# =============================================================================
# DNS Chain: Router(:53) → AdGuard(:53,DOH,DOT) → Pi-hole(:5353) → Unbound(:5335)
# =============================================================================
# BE9300 router points to this host on port 53
# AdGuard handles DOH(443), DOT(853), and standard DNS(53)
# Pi-hole runs on port 5353 to avoid conflict with AdGuard
# Unbound provides recursive DNS on 5335 (installed locally)
# =============================================================================

# Step 1: Start Pi-hole on port 5053 (5353 is used by mDNS/Avahi, 53 is AdGuard)
# Configure upstream to Unbound on 127.0.0.1#5335
# NOTE: DNS1/DNS2 are deprecated in Pi-hole v6+, use FTLCONF_dns_upstreams instead
docker run -d \
    --name pihole \
    --network host \
    -e TZ=America/Chicago \
    -e WEBPASSWORD=YOURPASSWORD \
    -e FTLCONF_webserver_enabled=true \
    -e FTLCONF_webserver_port=7300 \
    -e WEB_BIND_ADDR=0.0.0.0 \
    -e FTLCONF_dns_port=5053 \
    -e FTLCONF_dns_upstreams=127.0.0.1#5335 \
    -v pihole_etc:/etc/pihole:rw \
    -v pihole_dnsmasq:/etc/dnsmasq.d:rw \
    --restart=unless-stopped \
    pihole/pihole:latest

# Step 2: Start AdGuard Home on port 53 (what router sees)
# After first run, access http://<host-ip>:3000 to configure:
#   - Upstream DNS: 127.0.0.1:5353 (Pi-hole)
#   - DNS listen: 0.0.0.0:53
#   - Enable DOH (port 443) and DOT (port 853)
docker run -d \
    --name adguardhome \
    --network host \
    -e TZ=America/Chicago \
    -v adguard_conf:/opt/adguardhome/conf:rw \
    -v adguard_work:/opt/adguardhome/work:rw \
    -v adguard_certs:/opt/adguardhome/conf/certs:ro \
    --restart=unless-stopped \
    adguard/adguardhome:latest