pihole: add Pi-hole + Unbound stack

.env.example

@@ -9,6 +9,5 @@ CF_DNS_API_TOKEN=
 # Cloudflare Tunnel Token (Zero Trust → Networks → Tunnels → Tunnel erstellen)
 CLOUDFLARE_TUNNEL_TOKEN=
 
-# Traefik Dashboard Basic Auth
-# Generieren: echo $(htpasswd -nb admin PASSWORT) | sed -e 's/\$/\$\$/g'
-TRAEFIK_DASHBOARD_USER=admin:$$apr1$$...
+# Pi-hole Admin Passwort
+PIHOLE_PASSWORD=

Makefile

@@ -9,7 +9,7 @@ define compose
 	docker compose --env-file $(ENV_FILE) -f $(ROOT_DIR)/services/$(1)/docker-compose.yaml
 endef
 
-.PHONY: setup traefik-up traefik-down gitea-up gitea-down cloudflared-up cloudflared-down all-up all-down
+.PHONY: setup traefik-up traefik-down gitea-up gitea-down cloudflared-up cloudflared-down pihole-up pihole-down all-up all-down
 
 ## Einmalige Einrichtung (nach erstem `cp .env.example .env`)
 setup:
@@ -45,8 +45,15 @@ cloudflared-up:
 cloudflared-down:
 	$(call compose,cloudflared) down
 
-## Alle Services starten (Reihenfolge: Traefik → cloudflared → Gitea)
-all-up: traefik-up cloudflared-up gitea-up
+## Pi-hole + Unbound
+pihole-up:
+	$(call compose,pihole) up -d
+
+pihole-down:
+	$(call compose,pihole) down
+
+## Alle Services starten (Reihenfolge: Traefik → cloudflared → Gitea → Pi-hole)
+all-up: traefik-up cloudflared-up gitea-up pihole-up
 
 ## Alle Services stoppen
-all-down: gitea-down cloudflared-down traefik-down
+all-down: pihole-down gitea-down cloudflared-down traefik-down

services/pihole/config/dnsmasq.d/local.conf

@@ -0,0 +1,5 @@
+# Lokale Domain nicht upstream weiterleiten
+local=/home.dnlm.de/
+
+# Wildcard: *.dama.casa → dell01 (Traefik), umgeht Cloudflare lokal
+address=/.dama.casa/192.168.188.211

services/pihole/docker-compose.yaml

@@ -0,0 +1,46 @@
+services:
+  unbound:
+    image: mvance/unbound:latest
+    container_name: unbound
+    restart: unless-stopped
+    networks:
+      - dns
+
+  pihole:
+    image: pihole/pihole:latest
+    container_name: pihole
+    restart: unless-stopped
+    depends_on:
+      - unbound
+    ports:
+      - "192.168.188.211:53:53/tcp"
+      - "192.168.188.211:53:53/udp"
+    environment:
+      TZ: Europe/Berlin
+      WEBPASSWORD: ${PIHOLE_PASSWORD}
+      FTLCONF_LOCAL_IPV4: "192.168.188.211"
+      FTLCONF_dns_upstreams: "unbound#53"
+      FTLCONF_dns_hosts: >-
+        192.168.188.130 home.dnlm.de,
+        192.168.188.130 dm-nas02.fritz.box,
+        192.168.188.118 octopi.fritz.box
+    volumes:
+      - ./data/etc-pihole:/etc/pihole
+      - ./config/dnsmasq.d:/etc/dnsmasq.d
+    networks:
+      - proxy
+      - dns
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
+      - "traefik.http.routers.pihole.entrypoints=websecure"
+      - "traefik.http.routers.pihole.tls=true"
+      - "traefik.http.routers.pihole.tls.certresolver=cloudflare"
+      - "traefik.http.services.pihole.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy"
+
+networks:
+  proxy:
+    external: true
+  dns:
+    internal: true