Add Pi-hole with AdGuard DOH/DOT integration, reorganize swarm stacks, add DNS/n8n docs

services/standalone/Pihole/unbound/unbound.conf

@@ -0,0 +1,56 @@
+server:
+  # Listener (Pi-hole runs in host mode and queries localhost:5335)
+  interface: 127.0.0.1@5335
+  access-control: 127.0.0.1/32 allow
+  access-control: ::1 allow
+
+  # Protocols
+  do-ip4: yes
+  do-ip6: yes
+  do-udp: yes
+  do-tcp: yes
+
+  # Threads: match physical cores (not hyperthreads)
+  num-threads: 2
+  so-reuseport: yes
+
+  # Concurrency tuning
+  outgoing-range: 1024
+  incoming-num-tcp: 32
+  outgoing-num-tcp: 64
+  num-queries-per-thread: 4096
+
+  # Cache sizing (right-sized for ~200k Q/day, 4 GiB VM)
+  msg-cache-size: 128m
+  rrset-cache-size: 256m
+  infra-cache-numhosts: 10000
+
+  # TTL and prefetch to avoid cold-cache spikes
+  cache-min-ttl: 300
+  cache-max-ttl: 86400
+  prefetch: yes
+  prefetch-key: yes
+  serve-expired: yes        # optional but smooths client behavior on slow upstreams
+
+  # Network socket buffers for bursts
+  so-rcvbuf: 16m
+  so-sndbuf: 16m
+
+  # DNSSEC (keep enabled)
+  root-hints: "/var/lib/unbound/root.hints"
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+  # Hardening (lightweight)
+  harden-glue: yes
+  harden-dnssec-stripped: yes
+  harden-referral-path: yes
+  harden-algo-downgrade: yes
+  use-caps-for-id: yes
+  unwanted-reply-threshold: 10000
+
+  # Logging / verbosity (low in production)
+  verbosity: 1
+  logfile: ""        # empty = syslog (or leave unset to avoid disk logs)
+  log-queries: no
+  log-replies: no
+  log-servfail: yes