+MegeB4cDLRi6nw=
+github.com/onsi/ginkgo/v2 v2.25.3/go.mod h1:43uiyQC4Ed2tkOzLsEYm7hnrb7UJTWHYNsuy3bG/snE=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M=
-github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk=
-github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
-github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.16.0 h1:uFRZXykJGK9lLY4HtgSw44DnIcAM+kRBP7x5m+NpAOM=
-go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
+github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/arch v0.16.0 h1:foMtLTdyOmIniqWCHjY6+JxuC54XP1fDwx4N0ASyW+U=
+golang.org/x/arch v0.16.0/go.mod h1:JmwW7aLIoRUKgaTzhkiEFxvcEiQGyOg9BMonBJUS7EE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc h1:NCy3Ohtk6Iny5V/reW2Ktypo4zIpWBdRJ1uFMjBxdg8=
-golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
-gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
+k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
+k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/media/adguardhome-sync.svg
+++ b/media/adguardhome-sync.svg
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   version="1.2"
+   viewBox="0 0 1000 1000"
+   id="svg3"
+   sodipodi:docname="adguardhome-sync.svg"
+   inkscape:version="1.4.2 (f4327f4, 2025-05-13)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs3">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 | F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       is_visible="true"
+       lpeversion="1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect18"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,54.646215,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 | F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,54.646212,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="skeletal"
+       id="path-effect13"
+       is_visible="true"
+       lpeversion="1"
+       pattern="m 78.30448,0.02132 c -1.76356,0.0996 -3.48821,0.55822 -5.06836,1.34765 L 5.80252,35.08773 c -18.554321,9.281429 -18.766576,9.393634 0,18.78124 l 67.4336,33.71876 c 8.62996,4.31519 18.78393,-1.9607 18.7832,-11.60938 v -11.5 h 213 c 6.62742,0 12,-5.372583 12,-12 v -16 c 0,-6.627417 -5.37258,-12 -12,-12 h -213 v -11.5 C 92.01887,5.52137 85.74946,-0.40162 78.30448,0.02132 Z"
+       copytype="repeated_stretched"
+       prop_scale="1"
+       scale_y_rel="false"
+       spacing="100"
+       normal_offset="0"
+       tang_offset="0"
+       prop_units="false"
+       vertical_pattern="false"
+       hide_knot="false"
+       fuse_tolerance="0"
+       pattern-nodetypes="cccccccssssccc" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect11"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,12,0,1 @ F,0,1,1,0,12,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect33"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param=""
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch26"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:1;"
+         offset="0"
+         id="stop26" />
+    </linearGradient>
+    <linearGradient
+       id="swatch25"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#407b28;stop-opacity:1;"
+         offset="0"
+         id="stop25" />
+    </linearGradient>
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 500 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="1000 : 500 : 1"
+       inkscape:persp3d-origin="500 : 333.33333 : 1"
+       id="perspective6" />
+    <inkscape:path-effect
+       effect="skeletal"
+       id="path-effect13-9"
+       is_visible="true"
+       lpeversion="1"
+       pattern="m -435.41689,700.31394 -82.73956,27.87776 82.73956,31.49534 v -23.8092 l 434.54687,9.11337 v -33.59902 l -434.54687,9.11337 z"
+       copytype="repeated_stretched"
+       prop_scale="2"
+       scale_y_rel="false"
+       spacing="100"
+       normal_offset="0"
+       tang_offset="0"
+       prop_units="false"
+       vertical_pattern="false"
+       hide_knot="false"
+       fuse_tolerance="0"
+       pattern-nodetypes="sccccccs" />
+  </defs>
+  <sodipodi:namedview
+     id="namedview3"
+     pagecolor="#505050"
+     bordercolor="#eeeeee"
+     borderopacity="1"
+     inkscape:showpageshadow="0"
+     inkscape:pageopacity="0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#505050"
+     inkscape:zoom="0.70710678"
+     inkscape:cx="540.93669"
+     inkscape:cy="502.04582"
+     inkscape:window-width="1556"
+     inkscape:window-height="1360"
+     inkscape:window-x="1868"
+     inkscape:window-y="0"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg3" />
+  <path
+     fill="#68bc71"
+     d="m 993.75002,114.1 c 0,171.8 3.1,595.3 -493.8,885.9 C 3.0500233,709.4 6.2500233,285.9 6.2500233,114.1 159.35002,35.9 345.25002,0 499.95002,0 c 154.7,0 340.6,35.9 493.8,114.1 z"
+     id="path1"
+     inkscape:label="shield" />
+  <path
+     fill="#67b279"
+     d="M500 1000C3.1 709.4 6.2 285.9 6.2 114.1 159.4 35.9 345.3 0 500 0z"
+     id="path2"
+     inkscape:label="half-shield" />
+  <path
+     fill="#ffffff"
+     d="m 225,449.6 c 15,-11.7 80,-53.4 128.3,1.6 L 453.3,569.6 720,297.9 c 11.7,-10 31.7,-23.3 55,-5 L 455,716.2 Z"
+     id="path3"
+     inkscape:label="checkmark"
+     style="display:none" />
+  <circle
+     style="display:none;fill:#ffffff;fill-opacity:0.5;stroke:#ffffff;stroke-width:8e-08;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:100;stroke-dasharray:none;stroke-opacity:0.502604"
+     id="path18"
+     cx="-500"
+     cy="426"
+     r="400"
+     inkscape:label="badge"
+     transform="scale(-1,1)" />
+  <path
+     id="path12-8"
+     style="fill:#ffffff;fill-opacity:1;stroke:#ffffff;stroke-width:4.00001;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:100;stroke-dasharray:none;stroke-opacity:1"
+     d="m -75.867249,555.75073 c -1.469322,-39.92741 -12.296964,-76.43624 -30.823861,-104.61661 -21.05517,28.18037 -47.89663,45.38022 -75.18829,53.68483 l 42.51192,20.42415 c -33.35434,61.94297 -101.60764,105.3289 -167.51689,101.23666 -42.42317,-1.43193 -82.3318,-22.18867 -112.01355,-52.33871 -21.09944,-21.43232 -53.37423,-31.44115 -79.38397,-16.1329 l -10.3958,6.11853 c 43.49744,68.86447 120.54256,113.80911 201.79332,112.04834 87.97224,-4.41047 162.60077,-62.73987 194.96448,-137.74518 z M -537.90127,346.51705 c 1.46924,39.92741 12.29681,76.43626 30.82364,104.61667 21.05523,-28.18031 47.89674,-45.38011 75.18842,-53.68467 l -42.51189,-20.42423 c 33.35441,-61.94281 101.60759,-105.32857 167.51673,-101.23635 42.4233,1.43194 82.33203,22.18879 112.01381,52.33897 21.0994,21.43235 53.37417,31.44124 79.38393,16.13305 l 10.39581,-6.11852 c -43.49739,-68.86468 -120.54264,-113.8095 -201.79355,-112.04872 -87.97208,4.41046 -162.60049,62.73965 -194.96429,137.74477 z"
+     transform="matrix(0,-1.3167476,1.3167476,0,-94.029776,21.910887)"
+     inkscape:label="double-arrow"
+     inkscape:path-effect="#path-effect1"
+     inkscape:original-d="m -75.867249,555.75073 c -1.469322,-39.92741 -12.296964,-76.43624 -30.823861,-104.61661 -21.05517,28.18037 -47.89663,45.38022 -75.18829,53.68483 l 42.51192,20.42415 c -33.35434,61.94297 -101.60764,105.3289 -167.51689,101.23666 -42.42317,-1.43193 -82.3318,-22.18867 -112.01355,-52.33871 -21.09944,-21.43232 -53.37423,-31.44115 -79.38397,-16.1329 l -10.3958,6.11853 c 43.49744,68.86447 120.54256,113.80911 201.79332,112.04834 87.97224,-4.41047 162.60077,-62.73987 194.96448,-137.74518 z M -537.90127,346.51705 c 1.46924,39.92741 12.29681,76.43626 30.82364,104.61667 21.05523,-28.18031 47.89674,-45.38011 75.18842,-53.68467 l -42.51189,-20.42423 c 33.35441,-61.94281 101.60759,-105.32857 167.51673,-101.23635 42.4233,1.43194 82.33203,22.18879 112.01381,52.33897 21.0994,21.43235 53.37417,31.44124 79.38393,16.13305 l 10.39581,-6.11852 c -43.49739,-68.86468 -120.54264,-113.8095 -201.79355,-112.04872 -87.97208,4.41046 -162.60049,62.73965 -194.96429,137.74477 z" />
+</svg>
--- a/openapi/main.go
+++ b/openapi/main.go
@@ -0,0 +1,110 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+
+	"gopkg.in/yaml.v3"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func main() {
+	version := "master"
+	fileName := "schema-master.yaml"
+	if len(os.Args) > 1 {
+		version = os.Args[1]
+		fileName = "schema.yaml"
+	}
+	log.Printf("Patching schema version %s\n", version)
+
+	ctx := context.Background() // Or use context.WithTimeout
+	req, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodGet,
+		fmt.Sprintf("https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/%s/openapi/openapi.yaml", version),
+		http.NoBody,
+	)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	schema := make(map[string]any)
+	err = yaml.Unmarshal(data, &schema)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	if requestBodies, ok, _ := unstructured.NestedMap(schema, "components", "requestBodies"); ok {
+		for k := range requestBodies {
+			_ = unstructured.SetNestedField(schema, k+"Body", "components", "requestBodies", k, "x-go-name")
+		}
+	}
+
+	if dnsInfo, ok, _ := unstructured.NestedMap(schema,
+		"paths", "/dns_info", "get", "responses", "200", "content", "application/json", "schema"); ok {
+		if allOf, ok, _ := unstructured.NestedSlice(dnsInfo, "allOf"); ok && len(allOf) == 2 {
+			delete(dnsInfo, "allOf")
+			//nolint:forcetypeassert
+			if err := unstructured.SetNestedMap(schema, allOf[0].(map[string]any),
+				"paths", "/dns_info", "get", "responses", "200", "content", "application/json", "schema"); err != nil {
+				log.Println(err)
+				return
+			}
+		}
+	}
+
+	correctEntries(schema)
+
+	addFakeTags(schema)
+
+	b, err := yaml.Marshal(&schema)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	log.Printf("Writing schema file tmp/%s", fileName)
+	err = os.WriteFile("tmp/"+fileName, b, 0o600)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+}
+
+func correctEntries(schema map[string]any) {
+	// https://github.com/AdguardTeam/AdGuardHome/pull/7678
+	if err := unstructured.SetNestedField(schema, "string", "components", "schemas", "QueryLogItem", "properties", "client_proto", "type"); err != nil {
+		log.Fatalln(err)
+	}
+}
+
+func addFakeTags(schema map[string]any) {
+	fake := map[string]any{"faker": `slice_len=24`}
+	if err := unstructured.SetNestedMap(schema, fake, "components", "schemas", "Stats", "properties", "blocked_filtering", "x-oapi-codegen-extra-tags"); err != nil {
+		log.Fatalln(err)
+	}
+	if err := unstructured.SetNestedMap(schema, fake, "components", "schemas", "Stats", "properties", "dns_queries", "x-oapi-codegen-extra-tags"); err != nil {
+		log.Fatalln(err)
+	}
+	if err := unstructured.SetNestedMap(schema, fake, "components", "schemas", "Stats", "properties", "replaced_parental", "x-oapi-codegen-extra-tags"); err != nil {
+		log.Fatalln(err)
+	}
+	if err := unstructured.SetNestedMap(schema, fake, "components", "schemas", "Stats", "properties", "replaced_safebrowsing", "x-oapi-codegen-extra-tags"); err != nil {
+		log.Fatalln(err)
+	}
+}
--- a/pkg/client/client-methods.go
+++ b/pkg/client/client-methods.go
@@ -0,0 +1,105 @@
+package client
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/go-resty/resty/v2"
+	"go.uber.org/zap"
+)
+
+func (cl *client) doGet(req *resty.Request, url string) error {
+	rl := cl.log.With("method", "GET", "path", url)
+	if cl.client.UserInfo != nil {
+		rl = rl.With("username", cl.client.UserInfo.Username)
+	}
+	req.ForceContentType("application/json")
+	rl.Debug("do get")
+	resp, err := req.Get(url)
+	if err != nil {
+		l := rl
+		if resp != nil {
+			if resp.StatusCode() == http.StatusFound {
+				loc := resp.Header().Get("Location")
+				if loc == "/install.html" || loc == "/control/install.html" {
+					return ErrSetupNeeded
+				}
+			}
+			l = l.With("status", resp.StatusCode(), "body", string(resp.Body()), "error", err)
+		}
+
+		l.Debug("error in do get")
+		return detailedError(resp, err)
+	}
+
+	checkAuthenticationIssue(resp, rl)
+
+	rl.With(
+		"status", resp.StatusCode(),
+		"body", string(resp.Body()),
+		"content-type", resp.Header()["Content-Type"],
+	).Debug("got response")
+	if resp.StatusCode() != http.StatusOK {
+		return detailedError(resp, nil)
+	}
+	return nil
+}
+
+func (cl *client) doPost(req *resty.Request, url string) error {
+	rl := cl.log.With("method", "POST", "path", url)
+	if cl.client.UserInfo != nil {
+		rl = rl.With("username", cl.client.UserInfo.Username)
+	}
+	b, _ := json.Marshal(req.Body)
+	rl.With("body", string(b)).Debug("do post")
+	resp, err := req.Post(url)
+	if err != nil {
+		rl.With("status", resp.StatusCode(), "body", string(resp.Body()), "error", err).Debug("error in do post")
+		return detailedError(resp, err)
+	}
+
+	checkAuthenticationIssue(resp, rl)
+
+	rl.With(
+		"status", resp.StatusCode(),
+		"body", string(resp.Body()),
+		"content-type", contentType(resp),
+	).Debug("got response")
+	if resp.StatusCode() != http.StatusOK {
+		return detailedError(resp, nil)
+	}
+	return nil
+}
+
+func (cl *client) doPut(req *resty.Request, url string) error {
+	rl := cl.log.With("method", "PUT", "path", url)
+	if cl.client.UserInfo != nil {
+		rl = rl.With("username", cl.client.UserInfo.Username)
+	}
+	b, _ := json.Marshal(req.Body)
+	rl.With("body", string(b)).Debug("do put")
+	resp, err := req.Put(url)
+	if err != nil {
+		rl.With("status", resp.StatusCode(), "body", string(resp.Body()), "error", err).Debug("error in do put")
+		return detailedError(resp, err)
+	}
+
+	checkAuthenticationIssue(resp, rl)
+
+	rl.With(
+		"status", resp.StatusCode(),
+		"body", string(resp.Body()),
+		"content-type", contentType(resp),
+	).Debug("got response")
+	if resp.StatusCode() != http.StatusOK {
+		return detailedError(resp, nil)
+	}
+	return nil
+}
+
+func checkAuthenticationIssue(resp *resty.Response, rl *zap.SugaredLogger) {
+	if resp != nil && (resp.StatusCode() == http.StatusUnauthorized || resp.StatusCode() == http.StatusForbidden) {
+		rl.With("status", resp.StatusCode()).Error("there seems to be an authentication issue - " +
+			"please check https://github.com/bakito/adguardhome-sync/wiki/FAQ")
+	}
+}
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -2,25 +2,64 @@ package client

 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
+	"os"
 	"path"
+	"strconv"
+	"strings"

-	"github.com/bakito/adguardhome-sync/pkg/log"
-	"github.com/bakito/adguardhome-sync/pkg/types"
 	"github.com/go-resty/resty/v2"
 	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
 )

+const envRedirectPolicyNoOfRedirects = "REDIRECT_POLICY_NO_OF_REDIRECTS"
+
+type Error struct {
+	message   string
+	errorCode int
+}
+
+func (e *Error) Error() string {
+	return e.message
+}
+
+func (e *Error) Code() int {
+	return e.errorCode
+}
+
 var (
 	l = log.GetLogger("client")
+	// ErrSetupNeeded custom error.
+	ErrSetupNeeded = errors.New("setup needed")
 )

-func New(config types.AdGuardInstance) (Client, error) {
+func detailedError(resp *resty.Response, err error) error {
+	e := resp.Status()
+	if len(resp.Body()) > 0 {
+		e += fmt.Sprintf("(%s)", string(resp.Body()))
+	}
+	if err != nil {
+		e += ": " + err.Error()
+	}
+	return &Error{
+		message:   e,
+		errorCode: resp.StatusCode(),
+	}
+}

+// New create a new client.
+func New(config types.AdGuardInstance) (Client, error) {
 	var apiURL string
 	if config.APIPath == "" {
-		apiURL = fmt.Sprintf("%s/control", config.URL)
+		apiURL = config.URL + "/control"
 	} else {
 		apiURL = fmt.Sprintf("%s/%s", config.URL, config.APIPath)
 	}
@@ -29,77 +68,142 @@ func New(config types.AdGuardInstance) (Client, error) {
 		return nil, err
 	}
 	u.Path = path.Clean(u.Path)
-	cl := resty.New().SetHostURL(u.String()).SetDisableWarn(true)
+	cl := resty.New().SetBaseURL(u.String()).SetDisableWarn(true).SetHeaders(config.RequestHeaders)

-	if config.InsecureSkipVerify {
-		cl.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
-	}
+	// #nosec G402 has to be explicitly enabled
+	cl.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: config.InsecureSkipVerify})

-	if config.Username != "" && config.Password != "" {
+	cookieParts := strings.Split(config.Cookie, "=")
+	if len(cookieParts) == 2 {
+		cl.SetCookie(&http.Cookie{
+			Name:  cookieParts[0],
+			Value: cookieParts[1],
+		})
+	} else if config.Username != "" && config.Password != "" {
 		cl = cl.SetBasicAuth(config.Username, config.Password)
 	}

+	if v, ok := os.LookupEnv(envRedirectPolicyNoOfRedirects); ok {
+		nbr, err := strconv.Atoi(v)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing env var %q value must be an integer", envRedirectPolicyNoOfRedirects)
+		}
+		cl.SetRedirectPolicy(resty.FlexibleRedirectPolicy(nbr))
+	} else {
+		// no redirect
+		cl.SetRedirectPolicy(resty.NoRedirectPolicy())
+	}
+
 	return &client{
-		host:   u.Host,
+		host:   config.Host,
 		client: cl,
-		log:    l.With("host", u.Host),
+		log:    l.With("host", config.Host),
 	}, nil
 }

+// Client AdguardHome API client interface.
+//
+//nolint:interfacebloat
 type Client interface {
 	Host() string
-
-	Status() (*types.Status, error)
-	RewriteList() (*types.RewriteEntries, error)
-	AddRewriteEntries(e ...types.RewriteEntry) error
-	DeleteRewriteEntries(e ...types.RewriteEntry) error
-
-	Filtering() (*types.FilteringStatus, error)
+	Status() (*model.ServerStatus, error)
+	Stats() (*model.Stats, error)
+	QueryLog(limit int) (*model.QueryLog, error)
+	ToggleProtection(enable bool) error
+	RewriteList() (*model.RewriteEntries, error)
+	AddRewriteEntries(e ...model.RewriteEntry) error
+	DeleteRewriteEntries(e ...model.RewriteEntry) error
+	Filtering() (*model.FilterStatus, error)
 	ToggleFiltering(enabled bool, interval int) error
-	AddFilters(whitelist bool, e ...types.Filter) error
-	DeleteFilters(whitelist bool, e ...types.Filter) error
+	AddFilter(whitelist bool, f model.Filter) error
+	DeleteFilter(whitelist bool, f model.Filter) error
+	UpdateFilter(whitelist bool, f model.Filter) error
 	RefreshFilters(whitelist bool) error
-	SetCustomRules(rules types.UserRules) error
-
-	ToggleSaveBrowsing(enable bool) error
+	SetCustomRules(rules *[]string) error
+	SafeBrowsing() (bool, error)
+	ToggleSafeBrowsing(enable bool) error
+	Parental() (bool, error)
 	ToggleParental(enable bool) error
-	ToggleSafeSearch(enable bool) error
-
-	Services() (*types.Services, error)
-	SetServices(services types.Services) error
-
-	Clients() (*types.Clients, error)
-	AddClients(client ...types.Client) error
-	UpdateClients(client ...types.Client) error
-	DeleteClients(client ...types.Client) error
+	SafeSearchConfig() (*model.SafeSearchConfig, error)
+	SetSafeSearchConfig(settings *model.SafeSearchConfig) error
+	ProfileInfo() (*model.ProfileInfo, error)
+	SetProfileInfo(settings *model.ProfileInfo) error
+	BlockedServicesSchedule() (*model.BlockedServicesSchedule, error)
+	SetBlockedServicesSchedule(schedule *model.BlockedServicesSchedule) error
+	Clients() (*model.Clients, error)
+	AddClient(client *model.Client) error
+	UpdateClient(client *model.Client) error
+	DeleteClient(client *model.Client) error
+	QueryLogConfig() (*model.QueryLogConfigWithIgnored, error)
+	SetQueryLogConfig(ql *model.QueryLogConfigWithIgnored) error
+	StatsConfig() (*model.GetStatsConfigResponse, error)
+	SetStatsConfig(sc *model.PutStatsConfigUpdateRequest) error
+	Setup() error
+	AccessList() (*model.AccessList, error)
+	SetAccessList(accessList *model.AccessList) error
+	DNSConfig() (*model.DNSConfig, error)
+	SetDNSConfig(config *model.DNSConfig) error
+	DhcpConfig() (*model.DhcpStatus, error)
+	SetDhcpConfig(status *model.DhcpStatus) error
+	AddDHCPStaticLease(lease model.DhcpStaticLease) error
+	DeleteDHCPStaticLease(lease model.DhcpStaticLease) error
+	TLSConfig() (*model.TlsConfig, error)
+	SetTLSConfig(tls *model.TlsConfig) error
 }

 type client struct {
-	client *resty.Client
-	log    *zap.SugaredLogger
-	host   string
+	client  *resty.Client
+	log     *zap.SugaredLogger
+	host    string
+	version string
 }

 func (cl *client) Host() string {
 	return cl.host
 }
-func (cl *client) Status() (*types.Status, error) {
-	status := &types.Status{}
-	_, err := cl.client.R().EnableTrace().SetResult(status).Get("status")
-	return status, err

+func contentType(resp *resty.Response) string {
+	if ct, ok := resp.Header()["Content-Type"]; ok {
+		if len(ct) != 1 {
+			return fmt.Sprintf("%v", ct)
+		}
+		return ct[0]
+	}
+	return ""
 }

-func (cl *client) RewriteList() (*types.RewriteEntries, error) {
-	rewrites := &types.RewriteEntries{}
-	_, err := cl.client.R().EnableTrace().SetResult(&rewrites).Get("/rewrite/list")
+func (cl *client) Status() (*model.ServerStatus, error) {
+	status := &model.ServerStatus{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(status), "status")
+	cl.version = status.Version
+	return status, err
+}
+
+func (cl *client) Stats() (*model.Stats, error) {
+	stats := &model.Stats{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(stats), "stats")
+	return stats, err
+}
+
+func (cl *client) QueryLog(limit int) (*model.QueryLog, error) {
+	ql := &model.QueryLog{}
+	err := cl.doGet(
+		cl.client.R().EnableTrace().SetResult(ql),
+		fmt.Sprintf(`querylog?limit=%d&response_status="all"`, limit),
+	)
+	return ql, err
+}
+
+func (cl *client) RewriteList() (*model.RewriteEntries, error) {
+	rewrites := &model.RewriteEntries{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(&rewrites), "/rewrite/list")
 	return rewrites, err
 }

-func (cl *client) AddRewriteEntries(entries ...types.RewriteEntry) error {
+func (cl *client) AddRewriteEntries(entries ...model.RewriteEntry) error {
 	for _, e := range entries {
-		cl.log.With("domain", e.Domain, "answer", e.Answer).Info("Add rewrite entry")
-		_, err := cl.client.R().EnableTrace().SetBody(&e).Post("/rewrite/add")
+		cl.log.With("domain", e.Domain, "answer", e.Answer).Info("Add DNS rewrite entry")
+		err := cl.doPost(cl.client.R().EnableTrace().SetBody(&e), "/rewrite/add")
 		if err != nil {
 			return err
 		}
@@ -107,10 +211,10 @@ func (cl *client) AddRewriteEntries(entries ...types.RewriteEntry) error {
 	return nil
 }

-func (cl *client) DeleteRewriteEntries(entries ...types.RewriteEntry) error {
+func (cl *client) DeleteRewriteEntries(entries ...model.RewriteEntry) error {
 	for _, e := range entries {
-		cl.log.With("domain", e.Domain, "answer", e.Answer).Info("Delete rewrite entry")
-		_, err := cl.client.R().EnableTrace().SetBody(&e).Post("/rewrite/delete")
+		cl.log.With("domain", e.Domain, "answer", e.Answer).Info("Delete DNS rewrite entry")
+		err := cl.doPost(cl.client.R().EnableTrace().SetBody(&e), "/rewrite/delete")
 		if err != nil {
 			return err
 		}
@@ -118,125 +222,260 @@ func (cl *client) DeleteRewriteEntries(entries ...types.RewriteEntry) error {
 	return nil
 }

-func (cl *client) ToggleSaveBrowsing(enable bool) error {
-	return cl.toggle("safebrowsing", enable)
+func (cl *client) SafeBrowsing() (bool, error) {
+	return cl.toggleStatus("safebrowsing")
+}
+
+func (cl *client) ToggleSafeBrowsing(enable bool) error {
+	return cl.toggleBool("safebrowsing", enable)
+}
+
+func (cl *client) Parental() (bool, error) {
+	return cl.toggleStatus("parental")
 }

 func (cl *client) ToggleParental(enable bool) error {
-	return cl.toggle("parental", enable)
+	return cl.toggleBool("parental", enable)
 }

-func (cl *client) ToggleSafeSearch(enable bool) error {
-	return cl.toggle("safesearch", enable)
+func (cl *client) toggleStatus(mode string) (bool, error) {
+	fs := &model.EnableConfig{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(fs), fmt.Sprintf("/%s/status", mode))
+	return fs.Enabled, err
 }

-func (cl *client) toggle(mode string, enable bool) error {
-	cl.log.With("mode", mode, "enable", enable).Info("Toggle")
+func (cl *client) toggleBool(mode string, enable bool) error {
+	cl.log.With("enable", enable).Info("Toggle " + mode)
 	var target string
 	if enable {
 		target = "enable"
 	} else {
 		target = "disable"
 	}
-	_, err := cl.client.R().EnableTrace().Post(fmt.Sprintf("/%s/%s", mode, target))
-	return err
+	return cl.doPost(cl.client.R().EnableTrace(), fmt.Sprintf("/%s/%s", mode, target))
 }

-func (cl *client) Filtering() (*types.FilteringStatus, error) {
-	f := &types.FilteringStatus{}
-	_, err := cl.client.R().EnableTrace().SetResult(f).Get("/filtering/status")
+func (cl *client) Filtering() (*model.FilterStatus, error) {
+	f := &model.FilterStatus{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(f), "/filtering/status")
 	return f, err
 }

-func (cl *client) AddFilters(whitelist bool, filters ...types.Filter) error {
-	for _, f := range filters {
-		cl.log.With("url", f.URL, "whitelist", whitelist).Info("Add filter")
-		ff := &types.Filter{Name: f.Name, URL: f.URL, Whitelist: whitelist}
-		_, err := cl.client.R().EnableTrace().SetBody(ff).Post("/filtering/add_url")
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+func (cl *client) AddFilter(whitelist bool, f model.Filter) error {
+	cl.log.With("url", f.Url, "whitelist", whitelist, "enabled", f.Enabled).Info("Add filter")
+	ff := &model.AddUrlRequest{Name: utils.Ptr(f.Name), Url: utils.Ptr(f.Url), Whitelist: utils.Ptr(whitelist)}
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(ff), "/filtering/add_url")
 }

-func (cl *client) DeleteFilters(whitelist bool, filters ...types.Filter) error {
-	for _, f := range filters {
-		cl.log.With("url", f.URL, "whitelist", whitelist).Info("Delete filter")
-		ff := &types.Filter{URL: f.URL, Whitelist: whitelist}
-		_, err := cl.client.R().EnableTrace().SetBody(ff).Post("/filtering/remove_url")
-		if err != nil {
-			return err
-		}
+func (cl *client) DeleteFilter(whitelist bool, f model.Filter) error {
+	cl.log.With("url", f.Url, "whitelist", whitelist, "enabled", f.Enabled).Info("Delete filter")
+	ff := &model.RemoveUrlRequest{Url: utils.Ptr(f.Url), Whitelist: utils.Ptr(whitelist)}
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(ff), "/filtering/remove_url")
+}
+
+func (cl *client) UpdateFilter(whitelist bool, f model.Filter) error {
+	cl.log.With("url", f.Url, "whitelist", whitelist, "enabled", f.Enabled).Info("Update filter")
+	fu := &model.FilterSetUrl{
+		Whitelist: utils.Ptr(whitelist), Url: utils.Ptr(f.Url),
+		Data: &model.FilterSetUrlData{Name: f.Name, Url: f.Url, Enabled: f.Enabled},
 	}
-	return nil
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(fu), "/filtering/set_url")
 }

 func (cl *client) RefreshFilters(whitelist bool) error {
 	cl.log.With("whitelist", whitelist).Info("Refresh filter")
-	_, err := cl.client.R().EnableTrace().SetBody(&types.RefreshFilter{Whitelist: whitelist}).Post("/filtering/refresh")
-	return err
+	return cl.doPost(
+		cl.client.R().EnableTrace().SetBody(&model.FilterRefreshRequest{Whitelist: utils.Ptr(whitelist)}),
+		"/filtering/refresh",
+	)
 }

-func (cl *client) SetCustomRules(rules types.UserRules) error {
-	cl.log.With("rules", len(rules)).Info("Set user rules")
-	_, err := cl.client.R().EnableTrace().SetBody(rules.String()).Post("/filtering/set_rules")
-	return err
+func (cl *client) ToggleProtection(enable bool) error {
+	cl.log.With("enable", enable).Info("Toggle protection")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(&types.Protection{ProtectionEnabled: enable}), "/dns_config")
+}
+
+func (cl *client) SetCustomRules(rules *[]string) error {
+	var l int
+	if rules != nil {
+		l = len(*rules)
+	}
+	cl.log.With("rules", l).Info("Set user rules")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(&model.SetRulesRequest{Rules: rules}), "/filtering/set_rules")
 }

 func (cl *client) ToggleFiltering(enabled bool, interval int) error {
 	cl.log.With("enabled", enabled, "interval", interval).Info("Toggle filtering")
-	_, err := cl.client.R().EnableTrace().SetBody(&types.FilteringConfig{Enabled: enabled, Interval: interval}).Post("/filtering/config")
-	return err
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(&model.FilterConfig{
+		Enabled:  utils.Ptr(enabled),
+		Interval: utils.Ptr(interval),
+	}), "/filtering/config")
 }

-func (cl *client) Services() (*types.Services, error) {
-	svcs := &types.Services{}
-	_, err := cl.client.R().EnableTrace().SetResult(svcs).Get("/blocked_services/list")
-	return svcs, err
+func (cl *client) BlockedServicesSchedule() (*model.BlockedServicesSchedule, error) {
+	sched := &model.BlockedServicesSchedule{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(sched), "/blocked_services/get")
+	return sched, err
 }

-func (cl *client) SetServices(services types.Services) error {
-	cl.log.With("services", len(services)).Info("Set services")
-	_, err := cl.client.R().EnableTrace().SetBody(&services).Post("/blocked_services/set")
-	return err
+func (cl *client) SetBlockedServicesSchedule(schedule *model.BlockedServicesSchedule) error {
+	cl.log.With("services", schedule.ServicesString()).Info("Set blocked services schedule")
+	return cl.doPut(cl.client.R().EnableTrace().SetBody(schedule), "/blocked_services/update")
 }

-func (cl *client) Clients() (*types.Clients, error) {
-	clients := &types.Clients{}
-	_, err := cl.client.R().EnableTrace().SetResult(clients).Get("/clients")
+func (cl *client) Clients() (*model.Clients, error) {
+	clients := &model.Clients{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(clients), "/clients")
 	return clients, err
 }

-func (cl *client) AddClients(clients ...types.Client) error {
-	for _, client := range clients {
-		cl.log.With("name", client.Name).Info("Add client")
-		_, err := cl.client.R().EnableTrace().SetBody(&client).Post("/clients/add")
-		if err != nil {
-			return err
-		}
+func (cl *client) AddClient(client *model.Client) error {
+	cl.log.With("name", *client.Name).Info("Add client settings")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(client), "/clients/add")
+}
+
+func (cl *client) UpdateClient(client *model.Client) error {
+	cl.log.With("name", *client.Name).Info("Update client settings")
+	return cl.doPost(
+		cl.client.R().EnableTrace().SetBody(&model.ClientUpdate{Name: client.Name, Data: client}),
+		"/clients/update",
+	)
+}
+
+func (cl *client) DeleteClient(client *model.Client) error {
+	cl.log.With("name", *client.Name).Info("Delete client settings")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(client), "/clients/delete")
+}
+
+func (cl *client) QueryLogConfig() (*model.QueryLogConfigWithIgnored, error) {
+	qlc := &model.QueryLogConfigWithIgnored{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(qlc), "/querylog/config")
+	return qlc, err
+}
+
+func (cl *client) SetQueryLogConfig(qlc *model.QueryLogConfigWithIgnored) error {
+	cl.log.With("enabled", *qlc.Enabled, "interval", *qlc.Interval, "anonymizeClientIP", *qlc.AnonymizeClientIp).
+		Info("Set query log config")
+	return cl.doPut(cl.client.R().EnableTrace().SetBody(qlc), "/querylog/config/update")
+}
+
+func (cl *client) StatsConfig() (*model.GetStatsConfigResponse, error) {
+	stats := &model.GetStatsConfigResponse{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(stats), "/stats/config")
+	return stats, err
+}
+
+func (cl *client) SetStatsConfig(sc *model.PutStatsConfigUpdateRequest) error {
+	cl.log.With("interval", sc.Interval).Info("Set stats config")
+	return cl.doPut(cl.client.R().EnableTrace().SetBody(sc), "/stats/config/update")
+}
+
+func (cl *client) Setup() error {
+	cl.log.Info("Setup new AdguardHome instance")
+	cfg := &types.InstallConfig{
+		Web: types.InstallPort{
+			IP:         "0.0.0.0",
+			Port:       3000,
+			Status:     "",
+			CanAutofix: false,
+		},
+		DNS: types.InstallPort{
+			IP:         "0.0.0.0",
+			Port:       53,
+			Status:     "",
+			CanAutofix: false,
+		},
+	}
+
+	if cl.client.UserInfo != nil {
+		cfg.Username = cl.client.UserInfo.Username
+		cfg.Password = cl.client.UserInfo.Password
+	}
+	req := cl.client.R().EnableTrace().SetBody(cfg)
+	req.UserInfo = nil
+	return cl.doPost(req, "/install/configure")
+}
+
+func (cl *client) AccessList() (*model.AccessList, error) {
+	al := &model.AccessList{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(al), "/access/list")
+	return al, err
+}
+
+func (cl *client) SetAccessList(list *model.AccessList) error {
+	cl.log.Info("Set access list")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(list), "/access/set")
+}
+
+func (cl *client) DNSConfig() (*model.DNSConfig, error) {
+	cfg := &model.DNSConfig{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(cfg), "/dns_info")
+	return cfg, err
+}
+
+func (cl *client) SetDNSConfig(config *model.DNSConfig) error {
+	cl.log.Info("Set dns config list")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(config), "/dns_config")
+}
+
+func (cl *client) DhcpConfig() (*model.DhcpStatus, error) {
+	cfg := &model.DhcpStatus{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(cfg), "/dhcp/status")
+	return cfg, err
+}
+
+func (cl *client) SetDhcpConfig(config *model.DhcpStatus) error {
+	cl.log.Info("Set dhcp server config")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(config), "/dhcp/set_config")
+}
+
+func (cl *client) AddDHCPStaticLease(l model.DhcpStaticLease) error {
+	cl.log.With("mac", l.Mac, "ip", l.Ip, "hostname", l.Hostname).Info("Add static dhcp lease")
+	err := cl.doPost(cl.client.R().EnableTrace().SetBody(l), "/dhcp/add_static_lease")
+	if err != nil {
+		return err
 	}
 	return nil
 }

-func (cl *client) UpdateClients(clients ...types.Client) error {
-	for _, client := range clients {
-		cl.log.With("name", client.Name).Info("Update client")
-		_, err := cl.client.R().EnableTrace().SetBody(&types.ClientUpdate{Name: client.Name, Data: client}).Post("/clients/update")
-		if err != nil {
-			return err
-		}
+func (cl *client) DeleteDHCPStaticLease(l model.DhcpStaticLease) error {
+	cl.log.With("mac", l.Mac, "ip", l.Ip, "hostname", l.Hostname).Info("Delete static dhcp lease")
+	err := cl.doPost(cl.client.R().EnableTrace().SetBody(l), "/dhcp/remove_static_lease")
+	if err != nil {
+		return err
 	}
 	return nil
 }

-func (cl *client) DeleteClients(clients ...types.Client) error {
-	for _, client := range clients {
-		cl.log.With("name", client.Name).Info("Delete client")
-		_, err := cl.client.R().EnableTrace().SetBody(&client).Post("/clients/delete")
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+func (cl *client) SafeSearchConfig() (*model.SafeSearchConfig, error) {
+	sss := &model.SafeSearchConfig{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(sss), "/safesearch/status")
+	return sss, err
+}
+
+func (cl *client) SetSafeSearchConfig(settings *model.SafeSearchConfig) error {
+	cl.log.With("enabled", *settings.Enabled).Info("Set safesearch settings")
+	return cl.doPut(cl.client.R().EnableTrace().SetBody(settings), "/safesearch/settings")
+}
+
+func (cl *client) ProfileInfo() (*model.ProfileInfo, error) {
+	p := &model.ProfileInfo{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(p), "/profile")
+	return p, err
+}
+
+func (cl *client) SetProfileInfo(profile *model.ProfileInfo) error {
+	cl.log.With("language", profile.Language, "theme", profile.Theme).Info("Set profile")
+	return cl.doPut(cl.client.R().EnableTrace().SetBody(profile), "/profile/update")
+}
+
+func (cl *client) TLSConfig() (*model.TlsConfig, error) {
+	tlsc := &model.TlsConfig{}
+	err := cl.doGet(cl.client.R().EnableTrace().SetResult(tlsc), "/tls/status")
+	return tlsc, err
+}
+
+func (cl *client) SetTLSConfig(tlsc *model.TlsConfig) error {
+	cl.log.With("enabled", tlsc.Enabled).Info("Set TLS config")
+	return cl.doPost(cl.client.R().EnableTrace().SetBody(tlsc), "/tls/configure")
 }
--- a/pkg/client/client_suite_test.go
+++ b/pkg/client/client_suite_test.go
@@ -0,0 +1,13 @@
+package client_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestClient(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Client Suite")
+}
--- a/pkg/client/client_test.go
+++ b/pkg/client/client_test.go
@@ -0,0 +1,419 @@
+package client_test
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+
+	"github.com/google/uuid"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+var (
+	username = uuid.NewString()
+	password = uuid.NewString()
+)
+
+var _ = Describe("Client", func() {
+	var (
+		cl client.Client
+		ts *httptest.Server
+	)
+	AfterEach(func() {
+		if ts != nil {
+			ts.Close()
+		}
+	})
+
+	Context("Host", func() {
+		It("should read the current host", func() {
+			inst := types.AdGuardInstance{URL: "https://foo.bar:3000"}
+			err := inst.Init()
+			Ω(err).ShouldNot(HaveOccurred())
+			cl, _ := client.New(inst)
+			host := cl.Host()
+			Ω(host).Should(Equal("foo.bar:3000"))
+		})
+	})
+
+	Context("Filter", func() {
+		It("should read filter status", func() {
+			ts, cl = ClientGet("filtering-status.json", "/filtering/status")
+			fs, err := cl.Filtering()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(*fs.Enabled).Should(BeTrue())
+			Ω(*fs.Filters).Should(HaveLen(2))
+		})
+		It("should enable protection", func() {
+			ts, cl = ClientPost("/filtering/config", `{"enabled":true,"interval":123}`)
+			err := cl.ToggleFiltering(true, 123)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should disable protection", func() {
+			ts, cl = ClientPost("/filtering/config", `{"enabled":false,"interval":123}`)
+			err := cl.ToggleFiltering(false, 123)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should call RefreshFilters", func() {
+			ts, cl = ClientPost("/filtering/refresh", `{"whitelist":true}`)
+			err := cl.RefreshFilters(true)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should add Filters", func() {
+			ts, cl = ClientPost("/filtering/add_url",
+				`{"name":"","url":"foo","whitelist":true}`,
+				`{"name":"","url":"bar","whitelist":true}`,
+			)
+			err := cl.AddFilter(true, model.Filter{Url: "foo"})
+			Ω(err).ShouldNot(HaveOccurred())
+			err = cl.AddFilter(true, model.Filter{Url: "bar"})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should update Filters", func() {
+			ts, cl = ClientPost("/filtering/set_url",
+				`{"data":{"enabled":false,"name":"","url":"foo"},"url":"foo","whitelist":true}`,
+				`{"data":{"enabled":false,"name":"","url":"bar"},"url":"bar","whitelist":true}`,
+			)
+			err := cl.UpdateFilter(true, model.Filter{Url: "foo"})
+			Ω(err).ShouldNot(HaveOccurred())
+			err = cl.UpdateFilter(true, model.Filter{Url: "bar"})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should delete Filters", func() {
+			ts, cl = ClientPost("/filtering/remove_url",
+				`{"url":"foo","whitelist":true}`,
+				`{"url":"bar","whitelist":true}`,
+			)
+			err := cl.DeleteFilter(true, model.Filter{Url: "foo"})
+			Ω(err).ShouldNot(HaveOccurred())
+			err = cl.DeleteFilter(true, model.Filter{Url: "bar"})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should set empty filter rules", func() {
+			ts, cl = ClientPost("/filtering/set_rules",
+				`{"rules":[]}`,
+			)
+			err := cl.SetCustomRules(utils.Ptr([]string{}))
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should set nil filter rules", func() {
+			ts, cl = ClientPost("/filtering/set_rules",
+				`{}`,
+			)
+			err := cl.SetCustomRules(nil)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("Status", func() {
+		It("should read status", func() {
+			ts, cl = ClientGet("status.json", "/status")
+			fs, err := cl.Status()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(fs.DnsAddresses).Should(HaveLen(1))
+			Ω(fs.DnsAddresses[0]).Should(Equal("192.168.1.2"))
+			Ω(fs.Version).Should(Equal("v0.105.2"))
+		})
+		It("should return ErrSetupNeeded", func() {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Location", "/install.html")
+				w.WriteHeader(http.StatusFound)
+			}))
+			cl, err := client.New(types.AdGuardInstance{URL: ts.URL})
+			Ω(err).ShouldNot(HaveOccurred())
+			_, err = cl.Status()
+			Ω(err).Should(HaveOccurred())
+			Ω(err).Should(Equal(client.ErrSetupNeeded))
+		})
+	})
+
+	Context("Setup", func() {
+		It("should add setup the instance", func() {
+			ts, cl = ClientPost(
+				"/install/configure",
+				fmt.Sprintf(
+					`{"web":{"ip":"0.0.0.0","port":3000,"status":"","can_autofix":false},"dns":{"ip":"0.0.0.0","port":53,"status":"","can_autofix":false},"username":%q,"password":%q}`,
+					username,
+					password,
+				),
+			)
+			err := cl.Setup()
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("RewriteList", func() {
+		It("should read RewriteList", func() {
+			ts, cl = ClientGet("rewrite-list.json", "/rewrite/list")
+			rwl, err := cl.RewriteList()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(*rwl).Should(HaveLen(2))
+		})
+		It("should add RewriteList", func() {
+			ts, cl = ClientPost("/rewrite/add", `{"answer":"foo","domain":"foo"}`, `{"answer":"bar","domain":"bar"}`)
+			err := cl.AddRewriteEntries(
+				model.RewriteEntry{Answer: utils.Ptr("foo"), Domain: utils.Ptr("foo")},
+				model.RewriteEntry{Answer: utils.Ptr("bar"), Domain: utils.Ptr("bar")},
+			)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should delete RewriteList", func() {
+			ts, cl = ClientPost("/rewrite/delete", `{"answer":"foo","domain":"foo"}`, `{"answer":"bar","domain":"bar"}`)
+			err := cl.DeleteRewriteEntries(
+				model.RewriteEntry{Answer: utils.Ptr("foo"), Domain: utils.Ptr("foo")},
+				model.RewriteEntry{Answer: utils.Ptr("bar"), Domain: utils.Ptr("bar")},
+			)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("SafeBrowsing", func() {
+		It("should read safebrowsing status", func() {
+			ts, cl = ClientGet("safebrowsing-status.json", "/safebrowsing/status")
+			sb, err := cl.SafeBrowsing()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(sb).Should(BeTrue())
+		})
+		It("should enable safebrowsing", func() {
+			ts, cl = ClientPost("/safebrowsing/enable", "")
+			err := cl.ToggleSafeBrowsing(true)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should disable safebrowsing", func() {
+			ts, cl = ClientPost("/safebrowsing/disable", "")
+			err := cl.ToggleSafeBrowsing(false)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("SafeSearchConfig", func() {
+		It("should read safesearch status", func() {
+			ts, cl = ClientGet("safesearch-status.json", "/safesearch/status")
+			ss, err := cl.SafeSearchConfig()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(ss.Enabled).ShouldNot(BeNil())
+			Ω(*ss.Enabled).Should(BeTrue())
+		})
+		It("should enable safesearch", func() {
+			ts, cl = ClientPut("/safesearch/settings", `{"enabled":true}`)
+			err := cl.SetSafeSearchConfig(&model.SafeSearchConfig{Enabled: utils.Ptr(true)})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should disable safesearch", func() {
+			ts, cl = ClientPut("/safesearch/settings", `{"enabled":false}`)
+			err := cl.SetSafeSearchConfig(&model.SafeSearchConfig{Enabled: utils.Ptr(false)})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("Parental", func() {
+		It("should read parental status", func() {
+			ts, cl = ClientGet("parental-status.json", "/parental/status")
+			p, err := cl.Parental()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(p).Should(BeTrue())
+		})
+		It("should enable parental", func() {
+			ts, cl = ClientPost("/parental/enable", "")
+			err := cl.ToggleParental(true)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should disable parental", func() {
+			ts, cl = ClientPost("/parental/disable", "")
+			err := cl.ToggleParental(false)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("Protection", func() {
+		It("should enable protection", func() {
+			ts, cl = ClientPost("/dns_config", `{"protection_enabled":true}`)
+			err := cl.ToggleProtection(true)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should disable protection", func() {
+			ts, cl = ClientPost("/dns_config", `{"protection_enabled":false}`)
+			err := cl.ToggleProtection(false)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("BlockedServicesSchedule", func() {
+		It("should read BlockedServicesSchedule", func() {
+			ts, cl = ClientGet("blockedservicesschedule-get.json", "/blocked_services/get")
+			s, err := cl.BlockedServicesSchedule()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(*s.Ids).Should(HaveLen(3))
+		})
+		It("should set BlockedServicesSchedule", func() {
+			ts, cl = ClientPost("/blocked_services/update",
+				`{"ids":["bar","foo"],"schedule":{"mon":{"end":99,"start":1}}}`)
+			err := cl.SetBlockedServicesSchedule(&model.BlockedServicesSchedule{
+				Ids: utils.Ptr([]string{"foo", "bar"}),
+				Schedule: &model.Schedule{
+					Mon: &model.DayRange{
+						Start: utils.Ptr(float32(1.0)),
+						End:   utils.Ptr(float32(99.0)),
+					},
+				},
+			})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("Clients", func() {
+		It("should read Clients", func() {
+			ts, cl = ClientGet("clients.json", "/clients")
+			c, err := cl.Clients()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(*c.Clients).Should(HaveLen(2))
+		})
+		It("should add Clients", func() {
+			ts, cl = ClientPost("/clients/add",
+				`{"ids":["id"],"name":"foo"}`,
+			)
+			err := cl.AddClient(&model.Client{Name: utils.Ptr("foo"), Ids: utils.Ptr([]string{"id"})})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should update Clients", func() {
+			ts, cl = ClientPost("/clients/update",
+				`{"data":{"ids":["id"],"name":"foo"},"name":"foo"}`,
+			)
+			err := cl.UpdateClient(&model.Client{Name: utils.Ptr("foo"), Ids: utils.Ptr([]string{"id"})})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should delete Clients", func() {
+			ts, cl = ClientPost("/clients/delete",
+				`{"ids":["id"],"name":"foo"}`,
+			)
+			err := cl.DeleteClient(&model.Client{Name: utils.Ptr("foo"), Ids: utils.Ptr([]string{"id"})})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("QueryLogConfig", func() {
+		It("should read QueryLogConfig", func() {
+			ts, cl = ClientGet("querylog_config.json", "/querylog/config")
+			qlc, err := cl.QueryLogConfig()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(qlc.Enabled).ShouldNot(BeNil())
+			Ω(*qlc.Enabled).Should(BeTrue())
+			Ω(qlc.Interval).ShouldNot(BeNil())
+			Ω(*qlc.Interval).Should(Equal(model.QueryLogConfigInterval(90)))
+		})
+		It("should set QueryLogConfig", func() {
+			ts, cl = ClientPut(
+				"/querylog/config/update",
+				`{"anonymize_client_ip":true,"enabled":true,"interval":123,"ignored":["foo.bar"]}`,
+			)
+
+			var interval model.QueryLogConfigInterval = 123
+			err := cl.SetQueryLogConfig(&model.QueryLogConfigWithIgnored{
+				QueryLogConfig: model.QueryLogConfig{
+					AnonymizeClientIp: utils.Ptr(true),
+					Interval:          &interval,
+					Enabled:           utils.Ptr(true),
+				},
+				Ignored: []string{"foo.bar"},
+			})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+	Context("StatsConfig", func() {
+		It("should read StatsConfig", func() {
+			ts, cl = ClientGet("stats_info.json", "/stats/config")
+			sc, err := cl.StatsConfig()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(sc.Interval).ShouldNot(BeNil())
+			Ω(sc.Interval).Should(Equal(float32(1)))
+		})
+		It("should set StatsConfig", func() {
+			ts, cl = ClientPost("/stats/config/update", `{"enabled":false,"ignored":null,"interval":123}`)
+
+			var interval float32 = 123
+			err := cl.SetStatsConfig(&model.PutStatsConfigUpdateRequest{Interval: interval})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("helper functions", func() {
+		var cl client.Client
+		BeforeEach(func() {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusUnauthorized)
+			}))
+			var err error
+			cl, err = client.New(types.AdGuardInstance{URL: ts.URL})
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		Context("doGet", func() {
+			It("should return an error on status code != 200", func() {
+				_, err := cl.Status()
+				Ω(err).Should(HaveOccurred())
+				Ω(err.Error()).Should(Equal("401 Unauthorized"))
+			})
+		})
+
+		Context("doPost", func() {
+			It("should return an error on status code != 200", func() {
+				var interval float32 = 123
+				err := cl.SetStatsConfig(&model.PutStatsConfigUpdateRequest{Interval: interval})
+				Ω(err).Should(HaveOccurred())
+				Ω(err.Error()).Should(Equal("401 Unauthorized"))
+			})
+		})
+	})
+})
+
+func ClientGet(file, path string) (*httptest.Server, client.Client) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		Ω(r.URL.Path).Should(Equal(types.DefaultAPIPath + path))
+		b, err := os.ReadFile(filepath.Join("..", "..", "testdata", file))
+		Ω(err).ShouldNot(HaveOccurred())
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write(b)
+		Ω(err).ShouldNot(HaveOccurred())
+	}))
+	cl, err := client.New(types.AdGuardInstance{URL: ts.URL})
+	Ω(err).ShouldNot(HaveOccurred())
+	return ts, cl
+}
+
+func ClientPost(path string, content ...string) (*httptest.Server, client.Client) {
+	index := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		Ω(r.URL.Path).Should(Equal(types.DefaultAPIPath + path))
+		body, err := io.ReadAll(r.Body)
+		Ω(err).ShouldNot(HaveOccurred())
+		Ω(body).Should(Equal([]byte(content[index])))
+		index++
+	}))
+
+	cl, err := client.New(types.AdGuardInstance{URL: ts.URL, Username: username, Password: password})
+	Ω(err).ShouldNot(HaveOccurred())
+	return ts, cl
+}
+
+func ClientPut(path string, content ...string) (*httptest.Server, client.Client) {
+	index := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		Ω(r.URL.Path).Should(Equal(types.DefaultAPIPath + path))
+		body, err := io.ReadAll(r.Body)
+		Ω(err).ShouldNot(HaveOccurred())
+		Ω(body).Should(Equal([]byte(content[index])))
+		index++
+	}))
+
+	cl, err := client.New(types.AdGuardInstance{URL: ts.URL, Username: username, Password: password})
+	Ω(err).ShouldNot(HaveOccurred())
+	return ts, cl
+}
--- a/pkg/client/model/client/client.go
+++ b/pkg/client/model/client/client.go
@@ -0,0 +1,144 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path"
+
+	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+var l = log.GetLogger("client")
+
+// New create a new api client.
+func New(config types.AdGuardInstance) (Client, error) {
+	var apiURL string
+	if config.APIPath == "" {
+		apiURL = config.URL + "/control"
+	} else {
+		apiURL = fmt.Sprintf("%s/%s", config.URL, config.APIPath)
+	}
+	u, err := url.Parse(apiURL)
+	if err != nil {
+		return nil, err
+	}
+	u.Path = path.Clean(u.Path)
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			// #nosec G402 has to be explicitly enabled
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: config.InsecureSkipVerify},
+		},
+	}
+
+	aghClient, err := model.NewClient(u.String(), func(client *model.AdguardHomeClient) error {
+		client.Client = httpClient
+		client.RequestEditors = append(client.RequestEditors, func(ctx context.Context, req *http.Request) error {
+			if config.Username != "" && config.Password != "" {
+				req.Header.Add("Authorization", "Basic "+basicAuth(config.Username, config.Password))
+			}
+			return nil
+		})
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &apiClient{
+		host:   u.Host,
+		client: aghClient,
+		log:    l.With("host", u.Host),
+	}, nil
+}
+
+func basicAuth(username, password string) string {
+	auth := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
+
+type apiClient struct {
+	host   string
+	client *model.AdguardHomeClient
+	log    *zap.SugaredLogger
+}
+
+func (a apiClient) Host(context.Context) string {
+	return a.host
+}
+
+func (a apiClient) GetServerStatus(ctx context.Context) (*model.ServerStatus, error) {
+	sr, err := read(ctx, a.client.Status, model.ParseStatusResp)
+	if err != nil {
+		return nil, err
+	}
+	return sr.JSON200, nil
+}
+
+func (a apiClient) GetFilteringStatus(ctx context.Context) (*model.FilterStatus, error) {
+	sr, err := read(ctx, a.client.FilteringStatus, model.ParseFilteringStatusResp)
+	if err != nil {
+		return nil, err
+	}
+	return sr.JSON200, nil
+}
+
+func (a apiClient) SetFilteringConfig(ctx context.Context, config model.FilterConfig) error {
+	return write(ctx, config, a.client.FilteringConfig)
+}
+
+func write[B any](
+	ctx context.Context,
+	body B,
+	req func(ctx context.Context, body B, reqEditors ...model.RequestEditorFn) (*http.Response, error),
+) error {
+	resp, err := req(ctx, body)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return detailedError(resp)
+	}
+	return nil
+}
+
+func read[I any](
+	ctx context.Context,
+	req func(ctx context.Context, reqEditors ...model.RequestEditorFn) (*http.Response, error),
+	parse func(rsp *http.Response) (*I, error),
+) (*I, error) {
+	resp, err := req(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, detailedError(resp)
+	}
+	return parse(resp)
+}
+
+func detailedError(resp *http.Response) error {
+	e := resp.Status
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	if len(body) > 0 {
+		e += fmt.Sprintf("(%s)", string(body))
+	}
+	return errors.New(e)
+}
--- a/pkg/client/model/client/interface.go
+++ b/pkg/client/model/client/interface.go
@@ -0,0 +1,15 @@
+package client
+
+import (
+	"context"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+)
+
+type Client interface {
+	Host(ctx context.Context) string
+	GetServerStatus(ctx context.Context) (*model.ServerStatus, error)
+
+	GetFilteringStatus(ctx context.Context) (*model.FilterStatus, error)
+	SetFilteringConfig(ctx context.Context, config model.FilterConfig) error
+}
--- a/pkg/client/model/client/resty.go
+++ b/pkg/client/model/client/resty.go
@@ -0,0 +1,28 @@
+package client
+
+import (
+	"net/http"
+
+	"github.com/go-resty/resty/v2"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+)
+
+var _ model.HttpRequestDoer = &adapter{}
+
+func RestyAdapter(r *resty.Client) model.HttpRequestDoer {
+	return &adapter{
+		client: r,
+	}
+}
+
+type adapter struct {
+	client *resty.Client
+}
+
+func (a adapter) Do(req *http.Request) (*http.Response, error) {
+	r, err := a.client.R().
+		SetHeaderMultiValues(req.Header).
+		Execute(req.Method, req.URL.String())
+	return r.RawResponse, err
+}
--- a/pkg/client/model/model-functions.go
+++ b/pkg/client/model/model-functions.go
@@ -0,0 +1,496 @@
+package model
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/jinzhu/copier"
+	"go.uber.org/zap"
+	"k8s.io/utils/ptr"
+
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+// Clone the config.
+func (c *DhcpStatus) Clone() *DhcpStatus {
+	clone := &DhcpStatus{}
+	_ = copier.Copy(clone, c)
+	return clone
+}
+
+func (c *DhcpStatus) cleanV4V6() {
+	if c.V4 != nil && !c.V4.isValid() {
+		c.V4 = nil
+	}
+	if c.V6 != nil && !c.V6.isValid() {
+		c.V6 = nil
+	}
+}
+
+// CleanAndEquals dhcp server config equal check where V4 and V6 are cleaned in advance.
+func (c *DhcpStatus) CleanAndEquals(o *DhcpStatus) bool {
+	c.cleanV4V6()
+	o.cleanV4V6()
+	return c.Equals(o)
+}
+
+// Equals dhcp server config equal check.
+func (c *DhcpStatus) Equals(o *DhcpStatus) bool {
+	return utils.JSONEquals(c, o)
+}
+
+func (c *DhcpStatus) HasConfig() bool {
+	return (c.V4 != nil && c.V4.isValid()) || (c.V6 != nil && c.V6.isValid())
+}
+
+func (j DhcpConfigV4) isValid() bool {
+	return j.GatewayIp != nil && *j.GatewayIp != "" &&
+		j.SubnetMask != nil && *j.SubnetMask != "" &&
+		j.RangeStart != nil && *j.RangeStart != "" &&
+		j.RangeEnd != nil && *j.RangeEnd != ""
+}
+
+func (j DhcpConfigV6) isValid() bool {
+	return j.RangeStart != nil && *j.RangeStart != ""
+}
+
+type DhcpStaticLeases []DhcpStaticLease
+
+// MergeDhcpStaticLeases the leases.
+func MergeDhcpStaticLeases(l, other *[]DhcpStaticLease) (adds, removes DhcpStaticLeases) {
+	var thisLeases []DhcpStaticLease
+	var otherLeases []DhcpStaticLease
+
+	if l != nil {
+		thisLeases = *l
+	}
+	if other != nil {
+		otherLeases = *other
+	}
+	current := make(map[string]DhcpStaticLease)
+
+	for _, le := range thisLeases {
+		current[le.Mac] = le
+	}
+
+	for _, le := range otherLeases {
+		if _, ok := current[le.Mac]; ok {
+			delete(current, le.Mac)
+		} else {
+			adds = append(adds, le)
+		}
+	}
+
+	for _, rr := range current {
+		removes = append(removes, rr)
+	}
+
+	return adds, removes
+}
+
+// Equals dns config equal check.
+func (c *DNSConfig) Equals(o *DNSConfig) bool {
+	cc := c.Clone()
+	oo := o.Clone()
+	cc.Sort()
+	oo.Sort()
+
+	return utils.JSONEquals(cc, oo)
+}
+
+func (c *DNSConfig) Clone() *DNSConfig {
+	return utils.Clone(c, &DNSConfig{})
+}
+
+// Sort dns config.
+func (c *DNSConfig) Sort() {
+	if c.UpstreamDns != nil {
+		sort.Strings(*c.UpstreamDns)
+	}
+
+	if c.UpstreamDns != nil {
+		sort.Strings(*c.BootstrapDns)
+	}
+
+	if c.UpstreamDns != nil {
+		sort.Strings(*c.LocalPtrUpstreams)
+	}
+}
+
+// Equals access list equal check.
+func (al *AccessList) Equals(o *AccessList) bool {
+	return EqualsStringSlice(al.AllowedClients, o.AllowedClients, true) &&
+		EqualsStringSlice(al.DisallowedClients, o.DisallowedClients, true) &&
+		EqualsStringSlice(al.BlockedHosts, o.BlockedHosts, true)
+}
+
+func EqualsStringSlice(a, b *[]string, sortIt bool) bool {
+	if a == nil && b == nil {
+		return true
+	}
+
+	if a == nil || b == nil {
+		return false
+	}
+
+	aa := *a
+	bb := *b
+	if sortIt {
+		sort.Strings(aa)
+		sort.Strings(bb)
+	}
+	if len(aa) != len(bb) {
+		return false
+	}
+	for i, v := range aa {
+		if v != bb[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// Sort clients.
+func (cl *Client) Sort() {
+	if cl.Ids != nil {
+		sort.Strings(*cl.Ids)
+	}
+	if cl.Tags != nil {
+		sort.Strings(*cl.Tags)
+	}
+	if cl.BlockedServices != nil {
+		sort.Strings(*cl.BlockedServices)
+	}
+	if cl.Upstreams != nil {
+		sort.Strings(*cl.Upstreams)
+	}
+}
+
+// PrepareDiff so we skip it in diff.
+func (cl *Client) PrepareDiff() *string {
+	var tz *string
+	bss := cl.BlockedServicesSchedule
+	if bss != nil && bss.Mon == nil && bss.Tue == nil && bss.Wed == nil &&
+		bss.Thu == nil && bss.Fri == nil && bss.Sat == nil && bss.Sun == nil {
+		tz = cl.BlockedServicesSchedule.TimeZone
+		cl.BlockedServicesSchedule.TimeZone = nil
+	}
+	return tz
+}
+
+// AfterDiff reset after diff.
+func (cl *Client) AfterDiff(tz *string) {
+	if cl.BlockedServicesSchedule != nil {
+		cl.BlockedServicesSchedule.TimeZone = tz
+	}
+}
+
+// Equals Clients equal check.
+func (cl *Client) Equals(o *Client) bool {
+	cl.Sort()
+	o.Sort()
+
+	bssCl := cl.PrepareDiff()
+	bssO := o.PrepareDiff()
+
+	defer func() {
+		cl.AfterDiff(bssCl)
+		o.AfterDiff(bssO)
+	}()
+
+	return utils.JSONEquals(cl, o)
+}
+
+// Add ac client.
+func (clients *Clients) Add(cl Client) {
+	if clients.Clients == nil {
+		clients.Clients = &ClientsArray{cl}
+	} else {
+		a := append(*clients.Clients, cl)
+		clients.Clients = &a
+	}
+}
+
+// Merge merge Clients.
+func (clients *Clients) Merge(other *Clients) (adds, removes, updates []*Client) {
+	current := make(map[string]*Client)
+	if clients.Clients != nil {
+		cc := *clients.Clients
+		for _, client := range cc {
+			current[*client.Name] = &client
+		}
+	}
+
+	expected := make(map[string]*Client)
+	if other.Clients != nil {
+		oc := *other.Clients
+		for _, client := range oc {
+			expected[*client.Name] = &client
+		}
+	}
+
+	for _, cl := range expected {
+		if oc, ok := current[*cl.Name]; ok {
+			if !cl.Equals(oc) {
+				updates = append(updates, cl)
+			}
+			delete(current, *cl.Name)
+		} else {
+			adds = append(adds, cl)
+		}
+	}
+
+	for _, rr := range current {
+		removes = append(removes, rr)
+	}
+
+	return adds, updates, removes
+}
+
+// Key RewriteEntry key.
+func (re *RewriteEntry) Key() string {
+	var d string
+	var a string
+	if re.Domain != nil {
+		d = *re.Domain
+	}
+	if re.Answer != nil {
+		a = *re.Answer
+	}
+	return fmt.Sprintf("%s#%s", d, a)
+}
+
+// RewriteEntries list of RewriteEntry.
+type RewriteEntries []RewriteEntry
+
+// Merge RewriteEntries.
+func (rwe *RewriteEntries) Merge(other *RewriteEntries) (adds, removes, duplicates RewriteEntries) {
+	current := make(map[string]RewriteEntry)
+
+	processed := make(map[string]bool)
+	for _, rr := range *rwe {
+		if _, ok := processed[rr.Key()]; !ok {
+			current[rr.Key()] = rr
+			processed[rr.Key()] = true
+		} else {
+			// remove duplicate
+			removes = append(removes, rr)
+		}
+	}
+
+	for _, rr := range *other {
+		if _, ok := current[rr.Key()]; ok {
+			delete(current, rr.Key())
+		} else {
+			if _, ok := processed[rr.Key()]; !ok {
+				adds = append(adds, rr)
+				processed[rr.Key()] = true
+			} else {
+				//	skip duplicate
+				duplicates = append(duplicates, rr)
+			}
+		}
+	}
+
+	for _, rr := range current {
+		removes = append(removes, rr)
+	}
+
+	return adds, removes, duplicates
+}
+
+func MergeFilters(this, other *[]Filter) (adds, updates, removes []Filter) {
+	if this == nil && other == nil {
+		return nil, nil, nil
+	}
+
+	current := make(map[string]*Filter)
+
+	if this != nil {
+		for _, fi := range *this {
+			current[fi.Url] = &fi
+		}
+	}
+
+	if other != nil {
+		for _, rr := range *other {
+			if c, ok := current[rr.Url]; ok {
+				if !c.Equals(&rr) {
+					updates = append(updates, rr)
+				}
+				delete(current, rr.Url)
+			} else {
+				adds = append(adds, rr)
+			}
+		}
+	}
+
+	for _, rr := range current {
+		removes = append(removes, *rr)
+	}
+
+	return adds, updates, removes
+}
+
+// Equals Filter equal check.
+func (f *Filter) Equals(o *Filter) bool {
+	return f.Enabled == o.Enabled && f.Url == o.Url && f.Name == o.Name
+}
+
+type QueryLogConfigWithIgnored struct {
+	QueryLogConfig
+
+	// Ignored List of host names, which should not be written to log
+	Ignored []string `json:"ignored,omitempty"`
+}
+
+// Equals QueryLogConfig equal check.
+func (qlc *QueryLogConfigWithIgnored) Equals(o *QueryLogConfigWithIgnored) bool {
+	return utils.JSONEquals(qlc, o)
+}
+
+// Equals QueryLogConfigInterval equal check.
+func (qlc *QueryLogConfigInterval) Equals(o *QueryLogConfigInterval) bool {
+	return ptrEquals(qlc, o)
+}
+
+func ptrEquals[T comparable](a, b *T) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	var aa T
+	if a != nil {
+		aa = *a
+	}
+	var bb T
+	if b != nil {
+		bb = *b
+	}
+
+	return aa == bb
+}
+
+// EnableConfig API struct.
+type EnableConfig struct {
+	Enabled bool `json:"enabled"`
+}
+
+func (ssc *SafeSearchConfig) Equals(o *SafeSearchConfig) bool {
+	return ptrEquals(ssc.Enabled, o.Enabled) &&
+		ptrEquals(ssc.Bing, o.Bing) &&
+		ptrEquals(ssc.Duckduckgo, o.Duckduckgo) &&
+		ptrEquals(ssc.Google, o.Google) &&
+		ptrEquals(ssc.Pixabay, o.Pixabay) &&
+		ptrEquals(ssc.Yandex, o.Yandex) &&
+		ptrEquals(ssc.Youtube, o.Youtube)
+}
+
+func (pi *ProfileInfo) Equals(o *ProfileInfo, withTheme bool) bool {
+	return pi.Language == o.Language && (!withTheme || pi.Theme == o.Theme)
+}
+
+func (pi *ProfileInfo) ShouldSyncFor(o *ProfileInfo, withTheme bool) *ProfileInfo {
+	if pi.Equals(o, withTheme) {
+		return nil
+	}
+	merged := &ProfileInfo{Name: pi.Name, Language: pi.Language, Theme: pi.Theme}
+	if o.Language != "" {
+		merged.Language = o.Language
+	}
+	if withTheme && o.Theme != "" {
+		merged.Theme = o.Theme
+	}
+	if merged.Name == "" || merged.Language == "" || merged.Equals(pi, false) {
+		return nil
+	}
+	return merged
+}
+
+func (bss *BlockedServicesSchedule) Equals(o *BlockedServicesSchedule) bool {
+	return utils.JSONEquals(bss, o)
+}
+
+func (bss *BlockedServicesSchedule) ServicesString() string {
+	return ArrayString(bss.Ids)
+}
+
+func ArrayString(a *[]string) string {
+	if a == nil {
+		return "[]"
+	}
+	sorted := *a
+	sort.Strings(sorted)
+	return fmt.Sprintf("[%s]", strings.Join(sorted, ","))
+}
+
+func (c *DNSConfig) Sanitize(l *zap.SugaredLogger) {
+	// disable UsePrivatePtrResolvers if not configured
+	// https://github.com/AdguardTeam/AdGuardHome/issues/6820
+	if c.UsePrivatePtrResolvers != nil && *c.UsePrivatePtrResolvers &&
+		(c.LocalPtrUpstreams == nil || len(*c.LocalPtrUpstreams) == 0) {
+		l.Warn(
+			"disabling replica 'Use private reverse DNS resolvers' as no 'Private reverse DNS servers' are configured on origin",
+		)
+		c.UsePrivatePtrResolvers = utils.Ptr(false)
+	}
+}
+
+// Equals GetStatsConfigResponse equal check.
+func (sc *GetStatsConfigResponse) Equals(o *GetStatsConfigResponse) bool {
+	return utils.JSONEquals(sc, o)
+}
+
+func NewStats() *Stats {
+	return &Stats{
+		NumBlockedFiltering:     ptr.To(0),
+		NumReplacedParental:     ptr.To(0),
+		NumReplacedSafesearch:   ptr.To(0),
+		NumReplacedSafebrowsing: ptr.To(0),
+		NumDnsQueries:           ptr.To(0),
+
+		BlockedFiltering:     ptr.To(make([]int, 24)),
+		DnsQueries:           ptr.To(make([]int, 24)),
+		ReplacedParental:     ptr.To(make([]int, 24)),
+		ReplacedSafebrowsing: ptr.To(make([]int, 24)),
+	}
+}
+
+func (s *Stats) Add(other *Stats) {
+	s.NumBlockedFiltering = addInt(s.NumBlockedFiltering, other.NumBlockedFiltering)
+	s.NumReplacedSafebrowsing = addInt(s.NumReplacedSafebrowsing, other.NumReplacedSafebrowsing)
+	s.NumDnsQueries = addInt(s.NumDnsQueries, other.NumDnsQueries)
+	s.NumReplacedSafesearch = addInt(s.NumReplacedSafesearch, other.NumReplacedSafesearch)
+	s.NumReplacedParental = addInt(s.NumReplacedParental, other.NumReplacedParental)
+
+	s.BlockedFiltering = sumUp(s.BlockedFiltering, other.BlockedFiltering)
+	s.DnsQueries = sumUp(s.DnsQueries, other.DnsQueries)
+	s.ReplacedParental = sumUp(s.ReplacedParental, other.ReplacedParental)
+	s.ReplacedSafebrowsing = sumUp(s.ReplacedSafebrowsing, other.ReplacedSafebrowsing)
+}
+
+func addInt(t, add *int) *int {
+	if add != nil {
+		return ptr.To(*t + *add)
+	}
+	return t
+}
+
+func sumUp(t, o *[]int) *[]int {
+	if o != nil {
+		tt := *t
+		oo := *o
+		var sum []int
+		for i := range tt {
+			if len(oo) >= i {
+				sum = append(sum, tt[i]+oo[i])
+			}
+		}
+		return &sum
+	}
+	return t
+}
+
+func (c *TlsConfig) Equals(config *TlsConfig) bool {
+	return utils.JSONEquals(c, config)
+}
--- a/pkg/client/model/model_generated.go
+++ b/pkg/client/model/model_generated.go
--- a/pkg/client/model/model_private_test.go
+++ b/pkg/client/model/model_private_test.go
@@ -0,0 +1,104 @@
+package model
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+var _ = Describe("Types", func() {
+	Context("DhcpConfigV4", func() {
+		DescribeTable("DhcpConfigV4 should not be valid",
+			func(v4 DhcpConfigV4) {
+				gomega.Ω(v4.isValid()).Should(gomega.BeFalse())
+			},
+			Entry(`When GatewayIp is nil`, DhcpConfigV4{
+				GatewayIp:  nil,
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When GatewayIp is ""`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr(""),
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When SubnetMask is nil`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: nil,
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When SubnetMask is ""`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: utils.Ptr(""),
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When SubnetMask is nil`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: nil,
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When SubnetMask is ""`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: utils.Ptr(""),
+				RangeEnd:   utils.Ptr("4.4.4.4"),
+			}),
+			Entry(`When RangeEnd is nil`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   nil,
+			}),
+			Entry(`When RangeEnd is ""`, DhcpConfigV4{
+				GatewayIp:  utils.Ptr("1.1.1.1"),
+				SubnetMask: utils.Ptr("2.2.2.2"),
+				RangeStart: utils.Ptr("3.3.3.3"),
+				RangeEnd:   utils.Ptr(""),
+			}),
+		)
+	})
+	Context("DhcpConfigV6", func() {
+		DescribeTable("DhcpConfigV6 should not be valid",
+			func(v6 DhcpConfigV6) {
+				gomega.Ω(v6.isValid()).Should(gomega.BeFalse())
+			},
+			Entry(`When SubnetMask is nil`, DhcpConfigV6{RangeStart: nil}),
+			Entry(`When SubnetMask is ""`, DhcpConfigV6{RangeStart: utils.Ptr("")}),
+		)
+	})
+	Context("DNSConfig", func() {
+		var (
+			cfg *DNSConfig
+			l   *zap.SugaredLogger
+		)
+
+		BeforeEach(func() {
+			cfg = &DNSConfig{
+				UsePrivatePtrResolvers: utils.Ptr(true),
+			}
+			l = log.GetLogger("test")
+		})
+		Context("Sanitize", func() {
+			It("should disable UsePrivatePtrResolvers resolvers is nil ", func() {
+				cfg.LocalPtrUpstreams = nil
+				cfg.Sanitize(l)
+				gomega.Ω(cfg.UsePrivatePtrResolvers).ShouldNot(gomega.BeNil())
+				gomega.Ω(*cfg.UsePrivatePtrResolvers).Should(gomega.Equal(false))
+			})
+			It("should disable UsePrivatePtrResolvers resolvers is empty ", func() {
+				cfg.LocalPtrUpstreams = utils.Ptr([]string{})
+				cfg.Sanitize(l)
+				gomega.Ω(cfg.UsePrivatePtrResolvers).ShouldNot(gomega.BeNil())
+				gomega.Ω(*cfg.UsePrivatePtrResolvers).Should(gomega.Equal(false))
+			})
+		})
+	})
+})
--- a/pkg/client/model/model_suite_test.go
+++ b/pkg/client/model/model_suite_test.go
@@ -0,0 +1,13 @@
+package model_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestTypes(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Model Suite")
+}
--- a/pkg/client/model/model_test.go
+++ b/pkg/client/model/model_test.go
@@ -0,0 +1,470 @@
+package model_test
+
+import (
+	"encoding/json"
+	"os"
+
+	"github.com/google/uuid"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+var _ = Describe("Types", func() {
+	var (
+		url     string
+		apiPath string
+	)
+	BeforeEach(func() {
+		url = "https://" + uuid.NewString()
+		apiPath = "/" + uuid.NewString()
+	})
+
+	Context("FilteringStatus", func() {
+		It("should correctly parse json", func() {
+			b, err := os.ReadFile("../../../testdata/filtering-status.json")
+			fs := &model.FilterStatus{}
+			Ω(err).ShouldNot(HaveOccurred())
+			err = json.Unmarshal(b, fs)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+
+	Context("Filters", func() {
+		Context("Merge", func() {
+			var (
+				originFilters  []model.Filter
+				replicaFilters []model.Filter
+			)
+			BeforeEach(func() {
+				originFilters = []model.Filter{}
+				replicaFilters = []model.Filter{}
+			})
+
+			It("should add a missing filter", func() {
+				originFilters = append(originFilters, model.Filter{Url: url})
+				a, u, d := model.MergeFilters(&replicaFilters, &originFilters)
+				Ω(a).Should(HaveLen(1))
+				Ω(u).Should(BeEmpty())
+				Ω(d).Should(BeEmpty())
+
+				Ω(a[0].Url).Should(Equal(url))
+			})
+
+			It("should remove additional filter", func() {
+				replicaFilters = append(replicaFilters, model.Filter{Url: url})
+				a, u, d := model.MergeFilters(&replicaFilters, &originFilters)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(BeEmpty())
+				Ω(d).Should(HaveLen(1))
+
+				Ω(d[0].Url).Should(Equal(url))
+			})
+
+			It("should update existing filter when enabled differs", func() {
+				enabled := true
+				originFilters = append(originFilters, model.Filter{Url: url, Enabled: enabled})
+				replicaFilters = append(replicaFilters, model.Filter{Url: url, Enabled: !enabled})
+				a, u, d := model.MergeFilters(&replicaFilters, &originFilters)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(HaveLen(1))
+				Ω(d).Should(BeEmpty())
+
+				Ω(u[0].Enabled).Should(Equal(enabled))
+			})
+
+			It("should update existing filter when name differs", func() {
+				name1 := uuid.NewString()
+				name2 := uuid.NewString()
+				originFilters = append(originFilters, model.Filter{Url: url, Name: name1})
+				replicaFilters = append(replicaFilters, model.Filter{Url: url, Name: name2})
+				a, u, d := model.MergeFilters(&replicaFilters, &originFilters)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(HaveLen(1))
+				Ω(d).Should(BeEmpty())
+
+				Ω(u[0].Name).Should(Equal(name1))
+			})
+
+			It("should have no changes", func() {
+				originFilters = append(originFilters, model.Filter{Url: url})
+				replicaFilters = append(replicaFilters, model.Filter{Url: url})
+				a, u, d := model.MergeFilters(&replicaFilters, &originFilters)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(BeEmpty())
+				Ω(d).Should(BeEmpty())
+			})
+		})
+	})
+	Context("AdGuardInstance", func() {
+		It("should build a key with url and api apiPath", func() {
+			i := &types.AdGuardInstance{URL: url, APIPath: apiPath}
+			Ω(i.Key()).Should(Equal(url + "#" + apiPath))
+		})
+	})
+	Context("RewriteEntry", func() {
+		It("should build a key with url and api apiPath", func() {
+			domain := uuid.NewString()
+			answer := uuid.NewString()
+			re := &model.RewriteEntry{Domain: utils.Ptr(domain), Answer: utils.Ptr(answer)}
+			Ω(re.Key()).Should(Equal(domain + "#" + answer))
+		})
+	})
+	Context("QueryLogConfig", func() {
+		Context("Equal", func() {
+			var (
+				a *model.QueryLogConfigWithIgnored
+				b *model.QueryLogConfigWithIgnored
+			)
+			BeforeEach(func() {
+				a = &model.QueryLogConfigWithIgnored{}
+				b = &model.QueryLogConfigWithIgnored{}
+			})
+			It("should be equal", func() {
+				a.Enabled = utils.Ptr(true)
+				var interval model.QueryLogConfigInterval = 1
+				a.Interval = &interval
+				a.AnonymizeClientIp = utils.Ptr(true)
+				b.Enabled = utils.Ptr(true)
+				b.Interval = &interval
+				b.AnonymizeClientIp = utils.Ptr(true)
+				Ω(a.Equals(b)).Should(BeTrue())
+			})
+			It("should not be equal when enabled differs", func() {
+				a.Enabled = utils.Ptr(true)
+				b.Enabled = utils.Ptr(false)
+				Ω(a.Equals(b)).ShouldNot(BeTrue())
+			})
+			It("should not be equal when interval differs", func() {
+				var interval1 model.QueryLogConfigInterval = 1
+				var interval2 model.QueryLogConfigInterval = 2
+				a.Interval = &interval1
+				b.Interval = &interval2
+				Ω(a.Equals(b)).ShouldNot(BeTrue())
+			})
+			It("should not be equal when anonymizeClientIP differs", func() {
+				a.AnonymizeClientIp = utils.Ptr(true)
+				b.AnonymizeClientIp = utils.Ptr(false)
+				Ω(a.Equals(b)).ShouldNot(BeTrue())
+			})
+		})
+	})
+	Context("RewriteEntries", func() {
+		Context("Merge", func() {
+			var (
+				originRE  model.RewriteEntries
+				replicaRE model.RewriteEntries
+				domain    string
+			)
+			BeforeEach(func() {
+				originRE = model.RewriteEntries{}
+				replicaRE = model.RewriteEntries{}
+				domain = uuid.NewString()
+			})
+
+			It("should add a missing rewrite entry", func() {
+				originRE = append(originRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				a, r, d := replicaRE.Merge(&originRE)
+				Ω(a).Should(HaveLen(1))
+				Ω(r).Should(BeEmpty())
+				Ω(d).Should(BeEmpty())
+
+				Ω(*a[0].Domain).Should(Equal(domain))
+			})
+
+			It("should remove additional rewrite entry", func() {
+				replicaRE = append(replicaRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				a, r, d := replicaRE.Merge(&originRE)
+				Ω(a).Should(BeEmpty())
+				Ω(r).Should(HaveLen(1))
+				Ω(d).Should(BeEmpty())
+
+				Ω(*r[0].Domain).Should(Equal(domain))
+			})
+
+			It("should have no changes", func() {
+				originRE = append(originRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				replicaRE = append(replicaRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				a, r, d := replicaRE.Merge(&originRE)
+				Ω(a).Should(BeEmpty())
+				Ω(r).Should(BeEmpty())
+				Ω(d).Should(BeEmpty())
+			})
+
+			It("should remove target duplicate", func() {
+				originRE = append(originRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				replicaRE = append(replicaRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				replicaRE = append(replicaRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				a, r, d := replicaRE.Merge(&originRE)
+				Ω(a).Should(BeEmpty())
+				Ω(r).Should(HaveLen(1))
+				Ω(d).Should(BeEmpty())
+			})
+
+			It("should remove target duplicate", func() {
+				originRE = append(originRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				originRE = append(originRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				replicaRE = append(replicaRE, model.RewriteEntry{Domain: utils.Ptr(domain)})
+				a, r, d := replicaRE.Merge(&originRE)
+				Ω(a).Should(BeEmpty())
+				Ω(r).Should(BeEmpty())
+				Ω(d).Should(HaveLen(1))
+			})
+		})
+	})
+	Context("Config", func() {
+		var cfg *types.Config
+		BeforeEach(func() {
+			cfg = &types.Config{}
+		})
+		Context("UniqueReplicas", func() {
+			It("should be empty if noting defined", func() {
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(BeEmpty())
+			})
+			It("should be empty if replica url is not set", func() {
+				cfg.Replica = &types.AdGuardInstance{URL: ""}
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(BeEmpty())
+			})
+			It("should be empty if replicas url is not set", func() {
+				cfg.Replicas = []types.AdGuardInstance{{URL: ""}}
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(BeEmpty())
+			})
+			It("should return only one replica if same url and apiPath", func() {
+				cfg.Replica = &types.AdGuardInstance{URL: url, APIPath: apiPath}
+				cfg.Replicas = []types.AdGuardInstance{{URL: url, APIPath: apiPath}, {URL: url, APIPath: apiPath}}
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(HaveLen(1))
+			})
+			It("should return 3 one replicas if urls are different", func() {
+				cfg.Replica = &types.AdGuardInstance{URL: url, APIPath: apiPath}
+				cfg.Replicas = []types.AdGuardInstance{
+					{URL: url + "1", APIPath: apiPath},
+					{URL: url, APIPath: apiPath + "1"},
+				}
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(HaveLen(3))
+			})
+			It("should set default api apiPath if not set", func() {
+				cfg.Replica = &types.AdGuardInstance{URL: url}
+				cfg.Replicas = []types.AdGuardInstance{{URL: url + "1"}}
+				r := cfg.UniqueReplicas()
+				Ω(r).Should(HaveLen(2))
+				Ω(r[0].APIPath).Should(Equal(types.DefaultAPIPath))
+				Ω(r[1].APIPath).Should(Equal(types.DefaultAPIPath))
+			})
+		})
+	})
+
+	Context("Clients", func() {
+		Context("Merge", func() {
+			var (
+				originClients  *model.Clients
+				replicaClients model.Clients
+				name           string
+			)
+			BeforeEach(func() {
+				originClients = &model.Clients{}
+				replicaClients = model.Clients{}
+				name = uuid.NewString()
+			})
+
+			It("should add a missing client", func() {
+				originClients.Add(model.Client{Name: utils.Ptr(name)})
+				a, u, d := replicaClients.Merge(originClients)
+				Ω(a).Should(HaveLen(1))
+				Ω(u).Should(BeEmpty())
+				Ω(d).Should(BeEmpty())
+
+				Ω(*a[0].Name).Should(Equal(name))
+			})
+
+			It("should remove additional client", func() {
+				replicaClients.Add(model.Client{Name: utils.Ptr(name)})
+				a, u, d := replicaClients.Merge(originClients)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(BeEmpty())
+				Ω(d).Should(HaveLen(1))
+
+				Ω(*d[0].Name).Should(Equal(name))
+			})
+
+			It("should update existing client when name differs", func() {
+				disallowed := true
+				originClients.Add(model.Client{Name: utils.Ptr(name), FilteringEnabled: utils.Ptr(disallowed)})
+				replicaClients.Add(model.Client{Name: utils.Ptr(name), FilteringEnabled: utils.Ptr(!disallowed)})
+				a, u, d := replicaClients.Merge(originClients)
+				Ω(a).Should(BeEmpty())
+				Ω(u).Should(HaveLen(1))
+				Ω(d).Should(BeEmpty())
+
+				Ω(*u[0].FilteringEnabled).Should(Equal(disallowed))
+			})
+		})
+	})
+
+	Context("Client", func() {
+		Context("Equals", func() {
+			var (
+				cl1 *model.Client
+				cl2 *model.Client
+			)
+			BeforeEach(func() {
+				cl1 = &model.Client{
+					Name:                    utils.Ptr("foo"),
+					BlockedServicesSchedule: &model.Schedule{TimeZone: utils.Ptr("UTC")},
+				}
+				cl2 = &model.Client{
+					Name:                    utils.Ptr("foo"),
+					BlockedServicesSchedule: &model.Schedule{TimeZone: utils.Ptr("Local")},
+				}
+			})
+
+			It("should equal if only timezone differs on empty blocked service schedule", func() {
+				Ω(cl1.Equals(cl2)).Should(BeTrue())
+			})
+		})
+	})
+	Context("BlockedServices", func() {
+		Context("Equals", func() {
+			It("should be equal", func() {
+				s1 := &model.BlockedServicesArray{"a", "b"}
+				s2 := &model.BlockedServicesArray{"b", "a"}
+				Ω(model.EqualsStringSlice(s1, s2, true)).Should(BeTrue())
+			})
+			It("should not be equal different values", func() {
+				s1 := &model.BlockedServicesArray{"a", "b"}
+				s2 := &model.BlockedServicesArray{"B", "a"}
+				Ω(model.EqualsStringSlice(s1, s2, true)).ShouldNot(BeTrue())
+			})
+			It("should not be equal different length", func() {
+				s1 := &model.BlockedServicesArray{"a", "b"}
+				s2 := &model.BlockedServicesArray{"b", "a", "c"}
+				Ω(model.EqualsStringSlice(s1, s2, true)).ShouldNot(BeTrue())
+			})
+		})
+	})
+	Context("DNSConfig", func() {
+		Context("Equals", func() {
+			It("should be equal", func() {
+				dc1 := &model.DNSConfig{LocalPtrUpstreams: utils.Ptr([]string{"a"})}
+				dc2 := &model.DNSConfig{LocalPtrUpstreams: utils.Ptr([]string{"a"})}
+				Ω(dc1.Equals(dc2)).Should(BeTrue())
+			})
+			It("should not be equal", func() {
+				dc1 := &model.DNSConfig{LocalPtrUpstreams: utils.Ptr([]string{"a"})}
+				dc2 := &model.DNSConfig{LocalPtrUpstreams: utils.Ptr([]string{"b"})}
+				Ω(dc1.Equals(dc2)).ShouldNot(BeTrue())
+			})
+		})
+	})
+	Context("DHCPServerConfig", func() {
+		Context("Equals", func() {
+			It("should be equal", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.4"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+				}
+				dc2 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.4"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+				}
+				Ω(dc1.Equals(dc2)).Should(BeTrue())
+			})
+			It("should not be equal", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.3"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+				}
+				dc2 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.4"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+				}
+				Ω(dc1.Equals(dc2)).ShouldNot(BeTrue())
+			})
+		})
+		Context("Clone", func() {
+			It("clone should be equal", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.4"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+				}
+				Ω(dc1.Clone().Equals(dc1)).Should(BeTrue())
+			})
+		})
+		Context("HasConfig", func() {
+			It("should not have a config", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{},
+					V6: &model.DhcpConfigV6{},
+				}
+				Ω(dc1.HasConfig()).Should(BeFalse())
+			})
+			It("should not have a v4 config with nil IP", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp: nil,
+					},
+					V6: &model.DhcpConfigV6{
+						RangeStart: utils.Ptr("1.2.3.5"),
+					},
+				}
+				Ω(dc1.HasConfig()).Should(BeTrue())
+			})
+			It("should not have a v4 config with empty IP", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp: utils.Ptr(""),
+					},
+					V6: &model.DhcpConfigV6{
+						RangeStart: utils.Ptr("1.2.3.5"),
+					},
+				}
+				Ω(dc1.HasConfig()).Should(BeTrue())
+			})
+			It("should not have a v6 config", func() {
+				dc1 := &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:     utils.Ptr("1.2.3.4"),
+						LeaseDuration: utils.Ptr(123),
+						RangeStart:    utils.Ptr("1.2.3.5"),
+						RangeEnd:      utils.Ptr("1.2.3.6"),
+						SubnetMask:    utils.Ptr("255.255.255.0"),
+					},
+					V6: &model.DhcpConfigV6{},
+				}
+				Ω(dc1.HasConfig()).Should(BeTrue())
+			})
+		})
+	})
+})
--- a/pkg/config/config-schema.json
+++ b/pkg/config/config-schema.json
@@ -0,0 +1,181 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "additionalProperties": false,
+  "definitions": {
+    "Instance": {
+      "additionalProperties": false,
+      "properties": {
+        "apiPath": {
+          "type": "string"
+        },
+        "autoSetup": {
+          "type": "boolean"
+        },
+        "cookie": {
+          "type": "string"
+        },
+        "dhcpServerEnabled": {
+          "type": "boolean"
+        },
+        "insecureSkipVerify": {
+          "type": "boolean"
+        },
+        "interfaceName": {
+          "type": "string"
+        },
+        "password": {
+          "type": "string"
+        },
+        "url": {
+          "format": "uri",
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
+        },
+        "webURL": {
+          "format": "uri",
+          "type": "string"
+        },
+        "requestHeaders": {
+          "type": "object"
+        }
+      },
+      "type": "object"
+    }
+  },
+  "description": "validates only for valid schema. No required fields, as the can be defined via env ars afterwards.",
+  "properties": {
+    "api": {
+      "additionalProperties": false,
+      "properties": {
+        "darkMode": {
+          "type": "boolean"
+        },
+        "metrics": {
+          "additionalProperties": false,
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "queryLogLimit": {
+              "type": "integer"
+            },
+            "scrapeInterval": {
+              "type": "string"
+            }
+          },
+          "type": "object"
+        },
+        "password": {
+          "type": "string"
+        },
+        "port": {
+          "type": "number"
+        },
+        "tls": {
+          "additionalProperties": false,
+          "properties": {
+            "certDir": {
+              "type": "string"
+            },
+            "certName": {
+              "type": "string"
+            },
+            "keyName": {
+              "type": "string"
+            }
+          },
+          "type": "object"
+        },
+        "username": {
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
+    "continueOnError": {
+      "type": "boolean"
+    },
+    "cron": {
+      "type": "string"
+    },
+    "features": {
+      "additionalProperties": false,
+      "properties": {
+        "clientSettings": {
+          "type": "boolean"
+        },
+        "dhcp": {
+          "additionalProperties": false,
+          "properties": {
+            "serverConfig": {
+              "type": "boolean"
+            },
+            "staticLeases": {
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
+        "dns": {
+          "additionalProperties": false,
+          "properties": {
+            "accessLists": {
+              "type": "boolean"
+            },
+            "rewrites": {
+              "type": "boolean"
+            },
+            "serverConfig": {
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
+        "filters": {
+          "type": "boolean"
+        },
+        "generalSettings": {
+          "type": "boolean"
+        },
+        "queryLogConfig": {
+          "type": "boolean"
+        },
+        "services": {
+          "type": "boolean"
+        },
+        "statsConfig": {
+          "type": "boolean"
+        },
+        "theme": {
+          "type": "boolean"
+        },
+        "tlsConfig": {
+          "type": "boolean"
+        }
+      },
+      "type": "object"
+    },
+    "origin": {
+      "$ref": "#/definitions/Instance"
+    },
+    "printConfigOnly": {
+      "type": "boolean"
+    },
+    "replica": {
+      "$ref": "#/definitions/Instance"
+    },
+    "replicas": {
+      "items": {
+        "$ref": "#/definitions/Instance"
+      },
+      "type": "array"
+    },
+    "runOnStart": {
+      "type": "boolean"
+    }
+  },
+  "title": "adguardhome-sync Configuration",
+  "type": "object"
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -0,0 +1,131 @@
+package config
+
+import (
+	"errors"
+	"regexp"
+
+	"github.com/caarlos0/env/v11"
+
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+var (
+	envReplicasURLPattern = regexp.MustCompile(`^REPLICA(\d+)_URL=(.*)`)
+	logger                = log.GetLogger("config")
+)
+
+type AppConfig struct {
+	cfg      *types.Config
+	filePath string
+	content  string
+}
+
+func (ac *AppConfig) PrintConfigOnly() bool {
+	return ac.cfg.PrintConfigOnly
+}
+
+func (ac *AppConfig) Get() *types.Config {
+	return ac.cfg
+}
+
+func (ac *AppConfig) Init() error {
+	return ac.cfg.Init()
+}
+
+func Get(configFile string, flags Flags) (*AppConfig, error) {
+	path, err := configFilePath(configFile)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := validateSchema(path); err != nil {
+		return nil, err
+	}
+
+	cfg := initialConfig()
+
+	// read yaml config
+	var content string
+	if content, err = readFile(cfg, path); err != nil {
+		return nil, err
+	}
+
+	// overwrite from command flags
+	if err := readFlags(cfg, flags); err != nil {
+		return nil, err
+	}
+
+	// *bool field creates issues when already not nil
+	cfg.Origin.DHCPServerEnabled = nil // origin filed makes no sense to be set.
+
+	// keep previously set value
+	replicaDhcpServer := cfg.Replica.DHCPServerEnabled
+	cfg.Replica.DHCPServerEnabled = nil
+
+	// ignore origin and replicas form env parsing as they are handled separately
+	replicas := cfg.Replicas
+	cfg.Replicas = nil
+	replica := cfg.Replica
+	cfg.Replica = nil
+	origin := cfg.Origin
+	cfg.Origin = nil
+
+	// overwrite from env vars
+	if err := env.Parse(cfg); err != nil {
+		return nil, err
+	}
+	if err := env.ParseWithOptions(origin, env.Options{Prefix: "ORIGIN_"}); err != nil {
+		return nil, err
+	}
+	if err := env.ParseWithOptions(replica, env.Options{Prefix: "REPLICA_"}); err != nil {
+		return nil, err
+	}
+	// restore origin and replica
+	cfg.Origin = origin
+	cfg.Replica = replica
+	cfg.Replicas = replicas
+
+	// if not set from env, use previous value
+	if cfg.Replica.DHCPServerEnabled == nil {
+		cfg.Replica.DHCPServerEnabled = replicaDhcpServer
+	}
+
+	if cfg.Replica != nil &&
+		cfg.Replica.URL == "" &&
+		cfg.Replica.Username == "" {
+		cfg.Replica = nil
+	}
+
+	if len(cfg.Replicas) > 0 && cfg.Replica != nil {
+		return nil, errors.New("mixed replica config in use. " +
+			"Do not use single replica and numbered (list) replica config combined")
+	}
+
+	handleDeprecatedEnvVars(cfg)
+
+	if cfg.Replica != nil {
+		cfg.Replicas = []types.AdGuardInstance{*cfg.Replica}
+		cfg.Replica = nil
+	}
+
+	cfg.Replicas, err = enrichReplicasFromEnv(cfg.Replicas)
+
+	return &AppConfig{cfg: cfg, filePath: path, content: content}, err
+}
+
+func initialConfig() *types.Config {
+	return &types.Config{
+		RunOnStart: true,
+		Origin: &types.AdGuardInstance{
+			APIPath: "/control",
+		},
+		Replica: &types.AdGuardInstance{
+			APIPath: "/control",
+		},
+		API: types.API{
+			Port: 8080,
+		},
+		Features: types.NewFeatures(true),
+	}
+}
--- a/pkg/config/config_suite_test.go
+++ b/pkg/config/config_suite_test.go
@@ -0,0 +1,15 @@
+package config_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/format"
+)
+
+func TestCmd(t *testing.T) {
+	format.TruncatedDiff = false
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Config Suite")
+}
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -0,0 +1,270 @@
+package config_test
+
+import (
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	gm "go.uber.org/mock/gomock"
+
+	"github.com/bakito/adguardhome-sync/pkg/config"
+	flagsmock "github.com/bakito/adguardhome-sync/pkg/mocks/flags"
+)
+
+var _ = Describe("Config", func() {
+	Context("Get", func() {
+		var (
+			flags          *flagsmock.MockFlags
+			mockCtrl       *gm.Controller
+			changedEnvVars []string
+			setEnv         = func(name, value string) {
+				_ = os.Setenv(name, value)
+				changedEnvVars = append(changedEnvVars, name)
+			}
+		)
+		BeforeEach(func() {
+			mockCtrl = gm.NewController(GinkgoT())
+			flags = flagsmock.NewMockFlags(mockCtrl)
+			changedEnvVars = nil
+		})
+		AfterEach(func() {
+			for _, envVar := range changedEnvVars {
+				_ = os.Unsetenv(envVar)
+				println(envVar)
+			}
+			defer mockCtrl.Finish()
+		})
+		Context("Get", func() {
+			Context("Mixed Config", func() {
+				It("should have the origin URL from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					_, err := config.Get("../../testdata/config_test_replicas_and_replica.yaml", flags)
+					Ω(err).Should(HaveOccurred())
+					Ω(err.Error()).Should(ContainSubstring("mixed replica config in use"))
+				})
+			})
+			Context("Env Var Clash", func() {
+				It("should not use USERNAME env variable if it is defined (#570)", func() {
+					incorrect := "ThisIsNotTheCorrectUsername"
+					setEnv("USERNAME", incorrect)
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					c, err := config.Get("../../testdata/config_test_replica.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(c.Get().Origin.Username).ShouldNot(Equal(incorrect))
+					Ω(c.Get().Replicas[0].Username).ShouldNot(Equal(incorrect))
+				})
+			})
+			Context("Origin Url", func() {
+				It("should have the origin URL from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Origin.URL).Should(Equal("https://origin-file:443"))
+				})
+				It("should have the origin URL from the config flags", func() {
+					flags.EXPECT().Changed(config.FlagOriginURL).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetString(config.FlagOriginURL).Return("https://origin-flag:443", nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Origin.URL).Should(Equal("https://origin-flag:443"))
+				})
+				It("should have the origin URL from the config env var", func() {
+					setEnv("ORIGIN_URL", "https://origin-env:443")
+					flags.EXPECT().Changed(config.FlagOriginURL).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetString(config.FlagOriginURL).Return("https://origin-flag:443", nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Origin.URL).Should(Equal("https://origin-env:443"))
+				})
+			})
+			Context("Replica insecure skip verify", func() {
+				It("should have the insecure skip verify from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replica.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InsecureSkipVerify).Should(BeFalse())
+				})
+				It("should have the insecure skip verify from the config flags", func() {
+					flags.EXPECT().Changed(config.FlagReplicaISV).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetBool(config.FlagReplicaISV).Return(true, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replica.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InsecureSkipVerify).Should(BeTrue())
+				})
+				It("should have the insecure skip verify from the config env var", func() {
+					setEnv("REPLICA_INSECURE_SKIP_VERIFY", "false")
+					flags.EXPECT().Changed(config.FlagReplicaISV).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetBool(config.FlagReplicaISV).Return(true, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replica.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InsecureSkipVerify).Should(BeFalse())
+				})
+			})
+
+			Context("Replica 1 insecure skip verify", func() {
+				It("should have the insecure skip verify from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InsecureSkipVerify).Should(BeFalse())
+				})
+				It("should have the insecure skip verify from the config env var", func() {
+					setEnv("REPLICA1_INSECURE_SKIP_VERIFY", "true")
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InsecureSkipVerify).Should(BeTrue())
+				})
+			})
+			Context("API Port", func() {
+				It("should have the api port from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9090))
+				})
+				It("should have the api port from the config flags", func() {
+					flags.EXPECT().Changed(config.FlagAPIPort).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetInt(config.FlagAPIPort).Return(9990, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9990))
+				})
+				It("should have the api port from the config env var", func() {
+					setEnv("API_PORT", "9999")
+					flags.EXPECT().Changed(config.FlagAPIPort).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetInt(config.FlagAPIPort).Return(9990, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9999))
+				})
+			})
+
+			Context("Replica DHCPServerEnabled", func() {
+				It("should have the dhcp server enabled from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replica.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].DHCPServerEnabled).ShouldNot(BeNil())
+					Ω(*cfg.Get().Replicas[0].DHCPServerEnabled).Should(BeFalse())
+				})
+			})
+
+			Context("Replica 1 DHCPServerEnabled", func() {
+				It("should have the dhcp server enabled from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].DHCPServerEnabled).ShouldNot(BeNil())
+					Ω(*cfg.Get().Replicas[0].DHCPServerEnabled).Should(BeFalse())
+				})
+			})
+			Context("API Port", func() {
+				It("should have the api port from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9090))
+				})
+				It("should have the api port from the config flags", func() {
+					flags.EXPECT().Changed(config.FlagAPIPort).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetInt(config.FlagAPIPort).Return(9990, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9990))
+				})
+				It("should have the api port from the config env var", func() {
+					setEnv("API_PORT", "9999")
+					flags.EXPECT().Changed(config.FlagAPIPort).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetInt(config.FlagAPIPort).Return(9990, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().API.Port).Should(Equal(9999))
+				})
+			})
+
+			Context("Feature DNS Server Config", func() {
+				It("should have the feature dns server config from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Features.DNS.ServerConfig).Should(BeFalse())
+				})
+				It("should have the feature dns server config from the config flags", func() {
+					flags.EXPECT().Changed(config.FlagFeatureDNSServerConfig).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetBool(config.FlagFeatureDNSServerConfig).Return(true, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Features.DNS.ServerConfig).Should(BeTrue())
+				})
+				It("should have the feature dns server config from the config env var", func() {
+					setEnv("FEATURES_DNS_SERVER_CONFIG", "false")
+					flags.EXPECT().Changed(config.FlagFeatureDNSServerConfig).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetBool(config.FlagFeatureDNSServerConfig).Return(true, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Features.DNS.ServerConfig).Should(BeFalse())
+				})
+				It("should have the feature dns server config from the config DEPRECATED env var", func() {
+					setEnv("FEATURES_DNS_SERVERCONFIG", "false")
+					flags.EXPECT().Changed(config.FlagFeatureDNSServerConfig).Return(true).AnyTimes()
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+					flags.EXPECT().GetBool(config.FlagFeatureDNSServerConfig).Return(true, nil).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Features.DNS.ServerConfig).Should(BeFalse())
+				})
+			})
+
+			Context("Headers", func() {
+				It("have headers from the config file", func() {
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].RequestHeaders).Should(HaveLen(2))
+					Ω(cfg.Get().Replicas[0].RequestHeaders["FOO"]).Should(Equal("bar"))
+					Ω(cfg.Get().Replicas[0].RequestHeaders["Client-ID"]).Should(Equal("xxxx"))
+				})
+				It("have headers from the config file will be replaced when defined as ENV", func() {
+					setEnv("REPLICA1_REQUEST_HEADERS", "AAA:bbb")
+					flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+					cfg, err := config.Get("../../testdata/config_test_replicas.yaml", flags)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].RequestHeaders).Should(HaveLen(1))
+					Ω(cfg.Get().Replicas[0].RequestHeaders["AAA"]).Should(Equal("bbb"))
+				})
+			})
+		})
+	})
+})
--- a/pkg/config/deprecated_env_test.go
+++ b/pkg/config/deprecated_env_test.go
@@ -0,0 +1,139 @@
+package config_test
+
+import (
+	"fmt"
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/bakito/adguardhome-sync/pkg/config"
+)
+
+var envVars = []string{
+	"FEATURES_GENERAL_SETTINGS",
+	"FEATURES_QUERY_LOG_CONFIG",
+	"FEATURES_STATS_CONFIG",
+	"FEATURES_CLIENT_SETTINGS",
+	"FEATURES_SERVICES",
+	"FEATURES_FILTERS",
+	"FEATURES_THEME",
+	"FEATURES_DHCP_SERVER_CONFIG",
+	"FEATURES_DHCP_STATIC_LEASES",
+	"FEATURES_DNS_SERVER_CONFIG",
+	"FEATURES_DNS_ACCESS_LISTS",
+	"FEATURES_DNS_REWRITES",
+	"REPLICA1_INTERFACE_NAME",
+	"REPLICA1_DHCP_SERVER_ENABLED",
+}
+
+var deprecatedEnvVars = []string{
+	"FEATURES_GENERALSETTINGS",
+	"FEATURES_QUERYLOGCONFIG",
+	"FEATURES_STATSCONFIG",
+	"FEATURES_CLIENTSETTINGS",
+	"FEATURES_SERVICES",
+	"FEATURES_FILTERS",
+	"FEATURES_DHCP_SERVERCONFIG",
+	"FEATURES_DHCP_STATICLEASES",
+	"FEATURES_DNS_SERVERCONFIG",
+	"FEATURES_DNS_ACCESSLISTS",
+	"FEATURES_DNS_REWRITES",
+	"REPLICA1_INTERFACENAME",
+	"REPLICA1_DHCPSERVERENABLED",
+}
+
+var _ = Describe("Config", func() {
+	Context("deprecated", func() {
+		BeforeEach(func() {
+			for _, envVar := range deprecatedEnvVars {
+				Ω(os.Setenv(envVar, "false")).ShouldNot(HaveOccurred())
+			}
+		})
+		AfterEach(func() {
+			for _, envVar := range deprecatedEnvVars {
+				Ω(os.Unsetenv(envVar)).ShouldNot(HaveOccurred())
+			}
+		})
+		Context("Get", func() {
+			It("features should be false", func() {
+				cfg, err := config.Get("", nil)
+				Ω(err).ShouldNot(HaveOccurred())
+				verifyFeatures(cfg, false)
+			})
+		})
+	})
+	Context("current", func() {
+		BeforeEach(func() {
+			for _, envVar := range envVars {
+				Ω(os.Unsetenv(envVar)).ShouldNot(HaveOccurred())
+			}
+		})
+		AfterEach(func() {
+			for _, envVar := range envVars {
+				Ω(os.Unsetenv(envVar)).ShouldNot(HaveOccurred())
+			}
+		})
+		Context("Get", func() {
+			It("features should be true by default", func() {
+				cfg, err := config.Get("", nil)
+				Ω(err).ShouldNot(HaveOccurred())
+				verifyFeatures(cfg, true)
+			})
+			It("features should be true by default", func() {
+				cfg, err := config.Get("", nil)
+				Ω(err).ShouldNot(HaveOccurred())
+				verifyFeatures(cfg, true)
+			})
+			It("features should be false", func() {
+				for _, envVar := range envVars {
+					Ω(os.Setenv(envVar, "false")).ShouldNot(HaveOccurred())
+				}
+				cfg, err := config.Get("", nil)
+				Ω(err).ShouldNot(HaveOccurred())
+				verifyFeatures(cfg, false)
+			})
+			Context("interface name", func() {
+				It("should set interface name of replica 1", func() {
+					Ω(os.Setenv("REPLICA1_URL", "https://foo.bar")).ShouldNot(HaveOccurred())
+					Ω(os.Setenv(fmt.Sprintf("REPLICA%s_INTERFACE_NAME", "1"), "eth0")).ShouldNot(HaveOccurred())
+					cfg, err := config.Get("", nil)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].InterfaceName).Should(Equal("eth0"))
+				})
+			})
+			Context("dhcp server", func() {
+				It("should enable the dhcp server of replica 1", func() {
+					Ω(os.Setenv("REPLICA1_URL", "https://foo.bar")).ShouldNot(HaveOccurred())
+					Ω(os.Setenv(fmt.Sprintf("REPLICA%s_DHCPSERVERENABLED", "1"), "true")).ShouldNot(HaveOccurred())
+					cfg, err := config.Get("", nil)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].DHCPServerEnabled).ShouldNot(BeNil())
+					Ω(*cfg.Get().Replicas[0].DHCPServerEnabled).Should(BeTrue())
+				})
+				It("should disable the dhcp server of replica 1", func() {
+					Ω(os.Setenv("REPLICA1_URL", "https://foo.bar")).ShouldNot(HaveOccurred())
+					Ω(os.Setenv(fmt.Sprintf("REPLICA%s_DHCPSERVERENABLED", "1"), "false")).ShouldNot(HaveOccurred())
+					cfg, err := config.Get("", nil)
+					Ω(err).ShouldNot(HaveOccurred())
+					Ω(cfg.Get().Replicas[0].DHCPServerEnabled).ShouldNot(BeNil())
+					Ω(*cfg.Get().Replicas[0].DHCPServerEnabled).Should(BeFalse())
+				})
+			})
+		})
+	})
+})
+
+func verifyFeatures(cfg *config.AppConfig, value bool) {
+	Ω(cfg.Get().Features.GeneralSettings).Should(Equal(value))
+	Ω(cfg.Get().Features.QueryLogConfig).Should(Equal(value))
+	Ω(cfg.Get().Features.StatsConfig).Should(Equal(value))
+	Ω(cfg.Get().Features.ClientSettings).Should(Equal(value))
+	Ω(cfg.Get().Features.Services).Should(Equal(value))
+	Ω(cfg.Get().Features.Filters).Should(Equal(value))
+	Ω(cfg.Get().Features.DHCP.ServerConfig).Should(Equal(value))
+	Ω(cfg.Get().Features.DHCP.StaticLeases).Should(Equal(value))
+	Ω(cfg.Get().Features.DNS.ServerConfig).Should(Equal(value))
+	Ω(cfg.Get().Features.DNS.AccessLists).Should(Equal(value))
+	Ω(cfg.Get().Features.DNS.Rewrites).Should(Equal(value))
+}
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -0,0 +1,146 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/caarlos0/env/v11"
+
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+func handleDeprecatedEnvVars(cfg *types.Config) {
+	if val, ok := checkDeprecatedEnvVar("RUNONSTART", "RUN_ON_START"); ok {
+		cfg.RunOnStart, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("API_DARKMODE", "API_DARK_MODE"); ok {
+		cfg.API.DarkMode, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_GENERALSETTINGS", "FEATURES_GENERAL_SETTINGS"); ok {
+		cfg.Features.GeneralSettings, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_QUERYLOGCONFIG", "FEATURES_QUERY_LOG_CONFIG"); ok {
+		cfg.Features.QueryLogConfig, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_STATSCONFIG", "FEATURES_STATS_CONFIG"); ok {
+		cfg.Features.StatsConfig, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_CLIENTSETTINGS", "FEATURES_CLIENT_SETTINGS"); ok {
+		cfg.Features.ClientSettings, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_DHCP_SERVERCONFIG", "FEATURES_DHCP_SERVER_CONFIG"); ok {
+		cfg.Features.DHCP.ServerConfig, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_DHCP_STATICLEASES", "FEATURES_DHCP_STATIC_LEASES"); ok {
+		cfg.Features.DHCP.StaticLeases, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_DNS_ACCESSLISTS", "FEATURES_DNS_ACCESS_LISTS"); ok {
+		cfg.Features.DNS.AccessLists, _ = strconv.ParseBool(val)
+	}
+	if val, ok := checkDeprecatedEnvVar("FEATURES_DNS_SERVERCONFIG", "FEATURES_DNS_SERVER_CONFIG"); ok {
+		cfg.Features.DNS.ServerConfig, _ = strconv.ParseBool(val)
+	}
+
+	if cfg.Replica != nil {
+		if val, ok := checkDeprecatedEnvVar("REPLICA_WEBURL", "REPLICA_WEB_URL"); ok {
+			cfg.Replica.WebURL = val
+		}
+		if val, ok := checkDeprecatedEnvVar("REPLICA_AUTOSETUP", "REPLICA_AUTO_SETUP"); ok {
+			cfg.Replica.AutoSetup, _ = strconv.ParseBool(val)
+		}
+		if val, ok := checkDeprecatedEnvVar("REPLICA_INTERFACENAME", "REPLICA_INTERFACE_NAME"); ok {
+			cfg.Replica.InterfaceName = val
+		}
+		if val, ok := checkDeprecatedEnvVar("REPLICA_DHCPSERVERENABLED", "REPLICA_DHCP_SERVER_ENABLED"); ok {
+			if b, err := strconv.ParseBool(val); err != nil {
+				cfg.Replica.DHCPServerEnabled = utils.Ptr(b)
+			}
+		}
+	}
+}
+
+func checkDeprecatedEnvVar(oldName, newName string) (string, bool) {
+	old, oldOK := os.LookupEnv(oldName)
+	if oldOK {
+		logger.With("deprecated", oldName, "replacement", newName).
+			Warn("Deprecated env variable is used, please use the correct one")
+	}
+	newVal, newOK := os.LookupEnv(newName)
+	if newOK {
+		return newVal, true
+	}
+	return old, oldOK
+}
+
+func checkDeprecatedReplicaEnvVar(oldPattern, newPattern string, replicaID int) (string, bool) {
+	return checkDeprecatedEnvVar(fmt.Sprintf(oldPattern, replicaID), fmt.Sprintf(newPattern, replicaID))
+}
+
+// Manually collect replicas from env.
+func enrichReplicasFromEnv(initialReplicas []types.AdGuardInstance) ([]types.AdGuardInstance, error) {
+	var replicas []types.AdGuardInstance
+	for _, v := range os.Environ() {
+		if envReplicasURLPattern.MatchString(v) {
+			sm := envReplicasURLPattern.FindStringSubmatch(v)
+			id, _ := strconv.Atoi(sm[1])
+
+			if id <= 0 {
+				return nil, fmt.Errorf("numbered replica env variables must have a number id >= 1, got %q", v)
+			}
+
+			if id > len(initialReplicas) {
+				replicas = append(replicas, types.AdGuardInstance{URL: sm[2]})
+			} else {
+				re := initialReplicas[id-1]
+				re.URL = sm[2]
+				replicas = append(replicas, re)
+			}
+		}
+	}
+
+	if len(replicas) == 0 {
+		replicas = initialReplicas
+	}
+
+	for i := range replicas {
+		reID := i + 1
+
+		// keep previously set value
+		replicaDhcpServer := replicas[i].DHCPServerEnabled
+		replicas[i].DHCPServerEnabled = nil
+		if err := env.ParseWithOptions(&replicas[i], env.Options{Prefix: fmt.Sprintf("REPLICA%d_", reID)}); err != nil {
+			return nil, err
+		}
+		if replicas[i].DHCPServerEnabled == nil {
+			replicas[i].DHCPServerEnabled = replicaDhcpServer
+		}
+		if val, ok := checkDeprecatedReplicaEnvVar("REPLICA%d_APIPATH", "REPLICA%d_API_PATH", reID); ok {
+			replicas[i].APIPath = val
+		}
+		if val, ok := checkDeprecatedReplicaEnvVar("REPLICA%d_INSECURESKIPVERIFY", "REPLICA%d_INSECURE_SKIP_VERIFY", reID); ok {
+			replicas[i].InsecureSkipVerify = strings.EqualFold(val, "true")
+		}
+		if val, ok := checkDeprecatedReplicaEnvVar("REPLICA%d_AUTOSETUP", "REPLICA%d_AUTO_SETUP", reID); ok {
+			replicas[i].AutoSetup = strings.EqualFold(val, "true")
+		}
+		if val, ok := checkDeprecatedReplicaEnvVar("REPLICA%d_INTERFACENAME", "REPLICA%d_INTERFACE_NAME", reID); ok {
+			replicas[i].InterfaceName = val
+		}
+
+		if dhcpEnabled, ok := checkDeprecatedReplicaEnvVar("REPLICA%d_DHCPSERVERENABLED", "REPLICA%d_DHCP_SERVER_ENABLED", reID); ok {
+			if strings.EqualFold(dhcpEnabled, "true") {
+				replicas[i].DHCPServerEnabled = utils.Ptr(true)
+			} else if strings.EqualFold(dhcpEnabled, "false") {
+				replicas[i].DHCPServerEnabled = utils.Ptr(false)
+			}
+		}
+		if replicas[i].APIPath == "" {
+			replicas[i].APIPath = "/control"
+		}
+	}
+
+	return replicas, nil
+}
--- a/pkg/config/env_test.go
+++ b/pkg/config/env_test.go
@@ -0,0 +1,25 @@
+package config
+
+import (
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Config", func() {
+	Context("env", func() {
+		Context("enrichReplicasFromEnv", func() {
+			It("should have the origin URL from the config env var", func() {
+				_ = os.Setenv("REPLICA0_URL", "https://origin-env:443")
+				defer func() {
+					_ = os.Unsetenv("REPLICA0_URL")
+				}()
+				_, err := enrichReplicasFromEnv(nil)
+
+				Ω(err).Should(HaveOccurred())
+				Ω(err.Error()).Should(ContainSubstring("numbered replica env variables must have a number id >= 1"))
+			})
+		})
+	})
+})
--- a/pkg/config/file.go
+++ b/pkg/config/file.go
@@ -0,0 +1,37 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+func readFile(cfg *types.Config, path string) (string, error) {
+	var content string
+	if _, err := os.Stat(path); err == nil {
+		b, err := os.ReadFile(path)
+		if err != nil {
+			return "", err
+		}
+		content = string(b)
+		if err := yaml.Unmarshal(b, cfg); err != nil {
+			return "", err
+		}
+	}
+	return content, nil
+}
+
+func configFilePath(configFile string) (string, error) {
+	if configFile == "" {
+		// Find home directory.
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return "", err
+		}
+		return filepath.Join(home, ".adguardhome-sync.yaml"), nil
+	}
+	return configFile, nil
+}
--- a/pkg/config/file_test.go
+++ b/pkg/config/file_test.go
@@ -0,0 +1,30 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/google/uuid"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Config", func() {
+	Context("configFilePath", func() {
+		It("should return the same value", func() {
+			path := uuid.NewString()
+			result, err := configFilePath(path)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(result).Should(Equal(path))
+		})
+		It("should the file in HOME dir", func() {
+			home, err := os.UserHomeDir()
+			Ω(err).ShouldNot(HaveOccurred())
+			result, err := configFilePath("")
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(result).Should(Equal(filepath.Join(home, ".adguardhome-sync.yaml")))
+		})
+	})
+})
--- a/pkg/config/flag-names.go
+++ b/pkg/config/flag-names.go
@@ -0,0 +1,45 @@
+package config
+
+const (
+	FlagCron            = "cron"
+	FlagRunOnStart      = "runOnStart"
+	FlagPrintConfigOnly = "printConfigOnly"
+	FlagContinueOnError = "continueOnError"
+
+	FlagAPIPort     = "api-port"
+	FlagAPIUsername = "api-username"
+	FlagAPIPassword = "api-password"
+	FlagAPIDarkMode = "api-dark-mode"
+
+	FlagFeatureDhcpServerConfig = "feature-dhcp-server-config"
+	FlagFeatureDhcpStaticLeases = "feature-dhcp-static-leases"
+	FlagFeatureDNSServerConfig  = "feature-dns-server-config"
+	FlagFeatureDNSAccessLists   = "feature-dns-access-lists"
+	FlagFeatureDNSRewrites      = "feature-dns-rewrites"
+	FlagFeatureGeneral          = "feature-general-settings"
+	FlagFeatureQueryLog         = "feature-query-log-config"
+	FlagFeatureStats            = "feature-stats-config"
+	FlagFeatureClient           = "feature-client-settings"
+	FlagFeatureServices         = "feature-services"
+	FlagFeatureFilters          = "feature-filters"
+	FlagFeatureTLSConfig        = "feature-tls-config"
+
+	FlagOriginURL      = "origin-url"
+	FlagOriginWebURL   = "origin-web-url"
+	FlagOriginAPIPath  = "origin-api-path"
+	FlagOriginUsername = "origin-username"
+
+	FlagOriginPassword = "origin-password"
+	FlagOriginCookie   = "origin-cookie"
+	FlagOriginISV      = "origin-insecure-skip-verify"
+
+	FlagReplicaURL           = "replica-url"
+	FlagReplicaWebURL        = "replica-web-url"
+	FlagReplicaAPIPath       = "replica-api-path"
+	FlagReplicaUsername      = "replica-username"
+	FlagReplicaPassword      = "replica-password"
+	FlagReplicaCookie        = "replica-cookie"
+	FlagReplicaISV           = "replica-insecure-skip-verify"
+	FlagReplicaAutoSetup     = "replica-auto-setup"
+	FlagReplicaInterfaceName = "replica-interface-name"
+)
--- a/pkg/config/flags.go
+++ b/pkg/config/flags.go
@@ -0,0 +1,268 @@
+package config
+
+import (
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+func readFlags(cfg *types.Config, flags Flags) error {
+	if flags == nil {
+		return nil
+	}
+
+	fr := &flagReader{
+		cfg:   cfg,
+		flags: flags,
+	}
+
+	if err := fr.readRootFlags(); err != nil {
+		return err
+	}
+
+	if err := fr.readAPIFlags(); err != nil {
+		return err
+	}
+
+	if err := fr.readFeatureFlags(); err != nil {
+		return err
+	}
+
+	if err := fr.readOriginFlags(); err != nil {
+		return err
+	}
+
+	return fr.readReplicaFlags()
+}
+
+type flagReader struct {
+	cfg   *types.Config
+	flags Flags
+}
+
+func (fr *flagReader) readReplicaFlags() error {
+	if err := fr.setStringFlag(FlagReplicaURL, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.URL = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagReplicaWebURL, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.WebURL = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagReplicaAPIPath, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.APIPath = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagReplicaUsername, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.Username = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagReplicaPassword, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.Password = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagReplicaCookie, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.Cookie = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagReplicaISV, func(cgf *types.Config, value bool) {
+		fr.cfg.Replica.InsecureSkipVerify = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagReplicaAutoSetup, func(cgf *types.Config, value bool) {
+		fr.cfg.Replica.AutoSetup = value
+	}); err != nil {
+		return err
+	}
+	return fr.setStringFlag(FlagReplicaInterfaceName, func(cgf *types.Config, value string) {
+		fr.cfg.Replica.InterfaceName = value
+	})
+}
+
+func (fr *flagReader) readOriginFlags() error {
+	if err := fr.setStringFlag(FlagOriginURL, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.URL = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagOriginWebURL, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.WebURL = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagOriginAPIPath, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.APIPath = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagOriginUsername, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.Username = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagOriginPassword, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.Password = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagOriginCookie, func(cgf *types.Config, value string) {
+		fr.cfg.Origin.Cookie = value
+	}); err != nil {
+		return err
+	}
+	return fr.setBoolFlag(FlagOriginISV, func(cgf *types.Config, value bool) {
+		fr.cfg.Origin.InsecureSkipVerify = value
+	})
+}
+
+func (fr *flagReader) readFeatureFlags() error {
+	if err := fr.setBoolFlag(FlagFeatureDhcpServerConfig, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.DHCP.ServerConfig = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureDhcpStaticLeases, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.DHCP.StaticLeases = value
+	}); err != nil {
+		return err
+	}
+
+	if err := fr.setBoolFlag(FlagFeatureDNSServerConfig, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.DNS.ServerConfig = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureDNSAccessLists, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.DNS.AccessLists = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureDNSRewrites, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.DNS.Rewrites = value
+	}); err != nil {
+		return err
+	}
+
+	if err := fr.setBoolFlag(FlagFeatureGeneral, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.GeneralSettings = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureQueryLog, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.QueryLogConfig = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureStats, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.StatsConfig = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureClient, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.ClientSettings = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureServices, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.Services = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagFeatureFilters, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.Filters = value
+	}); err != nil {
+		return err
+	}
+	return fr.setBoolFlag(FlagFeatureTLSConfig, func(cgf *types.Config, value bool) {
+		fr.cfg.Features.TLSConfig = value
+	})
+}
+
+func (fr *flagReader) readAPIFlags() error {
+	if err := fr.setIntFlag(FlagAPIPort, func(cgf *types.Config, value int) {
+		fr.cfg.API.Port = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagAPIUsername, func(cgf *types.Config, value string) {
+		fr.cfg.API.Username = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setStringFlag(FlagAPIPassword, func(cgf *types.Config, value string) {
+		fr.cfg.API.Password = value
+	}); err != nil {
+		return err
+	}
+	return fr.setBoolFlag(FlagAPIDarkMode, func(cgf *types.Config, value bool) {
+		fr.cfg.API.DarkMode = value
+	})
+}
+
+func (fr *flagReader) readRootFlags() error {
+	if err := fr.setStringFlag(FlagCron, func(cgf *types.Config, value string) {
+		fr.cfg.Cron = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagRunOnStart, func(cgf *types.Config, value bool) {
+		fr.cfg.RunOnStart = value
+	}); err != nil {
+		return err
+	}
+	if err := fr.setBoolFlag(FlagPrintConfigOnly, func(cgf *types.Config, value bool) {
+		fr.cfg.PrintConfigOnly = value
+	}); err != nil {
+		return err
+	}
+	return fr.setBoolFlag(FlagContinueOnError, func(cgf *types.Config, value bool) {
+		fr.cfg.ContinueOnError = value
+	})
+}
+
+type Flags interface {
+	Changed(name string) bool
+	GetString(name string) (string, error)
+	GetInt(name string) (int, error)
+	GetBool(name string) (bool, error)
+}
+
+func (fr *flagReader) setStringFlag(name string, cb callback[string]) (err error) {
+	if fr.flags.Changed(name) {
+		var value string
+		if value, err = fr.flags.GetString(name); err != nil {
+			return err
+		}
+		cb(fr.cfg, value)
+	}
+	return nil
+}
+
+func (fr *flagReader) setBoolFlag(name string, cb callback[bool]) (err error) {
+	if fr.flags.Changed(name) {
+		var value bool
+		if value, err = fr.flags.GetBool(name); err != nil {
+			return err
+		}
+		cb(fr.cfg, value)
+	}
+	return nil
+}
+
+func (fr *flagReader) setIntFlag(name string, cb callback[int]) (err error) {
+	if fr.flags.Changed(name) {
+		var value int
+		if value, err = fr.flags.GetInt(name); err != nil {
+			return err
+		}
+		cb(fr.cfg, value)
+	}
+	return nil
+}
+
+type callback[T any] func(cgf *types.Config, value T)
--- a/pkg/config/flags_test.go
+++ b/pkg/config/flags_test.go
@@ -0,0 +1,237 @@
+package config
+
+import (
+	"strings"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	gm "go.uber.org/mock/gomock"
+
+	flagsmock "github.com/bakito/adguardhome-sync/pkg/mocks/flags"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+var _ = Describe("Config", func() {
+	var (
+		cfg      *types.Config
+		flags    *flagsmock.MockFlags
+		mockCtrl *gm.Controller
+	)
+	BeforeEach(func() {
+		cfg = &types.Config{
+			Origin:  &types.AdGuardInstance{},
+			Replica: &types.AdGuardInstance{},
+			Features: types.Features{
+				DNS: types.DNS{
+					AccessLists:  true,
+					ServerConfig: true,
+					Rewrites:     true,
+				},
+				DHCP: types.DHCP{
+					ServerConfig: true,
+					StaticLeases: true,
+				},
+				GeneralSettings: true,
+				QueryLogConfig:  true,
+				StatsConfig:     true,
+				ClientSettings:  true,
+				Services:        true,
+				Filters:         true,
+			},
+		}
+		mockCtrl = gm.NewController(GinkgoT())
+		flags = flagsmock.NewMockFlags(mockCtrl)
+	})
+	AfterEach(func() {
+		defer mockCtrl.Finish()
+	})
+	Context("readFlags", func() {
+		It("should not change the config with nil flags", func() {
+			clone := cfg.DeepCopy()
+			err := readFlags(cfg, nil)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg).Should(Equal(clone))
+		})
+		It("should not change the config with no changed flags", func() {
+			clone := cfg.DeepCopy()
+			flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg).Should(Equal(clone))
+		})
+	})
+	Context("readFeatureFlags", func() {
+		It("should disable all flags", func() {
+			flags.EXPECT().Changed(gm.Any()).DoAndReturn(func(name string) bool {
+				return strings.HasPrefix(name, "feature")
+			}).AnyTimes()
+			flags.EXPECT().GetBool(gm.Any()).Return(false, nil).AnyTimes()
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.Features).Should(Equal(types.Features{
+				DNS: types.DNS{
+					AccessLists:  false,
+					ServerConfig: false,
+					Rewrites:     false,
+				},
+				DHCP: types.DHCP{
+					ServerConfig: false,
+					StaticLeases: false,
+				},
+				GeneralSettings: false,
+				QueryLogConfig:  false,
+				StatsConfig:     false,
+				ClientSettings:  false,
+				Services:        false,
+				Filters:         false,
+			}))
+		})
+	})
+	Context("readAPIFlags", func() {
+		It("should change all values", func() {
+			cfg.API = types.API{
+				Port:     1111,
+				Username: "2222",
+				Password: "3333",
+				DarkMode: false,
+			}
+			flags.EXPECT().Changed(gm.Any()).DoAndReturn(func(name string) bool {
+				return strings.HasPrefix(name, "api")
+			}).AnyTimes()
+			flags.EXPECT().GetInt(FlagAPIPort).Return(9999, nil)
+			flags.EXPECT().GetString(FlagAPIUsername).Return("aaaa", nil)
+			flags.EXPECT().GetString(FlagAPIPassword).Return("bbbb", nil)
+			flags.EXPECT().GetBool(FlagAPIDarkMode).Return(true, nil)
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.API).Should(Equal(types.API{
+				Port:     9999,
+				Username: "aaaa",
+				Password: "bbbb",
+				DarkMode: true,
+			}))
+		})
+	})
+	Context("readRootFlags", func() {
+		It("should change all values", func() {
+			cfg.Cron = "*/10 * * * *"
+			cfg.PrintConfigOnly = false
+			cfg.ContinueOnError = false
+			cfg.RunOnStart = false
+
+			flags.EXPECT().Changed(FlagCron).Return(true)
+			flags.EXPECT().Changed(FlagRunOnStart).Return(true)
+			flags.EXPECT().Changed(FlagPrintConfigOnly).Return(true)
+			flags.EXPECT().Changed(FlagContinueOnError).Return(true)
+			flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+			flags.EXPECT().GetString(FlagCron).Return("*/30 * * * *", nil)
+			flags.EXPECT().GetBool(FlagRunOnStart).Return(true, nil)
+			flags.EXPECT().GetBool(FlagPrintConfigOnly).Return(true, nil)
+			flags.EXPECT().GetBool(FlagContinueOnError).Return(true, nil)
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.Cron).Should(Equal("*/30 * * * *"))
+			Ω(cfg.RunOnStart).Should(BeTrue())
+			Ω(cfg.PrintConfigOnly).Should(BeTrue())
+			Ω(cfg.ContinueOnError).Should(BeTrue())
+		})
+	})
+	Context("readOriginFlags", func() {
+		It("should change all values", func() {
+			cfg.Origin = &types.AdGuardInstance{
+				URL:                "1",
+				WebURL:             "2",
+				APIPath:            "3",
+				Username:           "4",
+				Password:           "5",
+				Cookie:             "6",
+				InsecureSkipVerify: false,
+			}
+
+			flags.EXPECT().Changed(FlagOriginURL).Return(true)
+			flags.EXPECT().Changed(FlagOriginWebURL).Return(true)
+			flags.EXPECT().Changed(FlagOriginAPIPath).Return(true)
+			flags.EXPECT().Changed(FlagOriginUsername).Return(true)
+			flags.EXPECT().Changed(FlagOriginPassword).Return(true)
+			flags.EXPECT().Changed(FlagOriginCookie).Return(true)
+			flags.EXPECT().Changed(FlagOriginISV).Return(true)
+			flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+			flags.EXPECT().GetString(FlagOriginURL).Return("a", nil)
+			flags.EXPECT().GetString(FlagOriginWebURL).Return("b", nil)
+			flags.EXPECT().GetString(FlagOriginAPIPath).Return("c", nil)
+			flags.EXPECT().GetString(FlagOriginUsername).Return("d", nil)
+			flags.EXPECT().GetString(FlagOriginPassword).Return("e", nil)
+			flags.EXPECT().GetString(FlagOriginCookie).Return("f", nil)
+			flags.EXPECT().GetBool(FlagOriginISV).Return(true, nil)
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.Origin).Should(Equal(&types.AdGuardInstance{
+				URL:                "a",
+				WebURL:             "b",
+				APIPath:            "c",
+				Username:           "d",
+				Password:           "e",
+				Cookie:             "f",
+				InsecureSkipVerify: true,
+			}))
+		})
+	})
+	Context("readReplicaFlags", func() {
+		It("should change all values", func() {
+			cfg.Replica = &types.AdGuardInstance{
+				URL:                "1",
+				WebURL:             "2",
+				APIPath:            "3",
+				Username:           "4",
+				Password:           "5",
+				Cookie:             "6",
+				InsecureSkipVerify: false,
+				AutoSetup:          false,
+				InterfaceName:      "7",
+			}
+
+			flags.EXPECT().Changed(FlagReplicaURL).Return(true)
+			flags.EXPECT().Changed(FlagReplicaWebURL).Return(true)
+			flags.EXPECT().Changed(FlagReplicaAPIPath).Return(true)
+			flags.EXPECT().Changed(FlagReplicaUsername).Return(true)
+			flags.EXPECT().Changed(FlagReplicaPassword).Return(true)
+			flags.EXPECT().Changed(FlagReplicaCookie).Return(true)
+			flags.EXPECT().Changed(FlagReplicaISV).Return(true)
+			flags.EXPECT().Changed(FlagReplicaAutoSetup).Return(true)
+			flags.EXPECT().Changed(FlagReplicaInterfaceName).Return(true)
+			flags.EXPECT().Changed(gm.Any()).Return(false).AnyTimes()
+
+			flags.EXPECT().GetString(FlagReplicaURL).Return("a", nil)
+			flags.EXPECT().GetString(FlagReplicaWebURL).Return("b", nil)
+			flags.EXPECT().GetString(FlagReplicaAPIPath).Return("c", nil)
+			flags.EXPECT().GetString(FlagReplicaUsername).Return("d", nil)
+			flags.EXPECT().GetString(FlagReplicaPassword).Return("e", nil)
+			flags.EXPECT().GetString(FlagReplicaCookie).Return("f", nil)
+			flags.EXPECT().GetBool(FlagReplicaISV).Return(true, nil)
+			flags.EXPECT().GetBool(FlagReplicaAutoSetup).Return(true, nil)
+			flags.EXPECT().GetString(FlagReplicaInterfaceName).Return("g", nil)
+			err := readFlags(cfg, flags)
+
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.Replica).Should(Equal(&types.AdGuardInstance{
+				URL:                "a",
+				WebURL:             "b",
+				APIPath:            "c",
+				Username:           "d",
+				Password:           "e",
+				Cookie:             "f",
+				InsecureSkipVerify: true,
+				AutoSetup:          true,
+				InterfaceName:      "g",
+			}))
+		})
+	})
+})
--- a/pkg/config/print-config.go
+++ b/pkg/config/print-config.go
@@ -0,0 +1,89 @@
+package config
+
+import (
+	"bytes"
+	_ "embed"
+	"os"
+	"runtime"
+	"sort"
+	"strings"
+	"text/template"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/version"
+)
+
+//go:embed print-config.md
+var printConfigTemplate string
+
+func (ac *AppConfig) Print() error {
+	originVersion := aghVersion(*ac.cfg.Origin)
+	var replicaVersions []string
+	for _, replica := range ac.cfg.Replicas {
+		replicaVersions = append(replicaVersions, aghVersion(replica))
+	}
+
+	out, err := ac.printInternal(os.Environ(), originVersion, replicaVersions)
+	if err != nil {
+		return err
+	}
+
+	logger.Infof(
+		"Printing adguardhome-sync aggregated config (THE APPLICATION WILL NOT START IN THIS MODE):\n%s",
+		out,
+	)
+
+	return nil
+}
+
+func aghVersion(i types.AdGuardInstance) string {
+	cl, err := client.New(i)
+	if err != nil {
+		return "N/A"
+	}
+	stats, err := cl.Status()
+	if err != nil {
+		return "N/A"
+	}
+	return stats.Version
+}
+
+func (ac *AppConfig) printInternal(env []string, originVersion string, replicaVersions []string) (string, error) {
+	config, err := yaml.Marshal(ac.Get())
+	if err != nil {
+		return "", err
+	}
+
+	funcMap := template.FuncMap{
+		// The name "inc" is what the function will be called in the template text.
+		"inc": func(i int) int {
+			return i + 1
+		},
+	}
+
+	t, err := template.New("printConfigTemplate").Funcs(funcMap).Parse(printConfigTemplate)
+	if err != nil {
+		return "", err
+	}
+
+	sort.Strings(env)
+
+	var buf bytes.Buffer
+
+	err = t.Execute(&buf, map[string]any{
+		"Version":              version.Version,
+		"Build":                version.Build,
+		"OperatingSystem":      runtime.GOOS,
+		"Architecture":         runtime.GOARCH,
+		"AggregatedConfig":     string(config),
+		"ConfigFilePath":       ac.filePath,
+		"ConfigFileContent":    ac.content,
+		"EnvironmentVariables": strings.Join(env, "\n"),
+		"OriginVersion":        originVersion,
+		"ReplicaVersions":      replicaVersions,
+	})
+	return buf.String(), err
+}
--- a/pkg/config/print-config.md
+++ b/pkg/config/print-config.md
@@ -0,0 +1,36 @@
+<!-- PLEASE COPY THE FOLLOWING OUTPUT AS IS INTO THE GITHUB ISSUE (Don't forget to mask your usernames, passwords, IPs and other sensitive information when using this in an issue ) -->
+
+### Runtime
+
+AdguardHome-Sync Version: {{ .Version }}
+Build: {{ .Build }}
+OperatingSystem: {{ .OperatingSystem }}
+Architecture: {{ .Architecture }}
+OriginVersion: {{ .OriginVersion }}
+ReplicaVersions:
+{{- range $i,$rep := .ReplicaVersions }}
+- Replica {{ inc $i }}: {{ $rep }}
+{{- end }}
+
+### AdGuardHome sync aggregated config
+
+```yaml
+{{ .AggregatedConfig }}
+```
+{{- if .ConfigFilePath }}
+### AdGuardHome sync unmodified config file
+
+Config file path: {{ .ConfigFilePath }}
+
+```yaml
+{{ .ConfigFileContent }}
+```
+{{- end }}
+
+### Environment Variables
+
+```ini
+{{ .EnvironmentVariables }}
+```
+
+<!-- END OF GITHUB ISSUE CONTENT -->
--- a/pkg/config/print-config_test.go
+++ b/pkg/config/print-config_test.go
@@ -0,0 +1,60 @@
+package config
+
+import (
+	_ "embed"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/bakito/adguardhome-sync/pkg/test/matchers"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/version"
+)
+
+var _ = Describe("AppConfig", func() {
+	var (
+		ac  *AppConfig
+		env []string
+	)
+	BeforeEach(func() {
+		ac = &AppConfig{
+			cfg: &types.Config{
+				Origin: &types.AdGuardInstance{
+					URL: "https://ha.xxxx.net:3000",
+				},
+			},
+			content: `
+origin:
+  url: https://ha.xxxx.net:3000
+`,
+		}
+		env = []string{"FOO=foo", "BAR=bar"}
+	})
+	Context("printInternal", func() {
+		It("should printInternal config without file", func() {
+			out, err := ac.printInternal(env, "v0.0.1", []string{"v0.0.2"})
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(out).
+				Should(matchers.EqualIgnoringLineEndings(fmt.Sprintf(expected(1), version.Version, version.Build, runtime.GOOS, runtime.GOARCH)))
+		})
+		It("should printInternal config with file", func() {
+			ac.filePath = "config.yaml"
+			out, err := ac.printInternal(env, "v0.0.1", []string{"v0.0.2"})
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(out).
+				Should(matchers.EqualIgnoringLineEndings(fmt.Sprintf(expected(2), version.Version, version.Build, runtime.GOOS, runtime.GOARCH)))
+		})
+	})
+})
+
+func expected(id int) string {
+	b, err := os.ReadFile(
+		filepath.Join("..", "..", "testdata", "config", fmt.Sprintf("print-config_test_expected%d.md", id)),
+	)
+	Ω(err).ShouldNot(HaveOccurred())
+	return string(b)
+}
--- a/pkg/config/validate.go
+++ b/pkg/config/validate.go
@@ -0,0 +1,59 @@
+package config
+
+import (
+	_ "embed"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/santhosh-tekuri/jsonschema/v6"
+	"gopkg.in/yaml.v3"
+)
+
+const schemaURL = "config-schema.json"
+
+//go:embed config-schema.json
+var schemaData string
+
+func validateSchema(cfgFile string) error {
+	// ignore if file not exists
+	if _, err := os.Stat(cfgFile); err != nil {
+		// Config file does not exist or is not readable - ignore it
+		//nolint:nilerr
+		return nil
+	}
+	// Load YAML file
+	yamlContent, err := os.ReadFile(cfgFile)
+	if err != nil {
+		return fmt.Errorf("config file %q is invalid: %w", cfgFile, err)
+	}
+
+	return validateYAML(yamlContent)
+}
+
+func validateYAML(yamlContent []byte) error {
+	if yamlContent == nil || strings.TrimSpace(string(yamlContent)) == "" {
+		return nil
+	}
+
+	// Convert YAML to JSON
+	var yamlData any
+	err := yaml.Unmarshal(yamlContent, &yamlData)
+	if err != nil {
+		return err
+	}
+
+	// Load JSON schema
+	sch, err := jsonschema.UnmarshalJSON(strings.NewReader(schemaData))
+	if err != nil {
+		return err
+	}
+
+	c := jsonschema.NewCompiler()
+	if err := c.AddResource(schemaURL, sch); err != nil {
+		return err
+	}
+	schema := c.MustCompile(schemaURL)
+	// validateSchema
+	return schema.Validate(yamlData)
+}
--- a/pkg/config/validate_test.go
+++ b/pkg/config/validate_test.go
@@ -0,0 +1,45 @@
+package config
+
+import (
+	"github.com/go-faker/faker/v4"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"gopkg.in/yaml.v3"
+
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+var _ = Describe("Config", func() {
+	Context("validateSchema", func() {
+		DescribeTable("validateSchema config",
+			func(configFile string, expectFail bool) {
+				err := validateSchema(configFile)
+				if expectFail {
+					Ω(err).Should(HaveOccurred())
+				} else {
+					Ω(err).ShouldNot(HaveOccurred())
+				}
+			},
+			Entry(`Should be valid`, "../../testdata/config/config-valid.yaml", false),
+			Entry(`Should be valid if file doesn't exist`, "../../testdata/config/foo.bar", false),
+			Entry(`Should fail if file is not yaml`, "../../go.mod", true),
+		)
+		It("validate config with all fields randomly populated", func() {
+			cfg := &types.Config{}
+
+			err := faker.FakeData(cfg)
+			Ω(err).ShouldNot(HaveOccurred())
+
+			data, err := yaml.Marshal(&cfg)
+			Ω(err).ShouldNot(HaveOccurred())
+
+			err = validateYAML(data)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("validate config with empty file", func() {
+			var data []byte
+			err := validateYAML(data)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+	})
+})
--- a/pkg/log/log.go
+++ b/pkg/log/log.go
@@ -1,12 +1,24 @@
 package log

 import (
+	"os"
+
 	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 )

-var rootLogger *zap.Logger
+const (
+	logHistorySize = 50
+	envLogLevel    = "LOG_LEVEL"
+	envLogFormat   = "LOG_FORMAT"
+)

-// GetLogger returns a named logger
+var (
+	rootLogger *zap.Logger
+	logs       []string
+)
+
+// GetLogger returns a named logger.
 func GetLogger(name string) *zap.SugaredLogger {
 	return rootLogger.Named(name).Sugar()
 }
@@ -14,15 +26,93 @@ func GetLogger(name string) *zap.SugaredLogger {
 func init() {
 	level := zap.InfoLevel

+	if lvl, ok := os.LookupEnv(envLogLevel); ok {
+		if err := level.Set(lvl); err != nil {
+			panic(err)
+		}
+	}
+
+	format := "console"
+	if fmt, ok := os.LookupEnv(envLogFormat); ok {
+		format = fmt
+	}
+
 	cfg := zap.Config{
 		Level:            zap.NewAtomicLevelAt(level),
 		Development:      false,
-		Encoding:         "console",
-		EncoderConfig:    zap.NewDevelopmentEncoderConfig(),
+		Encoding:         format,
+		EncoderConfig:    zap.NewProductionEncoderConfig(),
 		OutputPaths:      []string{"stdout"},
 		ErrorOutputPaths: []string{"stderr"},
 	}
+	cfg.EncoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder
+	cfg.EncoderConfig.EncodeDuration = zapcore.StringDurationEncoder
+	cfg.EncoderConfig.EncodeLevel = zapcore.CapitalLevelEncoder

-	rootLogger, _ = cfg.Build()
-	rootLogger.Sugar()
+	opt := zap.WrapCore(func(c zapcore.Core) zapcore.Core {
+		return zapcore.NewTee(c, &logList{
+			enc:          zapcore.NewConsoleEncoder(cfg.EncoderConfig),
+			LevelEnabler: cfg.Level,
+		})
+	})
+
+	rootLogger, _ = cfg.Build(opt)
+}
+
+type logList struct {
+	zapcore.LevelEnabler
+	enc zapcore.Encoder
+}
+
+func (l *logList) clone() *logList {
+	return &logList{
+		LevelEnabler: l.LevelEnabler,
+		enc:          l.enc.Clone(),
+	}
+}
+
+func (l *logList) With(fields []zapcore.Field) zapcore.Core {
+	clone := l.clone()
+	addFields(clone.enc, fields)
+	return clone
+}
+
+func (l *logList) Check(ent zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
+	if l.Enabled(ent.Level) {
+		return ce.AddCore(ent, l)
+	}
+	return ce
+}
+
+func (l *logList) Write(ent zapcore.Entry, fields []zapcore.Field) error {
+	buf, err := l.enc.EncodeEntry(ent, fields)
+	if err != nil {
+		return err
+	}
+	logs = append(logs, buf.String())
+
+	if len(logs) > logHistorySize {
+		logs = logs[len(logs)-logHistorySize:]
+	}
+	return nil
+}
+
+func (l *logList) Sync() error {
+	return nil
+}
+
+// Logs get the current logs.
+func Logs() []string {
+	return logs
+}
+
+// Clear  the current logs.
+func Clear() {
+	logs = nil
+}
+
+func addFields(enc zapcore.ObjectEncoder, fields []zapcore.Field) {
+	for i := range fields {
+		fields[i].AddTo(enc)
+	}
 }
--- a/pkg/metrics/handler.go
+++ b/pkg/metrics/handler.go
@@ -0,0 +1,14 @@
+package metrics
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+func Handler() gin.HandlerFunc {
+	h := promhttp.Handler()
+
+	return func(c *gin.Context) {
+		h.ServeHTTP(c.Writer, c.Request)
+	}
+}
--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@@ -0,0 +1,297 @@
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/log"
+)
+
+const StatsTotal = "total"
+
+var (
+	l = log.GetLogger("metrics")
+
+	// avgProcessingTime - Average processing time for a DNS query.
+	avgProcessingTime = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "avg_processing_time",
+			Namespace: "adguard",
+			Help:      "This represent the average processing time for a DNS query in s",
+		},
+		[]string{"hostname"},
+	)
+
+	// dnsQueries - Number of DNS queries.
+	dnsQueries = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "num_dns_queries",
+			Namespace: "adguard",
+			Help:      "Number of DNS queries",
+		},
+		[]string{"hostname"},
+	)
+
+	// blockedFiltering - Number of DNS queries blocked.
+	blockedFiltering = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "num_blocked_filtering",
+			Namespace: "adguard",
+			Help:      "This represent the number of domains blocked",
+		},
+		[]string{"hostname"},
+	)
+
+	// parentalFiltering - Number of DNS queries replaced by parental control.
+	parentalFiltering = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "num_replaced_parental",
+			Namespace: "adguard",
+			Help:      "This represent the number of domains blocked (parental)",
+		},
+		[]string{"hostname"},
+	)
+
+	// safeBrowsingFiltering - Number of DNS queries replaced by safe browsing.
+	safeBrowsingFiltering = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "num_replaced_safebrowsing",
+			Namespace: "adguard",
+			Help:      "This represent the number of domains blocked (safe browsing)",
+		},
+		[]string{"hostname"},
+	)
+
+	// safeSearchFiltering - Number of DNS queries replaced by safe search.
+	safeSearchFiltering = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "num_replaced_safesearch",
+			Namespace: "adguard",
+			Help:      "This represent the number of domains blocked (safe search)",
+		},
+		[]string{"hostname"},
+	)
+
+	// topQueries - The number of top queries.
+	topQueries = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "top_queried_domains",
+			Namespace: "adguard",
+			Help:      "This represent the top queried domains",
+		},
+		[]string{"hostname", "domain"},
+	)
+
+	// topBlocked - The number of top domains blocked.
+	topBlocked = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "top_blocked_domains",
+			Namespace: "adguard",
+			Help:      "This represent the top bloacked domains",
+		},
+		[]string{"hostname", "domain"},
+	)
+
+	// topClients - The number of top clients.
+	topClients = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "top_clients",
+			Namespace: "adguard",
+			Help:      "This represent the top clients",
+		},
+		[]string{"hostname", "client"},
+	)
+
+	// queryTypes - The type of DNS Queries (A, AAAA...)
+	queryTypes = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "query_types",
+			Namespace: "adguard",
+			Help:      "This represent the DNS query types",
+		},
+		[]string{"hostname", "type"},
+	)
+
+	// running - If Adguard is running.
+	running = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "running",
+			Namespace: "adguard",
+			Help:      "This represent if Adguard is running",
+		},
+		[]string{"hostname"},
+	)
+
+	// protectionEnabled - If Adguard protection is enabled.
+	protectionEnabled = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "protection_enabled",
+			Namespace: "adguard",
+			Help:      "This represent if Adguard Protection is enabled",
+		},
+		[]string{"hostname"},
+	)
+	// aghsSyncDuration - the sync curation in seconds.
+	aghsSyncDuration = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "sync_duration_seconds",
+			Namespace: "adguard_home_sync",
+			Help:      "This represents the duration of the last sync in seconds",
+		},
+		[]string{"hostname"},
+	)
+	// aghsSyncSuccessful - the sync result.
+	aghsSyncSuccessful = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name:      "sync_successful",
+			Namespace: "adguard_home_sync",
+			Help:      "This represents the whether the last sync was successful",
+		},
+		[]string{"hostname"},
+	)
+	stats = OverallStats{}
+)
+
+// Init initializes all Prometheus metrics made available by AdGuard  exporter.
+func Init() {
+	initMetric("avg_processing_time", avgProcessingTime)
+	initMetric("num_dns_queries", dnsQueries)
+	initMetric("num_blocked_filtering", blockedFiltering)
+	initMetric("num_replaced_parental", parentalFiltering)
+	initMetric("num_replaced_safebrowsing", safeBrowsingFiltering)
+	initMetric("num_replaced_safesearch", safeSearchFiltering)
+	initMetric("top_queried_domains", topQueries)
+	initMetric("top_blocked_domains", topBlocked)
+	initMetric("top_clients", topClients)
+	initMetric("query_types", queryTypes)
+	initMetric("running", running)
+	initMetric("protection_enabled", protectionEnabled)
+	initMetric("sync_duration_seconds", aghsSyncDuration)
+	initMetric("sync_successful", aghsSyncSuccessful)
+}
+
+func initMetric(name string, metric *prometheus.GaugeVec) {
+	prometheus.MustRegister(metric)
+	l.With("name", name).Info("New Prometheus metric registered")
+}
+
+func UpdateInstances(iml InstanceMetricsList) {
+	for _, im := range iml.Metrics {
+		updateMetrics(im)
+		stats[im.HostName] = im.Stats
+	}
+
+	l.Debug("updated")
+}
+
+func UpdateResult(host string, ok bool, duration float64) {
+	if ok {
+		aghsSyncSuccessful.WithLabelValues(host).Set(1)
+	} else {
+		aghsSyncSuccessful.WithLabelValues(host).Set(0)
+	}
+	aghsSyncDuration.WithLabelValues(host).Set(duration)
+}
+
+func updateMetrics(im InstanceMetrics) {
+	// Status
+	isRunning := 0
+	if im.Status.Running {
+		isRunning = 1
+	}
+	running.WithLabelValues(im.HostName).Set(float64(isRunning))
+
+	isProtected := 0
+	if im.Status.ProtectionEnabled {
+		isProtected = 1
+	}
+	protectionEnabled.WithLabelValues(im.HostName).Set(float64(isProtected))
+
+	// Stats
+	avgProcessingTime.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.AvgProcessingTime))
+	dnsQueries.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.NumDnsQueries))
+	blockedFiltering.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.NumBlockedFiltering))
+	parentalFiltering.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.NumReplacedParental))
+	safeBrowsingFiltering.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.NumReplacedSafebrowsing))
+	safeSearchFiltering.WithLabelValues(im.HostName).Set(safeMetric(im.Stats.NumReplacedSafesearch))
+
+	if im.Stats.TopQueriedDomains != nil {
+		for _, tq := range *im.Stats.TopQueriedDomains {
+			for domain, value := range tq.AdditionalProperties {
+				topQueries.WithLabelValues(im.HostName, domain).Set(float64(value))
+			}
+		}
+	}
+	if im.Stats.TopBlockedDomains != nil {
+		for _, tb := range *im.Stats.TopBlockedDomains {
+			for domain, value := range tb.AdditionalProperties {
+				topBlocked.WithLabelValues(im.HostName, domain).Set(float64(value))
+			}
+		}
+	}
+	if im.Stats.TopClients != nil {
+		for _, tc := range *im.Stats.TopClients {
+			for source, value := range tc.AdditionalProperties {
+				topClients.WithLabelValues(im.HostName, source).Set(float64(value))
+			}
+		}
+	}
+
+	// LogQuery
+	m := make(map[string]int)
+	if im.QueryLog != nil && im.QueryLog.Data != nil {
+		logdata := *im.QueryLog.Data
+		for _, ld := range logdata {
+			if ld.Answer != nil {
+				dnsanswer := *ld.Answer
+				if len(dnsanswer) > 0 {
+					for _, dnsa := range dnsanswer {
+						dnsType := *dnsa.Type
+						m[dnsType]++
+					}
+				}
+			}
+		}
+	}
+
+	for key, value := range m {
+		queryTypes.WithLabelValues(im.HostName, key).Set(float64(value))
+	}
+}
+
+type InstanceMetricsList struct {
+	Metrics []InstanceMetrics `faker:"slice_len=5"`
+}
+
+type InstanceMetrics struct {
+	HostName string
+	Status   *model.ServerStatus
+	Stats    *model.Stats
+	QueryLog *model.QueryLog
+}
+
+type OverallStats map[string]*model.Stats
+
+func (os OverallStats) consolidate() OverallStats {
+	consolidated := OverallStats{StatsTotal: model.NewStats()}
+	for host, stats := range os {
+		consolidated[host] = stats
+		consolidated[StatsTotal].Add(stats)
+	}
+	return consolidated
+}
+
+func safeMetric[T int | float64 | float32](v *T) float64 {
+	if v == nil {
+		return 0
+	}
+	return float64(*v)
+}
+
+func getStats() OverallStats {
+	return stats.consolidate()
+}
+
+func (os OverallStats) Total() *model.Stats {
+	return os[StatsTotal]
+}
--- a/pkg/metrics/metrics_suite_test.go
+++ b/pkg/metrics/metrics_suite_test.go
@@ -0,0 +1,13 @@
+package metrics_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestSync(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Metrics Suite")
+}
--- a/pkg/metrics/metrics_test.go
+++ b/pkg/metrics/metrics_test.go
@@ -0,0 +1,102 @@
+package metrics
+
+import (
+	"github.com/go-faker/faker/v4"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"k8s.io/utils/ptr"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+)
+
+var _ = Describe("Metrics", func() {
+	BeforeEach(func() {
+		stats = make(OverallStats)
+	})
+	Context("UpdateInstances / getStats", func() {
+		It("generate correct stats", func() {
+			UpdateInstances(InstanceMetricsList{[]InstanceMetrics{
+				{HostName: "foo", Status: &model.ServerStatus{}, Stats: &model.Stats{
+					NumDnsQueries: ptr.To(100),
+					DnsQueries: ptr.To(
+						[]int{10, 20, 30, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+					),
+				}},
+				{HostName: "bar", Status: &model.ServerStatus{}, Stats: &model.Stats{
+					NumDnsQueries: ptr.To(200),
+					DnsQueries: ptr.To(
+						[]int{20, 40, 60, 80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+					),
+				}},
+				{HostName: "aaa", Status: &model.ServerStatus{}, Stats: &model.Stats{
+					NumDnsQueries: ptr.To(300),
+					DnsQueries: ptr.To(
+						[]int{30, 60, 90, 120, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+					),
+				}},
+			}})
+			Ω(stats).Should(HaveKey("foo"))
+			Ω(stats["foo"].NumDnsQueries).Should(Equal(ptr.To(100)))
+			Ω(stats).Should(HaveKey("bar"))
+			Ω(stats["bar"].NumDnsQueries).Should(Equal(ptr.To(200)))
+			Ω(stats).Should(HaveKey("aaa"))
+			Ω(stats["aaa"].NumDnsQueries).Should(Equal(ptr.To(300)))
+
+			os := getStats()
+			tot := os.Total()
+			Ω(*tot.NumDnsQueries).Should(Equal(600))
+			Ω(
+				*tot.DnsQueries,
+			).Should(Equal([]int{60, 120, 180, 240, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}))
+
+			foo := os["foo"]
+			bar := os["bar"]
+			aaa := os["aaa"]
+
+			Ω(*foo.NumDnsQueries).Should(Equal(100))
+			Ω(*bar.NumDnsQueries).Should(Equal(200))
+			Ω(*aaa.NumDnsQueries).Should(Equal(300))
+			Ω(
+				*foo.DnsQueries,
+			).Should(Equal([]int{10, 20, 30, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}))
+			Ω(
+				*bar.DnsQueries,
+			).Should(Equal([]int{20, 40, 60, 80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}))
+			Ω(
+				*aaa.DnsQueries,
+			).Should(Equal([]int{30, 60, 90, 120, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}))
+		})
+	})
+	Context("StatsGraph", func() {
+		var metrics InstanceMetricsList
+		BeforeEach(func() {
+			err := faker.FakeData(&metrics)
+			Ω(err).ShouldNot(HaveOccurred())
+		})
+		It("should provide correct results with faked values", func() {
+			UpdateInstances(metrics)
+
+			_, dns, blocked, malware, adult := StatsGraph()
+
+			verifyStats(dns)
+			verifyStats(blocked)
+			verifyStats(malware)
+			verifyStats(adult)
+		})
+	})
+})
+
+func verifyStats(lines []Line) {
+	var total Line
+	sum := make([]int, len(lines[0].Data))
+	for _, l := range lines {
+		if l.Title == labelTotal {
+			total = l
+		} else {
+			for i, d := range l.Data {
+				sum[i] += d
+			}
+		}
+	}
+	Ω(sum).Should(Equal(total.Data))
+}
--- a/pkg/metrics/stats.go
+++ b/pkg/metrics/stats.go
@@ -0,0 +1,130 @@
+package metrics
+
+import (
+	"slices"
+	"strings"
+
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+)
+
+const labelTotal = "Total"
+
+var (
+	blue             = []int{78, 141, 245}
+	blueAlternatives = [][]int{
+		{44, 95, 163},
+		{122, 166, 247},
+		{30, 61, 92},
+		{93, 158, 255},
+		{58, 123, 213},
+	}
+
+	red             = []int{255, 94, 94}
+	redAlternatives = [][]int{
+		{204, 59, 59},
+		{255, 127, 127},
+		{140, 36, 36},
+		{255, 153, 153},
+		{255, 66, 66},
+	}
+
+	yellow             = []int{232, 198, 78}
+	yellowAlternatives = [][]int{
+		{196, 163, 60},
+		{255, 220, 110},
+		{140, 114, 36},
+		{250, 233, 156},
+		{212, 180, 84},
+	}
+
+	green             = []int{110, 224, 122}
+	greenAlternatives = [][]int{
+		{68, 160, 80},
+		{142, 255, 158},
+		{44, 140, 63},
+		{163, 255, 192},
+		{85, 198, 102},
+	}
+)
+
+func StatsGraph() (t *model.Stats, dns, blocked, malware, adult []Line) {
+	s := getStats()
+	t = s.Total()
+	dns = graphLines(t, s, blue, blueAlternatives, func(s *model.Stats) []int {
+		return safeStats(s.DnsQueries)
+	})
+	blocked = graphLines(t, s, red, redAlternatives, func(s *model.Stats) []int {
+		return safeStats(s.BlockedFiltering)
+	})
+	malware = graphLines(t, s, green, greenAlternatives, func(s *model.Stats) []int {
+		return safeStats(s.ReplacedSafebrowsing)
+	})
+	adult = graphLines(t, s, yellow, yellowAlternatives, func(s *model.Stats) []int {
+		return safeStats(s.ReplacedParental)
+	})
+
+	return t, dns, blocked, malware, adult
+}
+
+func safeStats(stats *[]int) []int {
+	if stats == nil {
+		return make([]int, 0)
+	}
+	return *stats
+}
+
+func graphLines(
+	t *model.Stats,
+	s OverallStats,
+	baseColor []int,
+	altColors [][]int,
+	dataCB func(s *model.Stats) []int,
+) []Line {
+	g := &graph{
+		total: Line{
+			Fill:  true,
+			Title: labelTotal,
+			Data:  dataCB(t),
+			R:     baseColor[0],
+			G:     baseColor[1],
+			B:     baseColor[2],
+		},
+	}
+
+	var i int
+	for name, data := range s {
+		if name != StatsTotal {
+			g.replicas = append(g.replicas, Line{
+				Fill:  false,
+				Title: name,
+				Data:  dataCB(data),
+				R:     altColors[i%len(altColors)][0],
+				G:     altColors[i%len(altColors)][1],
+				B:     altColors[i%len(altColors)][2],
+			})
+			i++
+		}
+	}
+
+	lines := []Line{g.total}
+
+	slices.SortFunc(g.replicas, func(a, b Line) int {
+		return strings.Compare(a.Title, b.Title)
+	})
+	lines = append(lines, g.replicas...)
+	return lines
+}
+
+type graph struct {
+	total    Line
+	replicas []Line
+}
+
+type Line struct {
+	Data  []int  `json:"data"`
+	R     int    `json:"r"`
+	G     int    `json:"g"`
+	B     int    `json:"b"`
+	Title string `json:"title"`
+	Fill  bool   `json:"fill"`
+}
--- a/pkg/mocks/client/mock.go
+++ b/pkg/mocks/client/mock.go
@@ -0,0 +1,682 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/bakito/adguardhome-sync/pkg/client (interfaces: Client)
+//
+// Generated by this command:
+//
+//	mockgen -package client -destination pkg/mocks/client/mock.go github.com/bakito/adguardhome-sync/pkg/client Client
+//
+
+// Package client is a generated GoMock package.
+package client
+
+import (
+	reflect "reflect"
+
+	model "github.com/bakito/adguardhome-sync/pkg/client/model"
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockClient is a mock of Client interface.
+type MockClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockClientMockRecorder
+	isgomock struct{}
+}
+
+// MockClientMockRecorder is the mock recorder for MockClient.
+type MockClientMockRecorder struct {
+	mock *MockClient
+}
+
+// NewMockClient creates a new mock instance.
+func NewMockClient(ctrl *gomock.Controller) *MockClient {
+	mock := &MockClient{ctrl: ctrl}
+	mock.recorder = &MockClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockClient) EXPECT() *MockClientMockRecorder {
+	return m.recorder
+}
+
+// AccessList mocks base method.
+func (m *MockClient) AccessList() (*model.AccessList, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AccessList")
+	ret0, _ := ret[0].(*model.AccessList)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AccessList indicates an expected call of AccessList.
+func (mr *MockClientMockRecorder) AccessList() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessList", reflect.TypeOf((*MockClient)(nil).AccessList))
+}
+
+// AddClient mocks base method.
+func (m *MockClient) AddClient(client *model.Client) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AddClient", client)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddClient indicates an expected call of AddClient.
+func (mr *MockClientMockRecorder) AddClient(client any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddClient", reflect.TypeOf((*MockClient)(nil).AddClient), client)
+}
+
+// AddDHCPStaticLease mocks base method.
+func (m *MockClient) AddDHCPStaticLease(lease model.DhcpStaticLease) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AddDHCPStaticLease", lease)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddDHCPStaticLease indicates an expected call of AddDHCPStaticLease.
+func (mr *MockClientMockRecorder) AddDHCPStaticLease(lease any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddDHCPStaticLease", reflect.TypeOf((*MockClient)(nil).AddDHCPStaticLease), lease)
+}
+
+// AddFilter mocks base method.
+func (m *MockClient) AddFilter(whitelist bool, f model.Filter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AddFilter", whitelist, f)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddFilter indicates an expected call of AddFilter.
+func (mr *MockClientMockRecorder) AddFilter(whitelist, f any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFilter", reflect.TypeOf((*MockClient)(nil).AddFilter), whitelist, f)
+}
+
+// AddRewriteEntries mocks base method.
+func (m *MockClient) AddRewriteEntries(e ...model.RewriteEntry) error {
+	m.ctrl.T.Helper()
+	varargs := []any{}
+	for _, a := range e {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddRewriteEntries", varargs...)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddRewriteEntries indicates an expected call of AddRewriteEntries.
+func (mr *MockClientMockRecorder) AddRewriteEntries(e ...any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddRewriteEntries", reflect.TypeOf((*MockClient)(nil).AddRewriteEntries), e...)
+}
+
+// BlockedServicesSchedule mocks base method.
+func (m *MockClient) BlockedServicesSchedule() (*model.BlockedServicesSchedule, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "BlockedServicesSchedule")
+	ret0, _ := ret[0].(*model.BlockedServicesSchedule)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// BlockedServicesSchedule indicates an expected call of BlockedServicesSchedule.
+func (mr *MockClientMockRecorder) BlockedServicesSchedule() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BlockedServicesSchedule", reflect.TypeOf((*MockClient)(nil).BlockedServicesSchedule))
+}
+
+// Clients mocks base method.
+func (m *MockClient) Clients() (*model.Clients, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Clients")
+	ret0, _ := ret[0].(*model.Clients)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Clients indicates an expected call of Clients.
+func (mr *MockClientMockRecorder) Clients() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Clients", reflect.TypeOf((*MockClient)(nil).Clients))
+}
+
+// DNSConfig mocks base method.
+func (m *MockClient) DNSConfig() (*model.DNSConfig, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DNSConfig")
+	ret0, _ := ret[0].(*model.DNSConfig)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DNSConfig indicates an expected call of DNSConfig.
+func (mr *MockClientMockRecorder) DNSConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DNSConfig", reflect.TypeOf((*MockClient)(nil).DNSConfig))
+}
+
+// DeleteClient mocks base method.
+func (m *MockClient) DeleteClient(client *model.Client) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteClient", client)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteClient indicates an expected call of DeleteClient.
+func (mr *MockClientMockRecorder) DeleteClient(client any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteClient", reflect.TypeOf((*MockClient)(nil).DeleteClient), client)
+}
+
+// DeleteDHCPStaticLease mocks base method.
+func (m *MockClient) DeleteDHCPStaticLease(lease model.DhcpStaticLease) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteDHCPStaticLease", lease)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteDHCPStaticLease indicates an expected call of DeleteDHCPStaticLease.
+func (mr *MockClientMockRecorder) DeleteDHCPStaticLease(lease any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteDHCPStaticLease", reflect.TypeOf((*MockClient)(nil).DeleteDHCPStaticLease), lease)
+}
+
+// DeleteFilter mocks base method.
+func (m *MockClient) DeleteFilter(whitelist bool, f model.Filter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteFilter", whitelist, f)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteFilter indicates an expected call of DeleteFilter.
+func (mr *MockClientMockRecorder) DeleteFilter(whitelist, f any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFilter", reflect.TypeOf((*MockClient)(nil).DeleteFilter), whitelist, f)
+}
+
+// DeleteRewriteEntries mocks base method.
+func (m *MockClient) DeleteRewriteEntries(e ...model.RewriteEntry) error {
+	m.ctrl.T.Helper()
+	varargs := []any{}
+	for _, a := range e {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "DeleteRewriteEntries", varargs...)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteRewriteEntries indicates an expected call of DeleteRewriteEntries.
+func (mr *MockClientMockRecorder) DeleteRewriteEntries(e ...any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteRewriteEntries", reflect.TypeOf((*MockClient)(nil).DeleteRewriteEntries), e...)
+}
+
+// DhcpConfig mocks base method.
+func (m *MockClient) DhcpConfig() (*model.DhcpStatus, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DhcpConfig")
+	ret0, _ := ret[0].(*model.DhcpStatus)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DhcpConfig indicates an expected call of DhcpConfig.
+func (mr *MockClientMockRecorder) DhcpConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DhcpConfig", reflect.TypeOf((*MockClient)(nil).DhcpConfig))
+}
+
+// Filtering mocks base method.
+func (m *MockClient) Filtering() (*model.FilterStatus, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Filtering")
+	ret0, _ := ret[0].(*model.FilterStatus)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Filtering indicates an expected call of Filtering.
+func (mr *MockClientMockRecorder) Filtering() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Filtering", reflect.TypeOf((*MockClient)(nil).Filtering))
+}
+
+// Host mocks base method.
+func (m *MockClient) Host() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Host")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// Host indicates an expected call of Host.
+func (mr *MockClientMockRecorder) Host() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Host", reflect.TypeOf((*MockClient)(nil).Host))
+}
+
+// Parental mocks base method.
+func (m *MockClient) Parental() (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Parental")
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Parental indicates an expected call of Parental.
+func (mr *MockClientMockRecorder) Parental() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Parental", reflect.TypeOf((*MockClient)(nil).Parental))
+}
+
+// ProfileInfo mocks base method.
+func (m *MockClient) ProfileInfo() (*model.ProfileInfo, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ProfileInfo")
+	ret0, _ := ret[0].(*model.ProfileInfo)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ProfileInfo indicates an expected call of ProfileInfo.
+func (mr *MockClientMockRecorder) ProfileInfo() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProfileInfo", reflect.TypeOf((*MockClient)(nil).ProfileInfo))
+}
+
+// QueryLog mocks base method.
+func (m *MockClient) QueryLog(limit int) (*model.QueryLog, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "QueryLog", limit)
+	ret0, _ := ret[0].(*model.QueryLog)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// QueryLog indicates an expected call of QueryLog.
+func (mr *MockClientMockRecorder) QueryLog(limit any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryLog", reflect.TypeOf((*MockClient)(nil).QueryLog), limit)
+}
+
+// QueryLogConfig mocks base method.
+func (m *MockClient) QueryLogConfig() (*model.QueryLogConfigWithIgnored, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "QueryLogConfig")
+	ret0, _ := ret[0].(*model.QueryLogConfigWithIgnored)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// QueryLogConfig indicates an expected call of QueryLogConfig.
+func (mr *MockClientMockRecorder) QueryLogConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryLogConfig", reflect.TypeOf((*MockClient)(nil).QueryLogConfig))
+}
+
+// RefreshFilters mocks base method.
+func (m *MockClient) RefreshFilters(whitelist bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RefreshFilters", whitelist)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// RefreshFilters indicates an expected call of RefreshFilters.
+func (mr *MockClientMockRecorder) RefreshFilters(whitelist any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RefreshFilters", reflect.TypeOf((*MockClient)(nil).RefreshFilters), whitelist)
+}
+
+// RewriteList mocks base method.
+func (m *MockClient) RewriteList() (*model.RewriteEntries, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RewriteList")
+	ret0, _ := ret[0].(*model.RewriteEntries)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RewriteList indicates an expected call of RewriteList.
+func (mr *MockClientMockRecorder) RewriteList() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RewriteList", reflect.TypeOf((*MockClient)(nil).RewriteList))
+}
+
+// SafeBrowsing mocks base method.
+func (m *MockClient) SafeBrowsing() (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SafeBrowsing")
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SafeBrowsing indicates an expected call of SafeBrowsing.
+func (mr *MockClientMockRecorder) SafeBrowsing() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SafeBrowsing", reflect.TypeOf((*MockClient)(nil).SafeBrowsing))
+}
+
+// SafeSearchConfig mocks base method.
+func (m *MockClient) SafeSearchConfig() (*model.SafeSearchConfig, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SafeSearchConfig")
+	ret0, _ := ret[0].(*model.SafeSearchConfig)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SafeSearchConfig indicates an expected call of SafeSearchConfig.
+func (mr *MockClientMockRecorder) SafeSearchConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SafeSearchConfig", reflect.TypeOf((*MockClient)(nil).SafeSearchConfig))
+}
+
+// SetAccessList mocks base method.
+func (m *MockClient) SetAccessList(accessList *model.AccessList) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetAccessList", accessList)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetAccessList indicates an expected call of SetAccessList.
+func (mr *MockClientMockRecorder) SetAccessList(accessList any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetAccessList", reflect.TypeOf((*MockClient)(nil).SetAccessList), accessList)
+}
+
+// SetBlockedServicesSchedule mocks base method.
+func (m *MockClient) SetBlockedServicesSchedule(schedule *model.BlockedServicesSchedule) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetBlockedServicesSchedule", schedule)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetBlockedServicesSchedule indicates an expected call of SetBlockedServicesSchedule.
+func (mr *MockClientMockRecorder) SetBlockedServicesSchedule(schedule any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetBlockedServicesSchedule", reflect.TypeOf((*MockClient)(nil).SetBlockedServicesSchedule), schedule)
+}
+
+// SetCustomRules mocks base method.
+func (m *MockClient) SetCustomRules(rules *[]string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetCustomRules", rules)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetCustomRules indicates an expected call of SetCustomRules.
+func (mr *MockClientMockRecorder) SetCustomRules(rules any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCustomRules", reflect.TypeOf((*MockClient)(nil).SetCustomRules), rules)
+}
+
+// SetDNSConfig mocks base method.
+func (m *MockClient) SetDNSConfig(config *model.DNSConfig) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetDNSConfig", config)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetDNSConfig indicates an expected call of SetDNSConfig.
+func (mr *MockClientMockRecorder) SetDNSConfig(config any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetDNSConfig", reflect.TypeOf((*MockClient)(nil).SetDNSConfig), config)
+}
+
+// SetDhcpConfig mocks base method.
+func (m *MockClient) SetDhcpConfig(status *model.DhcpStatus) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetDhcpConfig", status)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetDhcpConfig indicates an expected call of SetDhcpConfig.
+func (mr *MockClientMockRecorder) SetDhcpConfig(status any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetDhcpConfig", reflect.TypeOf((*MockClient)(nil).SetDhcpConfig), status)
+}
+
+// SetProfileInfo mocks base method.
+func (m *MockClient) SetProfileInfo(settings *model.ProfileInfo) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetProfileInfo", settings)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetProfileInfo indicates an expected call of SetProfileInfo.
+func (mr *MockClientMockRecorder) SetProfileInfo(settings any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetProfileInfo", reflect.TypeOf((*MockClient)(nil).SetProfileInfo), settings)
+}
+
+// SetQueryLogConfig mocks base method.
+func (m *MockClient) SetQueryLogConfig(ql *model.QueryLogConfigWithIgnored) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetQueryLogConfig", ql)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetQueryLogConfig indicates an expected call of SetQueryLogConfig.
+func (mr *MockClientMockRecorder) SetQueryLogConfig(ql any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetQueryLogConfig", reflect.TypeOf((*MockClient)(nil).SetQueryLogConfig), ql)
+}
+
+// SetSafeSearchConfig mocks base method.
+func (m *MockClient) SetSafeSearchConfig(settings *model.SafeSearchConfig) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetSafeSearchConfig", settings)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetSafeSearchConfig indicates an expected call of SetSafeSearchConfig.
+func (mr *MockClientMockRecorder) SetSafeSearchConfig(settings any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSafeSearchConfig", reflect.TypeOf((*MockClient)(nil).SetSafeSearchConfig), settings)
+}
+
+// SetStatsConfig mocks base method.
+func (m *MockClient) SetStatsConfig(sc *model.PutStatsConfigUpdateRequest) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetStatsConfig", sc)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetStatsConfig indicates an expected call of SetStatsConfig.
+func (mr *MockClientMockRecorder) SetStatsConfig(sc any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetStatsConfig", reflect.TypeOf((*MockClient)(nil).SetStatsConfig), sc)
+}
+
+// SetTLSConfig mocks base method.
+func (m *MockClient) SetTLSConfig(tls *model.TlsConfig) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetTLSConfig", tls)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetTLSConfig indicates an expected call of SetTLSConfig.
+func (mr *MockClientMockRecorder) SetTLSConfig(tls any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTLSConfig", reflect.TypeOf((*MockClient)(nil).SetTLSConfig), tls)
+}
+
+// Setup mocks base method.
+func (m *MockClient) Setup() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Setup")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Setup indicates an expected call of Setup.
+func (mr *MockClientMockRecorder) Setup() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Setup", reflect.TypeOf((*MockClient)(nil).Setup))
+}
+
+// Stats mocks base method.
+func (m *MockClient) Stats() (*model.Stats, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Stats")
+	ret0, _ := ret[0].(*model.Stats)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Stats indicates an expected call of Stats.
+func (mr *MockClientMockRecorder) Stats() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Stats", reflect.TypeOf((*MockClient)(nil).Stats))
+}
+
+// StatsConfig mocks base method.
+func (m *MockClient) StatsConfig() (*model.GetStatsConfigResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "StatsConfig")
+	ret0, _ := ret[0].(*model.GetStatsConfigResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// StatsConfig indicates an expected call of StatsConfig.
+func (mr *MockClientMockRecorder) StatsConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StatsConfig", reflect.TypeOf((*MockClient)(nil).StatsConfig))
+}
+
+// Status mocks base method.
+func (m *MockClient) Status() (*model.ServerStatus, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Status")
+	ret0, _ := ret[0].(*model.ServerStatus)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Status indicates an expected call of Status.
+func (mr *MockClientMockRecorder) Status() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Status", reflect.TypeOf((*MockClient)(nil).Status))
+}
+
+// TLSConfig mocks base method.
+func (m *MockClient) TLSConfig() (*model.TlsConfig, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "TLSConfig")
+	ret0, _ := ret[0].(*model.TlsConfig)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// TLSConfig indicates an expected call of TLSConfig.
+func (mr *MockClientMockRecorder) TLSConfig() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TLSConfig", reflect.TypeOf((*MockClient)(nil).TLSConfig))
+}
+
+// ToggleFiltering mocks base method.
+func (m *MockClient) ToggleFiltering(enabled bool, interval int) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ToggleFiltering", enabled, interval)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ToggleFiltering indicates an expected call of ToggleFiltering.
+func (mr *MockClientMockRecorder) ToggleFiltering(enabled, interval any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ToggleFiltering", reflect.TypeOf((*MockClient)(nil).ToggleFiltering), enabled, interval)
+}
+
+// ToggleParental mocks base method.
+func (m *MockClient) ToggleParental(enable bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ToggleParental", enable)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ToggleParental indicates an expected call of ToggleParental.
+func (mr *MockClientMockRecorder) ToggleParental(enable any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ToggleParental", reflect.TypeOf((*MockClient)(nil).ToggleParental), enable)
+}
+
+// ToggleProtection mocks base method.
+func (m *MockClient) ToggleProtection(enable bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ToggleProtection", enable)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ToggleProtection indicates an expected call of ToggleProtection.
+func (mr *MockClientMockRecorder) ToggleProtection(enable any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ToggleProtection", reflect.TypeOf((*MockClient)(nil).ToggleProtection), enable)
+}
+
+// ToggleSafeBrowsing mocks base method.
+func (m *MockClient) ToggleSafeBrowsing(enable bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ToggleSafeBrowsing", enable)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ToggleSafeBrowsing indicates an expected call of ToggleSafeBrowsing.
+func (mr *MockClientMockRecorder) ToggleSafeBrowsing(enable any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ToggleSafeBrowsing", reflect.TypeOf((*MockClient)(nil).ToggleSafeBrowsing), enable)
+}
+
+// UpdateClient mocks base method.
+func (m *MockClient) UpdateClient(client *model.Client) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateClient", client)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateClient indicates an expected call of UpdateClient.
+func (mr *MockClientMockRecorder) UpdateClient(client any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateClient", reflect.TypeOf((*MockClient)(nil).UpdateClient), client)
+}
+
+// UpdateFilter mocks base method.
+func (m *MockClient) UpdateFilter(whitelist bool, f model.Filter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateFilter", whitelist, f)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateFilter indicates an expected call of UpdateFilter.
+func (mr *MockClientMockRecorder) UpdateFilter(whitelist, f any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateFilter", reflect.TypeOf((*MockClient)(nil).UpdateFilter), whitelist, f)
+}
--- a/pkg/mocks/flags/mock.go
+++ b/pkg/mocks/flags/mock.go
@@ -0,0 +1,99 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/bakito/adguardhome-sync/pkg/config (interfaces: Flags)
+//
+// Generated by this command:
+//
+//	mockgen -package client -destination pkg/mocks/flags/mock.go github.com/bakito/adguardhome-sync/pkg/config Flags
+//
+
+// Package client is a generated GoMock package.
+package client
+
+import (
+	reflect "reflect"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockFlags is a mock of Flags interface.
+type MockFlags struct {
+	ctrl     *gomock.Controller
+	recorder *MockFlagsMockRecorder
+	isgomock struct{}
+}
+
+// MockFlagsMockRecorder is the mock recorder for MockFlags.
+type MockFlagsMockRecorder struct {
+	mock *MockFlags
+}
+
+// NewMockFlags creates a new mock instance.
+func NewMockFlags(ctrl *gomock.Controller) *MockFlags {
+	mock := &MockFlags{ctrl: ctrl}
+	mock.recorder = &MockFlagsMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockFlags) EXPECT() *MockFlagsMockRecorder {
+	return m.recorder
+}
+
+// Changed mocks base method.
+func (m *MockFlags) Changed(name string) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Changed", name)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// Changed indicates an expected call of Changed.
+func (mr *MockFlagsMockRecorder) Changed(name any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Changed", reflect.TypeOf((*MockFlags)(nil).Changed), name)
+}
+
+// GetBool mocks base method.
+func (m *MockFlags) GetBool(name string) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetBool", name)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetBool indicates an expected call of GetBool.
+func (mr *MockFlagsMockRecorder) GetBool(name any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBool", reflect.TypeOf((*MockFlags)(nil).GetBool), name)
+}
+
+// GetInt mocks base method.
+func (m *MockFlags) GetInt(name string) (int, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetInt", name)
+	ret0, _ := ret[0].(int)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetInt indicates an expected call of GetInt.
+func (mr *MockFlagsMockRecorder) GetInt(name any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetInt", reflect.TypeOf((*MockFlags)(nil).GetInt), name)
+}
+
+// GetString mocks base method.
+func (m *MockFlags) GetString(name string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetString", name)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetString indicates an expected call of GetString.
+func (mr *MockFlagsMockRecorder) GetString(name any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetString", reflect.TypeOf((*MockFlags)(nil).GetString), name)
+}
--- a/pkg/sync/action-general.go
+++ b/pkg/sync/action-general.go
@@ -0,0 +1,300 @@
+package sync
+
+import (
+	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+)
+
+var (
+	actionProfileInfo = func(ac *actionContext) error {
+		if pro, err := ac.client.ProfileInfo(); err != nil {
+			return err
+		} else if merged := pro.ShouldSyncFor(ac.origin.profileInfo, ac.cfg.Features.Theme); merged != nil {
+			return ac.client.SetProfileInfo(merged)
+		}
+		return nil
+	}
+	actionProtection = func(ac *actionContext) error {
+		if ac.origin.status.ProtectionEnabled != ac.replicaStatus.ProtectionEnabled {
+			return ac.client.ToggleProtection(ac.origin.status.ProtectionEnabled)
+		}
+		return nil
+	}
+	actionParental = func(ac *actionContext) error {
+		if rp, err := ac.client.Parental(); err != nil {
+			return err
+		} else if ac.origin.parental != rp {
+			return ac.client.ToggleParental(ac.origin.parental)
+		}
+		return nil
+	}
+	actionSafeSearchConfig = func(ac *actionContext) error {
+		if ssc, err := ac.client.SafeSearchConfig(); err != nil {
+			return err
+		} else if !ac.origin.safeSearch.Equals(ssc) {
+			return ac.client.SetSafeSearchConfig(ac.origin.safeSearch)
+		}
+		return nil
+	}
+	actionSafeBrowsing = func(ac *actionContext) error {
+		if rs, err := ac.client.SafeBrowsing(); err != nil {
+			return err
+		} else if ac.origin.safeBrowsing != rs {
+			if err = ac.client.ToggleSafeBrowsing(ac.origin.safeBrowsing); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	actionQueryLogConfig = func(ac *actionContext) error {
+		qlc, err := ac.client.QueryLogConfig()
+		if err != nil {
+			return err
+		}
+		if !ac.origin.queryLogConfig.Equals(qlc) {
+			return ac.client.SetQueryLogConfig(ac.origin.queryLogConfig)
+		}
+		return nil
+	}
+	actionStatsConfig = func(ac *actionContext) error {
+		sc, err := ac.client.StatsConfig()
+		if err != nil {
+			return err
+		}
+		if !sc.Equals(ac.origin.statsConfig) {
+			return ac.client.SetStatsConfig(ac.origin.statsConfig)
+		}
+		return nil
+	}
+	actionDNSRewrites = func(ac *actionContext) error {
+		replicaRewrites, err := ac.client.RewriteList()
+		if err != nil {
+			return err
+		}
+
+		a, r, d := replicaRewrites.Merge(ac.origin.rewrites)
+
+		if err = ac.client.DeleteRewriteEntries(r...); err != nil {
+			return err
+		}
+		if err = ac.client.AddRewriteEntries(a...); err != nil {
+			return err
+		}
+
+		for _, dupl := range d {
+			ac.rl.With("domain", dupl.Domain, "answer", dupl.Answer).Warn("Skipping duplicated rewrite from source")
+		}
+		return nil
+	}
+	actionFilters = func(ac *actionContext) error {
+		rf, err := ac.client.Filtering()
+		if err != nil {
+			return err
+		}
+
+		if err = syncFilterType(ac.rl, ac.origin.filters.Filters, rf.Filters, false, ac.client, ac.cfg.ContinueOnError); err != nil {
+			return err
+		}
+		if err = syncFilterType(ac.rl, ac.origin.filters.WhitelistFilters, rf.WhitelistFilters, true, ac.client, ac.cfg.ContinueOnError); err != nil {
+			return err
+		}
+
+		if utils.PtrToString(ac.origin.filters.UserRules) != utils.PtrToString(rf.UserRules) {
+			return ac.client.SetCustomRules(ac.origin.filters.UserRules)
+		}
+
+		if !utils.PtrEquals(ac.origin.filters.Enabled, rf.Enabled) ||
+			!utils.PtrEquals(ac.origin.filters.Interval, rf.Interval) {
+			return ac.client.ToggleFiltering(*ac.origin.filters.Enabled, *ac.origin.filters.Interval)
+		}
+		return nil
+	}
+
+	actionBlockedServicesSchedule = func(ac *actionContext) error {
+		rbss, err := ac.client.BlockedServicesSchedule()
+		if err != nil {
+			return err
+		}
+
+		if !ac.origin.blockedServicesSchedule.Equals(rbss) {
+			return ac.client.SetBlockedServicesSchedule(ac.origin.blockedServicesSchedule)
+		}
+		return nil
+	}
+	actionClientSettings = func(ac *actionContext) error {
+		rc, err := ac.client.Clients()
+		if err != nil {
+			return err
+		}
+
+		a, u, r := rc.Merge(ac.origin.clients)
+
+		for _, client := range r {
+			if err := ac.client.DeleteClient(client); err != nil {
+				ac.rl.With("client-name", client.Name, "error", err).Error("error deleting client setting")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+
+		for _, client := range a {
+			if err := ac.client.AddClient(client); err != nil {
+				ac.rl.With("client-name", client.Name, "error", err).Error("error adding client setting")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+
+		for _, client := range u {
+			if err := ac.client.UpdateClient(client); err != nil {
+				ac.rl.With("client-name", client.Name, "error", err).Error("error updating client setting")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+
+		return nil
+	}
+
+	actionDNSAccessLists = func(ac *actionContext) error {
+		al, err := ac.client.AccessList()
+		if err != nil {
+			return err
+		}
+		if !al.Equals(ac.origin.accessList) {
+			return ac.client.SetAccessList(ac.origin.accessList)
+		}
+		return nil
+	}
+	actionDNSServerConfig = func(ac *actionContext) error {
+		dc, err := ac.client.DNSConfig()
+		if err != nil {
+			return err
+		}
+
+		// dc.Sanitize(ac.rl)
+
+		if !dc.Equals(ac.origin.dnsConfig) {
+			if err = ac.client.SetDNSConfig(ac.origin.dnsConfig); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	actionDHCPServerConfig = func(ac *actionContext) error {
+		if ac.origin.dhcpServerConfig.HasConfig() {
+			sc, err := ac.client.DhcpConfig()
+			if err != nil {
+				return err
+			}
+			origClone := ac.origin.dhcpServerConfig.Clone()
+			if ac.replica.InterfaceName != "" {
+				// overwrite interface name
+				origClone.InterfaceName = utils.Ptr(ac.replica.InterfaceName)
+			}
+			if ac.replica.DHCPServerEnabled != nil {
+				// overwrite dhcp enabled
+				origClone.Enabled = ac.replica.DHCPServerEnabled
+			}
+
+			if !sc.CleanAndEquals(origClone) {
+				return ac.client.SetDhcpConfig(origClone)
+			}
+		}
+		return nil
+	}
+	actionDHCPStaticLeases = func(ac *actionContext) error {
+		sc, err := ac.client.DhcpConfig()
+		if err != nil {
+			return err
+		}
+
+		a, r := model.MergeDhcpStaticLeases(sc.StaticLeases, ac.origin.dhcpServerConfig.StaticLeases)
+
+		for _, lease := range r {
+			if err := ac.client.DeleteDHCPStaticLease(lease); err != nil {
+				ac.rl.With("hostname", lease.Hostname, "error", err).Error("error deleting dhcp static lease")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+
+		for _, lease := range a {
+			if err := ac.client.AddDHCPStaticLease(lease); err != nil {
+				ac.rl.With("hostname", lease.Hostname, "error", err).Error("error adding dhcp static lease")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+	tlsConfig = func(ac *actionContext) error {
+		tlsc, err := ac.client.TLSConfig()
+		if err != nil {
+			return err
+		}
+
+		if !tlsc.Equals(ac.origin.tlsConfig) {
+			if err := ac.client.SetTLSConfig(ac.origin.tlsConfig); err != nil {
+				ac.rl.With("enabled", ac.origin.tlsConfig.Enabled, "error", err).Error("error setting tls config")
+				if !ac.cfg.ContinueOnError {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+)
+
+func syncFilterType(
+	rl *zap.SugaredLogger,
+	of *[]model.Filter,
+	rFilters *[]model.Filter,
+	whitelist bool,
+	replica client.Client,
+	continueOnError bool,
+) error {
+	fa, fu, fd := model.MergeFilters(rFilters, of)
+
+	for _, f := range fd {
+		if err := replica.DeleteFilter(whitelist, f); err != nil {
+			rl.With("filter", f.Name, "url", f.Url, "whitelist", whitelist, "error", err).Error("error deleting filter")
+			if !continueOnError {
+				return err
+			}
+		}
+	}
+
+	for _, f := range fa {
+		if err := replica.AddFilter(whitelist, f); err != nil {
+			rl.With("filter", f.Name, "url", f.Url, "whitelist", whitelist, "error", err).Error("error adding filter")
+			if !continueOnError {
+				return err
+			}
+		}
+	}
+
+	for _, f := range fu {
+		if err := replica.UpdateFilter(whitelist, f); err != nil {
+			rl.With("filter", f.Name, "url", f.Url, "whitelist", whitelist, "error", err).Error("error updating filter")
+			if !continueOnError {
+				return err
+			}
+		}
+	}
+
+	if len(fa) > 0 || len(fu) > 0 {
+		if err := replica.RefreshFilters(whitelist); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/pkg/sync/action.go
+++ b/pkg/sync/action.go
@@ -0,0 +1,108 @@
+package sync
+
+import (
+	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+func setupActions(cfg *types.Config) (actions []syncAction) {
+	if cfg.Features.GeneralSettings {
+		actions = append(actions,
+			action("profile info", actionProfileInfo),
+			action("protection", actionProtection),
+			action("parental", actionParental),
+			action("safe search config", actionSafeSearchConfig),
+			action("safe browsing", actionSafeBrowsing),
+		)
+	}
+	if cfg.Features.DNS.ServerConfig {
+		actions = append(actions,
+			action("DNS server config", actionDNSServerConfig),
+		)
+	}
+	if cfg.Features.QueryLogConfig {
+		actions = append(actions,
+			action("query log config", actionQueryLogConfig),
+		)
+	}
+	if cfg.Features.StatsConfig {
+		actions = append(actions,
+			action("stats config", actionStatsConfig),
+		)
+	}
+	if cfg.Features.DNS.Rewrites {
+		actions = append(actions,
+			action("DNS rewrites", actionDNSRewrites),
+		)
+	}
+	if cfg.Features.Filters {
+		actions = append(actions,
+			action("actionFilters", actionFilters),
+		)
+	}
+	if cfg.Features.Services {
+		actions = append(actions,
+			action("blocked services schedule", actionBlockedServicesSchedule),
+		)
+	}
+	if cfg.Features.ClientSettings {
+		actions = append(actions,
+			action("client settings", actionClientSettings),
+		)
+	}
+	if cfg.Features.DNS.AccessLists {
+		actions = append(actions,
+			action("DNS access lists", actionDNSAccessLists),
+		)
+	}
+	if cfg.Features.DHCP.ServerConfig {
+		actions = append(actions,
+			action("DHCP server config", actionDHCPServerConfig),
+		)
+	}
+	if cfg.Features.DHCP.StaticLeases {
+		actions = append(actions,
+			action("DHCP static leases", actionDHCPStaticLeases),
+		)
+	}
+	if cfg.Features.TLSConfig {
+		actions = append(actions,
+			action("TLS config", tlsConfig),
+		)
+	}
+	return actions
+}
+
+type syncAction interface {
+	sync(ac *actionContext) error
+	name() string
+}
+
+type actionContext struct {
+	rl            *zap.SugaredLogger
+	origin        *origin
+	client        client.Client
+	replicaStatus *model.ServerStatus
+	replica       types.AdGuardInstance
+	cfg           *types.Config
+}
+
+type defaultAction struct {
+	myName string
+	doSync func(ac *actionContext) error
+}
+
+func action(name string, f func(ac *actionContext) error) syncAction {
+	return &defaultAction{myName: name, doSync: f}
+}
+
+func (d *defaultAction) sync(ac *actionContext) error {
+	return d.doSync(ac)
+}
+
+func (d *defaultAction) name() string {
+	return d.myName
+}
--- a/pkg/sync/favicon.ico
+++ b/pkg/sync/favicon.ico
--- a/pkg/sync/http.go
+++ b/pkg/sync/http.go
@@ -2,77 +2,168 @@ package sync

 import (
 	"context"
+	_ "embed"
+	"errors"
 	"fmt"
+	"html/template"
 	"net"
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/metrics"
+	"github.com/bakito/adguardhome-sync/version"
 )

-func (w *worker) handleSync(rw http.ResponseWriter, req *http.Request) {
-	switch req.Method {
-	case http.MethodPost:
-		l.With("remote-addr", req.RemoteAddr).Info("Starting sync from API")
-		w.sync()
-	default:
-		http.Error(rw, "only POST allowed", http.StatusBadRequest)
+var (
+	//go:embed index.html
+	index []byte
+	//go:embed favicon.ico
+	favicon []byte
+	//go:embed logo.svg
+	logo []byte
+)
+
+func (w *worker) handleSync(c *gin.Context) {
+	l.With("remote-addr", c.Request.RemoteAddr).Info("Starting sync from API")
+	w.sync()
+}
+
+func (w *worker) handleRoot(c *gin.Context) {
+	total, dns, blocked, malware, adult := metrics.StatsGraph()
+
+	c.HTML(http.StatusOK, "index.html", map[string]any{
+		"DarkMode":   w.cfg.API.DarkMode,
+		"Metrics":    w.cfg.API.Metrics.Enabled,
+		"Version":    version.Version,
+		"Build":      version.Build,
+		"SyncStatus": w.status(),
+		"Stats": map[string]any{
+			"Labels":  getLast24Hours(),
+			"DNS":     dns,
+			"Blocked": blocked,
+			"BlockedPercentage": fmt.Sprintf(
+				"%.2f",
+				(float64(*total.NumBlockedFiltering)*100.0)/float64(*total.NumDnsQueries),
+			),
+			"Malware": malware,
+			"MalwarePercentage": fmt.Sprintf(
+				"%.2f",
+				(float64(*total.NumReplacedSafebrowsing)*100.0)/float64(*total.NumDnsQueries),
+			),
+			"Adult": adult,
+			"AdultPercentage": fmt.Sprintf(
+				"%.2f",
+				(float64(*total.NumReplacedParental)*100.0)/float64(*total.NumDnsQueries),
+			),
+
+			"TotalDNS":     total.NumDnsQueries,
+			"TotalBlocked": total.NumBlockedFiltering,
+			"TotalMalware": total.NumReplacedSafebrowsing,
+			"TotalAdult":   total.NumReplacedParental,
+		},
+	},
+	)
+}
+
+func (w *worker) handleFavicon(c *gin.Context) {
+	c.Data(http.StatusOK, "image/x-icon", favicon)
+}
+
+func (w *worker) handleLogo(c *gin.Context) {
+	c.Data(http.StatusOK, "image/svg+xml", logo)
+}
+
+func (w *worker) handleLogs(c *gin.Context) {
+	c.Data(http.StatusOK, "text/plain", []byte(strings.Join(log.Logs(), "")))
+}
+
+func (w *worker) handleClearLogs(c *gin.Context) {
+	log.Clear()
+	c.Status(http.StatusOK)
+}
+
+func (w *worker) handleStatus(c *gin.Context) {
+	c.JSON(http.StatusOK, w.status())
+}
+
+func (w *worker) handleHealthz(c *gin.Context) {
+	status := w.status()
+
+	if status.Origin.Status != "success" {
+		c.Status(http.StatusServiceUnavailable)
+		return
 	}
-}

-func (w *worker) handleRoot(rw http.ResponseWriter, _ *http.Request) {
-	_, _ = rw.Write([]byte("adguardhome-sync"))
-}
-
-func (w *worker) basicAuth(h http.HandlerFunc) http.HandlerFunc {
-	return func(rw http.ResponseWriter, r *http.Request) {
-
-		rw.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-
-		username, password, authOK := r.BasicAuth()
-		if !authOK {
-			http.Error(rw, "Not authorized", 401)
+	for _, replica := range status.Replicas {
+		if replica.Status != "success" {
+			c.Status(http.StatusServiceUnavailable)
 			return
 		}
-
-		if username != w.cfg.API.Username || password != w.cfg.API.Password {
-			http.Error(rw, "Not authorized", 401)
-			return
-		}
-
-		h.ServeHTTP(rw, r)
-	}
-}
-
-func use(h http.HandlerFunc, middleware ...func(http.HandlerFunc) http.HandlerFunc) http.HandlerFunc {
-	for _, m := range middleware {
-		h = m(h)
 	}

-	return h
+	c.Status(http.StatusOK)
 }

 func (w *worker) listenAndServe() {
-	l.With("port", w.cfg.API.Port).Info("Starting API server")
+	sl := l.With("port", w.cfg.API.Port)
+	if w.cfg.API.TLS.Enabled() {
+		c, k := w.cfg.API.TLS.Certs()
+		sl = sl.With("tls-cert", c).With("tls-key", k)
+	}
+	sl.Info("Starting API server")

 	ctx, cancel := context.WithCancel(context.Background())
-	mux := http.NewServeMux()
-	httpServer := &http.Server{
-		Addr:        fmt.Sprintf(":%d", w.cfg.API.Port),
-		Handler:     mux,
-		BaseContext: func(_ net.Listener) context.Context { return ctx },
+
+	gin.SetMode(gin.ReleaseMode)
+	r := gin.New()
+	r.Use(gin.Recovery())
+
+	r.HEAD("/healthz", w.handleHealthz)
+	r.GET("/healthz", w.handleHealthz)
+
+	var group gin.IRouter = r
+	if w.cfg.API.Username != "" && w.cfg.API.Password != "" {
+		group = r.Group("/", gin.BasicAuth(map[string]string{w.cfg.API.Username: w.cfg.API.Password}))
 	}

-	if w.cfg.API.Username != "" && w.cfg.API.Password != "" {
-		mux.HandleFunc("/api/v1/sync", use(w.handleSync, w.basicAuth))
-		mux.HandleFunc("/", use(w.handleRoot, w.basicAuth))
-	} else {
-		mux.HandleFunc("/api/v1/sync", w.handleSync)
-		mux.HandleFunc("/", w.handleRoot)
+	group.POST("/api/v1/sync", w.handleSync)
+	group.GET("/api/v1/logs", w.handleLogs)
+	group.POST("/api/v1/clear-logs", w.handleClearLogs)
+	group.GET("/api/v1/status", w.handleStatus)
+	group.GET("/favicon.ico", w.handleFavicon)
+	group.GET("/logo.svg", w.handleLogo)
+	group.GET("/", w.handleRoot)
+	if w.cfg.API.Metrics.Enabled {
+		group.GET("/metrics", metrics.Handler())
+
+		go w.startScraping()
 	}
+
+	httpServer := &http.Server{
+		Addr:              fmt.Sprintf(":%d", w.cfg.API.Port),
+		Handler:           r,
+		BaseContext:       func(_ net.Listener) context.Context { return ctx },
+		ReadHeaderTimeout: 1 * time.Second,
+	}
+
+	r.SetHTMLTemplate(template.Must(template.New("index.html").Parse(string(index))))
+
 	go func() {
-		if err := httpServer.ListenAndServe(); err != http.ErrServerClosed {
+		var err error
+		if w.cfg.API.TLS.Enabled() {
+			err = httpServer.ListenAndServeTLS(w.cfg.API.TLS.Certs())
+		} else {
+			err = httpServer.ListenAndServe()
+		}
+
+		if !errors.Is(err, http.ErrServerClosed) {
 			l.With("error", err).Fatalf("HTTP server ListenAndServe")
 		}
 	}()
@@ -94,7 +185,7 @@ func (w *worker) listenAndServe() {
 		l.Fatal("os.Kill - terminating...")
 	}()

-	gracefullCtx, cancelShutdown := context.WithTimeout(context.Background(), 5*time.Second)
+	gracefulCtx, cancelShutdown := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancelShutdown()

 	if w.cron != nil {
@@ -102,7 +193,7 @@ func (w *worker) listenAndServe() {
 		w.cron.Stop()
 	}

-	if err := httpServer.Shutdown(gracefullCtx); err != nil {
+	if err := httpServer.Shutdown(gracefulCtx); err != nil {
 		l.With("error", err).Error("Shutdown error")
 		defer os.Exit(1)
 	} else {
@@ -111,6 +202,41 @@ func (w *worker) listenAndServe() {

 	// manually cancel context if not using httpServer.RegisterOnShutdown(cancel)
 	cancel()
-
-	defer os.Exit(0)
+}
+
+type syncStatus struct {
+	SyncRunning bool            `json:"syncRunning"`
+	Origin      replicaStatus   `json:"origin"`
+	Replicas    []replicaStatus `json:"replicas"`
+}
+
+type replicaStatus struct {
+	Host              string `json:"host"`
+	URL               string `json:"url"`
+	Status            string `json:"status"`
+	Error             string `json:"error,omitempty"`
+	ProtectionEnabled *bool  `json:"protection_enabled"`
+}
+
+func getLast24Hours() []string {
+	var result []string
+	currentTime := time.Now()
+
+	// Loop to get the last 24 hours
+	for i := range 24 {
+		// Calculate the time for the current hour in the loop
+		timeInstance := currentTime.Add(time.Duration(-i) * time.Hour)
+		timeInstance = timeInstance.Truncate(time.Hour)
+
+		// Format the time as "14 Dec 17:00"
+		formattedTime := timeInstance.Format("02 Jan 15:04")
+		result = append(result, formattedTime)
+	}
+
+	// Reverse the slice to get the correct order (from oldest to latest)
+	for i, j := 0, len(result)-1; i < j; i, j = i+1, j-1 {
+		result[i], result[j] = result[j], result[i]
+	}
+
+	return result
 }
--- a/pkg/sync/index.html
+++ b/pkg/sync/index.html
@@ -0,0 +1,256 @@
+<html lang="en">
+<head>
+    <title>AdGuard Home sync</title>
+    <script type="text/javascript" src="https://code.jquery.com/jquery-3.7.1.min.js">
+    </script>
+    {{- if .DarkMode }}
+    <link rel="stylesheet" href="https://bootswatch.com/5/darkly/bootstrap.min.css"
+          crossorigin="anonymous">
+    {{- else }}
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet"
+          integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
+          crossorigin="anonymous">
+    {{- end }}
+    <script type="text/javascript">
+        $(document).ready(function () {
+            $("#showLogs").click(function () {
+                $.get("api/v1/logs", {}, function (data) {
+                        $('#logs').html(data);
+                    }
+                );
+                $.get("api/v1/status", {}, function (status) {
+                        $('#origin').removeClass(function (index, className) {
+                            return (className.match(/(^|\s)btn-\S+/g) || []).join(' ');
+                        }).addClass("btn-" + status.origin.status).attr('title', status.origin.error);
+                        status.replicas.forEach(function (replica, i) {
+                            $('#replica_' + i).removeClass(function (index, className) {
+                                return (className.match(/(^|\s)btn-\S+/g) || []).join(' ');
+                            }).addClass("btn-" + replica.status).attr('title', replica.error);
+                        });
+                    }
+                );
+            });
+            $("#clearLogs").click(function () {
+                $.post("api/v1/clear-logs", {}, function () {
+                        $('#logs').html("");
+                    }
+                );
+            });
+            $("#sync").click(function () {
+                $.post("api/v1/sync", {}, function (data) {
+                });
+                $("#showLogs").click();
+            });
+            $("#showLogs").click();
+        });
+    </script>
+    <link rel="shortcut icon" href="favicon.ico">
+    <style>
+        .stat-card {
+            border-radius: 8px;
+            box-shadow: 0 2px 8px rgba(0, 0, 0, 0.5);
+            padding: 15px;
+            text-align: left;
+            display: flex;
+            flex-direction: column;
+            justify-content: space-between;
+            height: 100%;
+        }
+        {{- if .Metrics }}
+        .stat-card h3 {
+            margin: 0;
+            font-size: 2rem;
+        }
+        .stat-card p {
+            margin: 5px 0;
+            font-size: 0.9rem;
+        }
+        .percentage {
+            font-size: 0.9rem;
+            text-align: right;
+            height: 20px;
+        }
+        canvas {
+            flex-grow: 1;
+            height: 100px !important;
+        }
+        {{- end }}
+        .button-row {
+            margin-top: 20px;
+        }
+        .btn-group {
+            margin: 5px;
+        }
+    </style>
+</head>
+<body>
+<div class="container-fluid px-4">
+    <div class="row">
+        <div class="d-flex align-items-center mb-3">
+            <img src="logo.svg" alt="Logo" class="me-3" style="height: 4em;">
+            <div>
+                <h1 class="mb-0">AdGuard Home sync</h1>
+                <p class="h6 text-muted mb-0">{{ .Version }} ({{ .Build }})</p>
+            </div>
+        </div>
+    </div>
+    {{- if .Metrics }}
+    <div class="row g-4 d-flex">
+        <div class="col-12 col-md-3 d-flex">
+            <div class="stat-card flex-fill">
+                <div class="percentage"></div>
+                <h3 style="color: rgb(78, 141, 245);">{{.Stats.TotalDNS}}</h3>
+                <p>DNS Queries</p>
+                <canvas id="dnsQueriesChart"></canvas>
+            </div>
+        </div>
+
+        <div class="col-12 col-md-3 d-flex">
+            <div class="stat-card flex-fill">
+                <div class="percentage" style="color: rgb(255, 94, 94);">{{.Stats.BlockedPercentage}}%</div>
+                <h3 style="color: rgb(255, 94, 94);">{{.Stats.TotalBlocked}}</h3>
+                <p>Blocked by Filters</p>
+                <canvas id="blockedFiltersChart"></canvas>
+            </div>
+        </div>
+
+        <div class="col-12 col-md-3 d-flex">
+            <div class="stat-card flex-fill">
+                <div class="percentage" style="color: rgb(110, 224, 122);">{{.Stats.MalwarePercentage}}%</div>
+                <h3 style="color: rgb(110, 224, 122);">{{.Stats.TotalMalware}}</h3>
+                <p>Blocked malware/phishing</p>
+                <canvas id="malwareChart"></canvas>
+            </div>
+        </div>
+
+        <div class="col-12 col-md-3 d-flex">
+            <div class="stat-card flex-fill">
+                <div class="percentage" style="color: rgb(232, 198, 78);">{{.Stats.AdultPercentage}}%</div>
+                <h3 style="color: rgb(232, 198, 78);">{{.Stats.TotalAdult}}</h3>
+                <p>Blocked adult websites</p>
+                <canvas id="adultWebsitesChart"></canvas>
+            </div>
+        </div>
+    </div>
+    {{- end }}
+    <div class="row button-row">
+        <div class="col">
+            <div class="btn-group" role="group">
+                <button type="button" class="btn btn-success" id="sync">Synchronize</button>
+                <button type="button" class="btn btn-secondary" id="showLogs">Update Logs</button>
+                <button type="button" class="btn btn-secondary dropdown-toggle dropdown-toggle-split" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+                </button>
+                <div class="dropdown-menu">
+                    <a class="dropdown-item" href="#" id="clearLogs">Clear Logs</a>
+                </div>
+
+            </div>
+        </div>
+        <div class="col col-md-auto">
+            <div class="btn-group float-right" role="group">
+                <a href="{{ .SyncStatus.Origin.URL }}" target="_blank" class="btn btn-{{ .SyncStatus.Origin.Status }}"
+                   type="button" id="origin"
+                   {{ if .SyncStatus.Origin.Error }} title="{{ .SyncStatus.Origin.Error }}" {{ end }}>Origin {{ .SyncStatus.Origin.Host }}</a>
+                {{ range $i, $r := .SyncStatus.Replicas }}
+                <a href="{{ $r.URL }}" target="_blank" class="btn btn-{{ $r.Status }}"
+                   type="button" id="replica_{{ $i }}"
+                   {{ if $r.Error }} title="{{ $r.Error }}" {{ end }} >Replica {{ $r.Host }}</a>
+                {{ end }}
+            </div>
+        </div>
+    </div>
+    <div class="row  mt-3">
+        <div class="col-12 col-md-12">
+            <div class="stat-card">
+                <pre class="p-3 border"><code id="logs"></code></pre>
+            </div>
+        </div>
+    </div>
+</div>
+<!-- openssl dgst -sha384 -binary popper.min.js | openssl base64 -A  -->
+<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js"
+    integrity="sha384-IQsoLXl5PILFhosVNubq5LC7Qb9DXgDA9i+tQ8Zj3iwWAwPtgFTxbJ8NT4GN1R8p" crossorigin="anonymous">
+</script>
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.min.js"
+    integrity="sha384-0pUGZvbkm6XF6gxjEnlmuGrJXVbNuzT9qBBavbLwCsOGabYfZo0T0to5eqruptLy" crossorigin="anonymous">
+</script>
+{{- if .Metrics }}
+<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.7/dist/chart.umd.min.js"ŝ
+    integrity="sha384-vsrfeLOOY6KuIYKDlmVH5UiBmgIdB1oEf7p01YgWHuqmOHfZr374+odEv96n9tNC" crossorigin="anonymous">
+</script>
+<script>
+    // Function to create minimal line charts
+    function createChart(canvasId, data) {
+        const ctx = document.getElementById(canvasId).getContext('2d');
+
+        const datasets = Array(data.length);
+        for (let i = 0; i < data.length; i++) {
+            datasets[i] = {
+                data: data[i].data,
+                title:  data[i].title,
+                backgroundColor: `rgb(${data[i].r}, ${data[i].g}, ${data[i].b}, 0.2)`,
+                borderColor: `rgb(${data[i].r}, ${data[i].g}, ${data[i].b}, 1)`,
+                borderWidth: 3,
+                fill: data[i].fill,
+                pointRadius: 0,
+            }
+        }
+
+        new Chart(ctx, {
+            type: 'line',
+            data: {
+                labels: {{.Stats.Labels}},
+                datasets: datasets
+            },
+            options: {
+                responsive: true,
+                maintainAspectRatio: false,
+                interaction: {
+                    mode: 'index',
+                    intersect: false,
+                },
+                plugins: {
+                    legend: { display: false },
+                    tooltip: {
+                        enabled: true,
+                        bodyFont: {
+                            size: 20
+                        },
+                        titleFont: {
+                            size: 20
+                        },
+                        displayColors: false,
+                        callbacks: {
+                            label: function(tooltipItem) {
+                                if (tooltipItem.dataset.title) {
+                                    return tooltipItem.raw + " - " + tooltipItem.dataset.title;
+                                }
+                                return tooltipItem.raw;
+                            }
+                        }
+                    }
+                },
+                scales: {
+                    x: { display: false,
+                        title: {
+                            display: true
+                        }
+                    },
+                    y: { display: false,
+                        min: 0,
+                        title: {
+                            display: true
+                        } }
+                }
+            }
+        });
+    }
+
+    createChart('dnsQueriesChart', {{.Stats.DNS}});
+    createChart('blockedFiltersChart', {{.Stats.Blocked}});
+    createChart('malwareChart', {{.Stats.Malware}});
+    createChart('adultWebsitesChart', {{.Stats.Adult}});
+</script>
+{{- end }}
+</body>
+</html>
--- a/pkg/sync/logo.svg
+++ b/pkg/sync/logo.svg
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   version="1.2"
+   viewBox="0 0 1000 1000"
+   id="svg3"
+   sodipodi:docname="adguardhome-sync.svg"
+   inkscape:version="1.4.2 (f4327f4, 2025-05-13)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs3">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 | F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       is_visible="true"
+       lpeversion="1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect18"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,54.646215,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 | F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,54.646212,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="skeletal"
+       id="path-effect13"
+       is_visible="true"
+       lpeversion="1"
+       pattern="m 78.30448,0.02132 c -1.76356,0.0996 -3.48821,0.55822 -5.06836,1.34765 L 5.80252,35.08773 c -18.554321,9.281429 -18.766576,9.393634 0,18.78124 l 67.4336,33.71876 c 8.62996,4.31519 18.78393,-1.9607 18.7832,-11.60938 v -11.5 h 213 c 6.62742,0 12,-5.372583 12,-12 v -16 c 0,-6.627417 -5.37258,-12 -12,-12 h -213 v -11.5 C 92.01887,5.52137 85.74946,-0.40162 78.30448,0.02132 Z"
+       copytype="repeated_stretched"
+       prop_scale="1"
+       scale_y_rel="false"
+       spacing="100"
+       normal_offset="0"
+       tang_offset="0"
+       prop_units="false"
+       vertical_pattern="false"
+       hide_knot="false"
+       fuse_tolerance="0"
+       pattern-nodetypes="cccccccssssccc" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect11"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,12,0,1 @ F,0,1,1,0,12,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect33"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param=""
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch26"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:1;"
+         offset="0"
+         id="stop26" />
+    </linearGradient>
+    <linearGradient
+       id="swatch25"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#407b28;stop-opacity:1;"
+         offset="0"
+         id="stop25" />
+    </linearGradient>
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 500 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="1000 : 500 : 1"
+       inkscape:persp3d-origin="500 : 333.33333 : 1"
+       id="perspective6" />
+    <inkscape:path-effect
+       effect="skeletal"
+       id="path-effect13-9"
+       is_visible="true"
+       lpeversion="1"
+       pattern="m -435.41689,700.31394 -82.73956,27.87776 82.73956,31.49534 v -23.8092 l 434.54687,9.11337 v -33.59902 l -434.54687,9.11337 z"
+       copytype="repeated_stretched"
+       prop_scale="2"
+       scale_y_rel="false"
+       spacing="100"
+       normal_offset="0"
+       tang_offset="0"
+       prop_units="false"
+       vertical_pattern="false"
+       hide_knot="false"
+       fuse_tolerance="0"
+       pattern-nodetypes="sccccccs" />
+  </defs>
+  <sodipodi:namedview
+     id="namedview3"
+     pagecolor="#505050"
+     bordercolor="#eeeeee"
+     borderopacity="1"
+     inkscape:showpageshadow="0"
+     inkscape:pageopacity="0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#505050"
+     inkscape:zoom="0.70710678"
+     inkscape:cx="540.93669"
+     inkscape:cy="502.04582"
+     inkscape:window-width="1556"
+     inkscape:window-height="1360"
+     inkscape:window-x="1868"
+     inkscape:window-y="0"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg3" />
+  <path
+     fill="#68bc71"
+     d="m 993.75002,114.1 c 0,171.8 3.1,595.3 -493.8,885.9 C 3.0500233,709.4 6.2500233,285.9 6.2500233,114.1 159.35002,35.9 345.25002,0 499.95002,0 c 154.7,0 340.6,35.9 493.8,114.1 z"
+     id="path1"
+     inkscape:label="shield" />
+  <path
+     fill="#67b279"
+     d="M500 1000C3.1 709.4 6.2 285.9 6.2 114.1 159.4 35.9 345.3 0 500 0z"
+     id="path2"
+     inkscape:label="half-shield" />
+  <path
+     fill="#ffffff"
+     d="m 225,449.6 c 15,-11.7 80,-53.4 128.3,1.6 L 453.3,569.6 720,297.9 c 11.7,-10 31.7,-23.3 55,-5 L 455,716.2 Z"
+     id="path3"
+     inkscape:label="checkmark"
+     style="display:none" />
+  <circle
+     style="display:none;fill:#ffffff;fill-opacity:0.5;stroke:#ffffff;stroke-width:8e-08;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:100;stroke-dasharray:none;stroke-opacity:0.502604"
+     id="path18"
+     cx="-500"
+     cy="426"
+     r="400"
+     inkscape:label="badge"
+     transform="scale(-1,1)" />
+  <path
+     id="path12-8"
+     style="fill:#ffffff;fill-opacity:1;stroke:#ffffff;stroke-width:4.00001;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:100;stroke-dasharray:none;stroke-opacity:1"
+     d="m -75.867249,555.75073 c -1.469322,-39.92741 -12.296964,-76.43624 -30.823861,-104.61661 -21.05517,28.18037 -47.89663,45.38022 -75.18829,53.68483 l 42.51192,20.42415 c -33.35434,61.94297 -101.60764,105.3289 -167.51689,101.23666 -42.42317,-1.43193 -82.3318,-22.18867 -112.01355,-52.33871 -21.09944,-21.43232 -53.37423,-31.44115 -79.38397,-16.1329 l -10.3958,6.11853 c 43.49744,68.86447 120.54256,113.80911 201.79332,112.04834 87.97224,-4.41047 162.60077,-62.73987 194.96448,-137.74518 z M -537.90127,346.51705 c 1.46924,39.92741 12.29681,76.43626 30.82364,104.61667 21.05523,-28.18031 47.89674,-45.38011 75.18842,-53.68467 l -42.51189,-20.42423 c 33.35441,-61.94281 101.60759,-105.32857 167.51673,-101.23635 42.4233,1.43194 82.33203,22.18879 112.01381,52.33897 21.0994,21.43235 53.37417,31.44124 79.38393,16.13305 l 10.39581,-6.11852 c -43.49739,-68.86468 -120.54264,-113.8095 -201.79355,-112.04872 -87.97208,4.41046 -162.60049,62.73965 -194.96429,137.74477 z"
+     transform="matrix(0,-1.3167476,1.3167476,0,-94.029776,21.910887)"
+     inkscape:label="double-arrow"
+     inkscape:path-effect="#path-effect1"
+     inkscape:original-d="m -75.867249,555.75073 c -1.469322,-39.92741 -12.296964,-76.43624 -30.823861,-104.61661 -21.05517,28.18037 -47.89663,45.38022 -75.18829,53.68483 l 42.51192,20.42415 c -33.35434,61.94297 -101.60764,105.3289 -167.51689,101.23666 -42.42317,-1.43193 -82.3318,-22.18867 -112.01355,-52.33871 -21.09944,-21.43232 -53.37423,-31.44115 -79.38397,-16.1329 l -10.3958,6.11853 c 43.49744,68.86447 120.54256,113.80911 201.79332,112.04834 87.97224,-4.41047 162.60077,-62.73987 194.96448,-137.74518 z M -537.90127,346.51705 c 1.46924,39.92741 12.29681,76.43626 30.82364,104.61667 21.05523,-28.18031 47.89674,-45.38011 75.18842,-53.68467 l -42.51189,-20.42423 c 33.35441,-61.94281 101.60759,-105.32857 167.51673,-101.23635 42.4233,1.43194 82.33203,22.18879 112.01381,52.33897 21.0994,21.43235 53.37417,31.44124 79.38393,16.13305 l 10.39581,-6.11852 c -43.49739,-68.86468 -120.54264,-113.8095 -201.79355,-112.04872 -87.97208,4.41046 -162.60049,62.73965 -194.96429,137.74477 z" />
+</svg>
--- a/pkg/sync/scrape.go
+++ b/pkg/sync/scrape.go
@@ -0,0 +1,51 @@
+package sync
+
+import (
+	"time"
+
+	"github.com/bakito/adguardhome-sync/pkg/metrics"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+)
+
+func (w *worker) startScraping() {
+	metrics.Init()
+	if w.cfg.API.Metrics.ScrapeInterval == 0 {
+		w.cfg.API.Metrics.ScrapeInterval = 30 * time.Second
+	}
+	if w.cfg.API.Metrics.QueryLogLimit == 0 {
+		w.cfg.API.Metrics.QueryLogLimit = 10_000
+	}
+	l.With(
+		"scrape-interval", w.cfg.API.Metrics.ScrapeInterval,
+		"query-log-limit", w.cfg.API.Metrics.QueryLogLimit,
+	).Info("setup metrics")
+	w.scrape()
+	for range time.Tick(w.cfg.API.Metrics.ScrapeInterval) {
+		w.scrape()
+	}
+}
+
+func (w *worker) scrape() {
+	var iml metrics.InstanceMetricsList
+
+	iml.Metrics = append(iml.Metrics, w.getMetrics(*w.cfg.Origin))
+	for _, replica := range w.cfg.Replicas {
+		iml.Metrics = append(iml.Metrics, w.getMetrics(replica))
+	}
+	metrics.UpdateInstances(iml)
+}
+
+func (w *worker) getMetrics(inst types.AdGuardInstance) metrics.InstanceMetrics {
+	var im metrics.InstanceMetrics
+	client, err := w.createClient(inst)
+	if err != nil {
+		l.With("error", err, "url", w.cfg.Origin.URL).Error("Error creating origin client")
+		return im
+	}
+
+	im.HostName = inst.Host
+	im.Status, _ = client.Status()
+	im.Stats, _ = client.Stats()
+	im.QueryLog, _ = client.QueryLog(w.cfg.API.Metrics.QueryLogLimit)
+	return im
+}
--- a/pkg/sync/sync.go
+++ b/pkg/sync/sync.go
@@ -1,50 +1,152 @@
 package sync

 import (
-	"github.com/bakito/adguardhome-sync/pkg/client"
-	"github.com/bakito/adguardhome-sync/pkg/log"
-	"github.com/bakito/adguardhome-sync/pkg/types"
+	"errors"
+	"fmt"
+	"net/http"
+	"runtime"
+	"sort"
+	"time"
+
 	"github.com/robfig/cron/v3"
 	"go.uber.org/zap"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	"github.com/bakito/adguardhome-sync/pkg/log"
+	"github.com/bakito/adguardhome-sync/pkg/metrics"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+	"github.com/bakito/adguardhome-sync/pkg/versions"
+	"github.com/bakito/adguardhome-sync/version"
 )

-var (
-	l = log.GetLogger("sync")
-)
+var l = log.GetLogger("sync")
+
+// Sync config from origin to replica.
+func Sync(cfg *types.Config) error {
+	if cfg.Origin.URL == "" {
+		return errors.New("origin URL is required")
+	}
+
+	if len(cfg.UniqueReplicas()) == 0 {
+		return errors.New("no replicas configured")
+	}
+
+	l.With(
+		"version", version.Version,
+		"build", version.Build,
+		"os", runtime.GOOS,
+		"arch", runtime.GOARCH,
+	).Info("AdGuardHome sync")
+	cfg.Log(l)
+	cfg.Features.LogDisabled(l)
+	cfg.Origin.AutoSetup = false

-// Sync config from origin to replica
-func Sync(cfg *types.Config) {
 	w := &worker{
-		cfg: cfg,
+		cfg:          cfg,
+		createClient: client.New,
 	}
 	if cfg.Cron != "" {
 		w.cron = cron.New()
 		cl := l.With("cron", cfg.Cron)
-		_, err := w.cron.AddFunc(cfg.Cron, func() {
+		sched, err := cron.ParseStandard(cfg.Cron)
+		if err != nil {
+			cl.With("error", err).Error("Error parsing cron expression")
+			return err
+		}
+		cl = cl.With("next-execution", sched.Next(time.Now()))
+		_, err = w.cron.AddFunc(cfg.Cron, func() {
 			w.sync()
 		})
 		if err != nil {
 			cl.With("error", err).Error("Error during cron job setup")
-			return
+			return err
 		}
 		cl.Info("Setup cronjob")
 		if cfg.API.Port != 0 {
 			w.cron.Start()
 		} else {
+			runOnStartAsync(cfg, w)
 			w.cron.Run()
 		}
-	} else {
-		w.sync()
 	}
 	if cfg.API.Port != 0 {
+		runOnStartAsync(cfg, w)
 		w.listenAndServe()
+	} else if cfg.RunOnStart {
+		l.Info("Running sync on startup")
+		w.sync()
+	}
+
+	return nil
+}
+
+func runOnStartAsync(cfg *types.Config, w *worker) {
+	if cfg.RunOnStart {
+		go func() {
+			l.Info("Running sync on startup")
+			w.sync()
+		}()
 	}
 }

 type worker struct {
-	cfg     *types.Config
-	running bool
-	cron    *cron.Cron
+	cfg          *types.Config
+	running      bool
+	cron         *cron.Cron
+	createClient func(instance types.AdGuardInstance) (client.Client, error)
+	actions      []syncAction
+}
+
+func (w *worker) status() *syncStatus {
+	syncStatus := &syncStatus{
+		Origin: w.getStatus(*w.cfg.Origin),
+	}
+
+	for _, replica := range w.cfg.Replicas {
+		st := w.getStatus(replica)
+		if w.running {
+			st.Status = "info"
+		}
+		syncStatus.Replicas = append(syncStatus.Replicas, st)
+	}
+
+	sort.Slice(syncStatus.Replicas, func(i, j int) bool {
+		return syncStatus.Replicas[i].Host < syncStatus.Replicas[j].Host
+	})
+
+	syncStatus.SyncRunning = w.running
+
+	return syncStatus
+}
+
+func (w *worker) getStatus(inst types.AdGuardInstance) replicaStatus {
+	st := replicaStatus{Host: inst.WebHost, URL: inst.WebURL}
+
+	oc, err := w.createClient(inst)
+	if err != nil {
+		l.With("error", err, "url", w.cfg.Origin.URL).Error("Error creating origin client")
+		st.Status = "danger"
+		st.Error = err.Error()
+		return st
+	}
+	sl := l.With("from", inst.WebHost)
+	status, err := oc.Status()
+	if err != nil {
+		if errors.Is(err, client.ErrSetupNeeded) {
+			st.Status = "warning"
+			st.Error = err.Error()
+			return st
+		}
+		sl.With("error", err).Error("Error getting origin status")
+		st.Status = "danger"
+		st.Error = err.Error()
+		return st
+	}
+	st.Status = "success"
+	st.ProtectionEnabled = utils.Ptr(status.ProtectionEnabled)
+	return st
 }

 func (w *worker) sync() {
@@ -53,9 +155,11 @@ func (w *worker) sync() {
 		return
 	}
 	w.running = true
-	defer func() { w.running = false }()
+	defer func() {
+		w.running = false
+	}()

-	oc, err := client.New(w.cfg.Origin)
+	oc, err := w.createClient(*w.cfg.Origin)
 	if err != nil {
 		l.With("error", err, "url", w.cfg.Origin.URL).Error("Error creating origin client")
 		return
@@ -64,28 +168,64 @@ func (w *worker) sync() {
 	sl := l.With("from", oc.Host())

 	o := &origin{}
-
 	o.status, err = oc.Status()
 	if err != nil {
 		sl.With("error", err).Error("Error getting origin status")
 		return
 	}

+	if versions.IsNewerThan(versions.MinAgh, o.status.Version) {
+		sl.With("error", err, "version", o.status.Version).
+			Errorf("Origin AdGuard Home version must be >= %s", versions.MinAgh)
+		return
+	}
+
+	sl.With("version", o.status.Version).Info("Connected to origin")
+
+	o.profileInfo, err = oc.ProfileInfo()
+	if err != nil {
+		sl.With("error", err).Error("Error getting profileInfo info")
+
+		// Workaround for https://github.com/AdguardTeam/AdGuardHome/issues/7987
+		// and https://github.com/AdguardTeam/AdGuardHome/issues/7985
+
+		clientErr := &client.Error{}
+		if !w.cfg.ContinueOnError || !errors.As(err, &clientErr) || clientErr.Code() != http.StatusUnauthorized {
+			return
+		}
+	}
+
+	o.parental, err = oc.Parental()
+	if err != nil {
+		sl.With("error", err).Error("Error getting parental status")
+		return
+	}
+	o.safeSearch, err = oc.SafeSearchConfig()
+	if err != nil {
+		sl.With("error", err).Error("Error getting safe search status")
+		return
+	}
+	o.safeBrowsing, err = oc.SafeBrowsing()
+	if err != nil {
+		sl.With("error", err).Error("Error getting safe browsing status")
+		return
+	}
+
 	o.rewrites, err = oc.RewriteList()
 	if err != nil {
 		sl.With("error", err).Error("Error getting origin rewrites")
 		return
 	}

-	o.services, err = oc.Services()
+	o.blockedServicesSchedule, err = oc.BlockedServicesSchedule()
 	if err != nil {
-		sl.With("error", err).Error("Error getting origin services")
+		sl.With("error", err).Error("Error getting origin blocked services schedule")
 		return
 	}

 	o.filters, err = oc.Filtering()
 	if err != nil {
-		sl.With("error", err).Error("Error getting origin filters")
+		sl.With("error", err).Error("Error getting origin actionFilters")
 		return
 	}
 	o.clients, err = oc.Clients()
@@ -93,6 +233,46 @@ func (w *worker) sync() {
 		sl.With("error", err).Error("Error getting origin clients")
 		return
 	}
+	o.queryLogConfig, err = oc.QueryLogConfig()
+	if err != nil {
+		sl.With("error", err).Error("Error getting query log config")
+		return
+	}
+	o.statsConfig, err = oc.StatsConfig()
+	if err != nil {
+		sl.With("error", err).Error("Error getting stats config")
+		return
+	}
+
+	o.accessList, err = oc.AccessList()
+	if err != nil {
+		sl.With("error", err).Error("Error getting access list")
+		return
+	}
+
+	o.dnsConfig, err = oc.DNSConfig()
+	if err != nil {
+		sl.With("error", err).Error("Error getting dns config")
+		return
+	}
+
+	if w.cfg.Features.DHCP.ServerConfig || w.cfg.Features.DHCP.StaticLeases {
+		o.dhcpServerConfig, err = oc.DhcpConfig()
+		if err != nil {
+			sl.With("error", err).Error("Error getting dhcp server config")
+			return
+		}
+	}
+
+	if w.cfg.Features.TLSConfig {
+		o.tlsConfig, err = oc.TLSConfig()
+		if err != nil {
+			sl.With("error", err).Error("Error getting tls config")
+			return
+		}
+	}
+
+	w.actions = setupActions(w.cfg)

 	replicas := w.cfg.UniqueReplicas()
 	for _, replica := range replicas {
@@ -101,155 +281,101 @@ func (w *worker) sync() {
 }

 func (w *worker) syncTo(l *zap.SugaredLogger, o *origin, replica types.AdGuardInstance) {
-
-	rc, err := client.New(replica)
+	rc, err := w.createClient(replica)
 	if err != nil {
 		l.With("error", err, "url", replica.URL).Error("Error creating replica client")
+		return
 	}

 	rl := l.With("to", rc.Host())
 	rl.Info("Start sync")
+	start := time.Now()
+	withError := false
+	delta := time.Since(start).Seconds()
+	defer func() {
+		metrics.UpdateResult(rc.Host(), !withError, delta)
+		doneLog := rl.With("duration", fmt.Sprintf("%vs", delta))
+		if withError {
+			doneLog.Error("Sync done")
+		} else {
+			doneLog.Info("Sync done")
+		}
+	}()

+	replicaStatus, err := w.statusWithSetup(rl, replica, rc)
+	if err != nil {
+		rl.With("error", err).Error("Error getting replica status")
+		withError = true
+		return
+	}
+
+	rl.With("version", replicaStatus.Version).Info("Connected to replica")
+
+	if versions.IsNewerThan(versions.MinAgh, replicaStatus.Version) {
+		rl.With("error", err, "version", replicaStatus.Version).
+			Errorf("Replica AdGuard Home version must be >= %s", versions.MinAgh)
+		withError = true
+		return
+	}
+
+	if o.status.Version != replicaStatus.Version {
+		rl.With("originVersion", o.status.Version, "replicaVersion", replicaStatus.Version).
+			Warn("Versions do not match")
+	}
+
+	ac := &actionContext{
+		cfg:           w.cfg,
+		rl:            rl,
+		origin:        o,
+		replicaStatus: replicaStatus,
+		client:        rc,
+		replica:       replica,
+	}
+
+	for _, action := range w.actions {
+		if err := action.sync(ac); err != nil {
+			rl.With("error", err).Errorf("Error syncing %s", action.name())
+			withError = true
+			if !w.cfg.ContinueOnError {
+				return
+			}
+		}
+	}
+}
+
+func (w *worker) statusWithSetup(
+	rl *zap.SugaredLogger,
+	replica types.AdGuardInstance,
+	rc client.Client,
+) (*model.ServerStatus, error) {
 	rs, err := rc.Status()
 	if err != nil {
-		l.With("error", err).Error("Error getting replica status")
-		return
-	}
-
-	if o.status.Version != rs.Version {
-		l.With("originVersion", o.status.Version, "replicaVersion", rs.Version).Warn("Versions do not match")
-	}
-
-	err = w.syncRewrites(o.rewrites, rc)
-	if err != nil {
-		l.With("error", err).Error("Error syncing rewrites")
-		return
-	}
-	err = w.syncFilters(o.filters, rc)
-	if err != nil {
-		l.With("error", err).Error("Error syncing filters")
-		return
-	}
-
-	err = w.syncServices(o.services, rc)
-	if err != nil {
-		l.With("error", err).Error("Error syncing services")
-		return
-	}
-
-	if err = w.syncClients(o.clients, rc); err != nil {
-		l.With("error", err).Error("Error syncing clients")
-		return
-	}
-
-	rl.Info("Sync done")
-}
-
-func (w *worker) syncServices(os *types.Services, replica client.Client) error {
-	rs, err := replica.Services()
-	if err != nil {
-		return err
-	}
-
-	if !os.Equals(rs) {
-		if err := replica.SetServices(*os); err != nil {
-			return err
+		if replica.AutoSetup && errors.Is(err, client.ErrSetupNeeded) {
+			if serr := rc.Setup(); serr != nil {
+				rl.With("error", serr).Error("Error setup AdGuardHome")
+				return nil, err
+			}
+			return rc.Status()
 		}
+		return nil, err
 	}
-	return nil
-}
-
-func (w *worker) syncFilters(of *types.FilteringStatus, replica client.Client) error {
-	rf, err := replica.Filtering()
-	if err != nil {
-		return err
-	}
-
-	fa, fd := rf.Filters.Merge(of.Filters)
-
-	if err = replica.AddFilters(false, fa...); err != nil {
-		return err
-	}
-
-	if len(fa) > 0 {
-		if err = replica.RefreshFilters(false); err != nil {
-			return err
-		}
-	}
-
-	if err = replica.DeleteFilters(false, fd...); err != nil {
-		return err
-	}
-
-	fa, fd = rf.WhitelistFilters.Merge(of.WhitelistFilters)
-	if err = replica.AddFilters(true, fa...); err != nil {
-		return err
-	}
-
-	if len(fa) > 0 {
-		if err = replica.RefreshFilters(true); err != nil {
-			return err
-		}
-	}
-
-	if err = replica.DeleteFilters(true, fd...); err != nil {
-		return err
-	}
-
-	if of.UserRules.String() != rf.UserRules.String() {
-		return replica.SetCustomRules(of.UserRules)
-	}
-
-	if of.Enabled != rf.Enabled || of.Interval != rf.Interval {
-		if err = replica.ToggleFiltering(of.Enabled, of.Interval); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (w *worker) syncRewrites(or *types.RewriteEntries, replica client.Client) error {
-
-	replicaRewrites, err := replica.RewriteList()
-	if err != nil {
-		return err
-	}
-
-	a, r := replicaRewrites.Merge(or)
-
-	if err = replica.AddRewriteEntries(a...); err != nil {
-		return err
-	}
-	if err = replica.DeleteRewriteEntries(r...); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (w *worker) syncClients(oc *types.Clients, replica client.Client) error {
-	rc, err := replica.Clients()
-	if err != nil {
-		return err
-	}
-
-	a, u, r := rc.Merge(oc)
-
-	if err = replica.AddClients(a...); err != nil {
-		return err
-	}
-	if err = replica.UpdateClients(u...); err != nil {
-		return err
-	}
-	if err = replica.DeleteClients(r...); err != nil {
-		return err
-	}
-	return nil
+	return rs, err
 }

 type origin struct {
-	status   *types.Status
-	rewrites *types.RewriteEntries
-	services *types.Services
-	filters  *types.FilteringStatus
-	clients  *types.Clients
+	status                  *model.ServerStatus
+	rewrites                *model.RewriteEntries
+	blockedServicesSchedule *model.BlockedServicesSchedule
+	filters                 *model.FilterStatus
+	clients                 *model.Clients
+	queryLogConfig          *model.QueryLogConfigWithIgnored
+	statsConfig             *model.GetStatsConfigResponse
+	accessList              *model.AccessList
+	dnsConfig               *model.DNSConfig
+	dhcpServerConfig        *model.DhcpStatus
+	parental                bool
+	safeSearch              *model.SafeSearchConfig
+	profileInfo             *model.ProfileInfo
+	safeBrowsing            bool
+	tlsConfig               *model.TlsConfig
 }
--- a/pkg/sync/sync_suite_test.go
+++ b/pkg/sync/sync_suite_test.go
@@ -0,0 +1,13 @@
+package sync_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestSync(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Sync Suite")
+}
--- a/pkg/sync/sync_test.go
+++ b/pkg/sync/sync_test.go
@@ -0,0 +1,713 @@
+package sync
+
+import (
+	"errors"
+
+	"github.com/google/uuid"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	gm "go.uber.org/mock/gomock"
+
+	"github.com/bakito/adguardhome-sync/pkg/client"
+	"github.com/bakito/adguardhome-sync/pkg/client/model"
+	clientmock "github.com/bakito/adguardhome-sync/pkg/mocks/client"
+	"github.com/bakito/adguardhome-sync/pkg/types"
+	"github.com/bakito/adguardhome-sync/pkg/utils"
+	"github.com/bakito/adguardhome-sync/pkg/versions"
+)
+
+var _ = Describe("Sync", func() {
+	var (
+		mockCtrl *gm.Controller
+		cl       *clientmock.MockClient
+		w        *worker
+		te       error
+		ac       *actionContext
+	)
+
+	BeforeEach(func() {
+		mockCtrl = gm.NewController(GinkgoT())
+		cl = clientmock.NewMockClient(mockCtrl)
+		w = &worker{
+			createClient: func(instance types.AdGuardInstance) (client.Client, error) {
+				return cl, nil
+			},
+			cfg: &types.Config{
+				Features: types.Features{
+					DHCP: types.DHCP{
+						ServerConfig: true,
+						StaticLeases: true,
+					},
+					DNS: types.DNS{
+						ServerConfig: true,
+						Rewrites:     true,
+						AccessLists:  true,
+					},
+					Filters:         true,
+					ClientSettings:  true,
+					Services:        true,
+					GeneralSettings: true,
+					StatsConfig:     true,
+					QueryLogConfig:  true,
+					Theme:           true,
+				},
+				Replicas: []types.AdGuardInstance{
+					{},
+				},
+			},
+		}
+		te = errors.New(uuid.NewString())
+
+		ac = &actionContext{
+			cfg: w.cfg,
+			rl:  l,
+			origin: &origin{
+				profileInfo: &model.ProfileInfo{
+					Name:     "origin",
+					Language: "en",
+					Theme:    "auto",
+				},
+				status:         &model.ServerStatus{},
+				safeSearch:     &model.SafeSearchConfig{},
+				queryLogConfig: &model.QueryLogConfigWithIgnored{},
+				statsConfig:    &model.PutStatsConfigUpdateRequest{},
+			},
+			replicaStatus: &model.ServerStatus{},
+			client:        cl,
+			replica:       w.cfg.Replicas[0],
+		}
+	})
+	AfterEach(func() {
+		defer mockCtrl.Finish()
+	})
+
+	Context("worker", func() {
+		Context("actionDNSRewrites", func() {
+			var (
+				domain string
+				answer string
+				reO    model.RewriteEntries
+				reR    model.RewriteEntries
+			)
+
+			BeforeEach(func() {
+				domain = uuid.NewString()
+				answer = uuid.NewString()
+				reO = model.RewriteEntries{{Domain: utils.Ptr(domain), Answer: utils.Ptr(answer)}}
+				reR = model.RewriteEntries{{Domain: utils.Ptr(domain), Answer: utils.Ptr(answer)}}
+			})
+			It("should have no changes (empty slices)", func() {
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().AddRewriteEntries()
+				cl.EXPECT().DeleteRewriteEntries()
+				err := actionDNSRewrites(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should add one rewrite entry", func() {
+				reR = []model.RewriteEntry{}
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().AddRewriteEntries(reO[0])
+				cl.EXPECT().DeleteRewriteEntries()
+				err := actionDNSRewrites(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should remove one rewrite entry", func() {
+				reO = []model.RewriteEntry{}
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().AddRewriteEntries()
+				cl.EXPECT().DeleteRewriteEntries(reR[0])
+				err := actionDNSRewrites(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should remove one rewrite entry", func() {
+				reO = []model.RewriteEntry{}
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().AddRewriteEntries()
+				cl.EXPECT().DeleteRewriteEntries(reR[0])
+				err := actionDNSRewrites(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should return error when error on RewriteList()", func() {
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(nil, te)
+				err := actionDNSRewrites(ac)
+				Ω(err).Should(HaveOccurred())
+			})
+			It("should return error when error on AddRewriteEntries()", func() {
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().DeleteRewriteEntries()
+				cl.EXPECT().AddRewriteEntries().Return(te)
+				err := actionDNSRewrites(ac)
+				Ω(err).Should(HaveOccurred())
+			})
+			It("should return error when error on DeleteRewriteEntries()", func() {
+				ac.origin.rewrites = &reO
+				cl.EXPECT().RewriteList().Return(&reR, nil)
+				cl.EXPECT().DeleteRewriteEntries().Return(te)
+				err := actionDNSRewrites(ac)
+				Ω(err).Should(HaveOccurred())
+			})
+		})
+		Context("actionClientSettings", func() {
+			var (
+				clR  *model.Clients
+				name string
+			)
+			BeforeEach(func() {
+				name = uuid.NewString()
+				ac.origin.clients = &model.Clients{Clients: &model.ClientsArray{{Name: utils.Ptr(name)}}}
+				clR = &model.Clients{Clients: &model.ClientsArray{{Name: utils.Ptr(name)}}}
+			})
+			It("should have no changes (empty slices)", func() {
+				cl.EXPECT().Clients().Return(clR, nil)
+				err := actionClientSettings(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should add one client", func() {
+				clR.Clients = &model.ClientsArray{}
+				cl.EXPECT().Clients().Return(clR, nil)
+				cl.EXPECT().AddClient(&(*ac.origin.clients.Clients)[0])
+				err := actionClientSettings(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should update one client", func() {
+				(*clR.Clients)[0].FilteringEnabled = utils.Ptr(true)
+				cl.EXPECT().Clients().Return(clR, nil)
+				cl.EXPECT().UpdateClient(&(*ac.origin.clients.Clients)[0])
+				err := actionClientSettings(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should delete one client", func() {
+				ac.origin.clients.Clients = &model.ClientsArray{}
+				cl.EXPECT().Clients().Return(clR, nil)
+				cl.EXPECT().DeleteClient(&(*clR.Clients)[0])
+				err := actionClientSettings(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should return error when error on Clients()", func() {
+				cl.EXPECT().Clients().Return(nil, te)
+				err := actionClientSettings(ac)
+				Ω(err).Should(HaveOccurred())
+			})
+		})
+		Context("actionParental", func() {
+			It("should have no changes", func() {
+				cl.EXPECT().Parental()
+				err := actionParental(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have parental enabled changes", func() {
+				ac.origin.parental = true
+				cl.EXPECT().Parental()
+				cl.EXPECT().ToggleParental(true)
+				err := actionParental(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("actionProtection", func() {
+			It("should have no changes", func() {
+				err := actionProtection(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have protection enabled changes", func() {
+				ac.origin.status.ProtectionEnabled = true
+				cl.EXPECT().ToggleProtection(true)
+				err := actionProtection(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("actionSafeSearchConfig", func() {
+			It("should have no changes", func() {
+				cl.EXPECT().SafeSearchConfig().Return(ac.origin.safeSearch, nil)
+
+				err := actionSafeSearchConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have safeSearch enabled changes", func() {
+				ac.origin.safeSearch = &model.SafeSearchConfig{Enabled: utils.Ptr(true)}
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SetSafeSearchConfig(ac.origin.safeSearch)
+				err := actionSafeSearchConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have Duckduckgo safeSearch enabled changed", func() {
+				ac.origin.safeSearch = &model.SafeSearchConfig{Duckduckgo: utils.Ptr(true)}
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{Google: utils.Ptr(true)}, nil)
+				cl.EXPECT().SetSafeSearchConfig(ac.origin.safeSearch)
+				err := actionSafeSearchConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("actionProfileInfo", func() {
+			It("should have no changes", func() {
+				cl.EXPECT().ProfileInfo().Return(ac.origin.profileInfo, nil)
+				err := actionProfileInfo(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have profileInfo language changed", func() {
+				ac.origin.profileInfo.Language = "de"
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{Name: "replica", Language: "en"}, nil)
+				cl.EXPECT().SetProfileInfo(&model.ProfileInfo{
+					Language: "de",
+					Name:     "replica",
+					Theme:    "auto",
+				})
+				err := actionProfileInfo(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should not change theme if feature is disabled", func() {
+				ac.origin.profileInfo.Language = "de"
+				ac.cfg.Features.Theme = false
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{Name: "replica", Language: "en"}, nil)
+				cl.EXPECT().SetProfileInfo(&model.ProfileInfo{
+					Language: "de",
+					Name:     "replica",
+					Theme:    "",
+				})
+				err := actionProfileInfo(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should not sync profileInfo if language is not set", func() {
+				ac.origin.profileInfo.Language = ""
+				cl.EXPECT().
+					ProfileInfo().
+					Return(&model.ProfileInfo{Name: "replica", Language: "en", Theme: "auto"}, nil)
+				cl.EXPECT().SetProfileInfo(ac.origin.profileInfo).Times(0)
+				err := actionProfileInfo(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should not sync profileInfo if theme is not set", func() {
+				ac.origin.profileInfo.Theme = ""
+				cl.EXPECT().
+					ProfileInfo().
+					Return(&model.ProfileInfo{Name: "replica", Language: "en", Theme: "auto"}, nil)
+				cl.EXPECT().SetProfileInfo(ac.origin.profileInfo).Times(0)
+				err := actionProfileInfo(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("actionSafeBrowsing", func() {
+			It("should have no changes", func() {
+				cl.EXPECT().SafeBrowsing()
+				err := actionSafeBrowsing(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+
+			It("should have safeBrowsing enabled changes", func() {
+				ac.origin.safeBrowsing = true
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().ToggleSafeBrowsing(true)
+				err := actionSafeBrowsing(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("actionQueryLogConfig", func() {
+			var qlc *model.QueryLogConfigWithIgnored
+			BeforeEach(func() {
+				qlc = &model.QueryLogConfigWithIgnored{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().QueryLogConfig().Return(qlc, nil)
+				err := actionQueryLogConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have QueryLogConfig changes", func() {
+				var interval model.QueryLogConfigInterval = 123
+				ac.origin.queryLogConfig.Interval = &interval
+				cl.EXPECT().QueryLogConfig().Return(qlc, nil)
+				cl.EXPECT().
+					SetQueryLogConfig(&model.QueryLogConfigWithIgnored{QueryLogConfig: model.QueryLogConfig{AnonymizeClientIp: nil, Interval: &interval, Enabled: nil}})
+				err := actionQueryLogConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("syncConfigs", func() {
+			var sc *model.PutStatsConfigUpdateRequest
+			BeforeEach(func() {
+				sc = &model.PutStatsConfigUpdateRequest{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().StatsConfig().Return(sc, nil)
+				err := actionStatsConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have StatsConfig changes", func() {
+				var interval float32 = 123
+				ac.origin.statsConfig.Interval = interval
+				cl.EXPECT().StatsConfig().Return(sc, nil)
+				cl.EXPECT().SetStatsConfig(&model.PutStatsConfigUpdateRequest{Interval: interval})
+				err := actionStatsConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("statusWithSetup", func() {
+			var (
+				status *model.ServerStatus
+				inst   types.AdGuardInstance
+			)
+			BeforeEach(func() {
+				status = &model.ServerStatus{}
+				inst = types.AdGuardInstance{
+					AutoSetup: true,
+				}
+			})
+			It("should get the replica status", func() {
+				cl.EXPECT().Status().Return(status, nil)
+				st, err := w.statusWithSetup(l, inst, cl)
+				Ω(err).ShouldNot(HaveOccurred())
+				Ω(st).Should(Equal(status))
+			})
+			It("should runs setup before getting replica status", func() {
+				cl.EXPECT().Status().Return(nil, client.ErrSetupNeeded)
+				cl.EXPECT().Setup()
+				cl.EXPECT().Status().Return(status, nil)
+				st, err := w.statusWithSetup(l, inst, cl)
+				Ω(err).ShouldNot(HaveOccurred())
+				Ω(st).Should(Equal(status))
+			})
+			It("should fail on setup", func() {
+				cl.EXPECT().Status().Return(nil, client.ErrSetupNeeded)
+				cl.EXPECT().Setup().Return(te)
+				st, err := w.statusWithSetup(l, inst, cl)
+				Ω(err).Should(HaveOccurred())
+				Ω(st).Should(BeNil())
+			})
+		})
+		Context("actionBlockedServicesSchedule", func() {
+			var rbss *model.BlockedServicesSchedule
+			BeforeEach(func() {
+				ac.origin.blockedServicesSchedule = &model.BlockedServicesSchedule{}
+				rbss = &model.BlockedServicesSchedule{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().BlockedServicesSchedule().Return(ac.origin.blockedServicesSchedule, nil)
+				err := actionBlockedServicesSchedule(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have blockedServices schedule changes", func() {
+				ac.origin.blockedServicesSchedule = &model.BlockedServicesSchedule{Ids: utils.Ptr([]string{"bar"})}
+
+				cl.EXPECT().BlockedServicesSchedule().Return(rbss, nil)
+				cl.EXPECT().SetBlockedServicesSchedule(ac.origin.blockedServicesSchedule)
+				err := actionBlockedServicesSchedule(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+		Context("syncFilters", func() {
+			var rf *model.FilterStatus
+			BeforeEach(func() {
+				ac.origin.filters = &model.FilterStatus{}
+				rf = &model.FilterStatus{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().Filtering().Return(rf, nil)
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have changes user roles", func() {
+				ac.origin.filters.UserRules = utils.Ptr([]string{"foo"})
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().SetCustomRules(ac.origin.filters.UserRules)
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have changed filtering config", func() {
+				ac.origin.filters.Enabled = utils.Ptr(true)
+				ac.origin.filters.Interval = utils.Ptr(123)
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().ToggleFiltering(*ac.origin.filters.Enabled, *ac.origin.filters.Interval)
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should add a filter", func() {
+				ac.origin.filters.Filters = utils.Ptr([]model.Filter{{Name: "foo", Url: "https://foo.bar"}})
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().AddFilter(false, model.Filter{Name: "foo", Url: "https://foo.bar"})
+				cl.EXPECT().RefreshFilters(gm.Any())
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should delete a filter", func() {
+				rf.Filters = utils.Ptr([]model.Filter{{Name: "foo", Url: "https://foo.bar"}})
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().DeleteFilter(false, model.Filter{Name: "foo", Url: "https://foo.bar"})
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should update a filter", func() {
+				ac.origin.filters.Filters = utils.Ptr(
+					[]model.Filter{{Name: "foo", Url: "https://foo.bar", Enabled: true}},
+				)
+				rf.Filters = utils.Ptr([]model.Filter{{Name: "foo", Url: "https://foo.bar"}})
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().UpdateFilter(false, model.Filter{Name: "foo", Url: "https://foo.bar", Enabled: true})
+				cl.EXPECT().RefreshFilters(gm.Any())
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+
+			It("should abort after failed added filter", func() {
+				ac.cfg.ContinueOnError = false
+				ac.origin.filters.Filters = utils.Ptr([]model.Filter{{Name: "foo", Url: "https://foo.bar"}})
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().
+					AddFilter(false, model.Filter{Name: "foo", Url: "https://foo.bar"}).
+					Return(errors.New("test failure"))
+				err := actionFilters(ac)
+				Ω(err).Should(HaveOccurred())
+			})
+
+			It("should continue after failed added filter", func() {
+				ac.cfg.ContinueOnError = true
+				ac.origin.filters.Filters = utils.Ptr(
+					[]model.Filter{{Name: "foo", Url: "https://foo.bar"}, {Name: "bar", Url: "https://bar.foo"}},
+				)
+				cl.EXPECT().Filtering().Return(rf, nil)
+				cl.EXPECT().
+					AddFilter(false, model.Filter{Name: "foo", Url: "https://foo.bar"}).
+					Return(errors.New("test failure"))
+				cl.EXPECT().AddFilter(false, model.Filter{Name: "bar", Url: "https://bar.foo"})
+				cl.EXPECT().RefreshFilters(gm.Any())
+				err := actionFilters(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+
+		Context("actionDNSAccessLists", func() {
+			var ral *model.AccessList
+			BeforeEach(func() {
+				ac.origin.accessList = &model.AccessList{}
+				ral = &model.AccessList{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().AccessList().Return(ral, nil)
+				err := actionDNSAccessLists(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have access list changes", func() {
+				ral.BlockedHosts = utils.Ptr([]string{"foo"})
+				cl.EXPECT().AccessList().Return(ral, nil)
+				cl.EXPECT().SetAccessList(ac.origin.accessList)
+				err := actionDNSAccessLists(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+
+		Context("actionDNSServerConfig", func() {
+			var rdc *model.DNSConfig
+			BeforeEach(func() {
+				ac.origin.dnsConfig = &model.DNSConfig{}
+				rdc = &model.DNSConfig{}
+			})
+			It("should have no changes", func() {
+				cl.EXPECT().DNSConfig().Return(rdc, nil)
+				err := actionDNSServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have dns config changes", func() {
+				rdc.BootstrapDns = utils.Ptr([]string{"foo"})
+				cl.EXPECT().DNSConfig().Return(rdc, nil)
+				cl.EXPECT().SetDNSConfig(ac.origin.dnsConfig)
+				err := actionDNSServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+
+		Context("actionDHCPServerConfig", func() {
+			var rsc *model.DhcpStatus
+			BeforeEach(func() {
+				ac.origin.dhcpServerConfig = &model.DhcpStatus{
+					V4: &model.DhcpConfigV4{
+						GatewayIp:  utils.Ptr("1.2.3.4"),
+						RangeStart: utils.Ptr("1.2.3.5"),
+						RangeEnd:   utils.Ptr("1.2.3.6"),
+						SubnetMask: utils.Ptr("255.255.255.0"),
+					},
+				}
+				rsc = &model.DhcpStatus{}
+				w.cfg.Features.DHCP.StaticLeases = false
+			})
+			It("should have no changes", func() {
+				rsc.V4 = ac.origin.dhcpServerConfig.V4
+				cl.EXPECT().DhcpConfig().Return(rsc, nil)
+				err := actionDHCPServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should have changes", func() {
+				rsc.Enabled = utils.Ptr(true)
+				cl.EXPECT().DhcpConfig().Return(rsc, nil)
+				cl.EXPECT().SetDhcpConfig(ac.origin.dhcpServerConfig)
+				err := actionDHCPServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should use replica interface name", func() {
+				ac.replica.InterfaceName = "foo"
+				cl.EXPECT().DhcpConfig().Return(rsc, nil)
+				oscClone := ac.origin.dhcpServerConfig.Clone()
+				oscClone.InterfaceName = utils.Ptr("foo")
+				cl.EXPECT().SetDhcpConfig(oscClone)
+				err := actionDHCPServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should enable the target dhcp server", func() {
+				ac.replica.DHCPServerEnabled = utils.Ptr(true)
+				cl.EXPECT().DhcpConfig().Return(rsc, nil)
+				oscClone := ac.origin.dhcpServerConfig.Clone()
+				oscClone.Enabled = utils.Ptr(true)
+				cl.EXPECT().SetDhcpConfig(oscClone)
+				err := actionDHCPServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+			It("should not sync empty IPv4", func() {
+				ac.replica.DHCPServerEnabled = utils.Ptr(false)
+				ac.origin.dhcpServerConfig.V4 = &model.DhcpConfigV4{
+					GatewayIp: utils.Ptr(""),
+				}
+				err := actionDHCPServerConfig(ac)
+				Ω(err).ShouldNot(HaveOccurred())
+			})
+		})
+
+		Context("sync", func() {
+			BeforeEach(func() {
+				w.cfg = &types.Config{
+					Origin:  &types.AdGuardInstance{},
+					Replica: &types.AdGuardInstance{URL: "foo"},
+					Features: types.Features{
+						DHCP: types.DHCP{
+							ServerConfig: true,
+							StaticLeases: true,
+						},
+						DNS: types.DNS{
+							ServerConfig: true,
+							Rewrites:     true,
+							AccessLists:  true,
+						},
+						Filters:         true,
+						ClientSettings:  true,
+						Services:        true,
+						GeneralSettings: true,
+						StatsConfig:     true,
+						QueryLogConfig:  true,
+						TLSConfig:       true,
+					},
+				}
+			})
+			It("should have no changes", func() {
+				// origin
+				cl.EXPECT().Host().Times(2)
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: versions.MinAgh}, nil)
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{}, nil)
+				cl.EXPECT().Parental()
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().RewriteList().Return(&model.RewriteEntries{}, nil)
+				cl.EXPECT().BlockedServicesSchedule()
+				cl.EXPECT().Filtering().Return(&model.FilterStatus{}, nil)
+				cl.EXPECT().Clients().Return(&model.Clients{}, nil)
+				cl.EXPECT().QueryLogConfig().Return(&model.QueryLogConfigWithIgnored{}, nil)
+				cl.EXPECT().StatsConfig().Return(&model.PutStatsConfigUpdateRequest{}, nil)
+				cl.EXPECT().AccessList().Return(&model.AccessList{}, nil)
+				cl.EXPECT().DNSConfig().Return(&model.DNSConfig{}, nil)
+				cl.EXPECT().DhcpConfig().Return(&model.DhcpStatus{}, nil)
+				cl.EXPECT().TLSConfig().Return(&model.TlsConfig{}, nil)
+
+				// replica
+				cl.EXPECT().Host()
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: versions.MinAgh}, nil)
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{}, nil)
+				cl.EXPECT().Parental()
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().QueryLogConfig().Return(&model.QueryLogConfigWithIgnored{}, nil)
+				cl.EXPECT().StatsConfig().Return(&model.PutStatsConfigUpdateRequest{}, nil)
+				cl.EXPECT().RewriteList().Return(&model.RewriteEntries{}, nil)
+				cl.EXPECT().AddRewriteEntries()
+				cl.EXPECT().DeleteRewriteEntries()
+				cl.EXPECT().Filtering().Return(&model.FilterStatus{}, nil)
+				cl.EXPECT().BlockedServicesSchedule()
+				cl.EXPECT().Clients().Return(&model.Clients{}, nil)
+				cl.EXPECT().AccessList().Return(&model.AccessList{}, nil)
+				cl.EXPECT().DNSConfig().Return(&model.DNSConfig{}, nil)
+				cl.EXPECT().DhcpConfig().Return(&model.DhcpStatus{}, nil)
+				cl.EXPECT().TLSConfig().Return(&model.TlsConfig{}, nil)
+				w.sync()
+			})
+			It("should not sync DHCP", func() {
+				w.cfg.Features.DHCP.ServerConfig = false
+				w.cfg.Features.DHCP.StaticLeases = false
+				// origin
+				cl.EXPECT().Host().Times(2)
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: versions.MinAgh}, nil)
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{}, nil)
+				cl.EXPECT().Parental()
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().RewriteList().Return(&model.RewriteEntries{}, nil)
+				cl.EXPECT().BlockedServicesSchedule()
+				cl.EXPECT().Filtering().Return(&model.FilterStatus{}, nil)
+				cl.EXPECT().Clients().Return(&model.Clients{}, nil)
+				cl.EXPECT().QueryLogConfig().Return(&model.QueryLogConfigWithIgnored{}, nil)
+				cl.EXPECT().StatsConfig().Return(&model.PutStatsConfigUpdateRequest{}, nil)
+				cl.EXPECT().AccessList().Return(&model.AccessList{}, nil)
+				cl.EXPECT().DNSConfig().Return(&model.DNSConfig{}, nil)
+				cl.EXPECT().TLSConfig().Return(&model.TlsConfig{}, nil)
+
+				// replica
+				cl.EXPECT().Host()
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: versions.MinAgh}, nil)
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{}, nil)
+				cl.EXPECT().Parental()
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().QueryLogConfig().Return(&model.QueryLogConfigWithIgnored{}, nil)
+				cl.EXPECT().StatsConfig().Return(&model.PutStatsConfigUpdateRequest{}, nil)
+				cl.EXPECT().RewriteList().Return(&model.RewriteEntries{}, nil)
+				cl.EXPECT().AddRewriteEntries()
+				cl.EXPECT().DeleteRewriteEntries()
+				cl.EXPECT().Filtering().Return(&model.FilterStatus{}, nil)
+				cl.EXPECT().BlockedServicesSchedule()
+				cl.EXPECT().Clients().Return(&model.Clients{}, nil)
+				cl.EXPECT().AccessList().Return(&model.AccessList{}, nil)
+				cl.EXPECT().DNSConfig().Return(&model.DNSConfig{}, nil)
+				cl.EXPECT().TLSConfig().Return(&model.TlsConfig{}, nil)
+				w.sync()
+			})
+			It("origin version is too small", func() {
+				// origin
+				cl.EXPECT().Host()
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: "v0.106.9"}, nil)
+				w.sync()
+			})
+			It("replica version is too small", func() {
+				// origin
+				cl.EXPECT().Host()
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: versions.MinAgh}, nil)
+				cl.EXPECT().ProfileInfo().Return(&model.ProfileInfo{}, nil)
+				cl.EXPECT().Parental()
+				cl.EXPECT().SafeSearchConfig().Return(&model.SafeSearchConfig{}, nil)
+				cl.EXPECT().SafeBrowsing()
+				cl.EXPECT().RewriteList().Return(&model.RewriteEntries{}, nil)
+				cl.EXPECT().BlockedServicesSchedule()
+				cl.EXPECT().Filtering().Return(&model.FilterStatus{}, nil)
+				cl.EXPECT().Clients().Return(&model.Clients{}, nil)
+				cl.EXPECT().QueryLogConfig().Return(&model.QueryLogConfigWithIgnored{}, nil)
+				cl.EXPECT().StatsConfig().Return(&model.PutStatsConfigUpdateRequest{}, nil)
+				cl.EXPECT().AccessList().Return(&model.AccessList{}, nil)
+				cl.EXPECT().DNSConfig().Return(&model.DNSConfig{}, nil)
+				cl.EXPECT().DhcpConfig().Return(&model.DhcpStatus{}, nil)
+				cl.EXPECT().TLSConfig().Return(&model.TlsConfig{}, nil)
+
+				// replica
+				cl.EXPECT().Host().Times(2)
+				cl.EXPECT().Status().Return(&model.ServerStatus{Version: "v0.106.9"}, nil)
+				w.sync()
+			})
+		})
+	})
+})
--- a/pkg/test/matchers/matchers.go
+++ b/pkg/test/matchers/matchers.go
@@ -0,0 +1,44 @@
+package matchers
+
+import (
+	"strings"
+
+	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/types"
+)
+
+type equalIgnoringLineEndingsMatcher struct {
+	expected string
+}
+
+func (matcher *equalIgnoringLineEndingsMatcher) Match(actual any) (success bool, err error) {
+	actualStr, ok := actual.(string)
+	if !ok {
+		return false, nil
+	}
+
+	normalizedActual := strings.ReplaceAll(actualStr, "\r\n", "\n")
+	normalizedExpected := strings.ReplaceAll(matcher.expected, "\r\n", "\n")
+
+	return normalizedActual == normalizedExpected, nil
+}
+
+func (matcher *equalIgnoringLineEndingsMatcher) FailureMessage(actual any) (message string) {
+	actualString, actualOK := actual.(string)
+	if actualOK {
+		return format.MessageWithDiff(actualString, "to equal", matcher.expected)
+	}
+
+	return format.Message(actual, "to equal", matcher.expected)
+}
+
+func (matcher *equalIgnoringLineEndingsMatcher) NegatedFailureMessage(actual any) (message string) {
+	return format.Message(actual, "not to equal", matcher.expected)
+}
+
+// EqualIgnoringLineEndings returns a new matcher.
+func EqualIgnoringLineEndings(expected string) types.GomegaMatcher {
+	return &equalIgnoringLineEndingsMatcher{
+		expected: expected,
+	}
+}
--- a/pkg/types/features.go
+++ b/pkg/types/features.go
@@ -0,0 +1,104 @@
+package types
+
+import (
+	"go.uber.org/zap"
+)
+
+func NewFeatures(enabled bool) Features {
+	return Features{
+		DNS: DNS{
+			AccessLists:  enabled,
+			ServerConfig: enabled,
+			Rewrites:     enabled,
+		},
+		DHCP: DHCP{
+			ServerConfig: enabled,
+			StaticLeases: enabled,
+		},
+		GeneralSettings: enabled,
+		QueryLogConfig:  enabled,
+		StatsConfig:     enabled,
+		ClientSettings:  enabled,
+		Services:        enabled,
+		Filters:         enabled,
+		Theme:           enabled,
+		TLSConfig:       enabled,
+	}
+}
+
+// Features feature flags.
+type Features struct {
+	DNS             DNS  `json:"dns"             yaml:"dns"`
+	DHCP            DHCP `json:"dhcp"            yaml:"dhcp"`
+	GeneralSettings bool `json:"generalSettings" yaml:"generalSettings" documentation:"Sync general settings" env:"FEATURES_GENERAL_SETTINGS"`
+	QueryLogConfig  bool `json:"queryLogConfig"  yaml:"queryLogConfig"  documentation:"Sync query log config" env:"FEATURES_QUERY_LOG_CONFIG"`
+	StatsConfig     bool `json:"statsConfig"     yaml:"statsConfig"     documentation:"Sync stats config"     env:"FEATURES_STATS_CONFIG"`
+	ClientSettings  bool `json:"clientSettings"  yaml:"clientSettings"  documentation:"Sync client settings"  env:"FEATURES_CLIENT_SETTINGS"`
+	Services        bool `json:"services"        yaml:"services"        documentation:"Sync services"         env:"FEATURES_SERVICES"`
+	Filters         bool `json:"filters"         yaml:"filters"         documentation:"Sync filters"          env:"FEATURES_FILTERS"`
+	Theme           bool `json:"theme"           yaml:"theme"           documentation:"Sync the web UI theme" env:"FEATURES_THEME"`
+	TLSConfig       bool `json:"tlsConfig"       yaml:"tlsConfig"       documentation:"Sync the TLS config"   env:"FEATURES_TLS_CONFIG"`
+}
+
+// DHCP features.
+type DHCP struct {
+	ServerConfig bool `documentation:"Sync DHCP server config" env:"FEATURES_DHCP_SERVER_CONFIG" json:"serverConfig" yaml:"serverConfig"`
+	StaticLeases bool `documentation:"Sync DHCP static leases" env:"FEATURES_DHCP_STATIC_LEASES" json:"staticLeases" yaml:"staticLeases"`
+}
+
+// DNS features.
+type DNS struct {
+	AccessLists  bool `documentation:"Sync DNS access lists"  env:"FEATURES_DNS_ACCESS_LISTS"  json:"accessLists"  yaml:"accessLists"`
+	ServerConfig bool `documentation:"Sync DNS server config" env:"FEATURES_DNS_SERVER_CONFIG" json:"serverConfig" yaml:"serverConfig"`
+	Rewrites     bool `documentation:"Sync DNS rewrites"      env:"FEATURES_DNS_REWRITES"      json:"rewrites"     yaml:"rewrites"`
+}
+
+// LogDisabled log all disabled features.
+func (f *Features) LogDisabled(l *zap.SugaredLogger) {
+	features := f.collectDisabled()
+
+	if len(features) > 0 {
+		l.With("features", features).Info("Disabled features")
+	}
+}
+
+func (f *Features) collectDisabled() []string {
+	var features []string
+	if !f.DHCP.ServerConfig {
+		features = append(features, "DHCP.ServerConfig")
+	}
+	if !f.DHCP.StaticLeases {
+		features = append(features, "DHCP.StaticLeases")
+	}
+	if !f.DNS.AccessLists {
+		features = append(features, "DNS.AccessLists")
+	}
+	if !f.DNS.ServerConfig {
+		features = append(features, "DNS.ServerConfig")
+	}
+	if !f.DNS.Rewrites {
+		features = append(features, "DNS.Rewrites")
+	}
+	if !f.GeneralSettings {
+		features = append(features, "GeneralSettings")
+	}
+	if !f.QueryLogConfig {
+		features = append(features, "QueryLogConfig")
+	}
+	if !f.StatsConfig {
+		features = append(features, "StatsConfig")
+	}
+	if !f.ClientSettings {
+		features = append(features, "ClientSettings")
+	}
+	if !f.Services {
+		features = append(features, "BlockedServices")
+	}
+	if !f.Filters {
+		features = append(features, "Filters")
+	}
+	if !f.TLSConfig {
+		features = append(features, "TLSConfig")
+	}
+	return features
+}
--- a/pkg/types/types.go
+++ b/pkg/types/types.go
@@ -1,34 +1,102 @@
+// Package types
+// +kubebuilder:object:generate=true
 package types

 import (
-	"encoding/json"
 	"fmt"
-	"sort"
+	"net/url"
+	"path/filepath"
 	"strings"
 	"time"
+
+	"go.uber.org/zap"
 )

+const (
+	// DefaultAPIPath default api path.
+	DefaultAPIPath = "/control"
+)
+
+// Config application configuration struct
+// +k8s:deepcopy-gen=true
 type Config struct {
-	Origin   AdGuardInstance   `json:"origin" yaml:"origin"`
-	Replica  *AdGuardInstance  `json:"replica,omitempty" yaml:"replica,omitempty"`
-	Replicas []AdGuardInstance `json:"replicas,omitempty" yaml:"replicas,omitempty"`
-	Cron     string            `json:"cron,omitempty" yaml:"cron,omitempty"`
-	API      API               `json:"api,omitempty" yaml:"api,omitempty"`
+	// Origin adguardhome instance
+	Origin *AdGuardInstance `json:"origin"                    yaml:"origin"`
+	// One single replica adguardhome instance
+	Replica *AdGuardInstance `json:"replica,omitempty"         yaml:"replica,omitempty"`
+	// Multiple replica instances
+	Replicas        []AdGuardInstance `json:"replicas,omitempty"        yaml:"replicas,omitempty"        faker:"slice_len=2"`
+	Cron            string            `json:"cron,omitempty"            yaml:"cron,omitempty"                                documentation:"Cron expression for the sync interval"              env:"CRON"`
+	RunOnStart      bool              `json:"runOnStart,omitempty"      yaml:"runOnStart,omitempty"                          documentation:"Run the sung on startup"                            env:"RUN_ON_START"`
+	PrintConfigOnly bool              `json:"printConfigOnly,omitempty" yaml:"printConfigOnly,omitempty"                     documentation:"Print current config only and stop the application" env:"PRINT_CONFIG_ONLY"`
+	ContinueOnError bool              `json:"continueOnError,omitempty" yaml:"continueOnError,omitempty"                     documentation:"Continue sync on errors"                            env:"CONTINUE_ON_ERROR"`
+	API             API               `json:"api,omitempty"             yaml:"api,omitempty"`
+	Features        Features          `json:"features,omitempty"        yaml:"features,omitempty"`
 }

+// API configuration.
 type API struct {
-	Port     int    `json:"port,omitempty" yaml:"port,omitempty"`
-	Username string `json:"username,omitempty" yaml:"username,omitempty"`
-	Password string `json:"password,omitempty" yaml:"password,omitempty"`
+	Port     int     `documentation:"API port"      env:"API_PORT"      json:"port,omitempty"     yaml:"port,omitempty"`
+	Username string  `documentation:"API username"  env:"API_USERNAME"  json:"username,omitempty" yaml:"username,omitempty"`
+	Password string  `documentation:"API password"  env:"API_PASSWORD"  json:"password,omitempty" yaml:"password,omitempty"`
+	DarkMode bool    `documentation:"API dark mode" env:"API_DARK_MODE" json:"darkMode,omitempty" yaml:"darkMode,omitempty"`
+	Metrics  Metrics `                                                  json:"metrics,omitempty"  yaml:"metrics,omitempty"`
+	TLS      TLS     `                                                  json:"tls,omitempty"      yaml:"tls,omitempty"`
 }

+// Metrics configuration.
+type Metrics struct {
+	Enabled        bool          `documentation:"Enable metrics"                env:"API_METRICS_ENABLED"         json:"enabled,omitempty"        yaml:"enabled,omitempty"`
+	ScrapeInterval time.Duration `documentation:"Interval for metrics scraping" env:"API_METRICS_SCRAPE_INTERVAL" json:"scrapeInterval,omitempty" yaml:"scrapeInterval,omitempty"`
+	QueryLogLimit  int           `documentation:"Metrics log query limit"       env:"API_METRICS_QUERY_LOG_LIMIT" json:"queryLogLimit,omitempty"  yaml:"queryLogLimit,omitempty"`
+}
+
+// TLS configuration.
+type TLS struct {
+	CertDir  string `documentation:"API TLS certificate directory" env:"API_TLS_CERT_DIR"  json:"certDir,omitempty"  yaml:"certDir,omitempty"`
+	CertName string `documentation:"API TLS certificate file name" env:"API_TLS_CERT_NAME" json:"certName,omitempty" yaml:"certName,omitempty"`
+	KeyName  string `documentation:"API TLS key file name"         env:"API_TLS_KEY_NAME"  json:"keyName,omitempty"  yaml:"keyName,omitempty"`
+}
+
+func (t TLS) Enabled() bool {
+	return strings.TrimSpace(t.CertDir) != ""
+}
+
+func (t TLS) Certs() (cert, key string) {
+	cert = filepath.Join(t.CertDir, defaultIfEmpty(t.CertName, "tls.crt"))
+	key = filepath.Join(t.CertDir, defaultIfEmpty(t.KeyName, "tls.key"))
+	return cert, key
+}
+
+func defaultIfEmpty(val, fallback string) string {
+	if strings.TrimSpace(val) == "" {
+		return fallback
+	}
+	return val
+}
+
+// Mask maks username and password.
+func (a *API) Mask() {
+	a.Username = mask(a.Username)
+	a.Password = mask(a.Password)
+}
+
+// UniqueReplicas get unique replication instances.
 func (cfg *Config) UniqueReplicas() []AdGuardInstance {
 	dedup := make(map[string]AdGuardInstance)
-	if cfg.Replica != nil {
+	if cfg.Replica != nil && cfg.Replica.URL != "" {
+		if cfg.Replica.APIPath == "" {
+			cfg.Replica.APIPath = DefaultAPIPath
+		}
 		dedup[cfg.Replica.Key()] = *cfg.Replica
 	}
 	for _, replica := range cfg.Replicas {
-		dedup[replica.Key()] = replica
+		if replica.APIPath == "" {
+			replica.APIPath = DefaultAPIPath
+		}
+		if replica.URL != "" {
+			dedup[replica.Key()] = replica
+		}
 	}

 	var r []AdGuardInstance
@@ -38,225 +106,117 @@ func (cfg *Config) UniqueReplicas() []AdGuardInstance {
 	return r
 }

+// Log the current config.
+func (cfg *Config) Log(l *zap.SugaredLogger) {
+	c := cfg.mask()
+	l.With("config", c).Debug("Using config")
+}
+
+func (cfg *Config) mask() *Config {
+	c := cfg.DeepCopy()
+	c.Origin.Mask()
+	if c.Replica != nil {
+		if c.Replica.URL == "" {
+			c.Replica = nil
+		} else {
+			c.Replica.Mask()
+		}
+	}
+	for i := range c.Replicas {
+		c.Replicas[i].Mask()
+	}
+	c.API.Mask()
+	return c
+}
+
+func (cfg *Config) Init() error {
+	if err := cfg.Origin.Init(); err != nil {
+		return err
+	}
+	for i := range cfg.Replicas {
+		replica := &cfg.Replicas[i]
+		if err := replica.Init(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AdGuardInstance AdguardHome config instance
+// +k8s:deepcopy-gen=true
 type AdGuardInstance struct {
-	URL                string `json:"url" yaml:"url"`
-	APIPath            string `json:"apiPath,omitempty" yaml:"apiPath,omitempty"`
-	Username           string `json:"username,omitempty" yaml:"username,omitempty"`
-	Password           string `json:"password,omitempty" yaml:"password,omitempty"`
-	InsecureSkipVerify bool   `json:"insecureSkipVerify" yaml:"insecureSkipVerify"`
+	URL                string            `documentation:"URL of adguardhome instance"                               env:"URL"                  faker:"url" json:"url"                         yaml:"url"`
+	WebURL             string            `documentation:"Web URL of adguardhome instance"                           env:"WEB_URL"              faker:"url" json:"webURL"                      yaml:"webURL"`
+	APIPath            string            `documentation:"API Path"                                                  env:"API_PATH"                         json:"apiPath,omitempty"           yaml:"apiPath,omitempty"`
+	Username           string            `documentation:"Adguardhome username"                                      env:"USERNAME"                         json:"username,omitempty"          yaml:"username,omitempty"`
+	Password           string            `documentation:"Adguardhome password"                                      env:"PASSWORD"                         json:"password,omitempty"          yaml:"password,omitempty"`
+	Cookie             string            `documentation:"Adguardhome cookie"                                        env:"COOKIE"                           json:"cookie,omitempty"            yaml:"cookie,omitempty"`
+	RequestHeaders     map[string]string `documentation:"Request Headers 'key1:value1,key2:value2'"                 env:"REQUEST_HEADERS"                  json:"requestHeaders,omitempty"    yaml:"requestHeaders,omitempty"`
+	InsecureSkipVerify bool              `documentation:"Skip TLS verification"                                     env:"INSECURE_SKIP_VERIFY"             json:"insecureSkipVerify"          yaml:"insecureSkipVerify"`
+	AutoSetup          bool              `documentation:"Automatically setup the instance if it is not initialized" env:"AUTO_SETUP"                       json:"autoSetup"                   yaml:"autoSetup"`
+	InterfaceName      string            `documentation:"Network interface name"                                    env:"INTERFACE_NAME"                   json:"interfaceName,omitempty"     yaml:"interfaceName,omitempty"`
+	DHCPServerEnabled  *bool             `documentation:"Enable DHCP server"                                        env:"DHCP_SERVER_ENABLED"              json:"dhcpServerEnabled,omitempty" yaml:"dhcpServerEnabled,omitempty"`
+
+	Host    string `json:"-" yaml:"-"`
+	WebHost string `json:"-" yaml:"-"`
 }

+// Key AdGuardInstance key.
 func (i *AdGuardInstance) Key() string {
-	return fmt.Sprintf("%s%s", i.URL, i.APIPath)
+	return fmt.Sprintf("%s#%s", i.URL, i.APIPath)
 }

-type Status struct {
-	DNSAddresses      []string `json:"dns_addresses"`
-	DNSPort           int      `json:"dns_port"`
-	HTTPPort          int      `json:"http_port"`
-	ProtectionEnabled bool     `json:"protection_enabled"`
-	DhcpAvailable     bool     `json:"dhcp_available"`
-	Running           bool     `json:"running"`
-	Version           string   `json:"version"`
-	Language          string   `json:"language"`
+// Mask maks username and password.
+func (i *AdGuardInstance) Mask() {
+	i.Username = mask(i.Username)
+	i.Password = mask(i.Password)
 }

-type RewriteEntries []RewriteEntry
-
-func (rwe *RewriteEntries) Merge(other *RewriteEntries) (RewriteEntries, RewriteEntries) {
-	current := make(map[string]RewriteEntry)
-
-	var adds RewriteEntries
-	var removes RewriteEntries
-	for _, rr := range *rwe {
-		current[rr.Key()] = rr
+func (i *AdGuardInstance) Init() error {
+	u, err := url.Parse(i.URL)
+	if err != nil {
+		return err
 	}
+	i.Host = u.Host

-	for _, rr := range *other {
-		if _, ok := current[rr.Key()]; ok {
-			delete(current, rr.Key())
-		} else {
-			adds = append(adds, rr)
+	if i.WebURL == "" {
+		i.WebHost = i.Host
+		i.WebURL = i.URL
+	} else {
+		u, err := url.Parse(i.WebURL)
+		if err != nil {
+			return err
 		}
+		i.WebHost = u.Host
 	}
+	return nil
+}

-	for _, rr := range current {
-		removes = append(removes, rr)
+func mask(s string) string {
+	if len(s) < 3 {
+		return strings.Repeat("*", len(s))
 	}
-
-	return adds, removes
+	mask := strings.Repeat("*", len(s)-2)
+	return fmt.Sprintf("%v%s%v", string(s[0]), mask, string(s[len(s)-1]))
 }

-type RewriteEntry struct {
-	Domain string `json:"domain"`
-	Answer string `json:"answer"`
+// Protection API struct.
+type Protection struct {
+	ProtectionEnabled bool `json:"protection_enabled"`
 }

-func (re *RewriteEntry) Key() string {
-	return fmt.Sprintf("%s#%s", re.Domain, re.Answer)
+// InstallConfig AdguardHome install config.
+type InstallConfig struct {
+	Web      InstallPort `json:"web"`
+	DNS      InstallPort `json:"dns"`
+	Username string      `json:"username"`
+	Password string      `json:"password"`
 }

-type Filters []Filter
-
-type Filter struct {
-	ID          int       `json:"id"`
-	Enabled     bool      `json:"enabled"`
-	URL         string    `json:"url"`  // needed for add
-	Name        string    `json:"name"` // needed for add
-	RulesCount  int       `json:"rules_count"`
-	LastUpdated time.Time `json:"last_updated"`
-	Whitelist   bool      `json:"whitelist"` // needed for add
-}
-
-type FilteringStatus struct {
-	FilteringConfig
-	Filters          Filters   `json:"filters"`
-	WhitelistFilters Filters   `json:"whitelist_filters"`
-	UserRules        UserRules `json:"user_rules"`
-}
-
-type UserRules []string
-
-func (ur UserRules) String() string {
-	return strings.Join(ur, "\n")
-}
-
-type FilteringConfig struct {
-	Enabled  bool `json:"enabled"`
-	Interval int  `json:"interval"`
-}
-
-type RefreshFilter struct {
-	Whitelist bool `json:"whitelist"`
-}
-
-func (fs *Filters) Merge(other Filters) (Filters, Filters) {
-	current := make(map[string]Filter)
-
-	var adds Filters
-	var removes Filters
-	for _, f := range *fs {
-		current[f.URL] = f
-	}
-
-	for _, rr := range other {
-		if _, ok := current[rr.URL]; ok {
-			delete(current, rr.URL)
-		} else {
-			adds = append(adds, rr)
-		}
-	}
-
-	for _, rr := range current {
-		removes = append(removes, rr)
-	}
-
-	return adds, removes
-}
-
-type Services []string
-
-func (s Services) Sort() {
-	sort.Strings(s)
-}
-
-func (s *Services) Equals(o *Services) bool {
-	s.Sort()
-	o.Sort()
-	return equals(*s, *o)
-}
-
-type Clients struct {
-	Clients     []Client `json:"clients"`
-	AutoClients []struct {
-		IP        string `json:"ip"`
-		Name      string `json:"name"`
-		Source    string `json:"source"`
-		WhoisInfo struct {
-		} `json:"whois_info"`
-	} `json:"auto_clients"`
-	SupportedTags []string `json:"supported_tags"`
-}
-
-type Client struct {
-	Ids             []string `json:"ids"`
-	Tags            []string `json:"tags"`
-	BlockedServices []string `json:"blocked_services"`
-	Upstreams       []string `json:"upstreams"`
-
-	UseGlobalSettings        bool   `json:"use_global_settings"`
-	UseGlobalBlockedServices bool   `json:"use_global_blocked_services"`
-	Name                     string `json:"name"`
-	FilteringEnabled         bool   `json:"filtering_enabled"`
-	ParentalEnabled          bool   `json:"parental_enabled"`
-	SafesearchEnabled        bool   `json:"safesearch_enabled"`
-	SafebrowsingEnabled      bool   `json:"safebrowsing_enabled"`
-	Disallowed               bool   `json:"disallowed"`
-	DisallowedRule           string `json:"disallowed_rule"`
-}
-
-func (cl *Client) Sort() {
-	sort.Strings(cl.Ids)
-	sort.Strings(cl.Tags)
-	sort.Strings(cl.BlockedServices)
-	sort.Strings(cl.Upstreams)
-}
-
-func (cl *Client) Equal(o *Client) bool {
-	cl.Sort()
-	o.Sort()
-
-	a, _ := json.Marshal(cl)
-	b, _ := json.Marshal(o)
-	return string(a) == string(b)
-}
-
-func (clients *Clients) Merge(other *Clients) ([]Client, []Client, []Client) {
-	current := make(map[string]Client)
-	for _, client := range clients.Clients {
-		current[client.Name] = client
-	}
-
-	expected := make(map[string]Client)
-	for _, client := range other.Clients {
-		expected[client.Name] = client
-	}
-
-	var adds []Client
-	var removes []Client
-	var updates []Client
-
-	for _, cl := range expected {
-		if oc, ok := current[cl.Name]; ok {
-			if !cl.Equal(&oc) {
-				updates = append(updates, cl)
-			}
-			delete(current, cl.Name)
-		} else {
-			adds = append(adds, cl)
-		}
-	}
-
-	for _, rr := range current {
-		removes = append(removes, rr)
-	}
-
-	return adds, updates, removes
-}
-
-type ClientUpdate struct {
-	Name string `json:"name"`
-	Data Client `json:"data"`
-}
-
-func equals(a []string, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i, v := range a {
-		if v != b[i] {
-			return false
-		}
-	}
-	return true
+// InstallPort AdguardHome install config port.
+type InstallPort struct {
+	IP         string `json:"ip"`
+	Port       int    `json:"port"`
+	Status     string `json:"status"`
+	CanAutofix bool   `json:"can_autofix"`
 }
--- a/pkg/types/types_fuzz_test.go
+++ b/pkg/types/types_fuzz_test.go
@@ -0,0 +1,15 @@
+package types
+
+import (
+	"testing"
+)
+
+func FuzzMask(f *testing.F) {
+	testcases := []string{"", "a", "ab", "abc", "abcd"}
+	for _, tc := range testcases {
+		f.Add(tc)
+	}
+	f.Fuzz(func(t *testing.T, value string) {
+		_ = mask(value)
+	})
+}
--- a/pkg/types/types_suite_test.go
+++ b/pkg/types/types_suite_test.go
@@ -0,0 +1,13 @@
+package types_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestSync(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Types Suite")
+}
--- a/pkg/types/types_test.go
+++ b/pkg/types/types_test.go
@@ -0,0 +1,152 @@
+package types
+
+import (
+	"strings"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Types", func() {
+	Context("AdGuardInstance", func() {
+		var inst AdGuardInstance
+
+		BeforeEach(func() {
+			inst = AdGuardInstance{}
+		})
+		Context("Instance Init", func() {
+			BeforeEach(func() {
+				inst.URL = "https://localhost:3000"
+			})
+			It("should correctly set Host and WebHost if only URL is set", func() {
+				err := inst.Init()
+				Ω(err).ShouldNot(HaveOccurred())
+				Ω(inst.Host).Should(Equal("localhost:3000"))
+				Ω(inst.WebHost).Should(Equal("localhost:3000"))
+				Ω(inst.URL).Should(Equal("https://localhost:3000"))
+				Ω(inst.WebURL).Should(Equal("https://localhost:3000"))
+			})
+			It("should correctly set Host and WebHost if URL and WebURL are set", func() {
+				inst.WebURL = "https://127.0.0.1:4000"
+				err := inst.Init()
+				Ω(err).ShouldNot(HaveOccurred())
+				Ω(inst.Host).Should(Equal("localhost:3000"))
+				Ω(inst.WebHost).Should(Equal("127.0.0.1:4000"))
+				Ω(inst.WebURL).Should(Equal(inst.WebURL))
+				Ω(inst.URL).Should(Equal("https://localhost:3000"))
+				Ω(inst.WebURL).Should(Equal("https://127.0.0.1:4000"))
+			})
+		})
+	})
+	Context("Config", func() {
+		Context("init", func() {
+			cfg := Config{
+				Origin: &AdGuardInstance{},
+				Replicas: []AdGuardInstance{
+					{URL: "https://localhost:3000"},
+				},
+			}
+			err := cfg.Init()
+			Ω(err).ShouldNot(HaveOccurred())
+			Ω(cfg.Replicas[0].Host).Should(Equal("localhost:3000"))
+			Ω(cfg.Replicas[0].WebHost).Should(Equal("localhost:3000"))
+			Ω(cfg.Replicas[0].URL).Should(Equal("https://localhost:3000"))
+			Ω(cfg.Replicas[0].WebURL).Should(Equal("https://localhost:3000"))
+		})
+		Context("UniqueReplicas", func() {
+			It("should return unique replicas in the array", func() {
+				cfg := Config{
+					Origin: &AdGuardInstance{},
+					Replicas: []AdGuardInstance{
+						{URL: "a"},
+						{URL: "a", APIPath: DefaultAPIPath},
+						{URL: "a", APIPath: "foo"},
+						{URL: "b", APIPath: DefaultAPIPath},
+					},
+					Replica: &AdGuardInstance{URL: "b"},
+				}
+				replicas := cfg.UniqueReplicas()
+				Ω(replicas).Should(HaveLen(3))
+			})
+		})
+		Context("mask", func() {
+			It("should mask all names and passwords", func() {
+				cfg := Config{
+					Origin: &AdGuardInstance{},
+					Replicas: []AdGuardInstance{
+						{URL: "a", Username: "user", Password: "pass"},
+					},
+					Replica: &AdGuardInstance{URL: "a", Username: "user", Password: "pass"},
+					API:     API{Username: "user", Password: "pass"},
+				}
+				masked := cfg.mask()
+				Ω(masked.Replicas[0].Username).Should(Equal("u**r"))
+				Ω(masked.Replicas[0].Password).Should(Equal("p**s"))
+				Ω(masked.Replica.Username).Should(Equal("u**r"))
+				Ω(masked.Replica.Password).Should(Equal("p**s"))
+				Ω(masked.API.Username).Should(Equal("u**r"))
+				Ω(masked.API.Password).Should(Equal("p**s"))
+			})
+		})
+		DescribeTable("mask should work correctly",
+			func(value, expected string) {
+				Ω(mask(value)).Should(Equal(expected))
+			},
+			Entry(`Empty password`, "", ""),
+			Entry(`1 char password`, "a", "*"),
+			Entry(`2 char password`, "ab", "**"),
+			Entry(`3 char password`, "abc", "a*c"),
+		)
+	})
+	Context("Feature", func() {
+		Context("LogDisabled", func() {
+			It("should log all features", func() {
+				f := NewFeatures(false)
+				Ω(f.collectDisabled()).Should(HaveLen(12))
+			})
+			It("should log no features", func() {
+				f := NewFeatures(true)
+				Ω(f.collectDisabled()).Should(BeEmpty())
+			})
+		})
+	})
+	Context("TLS", func() {
+		var t TLS
+		BeforeEach(func() {
+			t = TLS{
+				CertDir: "/path/to/certs",
+			}
+		})
+		Context("Enabled", func() {
+			It("should use enabled", func() {
+				Ω(t.Enabled()).Should(BeTrue())
+			})
+			It("should use disabled", func() {
+				t.CertDir = " "
+				Ω(t.Enabled()).Should(BeFalse())
+			})
+		})
+		Context("Certs", func() {
+			It("should use default crt and key", func() {
+				crt, key := t.Certs()
+				crt = normalizePath(crt)
+				key = normalizePath(key)
+				Ω(crt).Should(Equal("/path/to/certs/tls.crt"))
+				Ω(key).Should(Equal("/path/to/certs/tls.key"))
+			})
+			It("should use custom crt and key", func() {
+				t.CertName = "foo.crt"
+				t.KeyName = "bar.key"
+				crt, key := t.Certs()
+				crt = normalizePath(crt)
+				key = normalizePath(key)
+				Ω(crt).Should(Equal("/path/to/certs/foo.crt"))
+				Ω(key).Should(Equal("/path/to/certs/bar.key"))
+			})
+		})
+	})
+})
+
+func normalizePath(path string) string {
+	return strings.ReplaceAll(path, "\\", "/")
+}
--- a/pkg/types/zz_generated.deepcopy.go
+++ b/pkg/types/zz_generated.deepcopy.go
@@ -0,0 +1,209 @@
+//go:build !ignore_autogenerated
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package types
+
+import ()
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *API) DeepCopyInto(out *API) {
+	*out = *in
+	out.Metrics = in.Metrics
+	out.TLS = in.TLS
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new API.
+func (in *API) DeepCopy() *API {
+	if in == nil {
+		return nil
+	}
+	out := new(API)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdGuardInstance) DeepCopyInto(out *AdGuardInstance) {
+	*out = *in
+	if in.RequestHeaders != nil {
+		in, out := &in.RequestHeaders, &out.RequestHeaders
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DHCPServerEnabled != nil {
+		in, out := &in.DHCPServerEnabled, &out.DHCPServerEnabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdGuardInstance.
+func (in *AdGuardInstance) DeepCopy() *AdGuardInstance {
+	if in == nil {
+		return nil
+	}
+	out := new(AdGuardInstance)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Config) DeepCopyInto(out *Config) {
+	*out = *in
+	if in.Origin != nil {
+		in, out := &in.Origin, &out.Origin
+		*out = new(AdGuardInstance)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Replica != nil {
+		in, out := &in.Replica, &out.Replica
+		*out = new(AdGuardInstance)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = make([]AdGuardInstance, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	out.API = in.API
+	out.Features = in.Features
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Config.
+func (in *Config) DeepCopy() *Config {
+	if in == nil {
+		return nil
+	}
+	out := new(Config)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DHCP) DeepCopyInto(out *DHCP) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DHCP.
+func (in *DHCP) DeepCopy() *DHCP {
+	if in == nil {
+		return nil
+	}
+	out := new(DHCP)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DNS) DeepCopyInto(out *DNS) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNS.
+func (in *DNS) DeepCopy() *DNS {
+	if in == nil {
+		return nil
+	}
+	out := new(DNS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Features) DeepCopyInto(out *Features) {
+	*out = *in
+	out.DNS = in.DNS
+	out.DHCP = in.DHCP
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Features.
+func (in *Features) DeepCopy() *Features {
+	if in == nil {
+		return nil
+	}
+	out := new(Features)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InstallConfig) DeepCopyInto(out *InstallConfig) {
+	*out = *in
+	out.Web = in.Web
+	out.DNS = in.DNS
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstallConfig.
+func (in *InstallConfig) DeepCopy() *InstallConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(InstallConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InstallPort) DeepCopyInto(out *InstallPort) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstallPort.
+func (in *InstallPort) DeepCopy() *InstallPort {
+	if in == nil {
+		return nil
+	}
+	out := new(InstallPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Metrics) DeepCopyInto(out *Metrics) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Metrics.
+func (in *Metrics) DeepCopy() *Metrics {
+	if in == nil {
+		return nil
+	}
+	out := new(Metrics)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Protection) DeepCopyInto(out *Protection) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Protection.
+func (in *Protection) DeepCopy() *Protection {
+	if in == nil {
+		return nil
+	}
+	out := new(Protection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLS) DeepCopyInto(out *TLS) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS.
+func (in *TLS) DeepCopy() *TLS {
+	if in == nil {
+		return nil
+	}
+	out := new(TLS)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/pkg/utils/clone.go
+++ b/pkg/utils/clone.go
@@ -0,0 +1,18 @@
+package utils
+
+import (
+	"bytes"
+	"encoding/json"
+)
+
+func Clone[I any](in, out I) I {
+	b, _ := json.Marshal(in)
+	_ = json.Unmarshal(b, out)
+	return out
+}
+
+func JSONEquals(a, b any) bool {
+	ja, _ := json.Marshal(a)
+	jb, _ := json.Marshal(b)
+	return bytes.Equal(ja, jb)
+}
--- a/pkg/utils/ptr.go
+++ b/pkg/utils/ptr.go
@@ -0,0 +1,24 @@
+package utils
+
+import "fmt"
+
+func Ptr[I any](i I) *I {
+	return &i
+}
+
+func PtrToString[I any](i *I) string {
+	if i == nil {
+		return ""
+	}
+	return fmt.Sprintf("%v", i)
+}
+
+func PtrEquals[I comparable](a, b *I) bool {
+	if a == nil && b == nil {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return *a == *b
+}
--- a/pkg/versions/versions.go
+++ b/pkg/versions/versions.go
@@ -0,0 +1,23 @@
+package versions
+
+import "golang.org/x/mod/semver"
+
+const (
+	// MinAgh minimal adguardhome version.
+	MinAgh = "v0.107.40"
+)
+
+func IsNewerThan(v1, v2 string) bool {
+	return semver.Compare(sanitize(v1), sanitize(v2)) == 1
+}
+
+func IsSame(v1, v2 string) bool {
+	return semver.Compare(sanitize(v1), sanitize(v2)) == 0
+}
+
+func sanitize(v string) string {
+	if v == "" || v[0] == 'v' {
+		return v
+	}
+	return "v" + v
+}
--- a/pkg/versions/versions_suite_test.go
+++ b/pkg/versions/versions_suite_test.go
@@ -0,0 +1,13 @@
+package versions_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestTypes(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Types Suite")
+}
--- a/pkg/versions/versions_test.go
+++ b/pkg/versions/versions_test.go
@@ -0,0 +1,30 @@
+package versions_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/bakito/adguardhome-sync/pkg/versions"
+)
+
+var _ = Describe("Versions", func() {
+	Context("IsNewerThan", func() {
+		It("should correctly parse json", func() {
+			Ω(versions.IsNewerThan("v0.106.10", "v0.106.9")).Should(BeTrue())
+			Ω(versions.IsNewerThan("v0.106.9", "v0.106.10")).Should(BeFalse())
+			Ω(versions.IsNewerThan("v0.106.10", "0.106.9")).Should(BeTrue())
+			Ω(versions.IsNewerThan("v0.106.9", "0.106.10")).Should(BeFalse())
+			// tests for #607
+			Ω(versions.IsNewerThan("v0.108.0-b.72", versions.MinAgh)).Should(BeTrue())
+			Ω(versions.IsNewerThan("0.108.0-b.72", versions.MinAgh)).Should(BeTrue())
+			Ω(versions.IsNewerThan(versions.MinAgh, "v0.108.0-b.72")).Should(BeFalse())
+			Ω(versions.IsNewerThan(versions.MinAgh, "0.108.0-b.72")).Should(BeFalse())
+		})
+	})
+	Context("IsSame", func() {
+		It("should be the same version", func() {
+			Ω(versions.IsSame("v0.106.9", "v0.106.9")).Should(BeTrue())
+			Ω(versions.IsSame("0.106.9", "v0.106.9")).Should(BeTrue())
+		})
+	})
+})
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "go",
+      "description": "Update toolbox tools in .toolbox.mk",
+      "managerFilePatterns": [
+        ".toolbox.mk"
+      ],
+      "matchStrings": [
+        "# renovate: packageName=(?<packageName>.+?)\\s+.+?_VERSION \\?= (?<currentValue>.+?)\\s"
+      ]
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "github-releases",
+      "description": "Update github _VERSION Makefile",
+      "managerFilePatterns": [
+        "Makefile"
+      ],
+      "matchStrings": [
+        "# renovate: packageName=(?<packageName>.+?)\\s+.+?_VERSION \\?= (?<currentValue>.+?)\\s"
+      ]
+    }
+  ],
+  "dependencyDashboard": true
+}
--- a/testdata/.gitignore
+++ b/testdata/.gitignore
@@ -0,0 +1,2 @@
+docker-compose.yaml
+!config_test_*.yaml
--- a/testdata/blockedservices-list.json
+++ b/testdata/blockedservices-list.json
@@ -0,0 +1,4 @@
+[
+  "9gag",
+  "dailymotion"
+]
--- a/testdata/blockedservicesschedule-get.json
+++ b/testdata/blockedservicesschedule-get.json
@@ -0,0 +1,22 @@
+{
+  "schedule": {
+    "time_zone": "Europe/Zurich",
+    "tue": {
+      "start": 0,
+      "end": 86340000
+    },
+    "thu": {
+      "start": 0,
+      "end": 86340000
+    },
+    "sat": {
+      "start": 0,
+      "end": 35940000
+    }
+  },
+  "ids": [
+    "9gag",
+    "dailymotion",
+    "disneyplus"
+  ]
+}
--- a/testdata/clients.json
+++ b/testdata/clients.json
@@ -0,0 +1,81 @@
+{
+  "clients": [
+    {
+      "ids": [
+        "192.168.1.3"
+      ],
+      "tags": [
+        "device_pc"
+      ],
+      "name": "PC",
+      "use_global_settings": true,
+      "filtering_enabled": false,
+      "parental_enabled": false,
+      "safesearch_enabled": false,
+      "safebrowsing_enabled": false,
+      "use_global_blocked_services": true,
+      "blocked_services": null,
+      "upstreams": null,
+      "whois_info": null,
+      "disallowed": false,
+      "disallowed_rule": ""
+    },
+    {
+      "ids": [
+        "192.168.1.2"
+      ],
+      "tags": [
+        "device_phone"
+      ],
+      "name": "Phone LAN",
+      "use_global_settings": true,
+      "filtering_enabled": false,
+      "parental_enabled": false,
+      "safesearch_enabled": false,
+      "safebrowsing_enabled": false,
+      "use_global_blocked_services": false,
+      "blocked_services": [
+        "facebook",
+        "ok",
+        "vk",
+        "mail_ru",
+        "qq"
+      ],
+      "upstreams": [],
+      "whois_info": null,
+      "disallowed": false,
+      "disallowed_rule": ""
+    }
+  ],
+  "auto_clients": [
+    {
+      "ip": "127.0.0.1",
+      "name": "localhost",
+      "source": "etc/hosts",
+      "whois_info": {}
+    }
+  ],
+  "supported_tags": [
+    "device_audio",
+    "device_camera",
+    "device_gameconsole",
+    "device_laptop",
+    "device_nas",
+    "device_other",
+    "device_pc",
+    "device_phone",
+    "device_printer",
+    "device_securityalarm",
+    "device_tablet",
+    "device_tv",
+    "os_android",
+    "os_ios",
+    "os_linux",
+    "os_macos",
+    "os_other",
+    "os_windows",
+    "user_admin",
+    "user_child",
+    "user_regular"
+  ]
+}
--- a/testdata/config/print-config_test_expected1.md
+++ b/testdata/config/print-config_test_expected1.md
@@ -0,0 +1,31 @@
+<!-- PLEASE COPY THE FOLLOWING OUTPUT AS IS INTO THE GITHUB ISSUE (Don't forget to mask your usernames, passwords, IPs and other sensitive information when using this in an issue ) -->
+
+### Runtime
+
+AdguardHome-Sync Version: %s
+Build: %s
+OperatingSystem: %s
+Architecture: %s
+OriginVersion: v0.0.1
+ReplicaVersions:
+- Replica 1: v0.0.2
+
+### AdGuardHome sync aggregated config
+
+```yaml
+origin:
+    url: https://ha.xxxx.net:3000
+    webURL: ""
+    insecureSkipVerify: false
+    autoSetup: false
+
+```
+
+### Environment Variables
+
+```ini
+BAR=bar
+FOO=foo
+```
+
+<!-- END OF GITHUB ISSUE CONTENT -->
--- a/testdata/config/print-config_test_expected2.md
+++ b/testdata/config/print-config_test_expected2.md
@@ -0,0 +1,41 @@
+<!-- PLEASE COPY THE FOLLOWING OUTPUT AS IS INTO THE GITHUB ISSUE (Don't forget to mask your usernames, passwords, IPs and other sensitive information when using this in an issue ) -->
+
+### Runtime
+
+AdguardHome-Sync Version: %s
+Build: %s
+OperatingSystem: %s
+Architecture: %s
+OriginVersion: v0.0.1
+ReplicaVersions:
+- Replica 1: v0.0.2
+
+### AdGuardHome sync aggregated config
+
+```yaml
+origin:
+    url: https://ha.xxxx.net:3000
+    webURL: ""
+    insecureSkipVerify: false
+    autoSetup: false
+
+```
+### AdGuardHome sync unmodified config file
+
+Config file path: config.yaml
+
+```yaml
+
+origin:
+  url: https://ha.xxxx.net:3000
+
+```
+
+### Environment Variables
+
+```ini
+BAR=bar
+FOO=foo
+```
+
+<!-- END OF GITHUB ISSUE CONTENT -->
--- a/testdata/config_test_replica.yaml
+++ b/testdata/config_test_replica.yaml
@@ -0,0 +1,38 @@
+origin:
+  url: https://origin-file:443
+  webURL: https://origin-file:443
+  apiPath: /control
+  username: foo
+  password: '*********'
+  insecureSkipVerify: true
+  autoSetup: false
+replica:
+  url: https://replica-file:443
+  webURL: https://replica-file:443
+  apiPath: /control
+  username: bar
+  password: '*********'
+  insecureSkipVerify: false
+  autoSetup: false
+  interfaceName: eth3
+  dhcpServerEnabled: false
+cron: '*/15 * * * *'
+runOnStart: true
+printConfigOnly: true
+api:
+  port: 9090
+features:
+  dns:
+    accessLists: true
+    serverConfig: false
+    rewrites: true
+  dhcp:
+    serverConfig: true
+    staticLeases: true
+  generalSettings: true
+  queryLogConfig: true
+  statsConfig: true
+  clientSettings: true
+  services: true
+  filters: true
+  theme: true
--- a/testdata/config_test_replicas.yaml
+++ b/testdata/config_test_replicas.yaml
@@ -0,0 +1,41 @@
+origin:
+  url: https://origin-file:443
+  webURL: https://origin-file:443
+  apiPath: /control
+  username: foo
+  password: '*********'
+  insecureSkipVerify: true
+  autoSetup: false
+replicas:
+  - url: https://replica-file:443
+    webURL: https://replica-file:443
+    apiPath: /control
+    username: bar
+    password: '*********'
+    insecureSkipVerify: false
+    autoSetup: false
+    interfaceName: eth3
+    dhcpServerEnabled: false
+    requestHeaders:
+      FOO: bar
+      Client-ID: xxxx
+cron: '*/15 * * * *'
+runOnStart: true
+printConfigOnly: true
+api:
+  port: 9090
+features:
+  dns:
+    accessLists: true
+    serverConfig: false
+    rewrites: true
+  dhcp:
+    serverConfig: true
+    staticLeases: true
+  generalSettings: true
+  queryLogConfig: true
+  statsConfig: true
+  clientSettings: true
+  services: true
+  filters: true
+  theme: true
--- a/testdata/config_test_replicas_and_replica.yaml
+++ b/testdata/config_test_replicas_and_replica.yaml
@@ -0,0 +1,48 @@
+origin:
+  url: https://origin-file:443
+  webURL: https://origin-file:443
+  apiPath: /control
+  username: foo
+  password: '*********'
+  insecureSkipVerify: true
+  autoSetup: false
+replica:
+  url: https://replica-file:443
+  webURL: https://replica-file:443
+  apiPath: /control
+  username: bar
+  password: '*********'
+  insecureSkipVerify: false
+  autoSetup: false
+  interfaceName: eth3
+  dhcpServerEnabled: false
+replicas:
+  - url: https://replicas-file:443
+    webURL: https://replicas-file:443
+    apiPath: /control
+    username: bar
+    password: '*********'
+    insecureSkipVerify: false
+    autoSetup: false
+    interfaceName: eth3
+    dhcpServerEnabled: false
+cron: '*/15 * * * *'
+runOnStart: true
+printConfigOnly: true
+api:
+  port: 9090
+features:
+  dns:
+    accessLists: true
+    serverConfig: false
+    rewrites: true
+  dhcp:
+    serverConfig: true
+    staticLeases: true
+  generalSettings: true
+  queryLogConfig: true
+  statsConfig: true
+  clientSettings: true
+  services: true
+  filters: true
+  theme: true
--- a/testdata/dhcp-status.json
+++ b/testdata/dhcp-status.json
@@ -0,0 +1,17 @@
+{
+  "enabled": false,
+  "interface_name": "docker0",
+  "v4": {
+    "gateway_ip": "172.17.0.1",
+    "subnet_mask": "255.255.255.0",
+    "range_start": "172.17.0.100",
+    "range_end": "172.17.0.200",
+    "lease_duration": 888888
+  },
+  "v6": {
+    "range_start": "",
+    "lease_duration": 0
+  },
+  "leases": [],
+  "static_leases": []
+}
--- a/testdata/dns-info.json
+++ b/testdata/dns-info.json
@@ -0,0 +1,22 @@
+{
+  "upstream_dns": [
+    "https://dns10.quad9.net/dns-query"
+  ],
+  "upstream_dns_file": "",
+  "bootstrap_dns": [
+    "1.1.1.1:53"
+  ],
+  "protection_enabled": true,
+  "ratelimit": 20,
+  "blocking_mode": "default",
+  "blocking_ipv4": "",
+  "blocking_ipv6": "",
+  "edns_cs_enabled": false,
+  "dnssec_enabled": false,
+  "disable_ipv6": false,
+  "upstream_mode": "",
+  "cache_size": 4194304,
+  "cache_ttl_min": 0,
+  "cache_ttl_max": 0
+}
+
--- a/Show More
+++ b/Show More