author Paul Buetow <paul@buetow.org> 2026-04-11 18:19:48 +0300
committer Paul Buetow <paul@buetow.org> 2026-04-11 18:19:48 +0300
commit 64420306d30d19baa5c72e02c639a63e54804fd2
tree ff21f39213ca21e3d476d48b0cd7db51cd187839 /prompts
parent 3d87f7f82e2b672d9d35898d2a3d8b62c6687918
f3s skill: Pi-hole on pi2/pi3, LAN wildcard DNS, dserver index
Document Docker Pi-hole on Raspberry Pis, *.f3s.lan.buetow.org → CARP VIP, tracked paths in conf (f3s/pihole/docker-pi), client DNS and rollout notes. Add references/pihole-pi.md; track references/dserver.d linked from SKILL.md. Update skill description and IP table entries for pi2/pi3.

Made-with: Cursor
Diffstat (limited to 'prompts')
-rw-r--r-- prompts/skills/f3s/SKILL.md | 9
-rw-r--r-- prompts/skills/f3s/references/dserver.d | 6
-rw-r--r-- prompts/skills/f3s/references/pihole-pi.md | 41
3 files changed, 52 insertions, 4 deletions
diff --git a/prompts/skills/f3s/SKILL.md b/prompts/skills/f3s/SKILL.md
index 9aabebc..793d1d0 100644
--- a/prompts/skills/f3s/SKILL.md
+++ b/prompts/skills/f3s/SKILL.md
@@ -1,6 +1,6 @@
---
name: f3s
-description: Reference skill for the f3s homelab—four Beelink S12 Pro hosts (f0/f1/f2/f3) running FreeBSD with Rocky Linux Bhyve VMs and a k3s Kubernetes cluster. f0/f1/f2 run r0/r1/r2 k3s nodes; f3 is standalone bhyve only (not part of k3s). Also includes four Raspberry Pi 3 nodes (pi0–pi3) running Rocky Linux 9. Covers DTail/dserver on Pis (arm64) and k3s VMs (amd64). Use when troubleshooting or making configuration decisions for the f3s setup.
+description: Reference skill for the f3s homelab—four Beelink S12 Pro hosts (f0/f1/f2/f3) running FreeBSD with Rocky Linux Bhyve VMs and a k3s Kubernetes cluster. f0/f1/f2 run r0/r1/r2 k3s nodes; f3 is standalone bhyve only (not part of k3s). Four Raspberry Pi 3 nodes (pi0–pi3) on Rocky Linux 9; pi2/pi3 run Pi-hole (Docker) and LAN wildcard DNS for *.f3s.lan.buetow.org. Covers DTail/dserver on Pis (arm64) and k3s VMs (amd64). Use when troubleshooting or making configuration decisions for the f3s setup.
---
# f3s Homelab Reference
@@ -29,6 +29,7 @@ Detailed reference documentation is in the `references/` subfolder:
- [Garage](references/garage.md) — Garage cluster, edge domain routing, S3 bucket/key workflow, troubleshooting
- [DTail / dserver](references/dtail.md) — dserver: Pis **arm64** vs r0–r2 **amd64**, r-VM **root** + `root.authorized_keys` cache, firewalld **2222**, systemd timers
- [dserver.d](references/dserver.d) — index: links to **Rocky r-VM DTail** subsection and full **dtail.md**
+- [Pi-hole on Pis](references/pihole-pi.md) — **pi2/pi3** Docker Pi-hole, **`~/pihole`**, **`*.f3s.lan.buetow.org` → 192.168.1.138**, paths under **`f3s/pihole/docker-pi/`**
Package repository details were split into the sibling `pkgrepo` skill. Use `pkgrepo` for `pkgrepo.f3s.buetow.org`, repo layout, package publication, and client repo configuration.
@@ -50,8 +51,8 @@ Package repository details were split into the sibling `pkgrepo` skill. Use `pkg
| f3s-storage-ha | CARP VIP (f0/f1) | 192.168.1.138 | — |
| pi0 | Raspberry Pi 3, Rocky Linux 9, static `f3s.buetow.org` backend | 192.168.1.125 | 192.168.2.203 |
| pi1 | Raspberry Pi 3, Rocky Linux 9, static `f3s.buetow.org` backend | 192.168.1.126 | 192.168.2.204 |
-| pi2 | Raspberry Pi 3, Rocky Linux 9 | 192.168.1.127 | — |
-| pi3 | Raspberry Pi 3, Rocky Linux 9 | 192.168.1.128 | — |
+| pi2 | Raspberry Pi 3, Rocky Linux 9, Pi-hole (Docker, host net) | 192.168.1.127 | — |
+| pi3 | Raspberry Pi 3, Rocky Linux 9, Pi-hole (Docker, host net) | 192.168.1.128 | — |
## Raspberry Pi Nodes
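Review bot: the `f3s-storage-ha` row at the top of this hunk still describes 192.168.1.138 only as "CARP VIP (f0/f1)", while this commit makes that address the target of every `*.f3s.lan.buetow.org` name. Extend that row's role text to mention the LAN wildcard, so a reader of the table sees that renumbering the VIP also means updating the dnsmasq wildcard on both Pis. The new pi2/pi3 rows could likewise state that these hosts are the LAN client resolvers, since that is the role other machines now depend on.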
@@ -68,7 +69,7 @@ Four Raspberry Pi 3 boards running Rocky Linux 9.2 (Blue Onyx) aarch64 from the
Current role split:
- `pi0` and `pi1` serve static `f3s.buetow.org` content behind OpenBSD `relayd` over WireGuard
-- `pi2` and `pi3` remain available for Pi-specific services and experiments
+- `pi2` and `pi3` run **Pi-hole** in Docker (`network_mode: host`, `~/pihole` on each host). Tracked dnsmasq LAN wildcard: **`f3s/pihole/docker-pi/`** in the conf repo; details in [references/pihole-pi.md](references/pihole-pi.md).
### lighttpd Configuration
diff --git a/prompts/skills/f3s/references/dserver.d b/prompts/skills/f3s/references/dserver.d
new file mode 100644
index 0000000..6862fa0
--- /dev/null
+++ b/prompts/skills/f3s/references/dserver.d
@@ -0,0 +1,6 @@
+# dserver on f3s (index)
+
+- **r0–r2 Rocky bhyve / k3s VMs** — install context and SSH notes: [Rocky Linux VMs – DTail (dserver) on r0–r2](rocky-linux-vms.md#dtail-dserver-on-r0r2)
+- **Full DTail reference** (Pis arm64, r VMs amd64, firewalld, key cache, clients): [dtail.md](dtail.md)
+
+Upstream repo: `https://codeberg.org/snonux/dtail` — `doc/installation.md`, `examples/`.
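Review bot: the new file is Markdown (heading, bullet list, links) but is named `dserver.d`, so renderers and editors that key on the extension will not treat it as Markdown, and the name reads like a drop-in directory. Consider renaming it to `dserver.md` and updating the link in SKILL.md. The first bullet's anchor `#dtail-dserver-on-r0r2` also depends on how the renderer slugs the en dash in "r0–r2"; check that the link resolves in the viewer actually used.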
diff --git a/prompts/skills/f3s/references/pihole-pi.md b/prompts/skills/f3s/references/pihole-pi.md
new file mode 100644
index 0000000..b141826
--- /dev/null
+++ b/prompts/skills/f3s/references/pihole-pi.md
@@ -0,0 +1,41 @@
+# Pi-hole on Raspberry Pi (pi2, pi3)
+
+Pi-hole runs in **Docker** on **`pi2.lan.buetow.org`** and **`pi3.lan.buetow.org`** with **`network_mode: host`** (Rocky Linux 9, firewalld allows 53/tcp, 53/udp, `http`). Compose uses **`cap_add: [NET_ADMIN]`**, bind-mounts **`./etc-pihole:/etc/pihole`** and **`./etc-dnsmasq.d:/etc/dnsmasq.d`**. Secrets live in **`~/pihole/.env`** on each host (**`WEBPASSWORD`** is host-local, not in git).
+
+**Client DNS (LAN):** prefer **`192.168.1.127`** (pi2), then **`192.168.1.128`** (pi3), then router fallback — see **`f3s/pihole/README.md`** in conf for `nmcli` examples.
+
+**Kubernetes:** Pi-hole was moved off the cluster; **`f3s/argocd-apps/services/pihole.yaml`** has sync disabled, but **`dnsmasq.customDnsEntries`** stays aligned with the Pis’ wildcard (`address=/.f3s.lan.buetow.org/192.168.1.138`) if that app is ever re-enabled.
+
+## LAN wildcard DNS
+
+Homelab LAN hostnames under **`*.f3s.lan.buetow.org`** should resolve to the **CARP VIP** **`192.168.1.138`** (FreeBSD **f0/f1** → relayd → k3s Traefik). In **dnsmasq** (Pi-hole):
+
+```text
+address=/.f3s.lan.buetow.org/192.168.1.138
+```
+
+The leading **`.`** matches the apex and all subdomains.
+
+## Tracked files in `conf`
+
+In the **`f3s`** repo (`https://codeberg.org/snonux/conf`):
+
+- **`f3s/pihole/docker-pi/dnsmasq.d/99-f3s-lan-wildcard.conf`** — copy into **`~/pihole/etc-dnsmasq.d/`** on each Pi (bind-mounted to `/etc/dnsmasq.d` in the live compose).
+- **`f3s/pihole/docker-pi/docker-compose.example.yml`** — reference compose including the **`etc-dnsmasq.d`** volume; merge with your live **`docker-compose.yml`**.
+
+After changing dnsmasq config: **`docker compose restart`** in **`~/pihole`**.
+
+**Rollout (from a workstation with SSH):** copy **`99-f3s-lan-wildcard.conf`** to each Pi (e.g. `/tmp`), then `sudo install -o root -g root -m 644 … ~/pihole/etc-dnsmasq.d/`, remove any obsolete apex-only file (e.g. **`02-custom-f3s.conf`**), restart compose. Keep both nodes in sync.
+
+## Verify
+
+```bash
+dig @pi2.lan.buetow.org foo.f3s.lan.buetow.org +short # expect 192.168.1.138
+dig @pi3.lan.buetow.org f3s.lan.buetow.org +short # expect 192.168.1.138
+```
+
+Admin UI: **`http://pi2.lan.buetow.org/admin/`** (and pi3).
+
+## Public DNS note
+
+**`frontends/var/nsd/zones/master/buetow.org.zone.tpl`** already has **`*.f3s.lan IN A 192.168.1.138`** for authoritative **`buetow.org`**; Pi-hole on the LAN keeps the same mapping for clients that use pi2/pi3 as resolver.
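Review bot: the first paragraph combines `network_mode: host` with `cap_add: [NET_ADMIN]` without saying why the capability is needed. With host networking the container shares the host's network namespace, so NET_ADMIN lets it change the Pi's own interfaces, routes and firewall rules; document the reason (for example Pi-hole acting as DHCP server) or drop the capability from the example compose. In the same paragraph firewalld opens `http` and the Admin UI line uses plain `http://`, so the `WEBPASSWORD` login crosses the LAN unencrypted; state which source networks that rule is meant to admit. Under Verify, each node is queried for a different name (subdomain on pi2, apex on pi3), which would not catch the out-of-sync case the rollout paragraph warns about; run both queries against both nodes. The Public DNS note calls the NSD entry "the same mapping", but the quoted `*.f3s.lan` wildcard record does not cover the apex `f3s.lan.buetow.org` that the dnsmasq rule answers for; say whether a separate apex record exists.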