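---
# Docker Compose stack for Pi-hole: DNS is published directly on the host,
# the web UI is only reachable through the Traefik reverse proxy.
version: "3.8"

networks:
  proxy_infra:
    external: true

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    # The tag pins a release, but tags are mutable; appending the image digest
    # (pihole/pihole:2024.07.0@sha256:<digest>) pins the exact content pulled.
    image: pihole/pihole:2024.07.0
    ports:
      # LSC: I am not relying on Traefik to proxy DNS, in order to not lose
      # name resolution when restarting the reverse proxy.
      # NOTE(review): without a host address, Docker publishes these ports on
      # every host interface by default. If the host has any Internet-facing
      # interface, bind to the LAN address instead ("<LAN_IP>:53:53/udp") or
      # firewall port 53, so the resolver cannot be used as an open resolver.
      - "53:53/tcp"
      - "53:53/udp"
      # LSC: No need for DHCP, already handled.
      # This is for BOOTP, taken over by DHCP.
      # - "67:67/udp"
      # Web UI handled through Traefik
      # - "9000:80/tcp"
    environment:
      TZ: "Europe/Zurich"
      # The admin password is read from a file rather than passed as a plain
      # environment variable, so it does not show up in `docker inspect`.
      WEBPASSWORD_FILE: "/webpassword"
    # Volumes store your data between container upgrades
    volumes:
      # Read-only secret file: keep ./conf/webpassword out of version control
      # and readable only by the user running the stack.
      - "./conf/webpassword:/webpassword:ro"
      - "./etc-pihole/:/etc/pihole/:rw"
      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/:rw"
      - "./etc-pihole-updatelists:/etc/pihole-updatelists/:rw"
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    # LSC: Commented out, DHCP already handled
    # cap_add:
    #   - NET_ADMIN
    restart: always
    networks:
      - proxy_infra
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_infra"
      - "traefik.http.services.pi-hole.loadbalancer.server.port=80"
      # Redirect the bare site root to the Pi-hole admin page.
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.permanent=true"
      # redirectregex is matched against the full request URL. The leading ^
      # anchors the match at the start, so the pattern cannot match (and
      # rewrite) the tail of a longer URL that merely ends with the site root.
      # `$$` is Compose escaping for a literal `$` (end-of-string anchor).
      # The dots of ${FQDN} are regex wildcards here; harmless because the
      # router rule below already restricts the Host.
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.regex=^https://${FQDN}/?$$"
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.replacement=https://${FQDN}/admin"
      # Priority goes from first in the list to last.
      - "traefik.http.middlewares.pi-hole.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
      # Pi-Hole
      - "traefik.http.routers.pi-hole.service=pi-hole"
      - "traefik.http.routers.pi-hole.entrypoints=web-secure"
      # Do not filter on prefix, otherwise the redirect does not work...
      - "traefik.http.routers.pi-hole.rule=Host(`${FQDN}`)"
      - "traefik.http.routers.pi-hole.tls=true"
      # This service is allowed only inside the LAN, but a Let's Encrypt
      # certificate is now required for access from Safari 15
      # NOTE(review): publicly issued certificates are recorded in Certificate
      # Transparency logs, so the ${FQDN} host name becomes publicly
      # discoverable even though the service itself is LAN-only.
      - "traefik.http.routers.pi-hole.tls.certresolver=letsencrypt"
      # The router rule matches on Host only, so the LAN-only restriction and
      # the login rest entirely on the @file middlewares (defined in Traefik's
      # file provider, not visible here; presumably net-home is the IP
      # allow-list and auth-traefik the authentication - confirm). Keep them
      # ahead of pi-hole-redirect so unauthorised requests are rejected before
      # any redirect is issued.
      - "traefik.http.routers.pi-hole.middlewares=pi-hole,net-home@file,auth-traefik@file,pi-hole-redirect"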