path: root/f3s/pihole/README.md
blob: 22d2070522f976abdb26015452895879b7c8a5c3 (plain)
# Pi-hole

Network-wide ad blocking for the f3s cluster.

## Deployment

**Production DNS** runs on the Raspberry Pis **`pi2.lan.buetow.org`** and **`pi3.lan.buetow.org`** as a Docker Compose stack with `network_mode: host` (see `f3s/docs/pi-phase-2-2.md`). The extras tracked in this repository live under **`docker-pi/`**:

- `docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf` — resolves `*.f3s.lan.buetow.org` to the CARP VIP **192.168.1.138**. On pi2/pi3 this file lives in **`~/pihole/etc-dnsmasq.d/`**, which compose bind-mounts to `/etc/dnsmasq.d`; after changing it, run `docker compose restart` to apply.
- `docker-pi/docker-compose.example.yml` — reference `volumes` snippet to merge with your host-local compose.

An ArgoCD Application for Pi-hole on k3s remains in **`f3s/argocd-apps/services/pihole.yaml`** but sync is disabled; the chart values are kept aligned with the Pis’ dnsmasq wildcard.

### Manual Secret Requirement

The admin password is not stored in Git. Before deployment, create the following secret in the `services` namespace:

```bash
kubectl create secret generic pihole-admin-password \
  -n services \
  --from-literal=password='REPLACE_WITH_YOUR_PASSWORD'
```

## Access

- **External**: [https://pihole.f3s.buetow.org](https://pihole.f3s.buetow.org)
- **LAN**: [https://pihole.f3s.lan.buetow.org](https://pihole.f3s.lan.buetow.org)

## DNS Service

Pi-hole answers on **`pi2` / `pi3`** (LAN **192.168.1.127**, **192.168.1.128**, port 53 UDP/TCP). Older docs referred to k3s LoadBalancer IPs on r0–r2; those are not the live Pi-hole path anymore.

### Client Configuration

#### Linux (Fedora/NetworkManager)

##### Quick Toggle (Recommended)

If you have the dotfiles repository, use the toggle script:

```bash
# Toggle Pi-hole DNS on/off
pihole-dns-toggle

# Or use specific commands
pihole-dns-toggle on      # Enable Pi-hole DNS
pihole-dns-toggle off     # Disable Pi-hole (use DHCP DNS)
pihole-dns-toggle status  # Show current status
```

The script is located at `~/git/dotfiles/scripts/pihole-dns-toggle` and automatically detects your active network connection.

##### Manual Configuration

Configure your network connection to use Pi-hole with automatic failover:

```bash
# First, identify your active connection name
nmcli connection show --active

# Configure DNS servers (replace CONNECTION_NAME with your actual connection name from above)
nmcli con mod "CONNECTION_NAME" ipv4.dns "192.168.1.127 192.168.1.128 192.168.1.1"
nmcli con mod "CONNECTION_NAME" ipv4.ignore-auto-dns yes
nmcli con up "CONNECTION_NAME"
```

Example for a WiFi connection named `www_irregular_ninja`:

```bash
nmcli con mod "www_irregular_ninja" ipv4.dns "192.168.1.127 192.168.1.128 192.168.1.1"
nmcli con mod "www_irregular_ninja" ipv4.ignore-auto-dns yes
nmcli con up "www_irregular_ninja"
```

DNS servers are tried in order:
1. Primary: 192.168.1.127 (pi2)
2. Fallback: 192.168.1.128 (pi3)
3. Last resort: 192.168.1.1 (router)

#### Verify Configuration

```bash
# Check configured DNS servers
nmcli dev show | grep DNS

# Check /etc/resolv.conf
cat /etc/resolv.conf

# Test DNS resolution through Pi-hole
dig @192.168.1.127 google.com +short

# Test ad blocking (should return 0.0.0.0)
dig doubleclick.net +short
```
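The checks above only tell you something if you read the answers correctly: a `dig` that returns `0.0.0.0` is blocked, an empty answer is not, and a `/etc/resolv.conf` that lists `127.0.0.53` means systemd-resolved sits in front of Pi-hole and the real upstreams are only visible via `resolvectl status`. The script below is an added example, not code from the f3s repository: it wraps the resolv.conf ordering check, the ad-block check, and the `*.f3s.lan.buetow.org` wildcard check from Deployment into functions and runs them offline against constructed inputs. `F3S_VIP`, `live_check` and the sample contents are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the f3s repository: offline-checkable helpers
# for verifying that a client really resolves through Pi-hole. The sample
# resolv.conf contents and dig answers below are constructed.

PIHOLE_PRIMARY="192.168.1.127"    # pi2
PIHOLE_SECONDARY="192.168.1.128"  # pi3
ROUTER_DNS="192.168.1.1"
F3S_VIP="192.168.1.138"           # CARP VIP behind *.f3s.lan.buetow.org

# Print the nameserver IPs from resolv.conf-style text, in order, on one line.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }'
}

# Classify resolv.conf content: "ok" when the order is pi2, pi3, router;
# "stub" when systemd-resolved's 127.0.0.53 is in front (the real upstreams
# are then only visible via `resolvectl status`); otherwise "mismatch".
resolv_state() {
    ns=$(resolv_nameservers "$1")
    case "$ns" in
        "$PIHOLE_PRIMARY $PIHOLE_SECONDARY $ROUTER_DNS") echo ok ;;
        127.0.0.53*) echo stub ;;
        *) echo mismatch ;;
    esac
}

# Classify the stdout of `dig <name> +short`: "blocked" when every answer is
# Pi-hole's null address (0.0.0.0 for A, :: for AAAA), "none" when dig
# returned nothing at all (a timeout, not a block), else "resolved".
answer_state() {
    [ -z "$1" ] && { echo none; return 0; }
    if printf '%s\n' "$1" | grep -qvE '^(0\.0\.0\.0|::)?$'; then
        echo resolved
    else
        echo blocked
    fi
}

# Succeeds when the dig +short answer for a *.f3s.lan.buetow.org name is
# exactly the CARP VIP, i.e. the dnsmasq wildcard on the Pi is active.
wildcard_ok() {
    [ "$1" = "$F3S_VIP" ]
}

# Live checks (need network and dig); call this by hand, it is not run below.
live_check() {
    resolv_state "$(cat /etc/resolv.conf)"
    answer_state "$(dig @"$PIHOLE_PRIMARY" doubleclick.net +short)"
    wildcard_ok "$(dig @"$PIHOLE_PRIMARY" test.f3s.lan.buetow.org +short)" && echo "wildcard ok"
}

# Constructed samples (not captured from pi2/pi3)
SAMPLE_RESOLV_OK='# Generated by NetworkManager
search lan.buetow.org
nameserver 192.168.1.127
nameserver 192.168.1.128
nameserver 192.168.1.1'
SAMPLE_RESOLV_STUB='nameserver 127.0.0.53
options edns0 trust-ad'
SAMPLE_RESOLV_DHCP='nameserver 192.168.1.1'
SAMPLE_ANSWER_BLOCKED='0.0.0.0'
SAMPLE_ANSWER_BLOCKED_V6='0.0.0.0
::'
SAMPLE_ANSWER_RESOLVED='203.0.113.10'   # TEST-NET-3 address, constructed

echo "resolv ok   -> $(resolv_state "$SAMPLE_RESOLV_OK")"
echo "resolv stub -> $(resolv_state "$SAMPLE_RESOLV_STUB")"
echo "resolv dhcp -> $(resolv_state "$SAMPLE_RESOLV_DHCP")"
echo "blocked     -> $(answer_state "$SAMPLE_ANSWER_BLOCKED")"
echo "resolved    -> $(answer_state "$SAMPLE_ANSWER_RESOLVED")"
echo "empty       -> $(answer_state "")"
```

Run `live_check` from an interactive shell after sourcing the script; a `stub` result is the case to watch for on Fedora, because `nmcli dev show | grep DNS` will still list pi2/pi3 even though `cat /etc/resolv.conf` shows only the local stub.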

#### Firefox Configuration

If using Firefox, ensure DNS over HTTPS (DoH) is disabled:
1. Open Firefox → Settings → Privacy & Security
2. Scroll to "DNS over HTTPS"
3. Set to "Off" or "Default Protection"

This allows Firefox to use the system DNS (Pi-hole) instead of bypassing it with DoH.

#### Router Configuration (Alternative)

For network-wide Pi-hole usage, configure your router's DHCP server to hand out Pi-hole as the DNS server:
- Primary DNS: 192.168.1.127 (pi2)
- Secondary DNS: 192.168.1.128 (pi3) or 192.168.1.1 (router)

## Storage

On **pi2 / pi3**, Pi-hole state is in the Docker volumes / bind mounts under each host’s `~/pihole` (not NFS). The historical k3s NFS paths (`/data/nfs/k3svolumes/pihole/…`) apply only if the cluster chart is used again.

## Management

On the Pis: `cd ~/pihole` and then `docker compose ps`, `docker compose logs`, or `docker compose restart`.

For the dormant k3s deployment, use the `Justfile` (`just status`, `just logs`, `just sync`).