From ffcdf525b5e1e862c8aa8d6d08c0e3dcb79443df Mon Sep 17 00:00:00 2001 From: alvis Date: Fri, 22 May 2026 13:04:02 +0000 Subject: [PATCH] wiki: document Pi-hole move to lizacer - New Pi-hole page (was implicit/outdated in Network) - Network: trimmed outdated pihole section to a pointer - Home: add Pi-hole to service index - Agap-Installation: note pihole lives on lizacer - Backups: remove pihole from Agap /mnt/ssd/dbs source list --- Agap-Installation.md | 2 +- Backups.md | 2 +- Home.md | 1 + Network.md | 28 ++-------------- Pi-hole.md | 77 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 82 insertions(+), 28 deletions(-) create mode 100644 Pi-hole.md diff --git a/Agap-Installation.md b/Agap-Installation.md index 69bbe3e..b32e774 100644 --- a/Agap-Installation.md +++ b/Agap-Installation.md @@ -17,7 +17,7 @@ Required mount points: ## 2. Network -See [[Network]] for full setup: Netplan bridge, Caddy reverse proxy, Pi-hole DNS, and port forwarding requirements. +See [[Network]] for full setup: Netplan bridge, Caddy reverse proxy, and port forwarding requirements. Pi-hole runs on lizacer, not Agap — see [[Pi-hole]]. ### Hairpin NAT workaround diff --git a/Backups.md b/Backups.md index a1d731d..065b711 100644 --- a/Backups.md +++ b/Backups.md @@ -38,7 +38,7 @@ Rsync of all databases from SSD to backup volume. 30 3 * * * rsync -a --delete /mnt/ssd/dbs/ /mnt/backups/dbs/ >> /mnt/backups/dbs/cron.log 2>&1 && touch /mnt/backups/dbs/.last_sync ``` -Source: `/mnt/ssd/dbs/` (gitea, otter, pihole, qdrant, zabbix) +Source: `/mnt/ssd/dbs/` (gitea, otter, qdrant, zabbix) Destination: `/mnt/backups/dbs/` ## Vaultwarden diff --git a/Home.md b/Home.md index 2e0af85..a9b9f1f 100644 --- a/Home.md +++ b/Home.md 
@@ -16,6 +16,7 @@ - [[Home-Assistant]] — KVM virtual machine - [[3X-UI]] — VPN proxy - [[Zabbix]] — Monitoring (Zabbix 7.4, PostgreSQL, Apache) +- [[Pi-hole]] — LAN DNS ad-blocking (runs on lizacer) - [[Juris]] — Remote server (83.99.190.32) - [[Adolf]] — Persistent AI assistant (Telegram, GPU, memory) - [[Omo]] — AI coding agent (oh-my-opencode, local LLM via Bifrost) diff --git a/Network.md b/Network.md index ac5c863..a4756df 100644 --- a/Network.md +++ b/Network.md @@ -132,30 +132,6 @@ curl -v http://yourdomain.net/.well-known/acme-challenge/test # Expect HTTP 200 ``` -## Pi-hole (DNS ad-blocking) +## Pi-hole -Pi-hole runs as a Docker container on a **macvlan** network, giving it its own IP on the LAN (`192.168.1.2`). This allows it to bind to port 53 without conflicting with the host. - -### Architecture - -``` -[LAN clients] → DNS → 192.168.1.2 (pihole, macvlan on br0) - ↓ (upstream) - 8.8.8.8 / 1.1.1.1 -``` - -The host (`br0`) and Pi-hole (`macvlan-br0`) are on the same physical network but **cannot communicate directly** due to macvlan isolation. The host uses its router as DNS instead. - -### Setup - -```bash -cd ~/agap_git/pihole -docker compose up -d -``` - -Pi-hole data: `/mnt/ssd/dbs/pihole` -Web UI: `http://192.168.1.2/admin` (password: set via `FTLCONF_webserver_api_password`) - -### Router config - -Set the router's DNS server to `192.168.1.2` so all LAN clients use Pi-hole automatically. +LAN-wide DNS ad-blocking runs on lizacer at `192.168.1.2`. The router's DNS is set to that IP so every LAN client uses Pi-hole automatically. See [[Pi-hole]] for setup details. diff --git a/Pi-hole.md b/Pi-hole.md new file mode 100644 index 0000000..78565f9 --- /dev/null +++ b/Pi-hole.md 
@@ -0,0 +1,77 @@ +# Pi-hole + +Network-wide DNS ad-blocking. Runs on **[[Juris|lizacer]]** (192.168.1.4), not Agap. + +## Topology + +``` +[LAN clients] → DNS → 192.168.1.2 (pihole, macvlan on enp2s0) + ↓ + 8.8.8.8 / 1.1.1.1 +``` + +Pi-hole is a Docker macvlan container with its own LAN IP `192.168.1.2`, separate from lizacer's host IP `192.168.1.4`. The router's DNS is set to `192.168.1.2` so every LAN client uses Pi-hole automatically. + +| | | +|--|--| +| Host | lizacer (192.168.1.4) | +| Container IP | 192.168.1.2 | +| Web UI | `http://192.168.1.2/admin` | +| API | `https://192.168.1.2/api` | +| Compose | `/home/alvis/pihole/docker-compose.yaml` on lizacer | +| Data | `/home/alvis/pihole/data/pihole/` on lizacer | +| Web password | `FTLCONF_webserver_api_password` in compose | + +## Operations + +All commands run on lizacer (`ssh alvis@192.168.1.4`): + +```bash +cd ~/pihole +docker compose up -d # start +docker compose down # stop +docker compose logs -f # tail logs +docker compose pull && docker compose up -d # update image +``` + +## Macvlan host-isolation gotcha + +A Docker macvlan container is invisible to its own host kernel by default. From lizacer's shell, `ping 192.168.1.2` returns *Destination Host Unreachable* — even though every other LAN device can reach it fine. This breaks Zabbix monitoring, which runs on lizacer. + +**Fix:** a `macvlan-shim` interface lets the host route to the container's IP. 
Persisted as a systemd unit at `/etc/systemd/system/macvlan-shim.service`: + +```ini +[Unit] +Description=Macvlan shim for Pi-hole communication +After=network-online.target +Wants=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/bash -c 'ip link add macvlan-shim link enp2s0 type macvlan mode bridge && ip addr add 192.168.1.253/32 dev macvlan-shim && ip link set macvlan-shim up && ip route add 192.168.1.2/32 dev macvlan-shim' +ExecStop=/bin/bash -c 'ip link del macvlan-shim' + +[Install] +WantedBy=multi-user.target +``` + +```bash +sudo systemctl daemon-reload +sudo systemctl enable --now macvlan-shim.service +``` + +After this, the host reaches the container directly. + +## Monitoring + +Zabbix host `pihole` (hostid 10778) polls `https://192.168.1.2/api` using the `Pi-hole modern API by HTTP` template. Host macros: + +| Macro | Value | +|------|-------| +| `{$PIHOLE.API.URL}` | `https://192.168.1.2/api` | +| `{$PIHOLE.PASSWORD}` | (matches `FTLCONF_webserver_api_password`) | + +## History + +Pi-hole originally ran on Agap (macvlan on `br0`). It was migrated to lizacer on 2026-05-03 to consolidate; Agap's compose, data dir (`/mnt/ssd/dbs/pihole/`), and macvlan-shim are retired stale state.
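Review bot: in the Backups.md hunk, dropping `pihole` from the `/mnt/ssd/dbs/` source list leaves the migrated data directory (`/home/alvis/pihole/data/pihole/` on lizacer, per the new Pi-hole.md) with no documented backup at all; either add a lizacer-side rsync job to Backups.md or state explicitly that Pi-hole data is not backed up. Note also that the cron line still syncs the whole of `/mnt/ssd/dbs/` with `--delete`, so the stale `/mnt/ssd/dbs/pihole/` that the History section says is retired will keep being mirrored into `/mnt/backups/dbs/` until it is actually removed from Agap; the prose list change alone does not stop that.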
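Review bot: in the Home.md hunk, the new index entry says Pi-hole "runs on lizacer", but Pi-hole.md links that host as `[[Juris|lizacer]]`, and the same index list describes `[[Juris]]` as "Remote server (83.99.190.32)" while lizacer is given LAN IP 192.168.1.4. Confirm which page actually documents lizacer; if Juris and lizacer are different machines, the alias sends readers of the Pi-hole page to the wrong host and should become its own `[[lizacer]]` page or a corrected link.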
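Review bot: in the Pi-hole.md hunk, the `macvlan-shim.service` `ExecStart` chain is not idempotent: if the `macvlan-shim` link already exists (for example after a run where the chain failed part-way and `ExecStop` never ran, or after manual creation), `ip link add` errors, the whole oneshot fails, and the host loses its route to 192.168.1.2 so the Zabbix `pihole` host shows unreachable. Suggest guarding the create step, e.g. `ip link show macvlan-shim >/dev/null 2>&1 || ip link add macvlan-shim link enp2s0 type macvlan mode bridge`, and writing `ExecStop=-/bin/bash -c 'ip link del macvlan-shim'` so a missing link on stop is not an error. Two documentation gaps as well: the page puts the same admin credential in `FTLCONF_webserver_api_password` inside the compose file and in the `{$PIHOLE.PASSWORD}` host macro, but does not say the macro is a secret-type macro or that the compose file is readable only by the owner; both should be stated since the Web UI is reachable from the whole LAN. And the Monitoring section polls `https://192.168.1.2/api` without saying how the TLS certificate on a bare LAN IP is handled (a trusted certificate, or verification disabled in the template), which is exactly the setting someone rebuilding the Zabbix host will need.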