wiki: document Pi-hole move to lizacer

- New Pi-hole page (was implicit/outdated in Network)
- Network: trimmed outdated pihole section to a pointer
- Home: add Pi-hole to service index
- Agap-Installation: note pihole lives on lizacer
- Backups: remove pihole from Agap /mnt/ssd/dbs source list
2026-05-22 13:04:02 +00:00
parent 0479842e17
commit ffcdf525b5
5 changed files with 82 additions and 28 deletions

@@ -17,7 +17,7 @@ Required mount points:
## 2. Network
See [[Network]] for full setup: Netplan bridge, Caddy reverse proxy, Pi-hole DNS, and port forwarding requirements.
See [[Network]] for full setup: Netplan bridge, Caddy reverse proxy, and port forwarding requirements. Pi-hole runs on lizacer, not Agap — see [[Pi-hole]].
### Hairpin NAT workaround

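Review bot: The replacement sentence drops the host-side DNS detail without replacing it. The Network text removed later in this same commit said the Agap host resolved via its router because macvlan isolation kept it from reaching the local Pi-hole container; with the container gone from Agap, say here what Agap's own resolver now points at (the router, or 192.168.1.2 directly, which Agap can reach like any other LAN device). Otherwise the installation page leaves the host's DNS configuration undocumented.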
@@ -38,7 +38,7 @@ Rsync of all databases from SSD to backup volume.
30 3 * * * rsync -a --delete /mnt/ssd/dbs/ /mnt/backups/dbs/ >> /mnt/backups/dbs/cron.log 2>&1 && touch /mnt/backups/dbs/.last_sync
```
Source: `/mnt/ssd/dbs/` (gitea, otter, pihole, qdrant, zabbix)
Source: `/mnt/ssd/dbs/` (gitea, otter, qdrant, zabbix)
Destination: `/mnt/backups/dbs/`
## Vaultwarden

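Review bot: Editing the comment alone does not change what the cron job copies: the rsync on the line above syncs all of `/mnt/ssd/dbs/`, so the stale `/mnt/ssd/dbs/pihole/` directory keeps being backed up until it is deleted from disk, and because the job runs with `--delete`, removing it from the SSD also purges the last Agap-era Pi-hole backup on the next run. If that data might be wanted for rollback, move it out of the synced tree first. Also, the new Pi-hole page puts the live data at `/home/alvis/pihole/data/pihole/` on lizacer, which no backup job on this page covers; document where that directory is backed up or state that it is not.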
@@ -16,6 +16,7 @@
- [[Home-Assistant]] — KVM virtual machine
- [[3X-UI]] — VPN proxy
- [[Zabbix]] — Monitoring (Zabbix 7.4, PostgreSQL, Apache)
- [[Pi-hole]] — LAN DNS ad-blocking (runs on lizacer)
- [[Juris]] — Remote server (83.99.190.32)
- [[Adolf]] — Persistent AI assistant (Telegram, GPU, memory)
- [[Omo]] — AI coding agent (oh-my-opencode, local LLM via Bifrost)

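Review bot: Host identity is inconsistent between this index and the new page. This entry says Pi-hole runs on lizacer, while the new Pi-hole.md links the host as `[[Juris|lizacer]]` with LAN IP 192.168.1.4, yet the Juris line here describes a remote server at 83.99.190.32. Either lizacer is a separate host that deserves its own index entry, or the Juris line should say it is also lizacer on the LAN.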
@@ -132,30 +132,6 @@ curl -v http://yourdomain.net/.well-known/acme-challenge/test
# Expect HTTP 200
```
## Pi-hole (DNS ad-blocking)
## Pi-hole
Pi-hole runs as a Docker container on a **macvlan** network, giving it its own IP on the LAN (`192.168.1.2`). This allows it to bind to port 53 without conflicting with the host.
### Architecture
```
[LAN clients] → DNS → 192.168.1.2 (pihole, macvlan on br0)
↓ (upstream)
8.8.8.8 / 1.1.1.1
```
The host (`br0`) and Pi-hole (`macvlan-br0`) are on the same physical network but **cannot communicate directly** due to macvlan isolation. The host uses its router as DNS instead.
### Setup
```bash
cd ~/agap_git/pihole
docker compose up -d
```
Pi-hole data: `/mnt/ssd/dbs/pihole`
Web UI: `http://192.168.1.2/admin` (password: set via `FTLCONF_webserver_api_password`)
### Router config
Set the router's DNS server to `192.168.1.2` so all LAN clients use Pi-hole automatically.
LAN-wide DNS ad-blocking runs on lizacer at `192.168.1.2`. The router's DNS is set to that IP so every LAN client uses Pi-hole automatically. See [[Pi-hole]] for setup details.

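Review bot: The removed Setup block leaves a footgun the new pointer does not mention: `~/agap_git/pihole` with its compose file still exists on Agap (the new page's History calls it retired stale state), and running `docker compose up -d` there would start a second Pi-hole claiming 192.168.1.2 on the LAN alongside the lizacer one, giving an address conflict and inconsistent DNS answers. Either delete or rename that directory, or add a sentence here saying it must not be started. Minor: the remaining `## Pi-hole` heading now sits over a single sentence; fold it into the surrounding text unless other pages link to the anchor.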
Pi-hole.md (new file, +77 lines)

@@ -0,0 +1,77 @@
# Pi-hole
Network-wide DNS ad-blocking. Runs on **[[Juris|lizacer]]** (192.168.1.4), not Agap.
## Topology
```
[LAN clients] → DNS → 192.168.1.2 (pihole, macvlan on enp2s0)
8.8.8.8 / 1.1.1.1
```
Pi-hole is a Docker macvlan container with its own LAN IP `192.168.1.2`, separate from lizacer's host IP `192.168.1.4`. The router's DNS is set to `192.168.1.2` so every LAN client uses Pi-hole automatically.
| | |
|--|--|
| Host | lizacer (192.168.1.4) |
| Container IP | 192.168.1.2 |
| Web UI | `http://192.168.1.2/admin` |
| API | `https://192.168.1.2/api` |
| Compose | `/home/alvis/pihole/docker-compose.yaml` on lizacer |
| Data | `/home/alvis/pihole/data/pihole/` on lizacer |
| Web password | `FTLCONF_webserver_api_password` in compose |
## Operations
All commands run on lizacer (`ssh alvis@192.168.1.4`):
```bash
cd ~/pihole
docker compose up -d # start
docker compose down # stop
docker compose logs -f # tail logs
docker compose pull && docker compose up -d # update image
```
## Macvlan host-isolation gotcha
A Docker macvlan container is invisible to its own host kernel by default. From lizacer's shell, `ping 192.168.1.2` returns *Destination Host Unreachable* — even though every other LAN device can reach it fine. This breaks Zabbix monitoring, which runs on lizacer.
**Fix:** a `macvlan-shim` interface lets the host route to the container's IP. Persisted as a systemd unit at `/etc/systemd/system/macvlan-shim.service`:
```ini
[Unit]
Description=Macvlan shim for Pi-hole communication
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c 'ip link add macvlan-shim link enp2s0 type macvlan mode bridge && ip addr add 192.168.1.253/32 dev macvlan-shim && ip link set macvlan-shim up && ip route add 192.168.1.2/32 dev macvlan-shim'
ExecStop=/bin/bash -c 'ip link del macvlan-shim'
[Install]
WantedBy=multi-user.target
```
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now macvlan-shim.service
```
After this, the host reaches the container directly.
## Monitoring
Zabbix host `pihole` (hostid 10778) polls `https://192.168.1.2/api` using the `Pi-hole modern API by HTTP` template. Host macros:
| Macro | Value |
|------|-------|
| `{$PIHOLE.API.URL}` | `https://192.168.1.2/api` |
| `{$PIHOLE.PASSWORD}` | (matches `FTLCONF_webserver_api_password`) |
## History
Pi-hole originally ran on Agap (macvlan on `br0`). It was migrated to lizacer on 2026-05-03 to consolidate; Agap's compose, data dir (`/mnt/ssd/dbs/pihole/`), and macvlan-shim are retired stale state.
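Review bot: The `macvlan-shim` unit is not idempotent: `ExecStart` chains `ip link add ... && ip addr add ... && ip route add ...`, so if `macvlan-shim` already exists (a second `systemctl start` after a failed `ExecStop`, or a manual test) `ip link add` fails and the whole oneshot fails; prefix the chain with `ip link del macvlan-shim 2>/dev/null;` or split the steps into separate `ExecStart=-` lines so a rerun converges. The shim address 192.168.1.253/32 also has to be excluded from the router's DHCP pool or a lease will collide with it; note that next to the unit. Separately, `{$PIHOLE.PASSWORD}` copies the admin password into Zabbix; mark the macro as secret text (supported in Zabbix 7.4) and say so in the Monitoring table, and since the API is polled over `https://192.168.1.2/api` while the Web UI is listed as `http://`, record whether the template verifies the certificate. Minor: the Topology block lost the `↓ (upstream)` line the Network page had, so `8.8.8.8 / 1.1.1.1` now floats unexplained.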