fix(pihole): add Traefik middleware to redirect root to /admin/

Pi-hole's web interface returns 403 Forbidden when accessed via the
root path. Add a Traefik middleware that redirects requests to the
root URL to /admin/ path where the web interface is accessible.

Also add the pihole ArgoCD application manifest.

Co-authored-by: Cursor <cursoragent@cursor.com>

2 files changed, 68 insertions, 0 deletions

diff --git a/f3s/argocd-apps/services/pihole.yaml b/f3s/argocd-apps/services/pihole.yaml
new file mode 100644
index 0000000..1f309db
--- /dev/null
+++ b/f3s/argocd-apps/services/pihole.yaml
@@ -0,0 +1,55 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pihole
+  namespace: cicd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+    # Source 1: Local resources (PVs, PVCs, Ingresses)
+    - repoURL: https://codeberg.org/snonux/conf.git
+      targetRevision: master
+      path: f3s/pihole/helm-chart
+    # Source 2: Official Pi-hole Helm chart
+    - repoURL: https://mojo2600.github.io/pihole-kubernetes/
+      chart: pihole
+      targetRevision: 2.22.0
+      helm:
+        releaseName: pihole
+        values: |
+          persistentVolumeClaim:
+            enabled: true
+            existingClaim: "pihole-config-pvc"
+          dnsmasq:
+            customVolumeMounts:
+              - name: dnsmasq-config
+                mountPath: /etc/dnsmasq.d
+            customVolumes:
+              - name: dnsmasq-config
+                persistentVolumeClaim:
+                  claimName: "pihole-dnsmasq-pvc"
+          serviceDns:
+            type: LoadBalancer
+          serviceWeb:
+            type: ClusterIP
+          ingress:
+            enabled: false # Managed by local chart Source 1
+          adminPasswordSecret: "pihole-admin-password"
+          adminPasswordKey: "password"
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: services
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+    retry:
+      limit: 3
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 1m
diff --git a/f3s/pihole/helm-chart/templates/ingress.yaml b/f3s/pihole/helm-chart/templates/ingress.yaml
index 20dfc25..eedd0c5 100644
--- a/f3s/pihole/helm-chart/templates/ingress.yaml
+++ b/f3s/pihole/helm-chart/templates/ingress.yaml
@@ -1,3 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: pihole-redirect-admin
+  namespace: services
+spec:
+  redirectRegex:
+    regex: ^https?://[^/]+/?$
+    replacement: /admin/
+    permanent: false
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -6,6 +17,7 @@ metadata:
   annotations:
     spec.ingressClassName: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: web
+    traefik.ingress.kubernetes.io/router.middlewares: services-pihole-redirect-admin@kubernetescrd
 spec:
   rules:
     - host: pihole.f3s.buetow.org
@@ -28,6 +40,7 @@ metadata:
   annotations:
     spec.ingressClassName: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    traefik.ingress.kubernetes.io/router.middlewares: services-pihole-redirect-admin@kubernetescrd
 spec:
   tls:
     - hosts: