From cfc0ff495052270872bde2620db39b72c6d3c95c Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sat, 12 Jul 2025 12:16:32 -0500
Subject: [PATCH 1/2] Remove DHCP capabilities from pihole

---
 services/pihole.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/services/pihole.nix b/services/pihole.nix
index 10a7d74..579de3f 100644
--- a/services/pihole.nix
+++ b/services/pihole.nix
@@ -16,11 +16,10 @@
           containerConfig = {
             image = "docker.io/pihole/pihole:2025.06.2";
             publishPorts =
-              [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" "67:67/udp" ];
+              [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" ];
             environmentFiles = [ config.age.secrets.pihole-credentials.path ];
             volumes =
               [ "/etc/pihole:/etc/pihole:Z" "/etc/dnsmasq:/etc/dnsmasq:Z" ];
-            addCapabilities = [ "NET_ADMIN" ];
             networks = [ "bridge" ];
           };
         };

From ed6de3ca1d27ac0502b7b96f3b75b7353a6dd33f Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sat, 12 Jul 2025 12:29:29 -0500
Subject: [PATCH 2/2] Replace pihole volume storage with env config

---
 secrets/pihole.age  | Bin 758 -> 816 bytes
 services/pihole.nix |   5 -----
 2 files changed, 5 deletions(-)

diff --git a/secrets/pihole.age b/secrets/pihole.age
index 0272910dc97d6a5579e32d1feb53414d90724a34..40ec12d2196fbae80b4cb81ab233d0ade9bdcdd5 100644
GIT binary patch
delta 726
zcmWN}OKZ~r007_(oz9|OWNhH8xQkFrn@5|5$ym}hNz*lt<<Vt6x;4wAZPv6)+N=c~
zD2gDc^8tGBAS!qmZm`P^9_9m7Wa4}aDpL@hir__jT-^5qzF%##>(1<%6sjQ+Z-%QR
zL=H(KF;n0M@oa@nV-WAf0!g!MaHvglB9*XxHPMh1BtDq2il#6|)&&M+aTu&syfDDT
zDXmclB#zHul~K$W?Dad28PrC>NCZIrfDxMTJU=Y0?rfBxi<~T4WHLzzX_V4SqKO5J
zSYD?v7qz*;DCa_wj~$pOfeKX?G07%5SMApZNQX#@M1P=I3JaD8HCa6#DrsJ7>St%R
z8c$THyjXKwOs%R-tV+q28}XFzI3IB_xEu#i0zzO_&l)~YQe?UkPRF&pP;^O;8(Zz9
zf{vHcHqo#!7tZU*Xv0w$<6N$_GdpSzO+?u`%O}f9)fNJloWhlaTvcsa@%pQEj8i-~
zkyUIX<--9~4k3f!NLC6paJYa&rfic+NS`Q26rhw=Gg6*UvL!v7I=9%`H3{*&Bai_u
zW9uO%P%P*k!O$A47RQhnlfnx50kj_HG^C*Tn!4#QAWx2KQIm*8(Pqt&Nj#hhG|DhS
zf@l&m%M>2d`{|S~7!3MDV?$A-nQn?EnlIWlQ?5Xe#x=we6GcZ5L82|NIO$|TChw@e
z&&%Bhuiq^gEA4ydoSES*E&u3GZRPtL-%Wo#di=>D(da_&Pc6^=cyKjA%Ll%%y!oBm
zv+2UOYaiBkthxOBRxsFBf0cVoZ#&X=`1PC3e}LQku^m@t!I$*b+}RsFpS#xfzFTTP
zwe5v@`s%$eOSiY|A66q&q9v1^`PKdqBZq*6*GIX5m%IFai#_3<EIb?+&7bqri%*|*
v%8&M)|ERb1b#K4)wyTx6nA_QN_R)pO_f}<o`OfZzj!Mt)P39x6{@w5&8eI!l

delta 668
zcmWO0O>5Ht002;iOj!>q2u?kW4rDrOX_GWf3MxyJv`w0(P1`g{5r$2gq|MTgBwgB$
zvHSek=J4cAC!%9Ar+9EDy>>fHya?hBf<wGGaYKeqeZSzX9^LPszdRE%BY72TWD$+U
z>g)u@1I<iDX(O7@$`DdhQ8L|fohJ%Ljq;eVSdeoRO=_5&&hjBu3Hq=Q-mPYRdOY8b
zB8-)%k(h4yB#-}^*S2+kSpi`fh<E`l&~{xf<+5x^ELx?A5tk{%fn#AX;J{2JMe?Yx
zrXwH`w)Idmu5&>TM>ByWMAhRW2goI=$&*MvBFC$e3kAR=RSTvV4&noHHyT{n9Teak
z(ZC3}iJ1mNRxLd$##4;K%2W#n*-ko2cN{cM=1Oit^FWl(4#25e&F$v8luY6_BOyhV
zBOyv~Vh#=#D=e(G1v(O19Pb+x8gejg3h)h6BqTE*&LqQzWe}`vSdbfGazd8U@iNEL
z3dnitlB)i1L_1WYQJM@lN(H5Yl2jSbVlA2>3@}*{3?9G%++N)5J2T_6j8Zv85*Zq-
zhJXg|@BmnV5^!e%<y;gdS&L8O&5j+FJrO7o!+13owk=Z^g_KBlWz@+z0a1i>N7m^C
z=EA6GTd?Nw`~6-YX0#M;vW_<-BUjO4VFR>EL>rJywa7;>jp~}AnM5V3N*L-n+#D{Z
zx2_DYY&`n7vUH*|yL9)xVSZVE0qk8oIEn5qj%}R2H~RAN)#bgdCj;Z_Z@oXY<A1i#
zURqsyC{BMrSQ_o!dax#)3y$<&dy(6(-YkFkF>vSav7z~Q^OfhH2IbF*^S!zK``>nE
kIpJyg*Y>mN{*fW$)YrqQsX3>5<obBNcj5QK&7Cpr9|)cFO#lD@

diff --git a/services/pihole.nix b/services/pihole.nix
index 579de3f..0dc7625 100644
--- a/services/pihole.nix
+++ b/services/pihole.nix
@@ -18,15 +18,10 @@
             publishPorts =
               [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" ];
             environmentFiles = [ config.age.secrets.pihole-credentials.path ];
-            volumes =
-              [ "/etc/pihole:/etc/pihole:Z" "/etc/dnsmasq:/etc/dnsmasq:Z" ];
             networks = [ "bridge" ];
           };
         };
       };
     };
   };
-  systemd.tmpfiles.rules =
-    [ "d /etc/pihole 0770 root root -" "d /etc/dnsmasq 0770 root root -" ];
-
 }