Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

services/standalone/Pihole/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  pihole:
+    image: pihole/pihole:latest
+    container_name: pihole
+    network_mode: host
+    environment:
+      TZ: "America/Chicago"
+      WEBPASSWORD: "YOURPASSWORD"
+      FTLCONF_webserver_enabled: "true"
+      FTLCONF_webserver_port: "7300"
+      WEB_BIND_ADDR: "0.0.0.0"
+      DNS1: "127.0.0.1#5335"
+      DNS2: "0.0.0.0"
+    volumes:
+      - ./etc-pihole:/etc/pihole
+      - ./etc-dnsmasq.d:/etc/dnsmasq.d
+    restart: unless-stopped

services/standalone/Pihole/pihole_adguard/run_command

@@ -0,0 +1,23 @@
+docker run -d \
+    --name pihole \
+    --network host \
+    -e TZ=America/Chicago \
+    -e WEBPASSWORD=YOURPASSWORD \
+    -e FTLCONF_webserver_enabled=true \
+    -e FTLCONF_webserver_port=7300 \
+    -e WEB_BIND_ADDR=0.0.0.0 \
+    -e DNS1=127.0.0.1#5335 \
+    -e DNS2=0.0.0.0 \
+    -v pihole_etc:/etc/pihole:rw \
+    -v pihole_dnsmasq:/etc/dnsmasq.d:rw \
+    --restart=unless-stopped \
+    pihole/pihole:latest
+
+docker run -d \
+    --name adguardhome \
+    --network host \
+    -e TZ=America/Chicago \
+    -v adguard_conf:/opt/adguardhome/conf:rw \
+    -v adguard_work:/opt/adguardhome/work:rw \
+    --restart=unless-stopped \
+    adguard/adguardhome:latest

services/standalone/Pihole/run_command

@@ -0,0 +1 @@
+docker run -d --name pihole --network host -e TZ=America/Chicago -e WEBPASSWORD=YOURPASSWORD -e FTLCONF_webserver_enabled=true -e FTLCONF_webserver_port=7300 -e WEB_BIND_ADDR=0.0.0.0 -e DNS1=127.0.0.1#5335 -e DNS2=0.0.0.0 -v pihole_etc:/etc/pihole -v pihole_dnsmasq:/etc/dnsmasq.d --restart=unless-stopped pihole/pihole:latest

services/standalone/Pihole/unbound/root.hints

@@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     November 20, 2025
+;       related version of root zone:     2025112001
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

services/standalone/Pihole/unbound/unbound.conf

@@ -0,0 +1,56 @@
+server:
+  # Listener (Pi-hole runs in host mode and queries localhost:5335)
+  interface: 127.0.0.1@5335
+  access-control: 127.0.0.1/32 allow
+  access-control: ::1 allow
+
+  # Protocols
+  do-ip4: yes
+  do-ip6: yes
+  do-udp: yes
+  do-tcp: yes
+
+  # Threads: match physical cores (not hyperthreads)
+  num-threads: 2
+  so-reuseport: yes
+
+  # Concurrency tuning
+  outgoing-range: 1024
+  incoming-num-tcp: 32
+  outgoing-num-tcp: 64
+  num-queries-per-thread: 4096
+
+  # Cache sizing (right-sized for ~200k Q/day, 4 GiB VM)
+  msg-cache-size: 128m
+  rrset-cache-size: 256m
+  infra-cache-numhosts: 10000
+
+  # TTL and prefetch to avoid cold-cache spikes
+  cache-min-ttl: 300
+  cache-max-ttl: 86400
+  prefetch: yes
+  prefetch-key: yes
+  serve-expired: yes        # optional but smooths client behavior on slow upstreams
+
+  # Network socket buffers for bursts
+  so-rcvbuf: 16m
+  so-sndbuf: 16m
+
+  # DNSSEC (keep enabled)
+  root-hints: "/var/lib/unbound/root.hints"
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+  # Hardening (lightweight)
+  harden-glue: yes
+  harden-dnssec-stripped: yes
+  harden-referral-path: yes
+  harden-algo-downgrade: yes
+  use-caps-for-id: yes
+  unwanted-reply-threshold: 10000
+
+  # Logging / verbosity (low in production)
+  verbosity: 1
+  logfile: ""        # empty = syslog (or leave unset to avoid disk logs)
+  log-queries: no
+  log-replies: no
+  log-servfail: yes

services/standalone/Pihole/unbound/unbound.conf.d/remote-control.conf

@@ -0,0 +1,5 @@
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl

services/standalone/Pihole/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

@@ -0,0 +1,4 @@
+server:
+    # The following line will configure unbound to perform cryptographic
+    # DNSSEC validation using the root trust anchor.
+    auto-trust-anchor-file: "/var/lib/unbound/root.key"