pihole: docker-pi dnsmasq wildcard, README for pi2/pi3, ArgoCD parity

Add dnsmasq.d wildcard for *.f3s.lan.buetow.org → 192.168.1.138 and example compose for Pis; refresh README (DNS on pi2/pi3, etc-dnsmasq.d). Align dormant ArgoCD Helm customDnsEntries with the same wildcard. Made-with: Cursor
author: Paul Buetow <paul@buetow.org> 2026-04-11 18:19:49 +0300
committer: Paul Buetow <paul@buetow.org> 2026-04-11 18:19:49 +0300
commit: 9747e2712c1fc1434acecff87f96a380d70a8648 (patch)
tree: 3f68ddf5636e4db1d94fda8c88f79854202fa54c
parent: 6f2e2f4eef379d4af960a1bd7ae6f4bfbb2401ef (diff)
4 files changed, 38 insertions, 23 deletions
diff --git a/f3s/argocd-apps/services/pihole.yaml b/f3s/argocd-apps/services/pihole.yaml
index a22e585..724c6c3 100644
--- a/f3s/argocd-apps/services/pihole.yaml
+++ b/f3s/argocd-apps/services/pihole.yaml
@@ -27,7 +27,8 @@ spec:
             existingClaim: "pihole-config-pvc"
           dnsmasq:
             customDnsEntries:
-              - address=/f3s.lan.buetow.org/192.168.1.138
+              # Match Pi docker hosts: f3s/pihole/docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf
+              - address=/.f3s.lan.buetow.org/192.168.1.138
             customVolumeMounts:
               - name: dnsmasq-config
                 mountPath: /etc/dnsmasq.d
diff --git a/f3s/pihole/README.md b/f3s/pihole/README.md
index 71d9ed1..22d2070 100644
--- a/f3s/pihole/README.md
+++ b/f3s/pihole/README.md
@@ -4,7 +4,12 @@ Network-wide ad blocking for the f3s cluster.
 
 ## Deployment
 
-Pi-hole is deployed via ArgoCD using a combination of a local Helm chart (for PVs/PVCs/Ingress) and the official upstream chart.
+**Production DNS** runs on the Raspberry Pis **`pi2.lan.buetow.org`** and **`pi3.lan.buetow.org`**: Docker Compose with `network_mode: host` (see `f3s/docs/pi-phase-2-2.md`). Tracked extras live under **`docker-pi/`**:
+
+- `docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf` — resolves `*.f3s.lan.buetow.org` to the CARP VIP **192.168.1.138** (on pi2/pi3 this file lives in **`~/pihole/etc-dnsmasq.d/`**, which is bind-mounted to `/etc/dnsmasq.d` in compose; then `docker compose restart`).
+- `docker-pi/docker-compose.example.yml` — reference `volumes` snippet to merge with your host-local compose.
+
+An ArgoCD Application for Pi-hole on k3s remains in **`f3s/argocd-apps/services/pihole.yaml`** but sync is disabled; the chart values are kept aligned with the Pis’ dnsmasq wildcard.
 
 ### Manual Secret Requirement
 
@@ -23,9 +28,7 @@ kubectl create secret generic pihole-admin-password \
 
 ## DNS Service
 
-Pi-hole DNS is available on both the Wireguard mesh and LAN networks:
-- **Wireguard mesh**: 192.168.2.120 (port 53 UDP/TCP)
-- **LAN IPs**: 192.168.1.120, 192.168.1.121, 192.168.1.122 (port 53 UDP/TCP)
+Pi-hole answers on **`pi2` / `pi3`** (LAN **192.168.1.127**, **192.168.1.128**, port 53 UDP/TCP). Older docs referred to k3s LoadBalancer IPs on r0–r2; those are not the live Pi-hole path anymore.
 
 ### Client Configuration
 
@@ -56,7 +59,7 @@ Configure your network connection to use Pi-hole with automatic failover:
 nmcli connection show --active
 
 # Configure DNS servers (replace CONNECTION_NAME with your actual connection name from above)
-nmcli con mod "CONNECTION_NAME" ipv4.dns "192.168.1.120 192.168.1.121 192.168.1.122 192.168.1.1"
+nmcli con mod "CONNECTION_NAME" ipv4.dns "192.168.1.127 192.168.1.128 192.168.1.1"
 nmcli con mod "CONNECTION_NAME" ipv4.ignore-auto-dns yes
 nmcli con up "CONNECTION_NAME"
 ```
@@ -64,16 +67,15 @@ nmcli con up "CONNECTION_NAME"
 Example for a WiFi connection named `www_irregular_ninja`:
 
 ```bash
-nmcli con mod "www_irregular_ninja" ipv4.dns "192.168.1.120 192.168.1.121 192.168.1.122 192.168.1.1"
+nmcli con mod "www_irregular_ninja" ipv4.dns "192.168.1.127 192.168.1.128 192.168.1.1"
 nmcli con mod "www_irregular_ninja" ipv4.ignore-auto-dns yes
 nmcli con up "www_irregular_ninja"
 ```
 
 DNS servers are tried in order:
-1. Primary: 192.168.1.120 (r0)
-2. Fallback: 192.168.1.121 (r1)
-3. Fallback: 192.168.1.122 (r2)
-4. Last resort: 192.168.1.1 (router)
+1. Primary: 192.168.1.127 (pi2)
+2. Fallback: 192.168.1.128 (pi3)
+3. Last resort: 192.168.1.1 (router)
 
 #### Verify Configuration
 
@@ -85,7 +87,7 @@ nmcli dev show | grep DNS
 cat /etc/resolv.conf
 
 # Test DNS resolution through Pi-hole
-dig @192.168.1.120 google.com +short
+dig @192.168.1.127 google.com +short
 
 # Test ad blocking (should return 0.0.0.0)
 dig doubleclick.net +short
@@ -103,21 +105,15 @@ This allows Firefox to use the system DNS (Pi-hole) instead of bypassing it with
 #### Router Configuration (Alternative)
 
 For network-wide Pi-hole usage, configure your router's DHCP server to hand out Pi-hole as the DNS server:
-- Primary DNS: 192.168.1.120
-- Secondary DNS: 192.168.1.121 (or 192.168.1.1 for fallback to router)
+- Primary DNS: 192.168.1.127 (pi2)
+- Secondary DNS: 192.168.1.128 (pi3) or 192.168.1.1 (router)
 
 ## Storage
 
-Configuration is persisted on NFS at:
-- `/data/nfs/k3svolumes/pihole/config`
-- `/data/nfs/k3svolumes/pihole/dnsmasq`
+On **pi2 / pi3**, Pi-hole state is in the Docker volumes / bind mounts under each host’s `~/pihole` (not NFS). The historical k3s NFS paths (`/data/nfs/k3svolumes/pihole/…`) apply only if the cluster chart is used again.
 
 ## Management
 
-Use the provided `Justfile` for common operations:
+On the Pis: `cd ~/pihole && docker compose ps|logs|restart`.
 
-```bash
-just status    # Check pod and service status
-just logs      # Follow logs
-just sync      # Trigger ArgoCD refresh
-```
+For the dormant k3s deployment, use the `Justfile` (`just status`, `just logs`, `just sync`).
diff --git a/f3s/pihole/docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf b/f3s/pihole/docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf
new file mode 100644
index 0000000..d8ccfd5
--- /dev/null
+++ b/f3s/pihole/docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf
@@ -0,0 +1,3 @@
+# Wildcard LAN services → k3s ingress on CARP VIP (relayd / Traefik).
+# Leading dot: match apex and all subdomains (dnsmasq address= semantics).
+address=/.f3s.lan.buetow.org/192.168.1.138
diff --git a/f3s/pihole/docker-pi/docker-compose.example.yml b/f3s/pihole/docker-pi/docker-compose.example.yml
new file mode 100644
index 0000000..6672b7c
--- /dev/null
+++ b/f3s/pihole/docker-pi/docker-compose.example.yml
@@ -0,0 +1,15 @@
+# Reference for pi2 / pi3 (~paul/pihole). Merge the `dnsmasq.d` volume with your live compose.
+# WEBPASSWORD lives in host-local `.env` (not in git). See f3s/docs/pi-phase-2-2.md.
+services:
+  pihole:
+    image: pihole/pihole:latest
+    network_mode: host
+    env_file:
+      - .env
+    environment:
+      TZ: Europe/Sofia
+      DNS1: 1.1.1.1
+      DNS2: 1.0.0.1
+    volumes:
+      # Production Pis use ./etc-dnsmasq.d (see pi-phase-2-2); same content as docker-pi/dnsmasq.d/ here.
+      - ./etc-dnsmasq.d:/etc/dnsmasq.d:ro
author	Paul Buetow <paul@buetow.org>	2026-04-11 18:19:49 +0300
committer	Paul Buetow <paul@buetow.org>	2026-04-11 18:19:49 +0300
commit	9747e2712c1fc1434acecff87f96a380d70a8648 (patch)
tree	3f68ddf5636e4db1d94fda8c88f79854202fa54c
parent	6f2e2f4eef379d4af960a1bd7ae6f4bfbb2401ef (diff)