From 056f0cdb1d35af68dd4fe03e4da6f7c650e00d77 Mon Sep 17 00:00:00 2001
From: Daniel <hola@danielcortes.xyz>
Date: Sat, 8 Nov 2025 21:38:24 -0300
Subject: [PATCH] =?UTF-8?q?Agregando=20nueva=20configuraci=C3=B3n=20para?=
 =?UTF-8?q?=20instalar=20pihole?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 proxmox/pihole/README.md                      |   58 +
 proxmox/pihole/ansible/.gitignore             |    1 +
 proxmox/pihole/ansible/ansible.cfg            |    3 +
 proxmox/pihole/ansible/install.yaml           |   38 +
 proxmox/pihole/ansible/inventory.yaml         |    8 +
 proxmox/pihole/ansible/pihole.toml.example    | 1674 +++++++++++++++++
 proxmox/pihole/terraform/.gitignore           |   47 +
 proxmox/pihole/terraform/.terraform.lock.hcl  |   44 +
 proxmox/pihole/terraform/main.tf              |  127 ++
 .../pihole/terraform/terraform.tfvars.example |   14 +
 proxmox/pihole/terraform/variables.tf         |   19 +
 11 files changed, 2033 insertions(+)
 create mode 100644 proxmox/pihole/README.md
 create mode 100644 proxmox/pihole/ansible/.gitignore
 create mode 100644 proxmox/pihole/ansible/ansible.cfg
 create mode 100644 proxmox/pihole/ansible/install.yaml
 create mode 100755 proxmox/pihole/ansible/inventory.yaml
 create mode 100644 proxmox/pihole/ansible/pihole.toml.example
 create mode 100644 proxmox/pihole/terraform/.gitignore
 create mode 100644 proxmox/pihole/terraform/.terraform.lock.hcl
 create mode 100644 proxmox/pihole/terraform/main.tf
 create mode 100644 proxmox/pihole/terraform/terraform.tfvars.example
 create mode 100644 proxmox/pihole/terraform/variables.tf

diff --git a/proxmox/pihole/README.md b/proxmox/pihole/README.md
new file mode 100644
index 0000000..8d23985
--- /dev/null
+++ b/proxmox/pihole/README.md
@@ -0,0 +1,58 @@
+# Pi-hole instalation
+
+These files allow you to install Pi-hole in an idempotent way. Terraform creates
+the VM on Proxmox, and Ansible installs Pi-hole unattended, using the configuration
+defined in `pihole.toml`.
+
+## Terraform execution
+
+To create the VM with Terraform, the configuration must be defined in the `terraform.tfvars`
+file. You can use `terraform.tfvars.example` as a base.
+
+Then to execute the following commands:
+
+1. Intialize terraform
+    ```bash
+    terraform init
+    ```
+
+2. Review the plan
+    ```bash
+    terraform plan
+    ```
+
+3. Apply the plan.
+
+  This step might take a few minutes but if it takes significantly longer,
+  there may be an issue with cloud-init.
+  ```bash
+  terraform apply
+  ```
+
+After execution, the `ansible` folder should contain a new `inventory.yaml` file.
+
+## Ansible execution
+
+To install Pi-hole with Ansible, make sure the `inventory.yaml` file exists,
+and adjust `pihole.toml` if needed.
+
+Then run:
+
+```bash
+ansible-playbook install.yaml
+```
+
+
+## Reinstallation
+
+If you need to reinstall everything in the same environment,
+destroy and recreate the Terraform resources using:
+
+```bash
+terraform destroy
+```
+
+## Reference
+[Unattended Pi-hole v6 Setup with Ansible](https://www.paulcourt.co.uk/articles/2025/unattended-pihole-ansible)
+
+[Configure a VM with Cloud-Init](https://registry.terraform.io/providers/bpg/proxmox/latest/docs/guides/cloud-init)
diff --git a/proxmox/pihole/ansible/.gitignore b/proxmox/pihole/ansible/.gitignore
new file mode 100644
index 0000000..3dc7902
--- /dev/null
+++ b/proxmox/pihole/ansible/.gitignore
@@ -0,0 +1 @@
+pihole.toml
diff --git a/proxmox/pihole/ansible/ansible.cfg b/proxmox/pihole/ansible/ansible.cfg
new file mode 100644
index 0000000..74be0dd
--- /dev/null
+++ b/proxmox/pihole/ansible/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory.yaml
+host_key_checking = False
diff --git a/proxmox/pihole/ansible/install.yaml b/proxmox/pihole/ansible/install.yaml
new file mode 100644
index 0000000..e9252f9
--- /dev/null
+++ b/proxmox/pihole/ansible/install.yaml
@@ -0,0 +1,38 @@
+- name: Install Pihole
+  hosts: all
+  become: true
+
+  tasks:
+    - name: Update packages
+      apt:
+        update_cache: true
+        upgrade: safe
+
+    - name: Install curl
+      apt:
+        name: curl
+
+    - name: Create pihole directory
+      file:
+        path: /etc/pihole
+        state: directory
+        force: false
+
+    - name: Load pihole pre-configuration
+      copy:
+        src: pihole.toml
+        dest: /etc/pihole/pihole.toml
+
+    - name: Download install script
+      get_url:
+        url: https://install.pi-hole.net
+        dest: /tmp/install_pihole.sh
+        mode: "0755"
+
+    - name: Install pihole
+      command: /tmp/install_pihole.sh --unattended
+      args:
+        creates: "/usr/local/bin/pihole"
+
+    - name: Update gravity lists
+      command: pihole -g
diff --git a/proxmox/pihole/ansible/inventory.yaml b/proxmox/pihole/ansible/inventory.yaml
new file mode 100755
index 0000000..65fbfc5
--- /dev/null
+++ b/proxmox/pihole/ansible/inventory.yaml
@@ -0,0 +1,8 @@
+all:
+  children:
+    servers:
+      hosts:
+        pihole:
+          ansible_host: 192.168.3.1
+          ansible_user: ubuntu
+          ansible_ssh_private_key_file: /home/ryuuji/.ssh/id_ed25519
diff --git a/proxmox/pihole/ansible/pihole.toml.example b/proxmox/pihole/ansible/pihole.toml.example
new file mode 100644
index 0000000..15785d5
--- /dev/null
+++ b/proxmox/pihole/ansible/pihole.toml.example
@@ -0,0 +1,1674 @@
+# Pi-hole configuration file (v6.3.3)
+# Encoding: UTF-8
+# This file is managed by pihole-FTL
+# Last updated on 2025-11-08 20:55:48 -03
+
+[dns]
+  # Upstream DNS Servers to be used by Pi-hole. If this is not set, Pi-hole will not
+  # resolve any non-local queries.
+  #
+  # Example: [ "8.8.8.8", "127.0.0.1#5335", "docker-resolver" ]
+  #
+  # Allowed values are:
+  #     Array of IP addresses and/or hostnames, optionally with a port (#...)
+  upstreams = [
+    "8.8.8.8",
+    "8.8.4.4",
+    "208.67.222.222",
+    "208.67.220.220",
+    "1.0.0.1",
+    "1.1.1.1"
+  ] ### CHANGED, default = []
+
+  # Use this option to control deep CNAME inspection. Disabling it might be beneficial
+  # for very low-end devices
+  #
+  # Allowed values are:
+  #     true or false
+  CNAMEdeepInspect = true
+
+  # Should _esni. subdomains be blocked by default? Encrypted Server Name Indication
+  # (ESNI) is certainly a good step into the right direction to enhance privacy on the
+  # web. It prevents on-path observers, including ISPs, coffee shop owners and
+  # firewalls, from intercepting the TLS Server Name Indication (SNI) extension by
+  # encrypting it. This prevents the SNI from being used to determine which websites
+  # users are visiting.
+  #
+  # ESNI will obviously cause issues for pixelserv-tls which will be unable to generate
+  # matching certificates on-the-fly when it cannot read the SNI. Cloudflare and Firefox
+  # are already enabling ESNI. According to the IETF draft (link above), we can easily
+  # restore pixelserv-tls's operation by replying NXDOMAIN to _esni. subdomains of
+  # blocked domains as this mimics a "not configured for this domain" behavior.
+  #
+  # Allowed values are:
+  #     true or false
+  blockESNI = true
+
+  # Should we overwrite the query source when client information is provided through
+  # EDNS0 client subnet (ECS) information? This allows Pi-hole to obtain client IPs even
+  # if they are hidden behind the NAT of a router. This feature has been requested and
+  # discussed on Discourse where further information how to use it can be found:
+  # https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940
+  #
+  # Allowed values are:
+  #     true or false
+  EDNS0ECS = true
+
+  # Should FTL hide queries made by localhost?
+  #
+  # Allowed values are:
+  #     true or false
+  ignoreLocalhost = false
+
+  # Should FTL analyze and show internally generated DNSSEC queries?
+  #
+  # Allowed values are:
+  #     true or false
+  showDNSSEC = true
+
+  # Should FTL analyze *only* A and AAAA queries?
+  #
+  # Allowed values are:
+  #     true or false
+  analyzeOnlyAandAAAA = false
+
+  # Controls whether and how FTL will reply with for address for which a local interface
+  # exists. Changing this setting causes FTL to restart.
+  #
+  # Allowed values are:
+  #   - "NONE"
+  #       Pi-hole will not respond automatically on PTR requests to local interface
+  #       addresses. Ensure pi.hole and/or hostname records exist elsewhere.
+  #   - "HOSTNAME"
+  #       Serve the machine's hostname. The hostname is queried from the kernel through
+  #       uname(2)->nodename. If the machine has multiple network interfaces, it can
+  #       also have multiple nodenames. In this case, it is unspecified and up to the
+  #       kernel which one will be returned. On Linux, the returned string is what has
+  #       been set using sethostname(2) which is typically what has been set in
+  #       /etc/hostname.
+  #   - "HOSTNAMEFQDN"
+  #       Serve the machine's hostname (see limitations above) as fully qualified domain
+  #       by adding the local domain. If no local domain has been defined (config option
+  #       dns.domain.name), FTL tries to query the domain name from the kernel using
+  #       getdomainname(2). If this fails, FTL appends ".no_fqdn_available" to the
+  #       hostname.
+  #   - "PI.HOLE"
+  #       Respond with "pi.hole".
+  piholePTR = "PI.HOLE"
+
+  # How should FTL handle queries when the gravity database is not available?
+  #
+  # Allowed values are:
+  #   - "BLOCK"
+  #       Block all queries when the database is busy.
+  #   - "ALLOW"
+  #       Allow all queries when the database is busy.
+  #   - "REFUSE"
+  #       Refuse all queries which arrive while the database is busy.
+  #   - "DROP"
+  #       Just drop the queries, i.e., never reply to them at all. Despite "REFUSE"
+  #       sounding similar to "DROP", it turned out that many clients will just
+  #       immediately retry, causing up to several thousands of queries per second. This
+  #       does not happen in "DROP" mode.
+  replyWhenBusy = "ALLOW"
+
+  # FTL's internal TTL to be handed out for blocked queries in seconds. This settings
+  # allows users to select a value different from the dnsmasq config option local-ttl.
+  # This is useful in context of locally used hostnames that are known to stay constant
+  # over long times (printers, etc.).
+  #
+  # Note that large values may render whitelisting ineffective due to client-side
+  # caching of blocked queries.
+  #
+  # Allowed values are:
+  #     A positive integer value in seconds
+  blockTTL = 2
+
+  # Array of custom DNS records
+  #
+  # Example: [ "127.0.0.1 mylocal", "192.168.0.1 therouter" ]
+  #
+  # Allowed values are:
+  #     Array of custom DNS records each one in HOSTS form: "IP HOSTNAME [HOSTNAME ...]"
+  hosts = []
+
+  # If set, queries for plain names, without dots or domain parts, are never forwarded to
+  # upstream nameservers
+  #
+  # Allowed values are:
+  #     true or false
+  domainNeeded = false
+
+  # If set, the domain is added to simple names (without a period) in /etc/hosts in the
+  # same way as for DHCP-derived names
+  #
+  # Allowed values are:
+  #     true or false
+  expandHosts = false
+
+  # Should all reverse lookups for private IP ranges (i.e., 192.168.x.y, etc) which are
+  # not found in /etc/hosts or the DHCP leases file be answered with "no such domain"
+  # rather than being forwarded upstream?
+  #
+  # Allowed values are:
+  #     true or false
+  bogusPriv = true
+
+  # Validate DNS replies using DNSSEC?
+  #
+  # Allowed values are:
+  #     true or false
+  dnssec = true ### CHANGED, default = false
+
+  # Interface to use for DNS (see also dns.listeningMode) and DHCP (if enabled). Leave
+  # empty for auto-detection.
+  #
+  # Allowed values are:
+  #     a valid interface name
+  interface = ""
+
+  # Add an A, AAAA and PTR record to the DNS. This adds a singular name to the DNS with
+  # associated IPv4 (A) and IPv6 (AAAA) records
+  #
+  # Example: "laptop,laptop.lan,192.168.0.1,1234::100"
+  #
+  # Allowed values are:
+  #     A string in the format
+  #     "<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]"
+  hostRecord = ""
+
+  # Pi-hole interface listening modes
+  #
+  # Allowed values are:
+  #   - "LOCAL"
+  #       Allow only local requests. This setting accepts DNS queries only from hosts
+  #       whose address is on a local subnet, i.e., a subnet for which an interface
+  #       exists on the server. It is intended to be set as a default on installation,
+  #       to allow unconfigured installations to be useful but also safe from being used
+  #       for DNS amplification attacks if (accidentally) running public.
+  #   - "SINGLE"
+  #       Permit all origins, accept only on the specified interface. Respond only to
+  #       queries arriving on the specified interface. The loopback (lo) interface is
+  #       automatically added to the list of interfaces to use when this option is used.
+  #       Make sure your Pi-hole is properly firewalled!
+  #   - "BIND"
+  #       By default, FTL binds the wildcard address. If this is not what you want, you
+  #       can use this option as it forces FTL to really bind only the interfaces it is
+  #       listening on. Note that this may result in issues when the interface may go
+  #       down (cable unplugged, etc.). About the only time when this is useful is when
+  #       running another nameserver on the same port on the same machine. This may also
+  #       happen if you run a virtualization API such as libvirt. When this option is
+  #       used, IP alias interface labels (e.g. enp2s0:0) are checked rather than
+  #       interface names.
+  #   - "ALL"
+  #       Permit all origins, accept on all interfaces. Make sure your Pi-hole is
+  #       properly firewalled! This truly allows any traffic to be replied to and is a
+  #       dangerous thing to do as your Pi-hole could become an open resolver. You
+  #       should always ask yourself if the first option doesn't work for you as well.
+  #   - "NONE"
+  #       Do not add any configuration concerning the listening mode to the dnsmasq
+  #       configuration file. This is useful if you want to manually configure the
+  #       listening mode in auxiliary configuration files. This option is really meant
+  #       for advanced users only, support for this option may be limited.
+  listeningMode = "LOCAL"
+
+  # Log DNS queries and replies to pihole.log
+  #
+  # Allowed values are:
+  #     true or false
+  queryLogging = true
+
+  # List of CNAME records which indicate that <cname> is really <target>. If the <TTL> is
+  # given, it overwrites the value of local-ttl
+  #
+  # Allowed values are:
+  #     Array of CNAMEs, each one in the following form: "<cname>,<target>[,<TTL>]"
+  cnameRecords = []
+
+  # Port used by the DNS server
+  #
+  # Allowed values are:
+  #     Any available valid (1 - 65535) port number
+  port = 53
+
+  # Enable/Disable the localise-queries option of dnsmasq. When this setting is disabled
+  # dnsmasq will return all possible values for local DNS Records. Enabled by default
+  #
+  # Allowed values are:
+  #     true or false
+  localise = true
+
+  # Reverse server (formerly called "conditional forwarding")
+  #
+  # If not configured as your DHCP server, Pi-hole typically won't be able to determine
+  # the names of devices on your local network. As a result, tables such as Top Clients
+  # will only show IP addresses.
+  #
+  # One solution for this is to configure Pi-hole to forward these requests to your DHCP
+  # server (most likely your router), but only for devices on your home network. To
+  # configure this we will need to know the IP address of your DHCP server and which
+  # addresses belong to your local network.
+  #
+  # Example: [ "true,192.168.0.0/24,192.168.0.1,fritz.box" ]
+  #
+  # Allowed values are:
+  #     Array of reverse servers each one in the following form:
+  #
+  #     "<enabled>,<ip-address>[/<prefix-len>],<server>[#<port>][,<domain>]"
+  #
+  #    Explanation of individual components:
+  #
+  #     - "<enabled>": either "true" or "false"
+  #
+  #     - "<ip-address>[/<prefix-len>]": Address range for the reverse server feature in
+  #     CIDR notation. If the prefix length is omitted, either 32 (IPv4) or 128 (IPv6)
+  #     are substituted (exact address match). This is almost certainly not what you
+  #     want here.
+  #     Example: "192.168.0.0/24" for the range 192.168.0.1 - 192.168.0.255
+  #
+  #     - "<server>[#<port>]": Target server to be used for the reverse server feature
+  #     Example: "192.168.0.1#53"
+  #
+  #     - "<domain>": Domain used for the reverse server feature (e.g., "fritz.box")
+  #     Example: "fritz.box"
+  revServers = []
+
+  [dns.domain]
+    # The DNS domain used by your Pi-hole.
+    #
+    # This DNS domain is purely local. FTL may answer queries from its local cache and
+    # configuration but *never* forwards any requests upstream *unless* you have
+    # configured a dns.revServer exactly for this domain. In the latter case, all queries
+    # for this domain are sent exclusively to this server (including reverse lookups).
+    #
+    # For DHCP, this has two effects; firstly it causes the DHCP server to return the
+    # domain to any hosts which request it, and secondly it sets the domain which it is
+    # legal for DHCP-configured hosts to claim. The intention is to constrain hostnames so
+    # that an untrusted host on the LAN cannot advertise its name via DHCP as e.g.
+    # "google.com" and capture traffic not meant for it. If no domain suffix is specified,
+    # then any DHCP hostname with a domain part (ie with a period) will be disallowed and
+    # logged. If a domain is specified, then hostnames with a domain part are allowed,
+    # provided the domain part matches the suffix. In addition, when a suffix is set then
+    # hostnames without a domain part have the suffix added as an optional domain part.
+    # For instance, we can set domain=mylab.com and have a machine whose DHCP hostname is
+    # "laptop". The IP address for that machine is available both as "laptop" and
+    # "laptop.mylab.com".
+    #
+    # You can disable setting a domain by setting this option to an empty string.
+    #
+    # Allowed values are:
+    #     Any valid domain
+    name = "lan"
+
+    # If set, the domain configured by dns.domain.name is considered local and queries for
+    # this domain are never forwarded upstream unless a dns.revServer is configured for
+    # this domain.
+    #
+    # If unset, queries for this domain are forwarded upstream to (possibly public) server
+    # which is probably not what you want *unless* you have added extra configuration for
+    # this domain *or* your upstream servers are able to handle local domains (e.g.,
+    # router).
+    #
+    # Allowed values are:
+    #     true or false
+    local = true
+
+  [dns.cache]
+    # Cache size of the DNS server. Note that expiring cache entries naturally make room
+    # for new insertions over time.
+    #
+    #Setting this number too high will have an adverse effect as not only more space is
+    # needed, but also lookup speed gets degraded in the 10,000+ range. dnsmasq may issue
+    # a warning when you go beyond 10,000+ cache entries.
+    #
+    # Allowed values are:
+    #     A positive integer value
+    size = 10000
+
+    # Query cache optimizer: If a DNS name exists in the cache, but its time-to-live has
+    # expired only recently, the data will be used anyway (a refreshing from upstream is
+    # triggered). This can improve DNS query delays especially over unreliable Internet
+    # connections. This feature comes at the expense of possibly sometimes returning
+    # out-of-date data and less efficient cache utilization, since old data cannot be
+    # flushed when its TTL expires, so the cache becomes mostly least-recently-used. To
+    # mitigate issues caused by massively outdated DNS replies, the maximum overaging of
+    # cached records is limited. We strongly recommend staying below 86400 (1 day) with
+    # this option.
+    #
+    # Setting the TTL excess time to zero will serve stale cache data regardless how long
+    # it has expired. This is not recommended as it may lead to stale data being served
+    # for a long time. Setting this option to any negative value will disable this feature
+    # altogether.
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds, or any negative to disable this feature
+    optimizer = 3600
+
+    # This setting allows you to specify the TTL used for queries blocked upstream. Once
+    # the TTL expires, the query will be forwarded to the upstream server again to check
+    # if the block is still valid. Defaults to caching for one day (86400 seconds).
+    # Setting this value to zero disables caching of queries blocked upstream.
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds, or zero to disable caching of upstream
+    #     blocked queries
+    upstreamBlockedTTL = 86400
+
+  [dns.blocking]
+    # Should FTL block queries?
+    #
+    # Allowed values are:
+    #     true or false
+    active = true
+
+    # How should FTL reply to blocked queries?
+    #
+    # Allowed values are:
+    #   - "NULL"
+    #       In NULL mode, which is both the default and recommended mode for Pi-hole
+    #       FTLDNS, blocked queries will be answered with the "unspecified address"
+    #       (0.0.0.0 or ::). The "unspecified address" is a reserved IP address specified
+    #       by RFC 3513 - Internet Protocol Version 6 (IPv6) Addressing Architecture,
+    #       section 2.5.2.
+    #   - "IP_NODATA_AAAA"
+    #       In IP-NODATA-AAAA mode, blocked queries will be answered with the local IPv4
+    #       addresses of your Pi-hole. Blocked AAAA queries will be answered with
+    #       NODATA-IPV6 and clients will only try to reach your Pi-hole over its static
+    #       IPv4 address.
+    #   - "IP"
+    #       In IP mode, blocked queries will be answered with the local IP addresses of
+    #       your Pi-hole.
+    #   - "NX"
+    #       In NXDOMAIN mode, blocked queries will be answered with an empty response
+    #       (i.e., there won't be an answer section) and status NXDOMAIN. A NXDOMAIN
+    #       response should indicate that there is no such domain to the client making the
+    #       query.
+    #   - "NODATA"
+    #       In NODATA mode, blocked queries will be answered with an empty response (no
+    #       answer section) and status NODATA. A NODATA response indicates that the domain
+    #       exists, but there is no record for the requested query type.
+    mode = "NULL"
+
+    # Should FTL enrich blocked replies with EDNS0 information?
+    #
+    # Allowed values are:
+    #   - "NONE"
+    #       In NONE mode, no additional EDNS information is added to blocked queries
+    #   - "CODE"
+    #       In CODE mode, blocked queries will be enriched with EDNS info-code BLOCKED (15)
+    #   - "TEXT"
+    #       In TEXT mode, blocked queries will be enriched with EDNS info-code BLOCKED (15)
+    #       and a text message describing the reason for the block
+    edns = "TEXT"
+
+  [dns.specialDomains]
+    # Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of
+    # use-application-dns.net to disable Firefox automatic DNS-over-HTTP?
+    #
+    # This follows the recommendation on
+    # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
+    #
+    # Allowed values are:
+    #     true or false
+    mozillaCanary = true
+
+    # Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of mask.icloud.com
+    # and mask-h2.icloud.com to disable Apple's iCloud Private Relay to prevent Apple
+    # devices from bypassing Pi-hole?
+    #
+    # This follows the recommendation on
+    # https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
+    #
+    # Allowed values are:
+    #     true or false
+    iCloudPrivateRelay = true
+
+    # Should Pi-hole always reply with NODATA to all queries to zone resolver.arpa to
+    # prevent devices from bypassing Pi-hole using Discovery of Designated Resolvers?
+    #
+    # This is based on recommendations at the end of RFC 9462, section 4.
+    #
+    # Allowed values are:
+    #     true or false
+    designatedResolver = true
+
+    [dns.reply.host]
+      # Use a specific IPv4 address for the Pi-hole host? By default, FTL determines the
+      # address of the interface a query arrived on and uses this address for replying to A
+      # queries with the most suitable address for the requesting client.
+      #
+      # This setting can be used to use a fixed, rather than the dynamically obtained,
+      # address when Pi-hole responds to the following names:
+      # - "pi.hole"
+      # - "<the device's hostname>"
+      # - "pi.hole.<local domain>"
+      # - "<the device's hostname>.<local domain>"
+      #
+      # Allowed values are:
+      #     true or false
+      force4 = false
+
+      # Custom IPv4 address for the Pi-hole host
+      #
+      # Allowed values are:
+      #     A valid IPv4 address or empty string ("")
+      IPv4 = ""
+
+      # Use a specific IPv6 address for the Pi-hole host? See description for the IPv4
+      # variant above for further details.
+      #
+      # Allowed values are:
+      #     true or false
+      force6 = false
+
+      # Custom IPv6 address for the Pi-hole host
+      #
+      # Allowed values are:
+      #     A valid IPv6 address or empty string ("")
+      IPv6 = ""
+
+    [dns.reply.blocking]
+      # Use a specific IPv4 address in IP blocking mode? By default, FTL determines the
+      # address of the interface a query arrived on and uses this address for replying to A
+      # queries with the most suitable address for the requesting client.
+      #
+      # This setting can be used to use a fixed, rather than the dynamically obtained,
+      # address when Pi-hole responds in the following cases:
+      # - IP blocking mode is used and this query is to be blocked
+      # - regular expressions with the ;reply=IP regex extension.
+      #
+      # Allowed values are:
+      #     true or false
+      force4 = false
+
+      # Custom IPv4 address for IP blocking mode
+      #
+      # Allowed values are:
+      #     A valid IPv4 address or empty string ("")
+      IPv4 = ""
+
+      # Use a specific IPv6 address in IP blocking mode? See description for the IPv4 variant
+      # above for further details.
+      #
+      # Allowed values are:
+      #     true or false
+      force6 = false
+
+      # Custom IPv6 address for IP blocking mode
+      #
+      # Allowed values are:
+      #     A valid IPv6 address or empty string ("")
+      IPv6 = ""
+
+  [dns.rateLimit]
+    # Rate-limited queries are answered with a REFUSED reply and not further processed by
+    # FTL.
+    #
+    # The default settings for FTL's rate-limiting are to permit no more than 1000 queries
+    # in 60 seconds. Both numbers can be customized independently. It is important to note
+    # that rate-limiting is happening on a per-client basis. Other clients can continue to
+    # use FTL while rate-limited clients are short-circuited at the same time.
+    #
+    # For this setting, both numbers, the maximum number of queries within a given time,
+    # and the length of the time interval (seconds) have to be specified. For instance, if
+    # you want to set a rate limit of 1 query per hour, the option should look like
+    # dns.rateLimit.count=1 and dns.rateLimit.interval=3600. The time interval is relative
+    # to when FTL has finished starting (start of the daemon + possible delay by
+    # DELAY_STARTUP) then it will advance in steps of the rate-limiting interval. If a
+    # client reaches the maximum number of queries it will be blocked until the end of the
+    # current interval. This will be logged to /var/log/pihole/FTL.log, e.g. Rate-limiting
+    # 10.0.1.39 for at least 44 seconds. If the client continues to send queries while
+    # being blocked already and this number of queries during the blocking exceeds the
+    # limit the client will continue to be blocked until the end of the next interval
+    # (FTL.log will contain lines like Still rate-limiting 10.0.1.39 as it made additional
+    # 5007 queries). As soon as the client requests less than the set limit, it will be
+    # unblocked (Ending rate-limitation of 10.0.1.39).
+    #
+    # Rate-limiting may be disabled altogether by setting both values to zero (this
+    # results in the same behavior as before FTL v5.7).
+    #
+    # How many queries are permitted...
+    #
+    # Allowed values are:
+    #     A positive integer value
+    count = 1000
+
+    # ... in the set interval before rate-limiting?
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds
+    interval = 60
+
+[dhcp]
+  # Is the embedded DHCP server enabled?
+  #
+  # Allowed values are:
+  #     true or false
+  active = true ### CHANGED, default = false
+
+  # Start address of the DHCP address pool
+  #
+  # Example: "192.168.0.10"
+  #
+  # Allowed values are:
+  #     A valid IPv4 address, or empty string ("")
+  start = "192.168.1.2" ### CHANGED, default = ""
+
+  # End address of the DHCP address pool
+  #
+  # Example: "192.168.0.250"
+  #
+  # Allowed values are:
+  #     A valid IPv4 address, or empty string ("")
+  end = "192.168.1.100" ### CHANGED, default = ""
+
+  # Address of the gateway to be used (typically the address of your router in a home
+  # installation)
+  #
+  # Example: "192.168.0.1"
+  #
+  # Allowed values are:
+  #     A valid IPv4 address, or empty string ("")
+  router = "192.168.1.1" ### CHANGED, default = ""
+
+  # The netmask used by your Pi-hole. For directly connected networks (i.e., networks on
+  # which the machine running Pi-hole has an interface) the netmask is optional and may
+  # be set to an empty string (""): it will then be determined from the interface
+  # configuration itself.
+  #
+  # For networks which receive DHCP service via a relay agent, we cannot determine the
+  # netmask itself, so it should explicitly be specified, otherwise Pi-hole guesses
+  # based on the class (A, B or C) of the network address.
+  #
+  # Example: "255.255.255.0"
+  #
+  # Allowed values are:
+  #     Any valid netmask, or an empty string ("") for auto-discovery
+  netmask = "255.255.0.0" ### CHANGED, default = ""
+
+  # If the lease time is given, then leases will be given for that length of time. If not
+  # given, the default lease time is one hour for IPv4 and one day for IPv6.
+  #
+  # Allowed values are:
+  #     The lease time can be in seconds, or minutes (e.g., "45m") or hours (e.g., "1h")
+  #     or days (like "2d") or even weeks ("1w"). You may also use "infinite" as string
+  #     but be aware of the drawbacks
+  leaseTime = ""
+
+  # Should Pi-hole make an attempt to also satisfy IPv6 address requests (be aware that
+  # IPv6 works a whole lot different than IPv4)
+  #
+  # Allowed values are:
+  #     true or false
+  ipv6 = false
+
+  # Enable DHCPv4 Rapid Commit Option specified in RFC 4039. Should only be enabled if
+  # either the server is the only server for the subnet to avoid conflicts
+  #
+  # Allowed values are:
+  #     true or false
+  rapidCommit = false
+
+  # Advertise DNS server multiple times to clients. Some devices will add their own
+  # proprietary DNS servers to the list of DNS servers, which can cause issues with
+  # Pi-hole. This option will advertise the Pi-hole DNS server multiple times to
+  # clients, which should prevent this from happening.
+  #
+  # Allowed values are:
+  #     true or false
+  multiDNS = false
+
+  # Enable logging for DHCP. This will log all relevant DHCP-related activity, including,
+  # e.g., all the options sent to DHCP clients and the tags used to determine them (if
+  # any). This can be useful for debugging DHCP issues. The generated output is saved to
+  # the file specified by files.log.dnsmasq below.
+  #
+  # Allowed values are:
+  #     true or false
+  logging = false
+
+  # Ignore unknown DHCP clients.
+  # If this option is set, Pi-hole ignores all clients which are not explicitly
+  # configured through dhcp.hosts. This can be useful to prevent unauthorized clients
+  # from getting an IP address from the DHCP server.
+  #
+  # It should be noted that this option is not a security feature, as clients can still
+  # assign themselves an IP address and use the network. It is merely a convenience
+  # feature to prevent unknown clients from getting a valid IP configuration assigned
+  # automatically.
+  #
+  # Note that you will need to configure new clients manually in dhcp.hosts before they
+  # can use the network when this feature is enabled.
+  #
+  # Allowed values are:
+  #     true or false
+  ignoreUnknownClients = false
+
+  # Per host parameters for the DHCP server. This allows a machine with a particular
+  # hardware address to be always allocated the same hostname, IP address and lease time
+  # or to specify static DHCP leases
+  #
+  # Example: [ "00:20:e0:3b:13:af,192.168.0.123,laptop,24h",
+  # "00:20:e0:ab:cd:ef,192.168.0.124,desktop,24h"]
+  #
+  # Allowed values are:
+  #     Array of static leases each one in the following form:
+  #     "[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]"
+  hosts = []
+
+  [ntp.ipv4]
+    # Should FTL act as network time protocol (NTP) server (IPv4)?
+    #
+    # Allowed values are:
+    #     true or false
+    active = true
+
+    # IPv4 address to listen on for NTP requests
+    #
+    # Allowed values are:
+    #     A valid IPv4 address, or empty string (""). For wildcard (0.0.0.0)
+    address = ""
+
+  [ntp.ipv6]
+    # Should FTL act as network time protocol (NTP) server (IPv6)?
+    #
+    # Allowed values are:
+    #     true or false
+    active = true
+
+    # IPv6 address to listen on for NTP requests
+    #
+    # Allowed values are:
+    #     A valid IPv6 address, or empty string (""). For wildcard (::)
+    address = ""
+
+  [ntp.sync]
+    # Should FTL try to synchronize the system time with an upstream NTP server?
+    #
+    # Allowed values are:
+    #     true or false
+    active = true
+
+    # NTP upstream server to sync with, e.g., "pool.ntp.org". Note that the NTP server
+    # should be located as close as possible to you in order to minimize the time offset
+    # possibly introduced by different routing paths.
+    #
+    # Allowed values are:
+    #     A valid NTP upstream server
+    server = "pool.ntp.org"
+
+    # Interval in seconds between successive synchronization attempts with the NTP server
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds
+    interval = 3600
+
+    # Number of NTP syncs to perform and average before updating the system time
+    #
+    # Allowed values are:
+    #     A positive integer value
+    count = 8
+
+    [ntp.sync.rtc]
+      # Should FTL update a real-time clock (RTC) if available?
+      #
+      # Allowed values are:
+      #     true or false
+      set = false
+
+      # Path to the RTC device to update.
+      #
+      # Example: "/dev/rtc0"
+      #
+      # Allowed values are:
+      #     A valid RTC device path, or empty string ("") for auto-discovery
+      device = ""
+
+      # Should the RTC be set to UTC?
+      #
+      # Allowed values are:
+      #     true or false
+      utc = true
+
+[resolver]
+  # Should FTL try to resolve IPv4 addresses to hostnames?
+  #
+  # Allowed values are:
+  #     true or false
+  resolveIPv4 = true
+
+  # Should FTL try to resolve IPv6 addresses to hostnames?
+  #
+  # Allowed values are:
+  #     true or false
+  resolveIPv6 = true
+
+  # Control whether FTL should use the fallback option to try to obtain client names from
+  # checking the network table. This behavior can be disabled with this option.
+  #
+  # Assume an IPv6 client without a host names. However, the network table knows -
+  # though the client's MAC address - that this is the same device where we have a host
+  # name for another IP address (e.g., a DHCP server managed IPv4 address). In this
+  # case, we use the host name associated to the other address as this is the same
+  # device.
+  #
+  # Allowed values are:
+  #     true or false
+  networkNames = true
+
+  # With this option, you can change how (and if) hourly PTR requests are made to check
+  # for changes in client and upstream server hostnames.
+  #
+  # Allowed values are:
+  #   - "IPV4_ONLY"
+  #       Do hourly PTR lookups only for IPv4 addresses. This is the new default since
+  #       Pi-hole FTL v5.3.2. It should resolve issues with more and more very
+  #       short-lived PE IPv6 addresses coming up in a lot of networks.
+  #   - "ALL"
+  #       Do hourly PTR lookups for all addresses. This was the default until FTL
+  #       v5.3(.1). It has been replaced as it can create a lot of PTR queries for those
+  #       with many IPv6 addresses in their networks.
+  #   - "UNKNOWN"
+  #       Only resolve unknown hostnames. Already existing hostnames are never refreshed,
+  #       i.e., there will be no PTR queries made for clients where hostnames are known.
+  #       This also means that known hostnames will not be updated once known.
+  #   - "NONE"
+  #       Don't do any hourly PTR lookups. This means we look host names up exactly once
+  #       (when we first see a client) and never again. You may miss future changes of
+  #       host names.
+  refreshNames = "IPV4_ONLY"
+
+[database]
+  # Should FTL load information from the database on startup to be aware of the most
+  # recent history?
+  #
+  # Allowed values are:
+  #     true or false
+  DBimport = true
+
+  # How long should queries be stored in the database [days]?
+  #
+  # Allowed values are:
+  #     A positive integer value in days, or 0 to disable the database
+  maxDBdays = 91
+
+  # How often do we store queries in FTL's database [seconds]?
+  #
+  # Allowed values are:
+  #     A positive integer value in seconds
+  DBinterval = 60
+
+  # Should FTL enable Write-Ahead Log (WAL) mode for the on-disk query database
+  # (configured via files.database)?
+  #
+  # It is recommended to leave this setting enabled for performance reasons. About the
+  # only reason to disable WAL mode is if you are experiencing specific issues with it,
+  # e.g., when using a database that is accessed from multiple hosts via a network
+  # share. When this setting is disabled, FTL will use SQLite3's default journal mode
+  # (rollback journal in DELETE mode).
+  #
+  # Allowed values are:
+  #     true or false
+  useWAL = true
+
+  [database.network]
+    # Should FTL analyze the local ARP cache? When disabled, client identification and the
+    # network table will stop working reliably.
+    #
+    # Allowed values are:
+    #     true or false
+    parseARPcache = true
+
+    # How long should IP addresses be kept in the network_addresses table [days]? IP
+    # addresses (and associated host names) older than the specified number of days are
+    # removed to avoid dead entries in the network overview table.
+    #
+    # Allowed values are:
+    #     A positive integer value in days
+    expire = 91
+
+[webserver]
+  # On which domain is the web interface served?
+  #
+  # Allowed values are:
+  #     A valid domain
+  domain = "pi.hole"
+
+  # Webserver access control list (ACL) allowing for restrictions to be put on the list
+  # of IP addresses which have access to the web server. The ACL is a comma separated
+  # list of IP subnets, where each subnet is prepended by either a - or a + sign. A plus
+  # sign means allow, where a minus sign means deny.
+  #
+  # If a subnet mask is omitted, such as -1.2.3.4, this means to deny only that single
+  # IP address. If this value is not set (empty string), all accesses are allowed.
+  # Otherwise, the default setting is to deny all accesses. On each request the full
+  # list is traversed, and the last (!) match wins. IPv6 addresses may be specified in
+  # CIDR-form [a:b::c]/64.
+  #
+  # Example 1: "+127.0.0.1,+[::1]" ---> deny all access, except from 127.0.0.1 and ::1
+  #
+  # Example 2: "+192.168.0.0/16" ---> deny all accesses, except from the 192.168.0.0/16
+  # subnet
+  #
+  # Example 3: "+[::]/0" ---> allow only IPv6 access.
+  #
+  # Allowed values are:
+  #     A valid ACL
+  acl = ""
+
+  # Ports to be used by the webserver.
+  #
+  # Comma-separated list of ports to listen on. It is possible to specify an IP address
+  # to bind to. In this case, an IP address and a colon must be prepended to the port
+  # number. For example, to bind to the loopback interface on port 80 (IPv4) and to all
+  # interfaces port 8080 (IPv4), use "127.0.0.1:80,8080". "[::]:80" can be used to
+  # listen to IPv6 connections to port 80. IPv6 addresses of network interfaces can be
+  # specified as well, e.g. "[::1]:80" for the IPv6 loopback interface. "[::]:80" will
+  # bind to port 80 IPv6 only.
+  #
+  # In order to use port 80 for all interfaces, both IPv4 and IPv6, use either the
+  # configuration "80,[::]:80" (create one socket for IPv4 and one for IPv6 only), or
+  # "+80" (create one socket for both, IPv4 and IPv6). The '+' notation to use IPv4 and
+  # IPv6 will only work if no network interface is specified. Depending on your
+  # operating system version and IPv6 network environment, some configurations might not
+  # work as expected, so you have to test to find the configuration most suitable for
+  # your needs. In case "+80" does not work for your environment, you need to use
+  # "80,[::]:80".
+  #
+  # If the port is TLS/SSL, a letter 's' (secure) must be appended, for example,
+  # "80,443s" will open port 80 and port 443, and connections on port 443 will be
+  # encrypted. For non-encrypted ports, it is allowed to append letter 'r' (as in
+  # redirect). Redirected ports will redirect all their traffic to the first configured
+  # SSL port. For example, if webserver.port is "80r,443s", then all HTTP traffic coming
+  # at port 80 will be redirected to HTTPS port 443.
+  #
+  # When specifying 'o' (optional) behind a port, inability to use this port is not
+  # considered an error. For instance, specifying "80o,8080o" will allow the webserver
+  # to listen on either 80, 8080, both or even none of the two ports. This flag may be
+  # combined with 'r' and 's' like "80or,443os,8080,4443s" (80 redirecting to SSL if
+  # available, 443 encrypted if available, 8080 mandatory and unencrypted, 4443
+  # mandatory and encrypted).
+  #
+  # If this value is not set (empty string), the web server will not be started and,
+  # hence, the API will not be available.
+  #
+  # Allowed values are:
+  #     A comma-separated list of <[ip_address:]port>
+  port = "80o,443os,[::]:80o,[::]:443os"
+
+  # Maximum number of worker threads allowed.
+  #
+  # The Pi-hole web server handles each incoming connection in a separate thread.
+  # Therefore, the value of this option is effectively the number of concurrent HTTP
+  # connections that can be handled. Any other connections are queued until they can be
+  # processed by a unoccupied thread.
+  #
+  # The total number of threads you see may be lower than the configured value as
+  # threads are only created when needed due to incoming connections.
+  #
+  # The value 0 means the number of threads is 50 (as per default settings of CivetWeb)
+  # for backwards-compatible behavior.
+  #
+  # Allowed values are:
+  #     A positive integer value, or 0 for default (50)
+  threads = 50
+
+  # Additional HTTP headers added to the web server responses.
+  #
+  # The headers are added to all responses, including those for the API.
+  # Note about the default additional headers:
+  # - X-DNS-Prefetch-Control: off: Usually browsers proactively perform domain name
+  # resolution on links that the user may choose to follow. We disable DNS prefetching
+  # here.
+  # - Content-Security-Policy: [...] 'unsafe-inline' is both required by Chart.js
+  # styling some elements directly, and index.html containing some inlined Javascript
+  # code.
+  # - X-Frame-Options: DENY: The page can not be displayed in a frame, regardless of the
+  # site attempting to do so.
+  # - X-Xss-Protection: 0: Disables XSS filtering in browsers that support it. This
+  # header is usually enabled by default in browsers, and is not recommended as it can
+  # hurt the security of the site.
+  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
+  # - X-Content-Type-Options: nosniff: Marker used by the server to indicate that the
+  # MIME types advertised in the  Content-Type headers should not be changed and be
+  # followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a
+  # way to say that the webmasters knew what they were doing. Site security testers
+  # usually expect this header to be set.
+  # - Referrer-Policy: strict-origin-when-cross-origin: A referrer will be sent for
+  # same-site origins, but cross-origin requests will send no referrer information.
+  # The latter four headers are set as expected by https://securityheaders.io
+  #
+  # Allowed values are:
+  #     An array of HTTP headers
+  headers = [
+    "X-DNS-Prefetch-Control: off",
+    "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;",
+    "X-Frame-Options: DENY",
+    "X-XSS-Protection: 0",
+    "X-Content-Type-Options: nosniff",
+    "Referrer-Policy: strict-origin-when-cross-origin"
+  ]
+
+  # Should the web server serve all files in webserver.paths.webroot directory?
+  #
+  # If disabled, only files within the path defined through webserver.paths.webhome and
+  # /api will be served.
+  #
+  # Allowed values are:
+  #     true or false
+  serve_all = false
+
+  # Additional options passed directly to the web server.
+  #
+  # This can be used to set any option supported by the underlying web server
+  # (CivetWeb). See the CivetWeb documentation for a list of supported options. The
+  # options are passed as an array of strings, where each string is an option in the
+  # form "<option>=<value>". Be aware that this is an advanced option and that setting
+  # options here may break the web server if invalid or conflicting with other settings
+  # applied based on other settings in this file. The config options specified here are
+  # added to the end of the passed options. This makes it possible to overwrite settings
+  # set by Pi-hole (only the last values is used when a config option is specified
+  # multiple times). Use with caution.
+  #
+  # Example: [ "ssl_protocol_version=4", "ssl_cipher_list=AES128:!MD5" ]
+  #
+  # Allowed values are:
+  #     An array of valid CivetWeb options
+  advancedOpts = []
+
+  [webserver.session]
+    # Session timeout in seconds.
+    #
+    # If a session is inactive for more than this time, it will be terminated. Sessions
+    # are continuously refreshed by the web interface, preventing sessions from timing out
+    # while the web interface is open.
+    #
+    # This option may also be used to make logins persistent for long times, e.g. 86400
+    # seconds (24 hours), 604800 seconds (7 days) or 2592000 seconds (30 days). Note that
+    # the total number of concurrent sessions is limited so setting this value too high
+    # may result in users being rejected and unable to log in if there are already too
+    # many sessions active.
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds
+    timeout = 1800
+
+    # Should Pi-hole backup and restore sessions from the database?
+    #
+    # This is useful if you want to keep your sessions after a restart of the web
+    # interface.
+    #
+    # Allowed values are:
+    #     true or false
+    restore = true
+
+  [webserver.tls]
+    # Path to the TLS (SSL) certificate file.
+    #
+    # All directories along the path must be readable and accessible by the user running
+    # FTL (typically 'pihole'). This option is only required when at least one of
+    # webserver.port is TLS. The file must be in PEM format, and it must have both,
+    # private key and certificate (the *.pem file created must contain a 'CERTIFICATE'
+    # section as well as a 'RSA PRIVATE KEY' section).
+    #
+    # The *.pem file can be created using `cp server.crt server.pem && cat server.key >>
+    # server.pem` if you have these files instead
+    #
+    # Allowed values are:
+    #     A valid TLS certificate file (*.pem)
+    cert = "/etc/pihole/tls.pem"
+
+    # Number of days the automatically generated self-signed TLS/SSL certificate will be
+    # valid for.
+    #
+    # Defaults to 47 days. A minimum of 7 days is enforced.
+    # Some devices may enforce shorter validity ranges. Note that defining a lower
+    # validity range may require you to accept the self-signed certificate more often in
+    # your browser.
+    # Pi-hole will regenerate certificates it created itself two days prior to expiration.
+    # If you are using your own certificate, you need to regenerate it yourself. In this
+    # case, it is advised to set the validity range to 0 days, so that Pi-hole does not
+    # try to regenerate your certificate. If you set the validity range to 0 days and
+    # still try to generate a certificate, Pi-hole will set a fixed validity range of
+    # roughly 30 years for the certificate.
+    validity = 47
+
+  [webserver.paths]
+    # Server root on the host
+    #
+    # Allowed values are:
+    #     A valid path
+    webroot = "/var/www/html"
+
+    # Sub-directory of the root containing the web interface
+    #
+    # Allowed values are:
+    #     A valid subpath, both slashes are needed!
+    webhome = "/admin/"
+
+    # Prefix where the web interface is served
+    #
+    # This is useful when you are using a reverse proxy serving the web interface, e.g.,
+    # at http://<ip>/pihole/admin/ instead of http://<ip>/admin/. In this example, the
+    # prefix would be "/pihole". Note that the prefix has to be stripped away by the
+    # reverse proxy, e.g., for traefik:
+    # - traefik.http.routers.pihole.rule=PathPrefix(`/pihole`)
+    # - traefik.http.middlewares.piholehttp.stripprefix.prefixes=/pihole
+    # The prefix should start with a slash. If you don't use a prefix, leave this field
+    # empty. Setting this field to an incorrect value may result in the web interface not
+    # being accessible.
+    # Don't use this setting if you are not using a reverse proxy!
+    #
+    # Allowed values are:
+    #     A valid URL prefix or empty
+    prefix = ""
+
+  [webserver.interface]
+    # Should the web interface use the boxed layout?
+    #
+    # Allowed values are:
+    #     true or false
+    boxed = false ### CHANGED, default = true
+
+    # Theme used by the Pi-hole web interface
+    #
+    # Allowed values are:
+    #   - "default-auto"
+    #       Pi-hole auto
+    #   - "default-light"
+    #       Pi-hole day
+    #   - "default-dark"
+    #       Pi-hole midnight
+    #   - "default-darker"
+    #       Pi-hole deep-midnight
+    #   - "high-contrast"
+    #       High-contrast light
+    #   - "high-contrast-dark"
+    #       High-contrast dark
+    #   - "lcars"
+    #       Star Trek LCARS
+    theme = "default-auto"
+
+  [webserver.api]
+    # Number of concurrent sessions allowed for the API. If the number of sessions exceeds
+    # this value, no new sessions will be allowed until the number of sessions drops due
+    # to session expiration or logout.
+    #
+    # Note that the number of concurrent sessions is irrelevant if authentication is
+    # disabled as no sessions are used in this case.
+    #
+    # Allowed values are:
+    #     A positive integer value
+    max_sessions = 16
+
+    # Should FTL prettify the API output (add extra spaces, newlines and indentation)?
+    #
+    # Allowed values are:
+    #     true or false
+    prettyJSON = false
+
+    # API password hash
+    #
+    # Allowed values are:
+    #     A valid Pi-hole password hash
+    pwhash = ""
+
+    # Pi-hole 2FA TOTP secret. When set to something different than "", 2FA authentication
+    # will be enforced for the API and the web interface. This setting is write-only, you
+    # can not read the secret back.
+    #
+    # Allowed values are:
+    #     A valid TOTP secret (20 Bytes in Base32 encoding)
+    totp_secret = ""
+
+    # Pi-hole application password.
+    #
+    # After you turn on two-factor (2FA) verification and set up an Authenticator app, you
+    # may run into issues if you use apps or other services that don't support two-step
+    # verification. In this case, you can create and use an app password to sign in.
+    #
+    # An app password is a long, randomly generated password that can be used instead of
+    # your regular password + TOTP token when signing in to the API. The app password can
+    # be generated through the API and will be shown only once.
+    #
+    # You can revoke the app password at any time. If you revoke the app password, be sure
+    # to generate a new one and update your app with the new password.
+    #
+    # Allowed values are:
+    #     A valid Pi-hole password hash
+    app_pwhash = ""
+
+    # Should application password API sessions be allowed to modify config settings?
+    #
+    # Setting this to true allows third-party applications using the application password
+    # to modify settings, e.g., the upstream DNS servers, DHCP server settings, or
+    # changing passwords. This setting should only be enabled if really needed and only if
+    # you trust the applications using the application password.
+    #
+    # Allowed values are:
+    #     true or false
+    app_sudo = false
+
+    # Should FTL create a temporary CLI password?
+    #
+    # This password is stored in clear in /etc/pihole and can be used by the CLI (pihole
+    # ...  commands) to authenticate against the API. Note that the password is only valid
+    # for the current session and regenerated on each FTL restart. Sessions initiated with
+    # this password cannot modify the Pi-hole configuration (change passwords, etc.) for
+    # security reasons but can still use the API to query data and manage lists.
+    #
+    # Allowed values are:
+    #     true or false
+    cli_pw = true
+
+    # Array of clients to be excluded from certain API responses (regex):
+    # - Query Log (/api/queries)
+    # - Top Clients (/api/stats/top_clients)
+    # This setting accepts both IP addresses (IPv4 and IPv6) as well as hostnames.
+    # Note that backslashes "\" need to be escaped, i.e. "\\" in this setting
+    #
+    # Example: [ "^192\\.168\\.2\\.56$", "^fe80::341:[0-9a-f]*$", "^localhost$" ]
+    #
+    # Allowed values are:
+    #     An array of regular expressions describing clients
+    excludeClients = []
+
+    # Array of domains to be excluded from certain API responses (regex):
+    # - Query Log (/api/queries)
+    # - Top Clients (/api/stats/top_domains)
+    # Note that backslashes "\" need to be escaped, i.e. "\\" in this setting
+    #
+    # Example: [ "(^|\\.)\\.google\\.de$", "\\.pi-hole\\.net$" ]
+    #
+    # Allowed values are:
+    #     An array of regular expressions describing domains
+    excludeDomains = []
+
+    # How much history should be imported from the database and returned by the API
+    # [seconds]? (max 24hrs = 86400)
+    #
+    # Allowed values are:
+    #     A positive integer value in seconds up to 86400
+    maxHistory = 86400
+
+    # Up to how many clients should be returned in the activity graph endpoint
+    # (/api/history/clients)?
+    #
+    # This setting can be overwritten at run-time using the parameter N. Setting this to 0
+    # will always send all clients. Be aware that this may be challenging for the GUI if
+    # you have many (think > 1.000 clients) in your network
+    #
+    # Allowed values are:
+    #     A positive integer value
+    maxClients = 10
+
+    # How should the API compute the most active clients? If set to true, the API will
+    # return the clients with the most queries globally (within 24 hours). If set to
+    # false, the API will return the clients with the most queries per time slot
+    # individually.
+    #
+    # Allowed values are:
+    #     true or false
+    client_history_global_max = true
+
+    # Allow destructive API calls (e.g. restart DNS server, flush logs, ...)
+    #
+    # Allowed values are:
+    #     true or false
+    allow_destructive = true
+
+    [webserver.api.temp]
+      # Which upper temperature limit should be used by Pi-hole? Temperatures above this
+      # limit will be shown as "hot". The number specified here is in the unit defined below
+      #
+      # Allowed values are:
+      #     A positive floating point value in the unit defined below
+      limit = 60.000000
+
+      # Which temperature unit should be used for temperatures processed by FTL?
+      #
+      # Allowed values are:
+      #   - "C"
+      #       Celsius
+      #   - "F"
+      #       Fahrenheit
+      #   - "K"
+      #       Kelvin
+      unit = "C"
+
+[files]
+  # The file which contains the PID of FTL's main process.
+  #
+  # Allowed values are:
+  #     Any writable file
+  pid = "/run/pihole-FTL.pid"
+
+  # The location of FTL's long-term database
+  #
+  # Allowed values are:
+  #     Any FTL database
+  database = "/etc/pihole/pihole-FTL.db"
+
+  # The location of Pi-hole's gravity database
+  #
+  # Allowed values are:
+  #     Any Pi-hole gravity database
+  gravity = "/etc/pihole/gravity.db"
+
+  # A temporary directory where Pi-hole can store files during gravity updates. This
+  # directory must be writable by the user running gravity (typically pihole).
+  #
+  # Allowed values are:
+  #     Any existing world-writable writable directory
+  gravity_tmp = "/tmp"
+
+  # The database containing MAC -> Vendor information for the network table
+  #
+  # Allowed values are:
+  #     Any Pi-hole macvendor database
+  macvendor = "/etc/pihole/macvendor.db"
+
+  # An optional file containing a pcap capture of the network traffic. This file is used
+  # for debugging purposes only. If you don't know what this is, you don't need it.
+  #
+  # Setting this to an empty string disables pcap recording. The file must be writable
+  # by the user running FTL (typically pihole). Failure to write to this file will
+  # prevent the DNS resolver from starting. The file is appended to if it already
+  # exists.
+  #
+  # Allowed values are:
+  #     Any writable pcap file
+  pcap = ""
+
+  [files.log]
+    # The location of FTL's log file
+    #
+    # Allowed values are:
+    #     any writable file
+    ftl = "/var/log/pihole/FTL.log"
+
+    # The log file used by the embedded dnsmasq DNS server
+    #
+    # Allowed values are:
+    #     Any writable file
+    dnsmasq = "/var/log/pihole/pihole.log"
+
+    # The log file used by the webserver
+    #
+    # Allowed values are:
+    #     Any writable file
+    webserver = "/var/log/pihole/webserver.log"
+
+[misc]
+  # Using privacy levels you can specify which level of detail you want to see in your
+  # Pi-hole statistics. Changing this setting will trigger a restart of FTL
+  #
+  # Allowed values are:
+  #   - 0
+  #       Don't hide anything, all statistics are available.
+  #   - 1
+  #       Hide domains. This setting disables Top Domains and Top Ads
+  #   - 2
+  #       Hide domains and clients. This setting disables Top Domains, Top Ads, Top
+  #       Clients and Clients over time.
+  #   - 3
+  #       Anonymize everything. This setting disables almost any statistics and query
+  #       analysis. There will be no long-term database logging and no Query Log. You
+  #       will also lose most regex features.
+  privacylevel = 0
+
+  # During startup, in some configurations, network interfaces appear only late during
+  # system startup and are not ready when FTL tries to bind to them. Therefore, you may
+  # want FTL to wait a given amount of time before trying to start the DNS resolver.
+  #
+  # This setting takes any integer value between 0 and 300 seconds. To prevent delayed
+  # startup while the system is already running and FTL is restarted, the delay only
+  # takes place within the first 180 seconds (hard-coded) after booting.
+  #
+  # Allowed values are:
+  #     A positive integer value between 0 and 300
+  delay_startup = 0
+
+  # Set niceness of pihole-FTL. Defaults to -10 and can be disabled altogether by setting
+  # a value of -999. The nice value is an attribute that can be used to influence the
+  # CPU scheduler to favor or disfavor a process in scheduling decisions.
+  #
+  # The range of the nice value varies across UNIX systems. On modern Linux, the range
+  # is -20 (high priority = not very nice to other processes) to +19 (low priority).
+  #
+  # Allowed values are:
+  #     A signed integer value between -20 and 19, or -999 to disable niceness
+  nice = -10
+
+  # Should FTL translate its own stack addresses into code lines during the bug
+  # backtrace? This improves the analysis of crashed significantly. It is recommended to
+  # leave the option enabled.
+  #
+  # This option should only be disabled when addr2line is known to not be working
+  # correctly on the machine because, in this case, the malfunctioning addr2line can
+  # prevent from generating any backtrace at all.
+  #
+  # Allowed values are:
+  #     true or false
+  addr2line = true
+
+  # Should FTL load additional dnsmasq configuration files from /etc/dnsmasq.d/?
+  #
+  # Warning: This is an advanced setting and should only be used with care.
+  # Incorrectly formatted or config files specifying options which can only be defined
+  # once can result in conflicts with the automatic configuration of Pi-hole (see
+  # /etc/pihole/dnsmasq.conf) and may stop DNS resolution from working.
+  #
+  # Allowed values are:
+  #     true or false
+  etc_dnsmasq_d = false
+
+  # Additional lines to inject into the generated dnsmasq configuration.
+  # Warning: This is an advanced setting and should only be used with care. Incorrectly
+  # formatted or duplicated lines as well as lines conflicting with the automatic
+  # configuration of Pi-hole can break the embedded dnsmasq and will stop DNS resolution
+  # from working.
+  #
+  # Use this option with extra care.
+  #
+  # Allowed values are:
+  #     Array of valid dnsmasq config line options
+  dnsmasq_lines = []
+
+  # Log additional information about queries and replies to pihole.log
+  #
+  # When this setting is enabled, the log has extra information at the start of each
+  # line. This consists of a serial number which ties together the log lines associated
+  # with an individual query, and the IP address of the requestor. This setting is only
+  # effective if dns.queryLogging is enabled, too. This option is only useful for
+  # debugging and is not recommended for normal use.
+  #
+  # Allowed values are:
+  #     true or false
+  extraLogging = false
+
+  # Put configuration into read-only mode. This will prevent any changes to the
+  # configuration file via the API or CLI. This setting useful when a configuration is
+  # to be forced/modified by some third-party application (like infrastructure-as-code
+  # providers) and should not be changed by any means.
+  #
+  # Allowed values are:
+  #     true or false
+  readOnly = false
+
+  # Should FTL normalize reported CPU usage?
+  #
+  # On multi-core systems, a high workload can lead to CPU usage numbers exceeding 100%
+  # (e.g., 200% on a quad-core system if two out of four cores are fully utilized). This
+  # may look alarming at first glance even though the system is not actually overloaded.
+  # Enabling this setting will divide the CPU usage by the number of cores, leading to
+  # more intuitive numbers (e.g., 50% for the same load on a quad-core system).
+  # Note that this setting only affects how CPU usage is *reported*, it does not change
+  # the actual CPU usage.
+  #
+  # Allowed values are:
+  #     true or false
+  normalizeCPU = true
+
+  # Should FTL hide warnings coming from dnsmasq?
+  #
+  # By default, FTL reports warnings coming from the embedded dnsmasq DNS server to the
+  # FTL log file. These warnings can be useful to identify misconfigurations or problems
+  # with the DNS server. However, some warnings may be harmless and can be ignored in
+  # certain setups. Enabling this setting will hide all dnsmasq warnings.
+  #
+  # Allowed values are:
+  #     true or false
+  hide_dnsmasq_warn = false
+
+  [misc.check]
+    # Pi-hole is very lightweight on resources. Nevertheless, this does not mean that you
+    # should run Pi-hole on a server that is otherwise extremely busy as queuing on the
+    # system can lead to unnecessary delays in DNS operation as the system becomes less
+    # and less usable as the system load increases because all resources are permanently
+    # in use. To account for this, FTL regularly checks the system load. To bring this to
+    # your attention, FTL warns about excessive load when the 15 minute system load
+    # average exceeds the number of cores.
+    #
+    # This check can be disabled with this setting.
+    #
+    # Allowed values are:
+    #     true or false
+    load = true
+
+    # FTL stores history in shared memory to allow inter-process communication with forked
+    # dedicated TCP workers. If FTL runs out of memory, it cannot continue to work as
+    # queries cannot be analyzed any further. Hence, FTL checks if enough shared memory is
+    # available on your system and warns you if this is not the case.
+    # By default, FTL warns if the shared-memory usage exceeds 90%. You can set any
+    # integer limit between 0 to 100 (interpreted as percentages) where 0 means that
+    # checking of shared-memory usage is disabled.
+    #
+    # Allowed values are:
+    #     A positive integer value between 0 and 100
+    shmem = 90
+
+    # FTL stores its long-term history in a database file on disk. Furthermore, FTL stores
+    # log files. By default, FTL warns if usage of the disk holding any crucial file
+    # exceeds 90%. You can set any integer limit between 0 to 100 (interpreted as
+    # percentages) where 0 means that checking of disk usage is disabled.
+    #
+    # Allowed values are:
+    #     A positive integer value between 0 and 100
+    disk = 90
+
+[debug]
+  # Print debugging information about database actions. This prints performed SQL
+  # statements as well as some general information such as the time it took to store the
+  # queries and how many have been saved to the database.
+  #
+  # Allowed values are:
+  #     true or false
+  database = false
+
+  # Prints a list of the detected interfaces on the startup of pihole-FTL. Also, prints
+  # whether these interfaces are IPv4 or IPv6 interfaces.
+  #
+  # Allowed values are:
+  #     true or false
+  networking = false
+
+  # Print information about shared memory locks. Messages will be generated when waiting,
+  # obtaining, and releasing a lock.
+  #
+  # Allowed values are:
+  #     true or false
+  locks = false
+
+  # Print extensive query information (domains, types, replies, etc.). This has always
+  # been part of the legacy debug mode of pihole-FTL.
+  #
+  # Allowed values are:
+  #     true or false
+  queries = false
+
+  # Print flags of queries received by the DNS hooks. Only effective when DEBUG_QUERIES
+  # is enabled as well.
+  #
+  # Allowed values are:
+  #     true or false
+  flags = false
+
+  # Print information about shared memory buffers. Messages are either about creating or
+  # enlarging shmem objects or string injections.
+  #
+  # Allowed values are:
+  #     true or false
+  shmem = false
+
+  # Print information about garbage collection (GC): What is to be removed, how many have
+  # been removed and how long did GC take.
+  #
+  # Allowed values are:
+  #     true or false
+  gc = false
+
+  # Print information about ARP table processing: How long did parsing take, whether read
+  # MAC addresses are valid, and if the macvendor.db file exists.
+  #
+  # Allowed values are:
+  #     true or false
+  arp = false
+
+  # Controls if FTLDNS should print extended details about regex matching into FTL.log.
+  #
+  # Allowed values are:
+  #     true or false
+  regex = false
+
+  # Print extra debugging information concerning API calls. This includes the request,
+  # the request parameters, and the internal details about how the algorithms decide
+  # which data to present and in what form. This very verbose output should only be used
+  # when debugging specific API issues and can be helpful, e.g., when a client cannot
+  # connect due to an obscure API error. Furthermore, this setting enables logging of
+  # all API requests (auth log) and details about user authentication attempts.
+  #
+  # Allowed values are:
+  #     true or false
+  api = false
+
+  # Print extra debugging information about TLS connections. This includes the TLS
+  # version, the cipher suite, the certificate chain and much more. This very verbose
+  # output should only be used when debugging specific TLS issues and can be helpful,
+  # e.g., when a client cannot connect due to an obscure TLS error as modern browsers do
+  # not provide much information about the underlying TLS connection and most often give
+  # only very generic error messages without much/any underlying technical information.
+  #
+  # Allowed values are:
+  #     true or false
+  tls = false
+
+  # Print information about overTime memory operations, such as initializing or moving
+  # overTime slots.
+  #
+  # Allowed values are:
+  #     true or false
+  overtime = false
+
+  # Print information about status changes for individual queries. This can be useful to
+  # identify unexpected unknown queries.
+  #
+  # Allowed values are:
+  #     true or false
+  status = false
+
+  # Print information about capabilities granted to the pihole-FTL process. The current
+  # capabilities are printed on receipt of SIGHUP, i.e., the current set of capabilities
+  # can be queried without restarting pihole-FTL (by setting DEBUG_CAPS=true and
+  # thereafter sending killall -HUP pihole-FTL).
+  #
+  # Allowed values are:
+  #     true or false
+  caps = false
+
+  # Print information about DNSSEC activity
+  #
+  # Allowed values are:
+  #     true or false
+  dnssec = false
+
+  # FTL uses dynamically allocated vectors for various tasks. This config option enables
+  # extensive debugging information such as information about allocation, referencing,
+  # deletion, and appending.
+  #
+  # Allowed values are:
+  #     true or false
+  vectors = false
+
+  # Extensive information about hostname resolution like which DNS servers are used in
+  # the first and second hostname resolving tries (only affecting internally generated
+  # PTR queries).
+  #
+  # Allowed values are:
+  #     true or false
+  resolver = false
+
+  # Print debugging information about received EDNS(0) data.
+  #
+  # Allowed values are:
+  #     true or false
+  edns0 = false
+
+  # Log various important client events such as change of interface (e.g., client
+  # switching from WiFi to wired or VPN connection), as well as extensive reporting
+  # about how clients were assigned to its groups.
+  #
+  # Allowed values are:
+  #     true or false
+  clients = false
+
+  # Log information related to alias-client processing.
+  #
+  # Allowed values are:
+  #     true or false
+  aliasclients = false
+
+  # Log information regarding FTL's embedded event handling queue.
+  #
+  # Allowed values are:
+  #     true or false
+  events = false
+
+  # Log information about script helpers, e.g., due to dhcp-script.
+  #
+  # Allowed values are:
+  #     true or false
+  helper = false
+
+  # Print config parsing details
+  #
+  # Allowed values are:
+  #     true or false
+  config = false
+
+  # Debug monitoring of /etc/pihole filesystem events
+  #
+  # Allowed values are:
+  #     true or false
+  inotify = false
+
+  # Debug monitoring of the webserver (CivetWeb) events
+  #
+  # Allowed values are:
+  #     true or false
+  webserver = false
+
+  # Temporary flag that may print additional information. This debug flag is meant to be
+  # used whenever needed for temporary investigations. The logged content may change
+  # without further notice at any time.
+  #
+  # Allowed values are:
+  #     true or false
+  extra = false
+
+  # Reserved debug flag
+  #
+  # Allowed values are:
+  #     true or false
+  reserved = false
+
+  # Print information about NTP synchronization
+  #
+  # Allowed values are:
+  #     true or false
+  ntp = false
+
+  # Print information about netlink communication and parsing
+  #
+  # Allowed values are:
+  #     true or false
+  netlink = false
+
+  # Set all debug flags at once. This is a convenience option to enable all debug flags
+  # at once. Note that this option is not persistent, setting it to true will enable all
+  # *remaining* debug flags but unsetting it will disable *all* debug flags.
+  all = false
+
+# Configuration statistics:
+# 161 total entries out of which 152 entries are default
+# --> 9 entries are modified
diff --git a/proxmox/pihole/terraform/.gitignore b/proxmox/pihole/terraform/.gitignore
new file mode 100644
index 0000000..0023b4d
--- /dev/null
+++ b/proxmox/pihole/terraform/.gitignore
@@ -0,0 +1,47 @@
+# Created by https://gitignore.org
+# Terraform.gitignore
+
+# Local .terraform directories
+.terraform/
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Optional: ignore graph output files generated by `terraform graph`
+# *.dot
+
+# Optional: ignore plan files saved before destroying Terraform configuration
+# Uncomment the line below if you want to ignore planout files.
+# planout
diff --git a/proxmox/pihole/terraform/.terraform.lock.hcl b/proxmox/pihole/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..c5bd52f
--- /dev/null
+++ b/proxmox/pihole/terraform/.terraform.lock.hcl
@@ -0,0 +1,44 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/bpg/proxmox" {
+  version     = "0.86.0"
+  constraints = "0.86.0"
+  hashes = [
+    "h1:0OH908XIuDk42UTevFCfMMEnDdbsqNzSZBLGqjoj8S0=",
+    "zh:09b627b92a59848769fadfc3d8103eebf070a3800144bf03cb93f44472327f44",
+    "zh:0e19eb7f1047d541e50b97d7ac440ea73685d0c28ed2dbe64217cbe2f0b353e0",
+    "zh:20f1e70091ff3056876618c93afd79527c8995f955d153993e8fbb10fa42593b",
+    "zh:3920315be565976f5a9da0803f8f1a108221282f1bc9e21160669d793af4e0c8",
+    "zh:5133b2a2027428d3926eaa3bcdc0ab65a75305d54f6cbc7c54cce746dfddbc8e",
+    "zh:514c588b04738d55c9e6b1c5a4e3fb1ef4041dfb809d2268f14d29839ecfba59",
+    "zh:55916034025b4833bd6a93bb5948dfb7d00830a772ef74fa70898c6f7de0da0b",
+    "zh:58b485a4b0bde56ca7032fca0ac09cb4c6ff2579e06cf4f2a311bb695baa0df1",
+    "zh:75ebe44e6da4108af5fe02a9cd99ed0189985b486a2a56594952098d161ceb3d",
+    "zh:a8c870bfb5958a3d49d639db3c2761cfb453c6a6f95e5e241890922b11c8a4d8",
+    "zh:c2df2748b9be47a6c3e613667c64874d5cb1d3fbb5b985d6eb9c3af5af298454",
+    "zh:c3059668f4f81e450e555a47310e7042044b335f131643262fd51f9ba96f2214",
+    "zh:ddbbb23910666f70cf4a9587ba57b45f5f58c53a1f8d7cee1d6f90a3d3ef38ef",
+    "zh:e430138b897edcd3b64e4309db34ac872526187782626aa074d8d1647a0abfa8",
+    "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.5.3"
+  hashes = [
+    "h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=",
+    "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927",
+    "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e",
+    "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf",
+    "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d",
+    "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09",
+    "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f",
+    "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1",
+    "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6",
+    "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47",
+    "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82",
+  ]
+}
diff --git a/proxmox/pihole/terraform/main.tf b/proxmox/pihole/terraform/main.tf
new file mode 100644
index 0000000..bc8adb2
--- /dev/null
+++ b/proxmox/pihole/terraform/main.tf
@@ -0,0 +1,127 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.86.0"
+    }
+  }
+}
+
+data "local_file" "ssh_public_key" {
+  filename = var.ssh_pubkey_path
+}
+data "local_file" "proxmox_ssh_private_key" {
+  filename = var.proxmox_ssh_privkey_path
+}
+
+provider "proxmox" {
+  endpoint = var.proxmox_endpoint
+  username = var.proxmox_user
+  password = var.proxmox_password
+  insecure = true
+
+  ssh {
+    agent       = true
+    username    = var.proxmox_ssh_username
+    private_key = trimspace(data.local_file.proxmox_ssh_private_key.content)
+  }
+}
+
+resource "proxmox_virtual_environment_download_file" "ubuntu_cloud_image" {
+  content_type = "import"
+  datastore_id = var.proxmox_datastore
+  node_name    = var.proxmox_node
+  url          = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
+  file_name    = "noble-server-cloudimg-amd64.qcow2"
+}
+
+resource "proxmox_virtual_environment_file" "user_data_cloud_config" {
+  content_type = "snippets"
+  datastore_id = var.proxmox_datastore
+  node_name    = var.proxmox_node
+
+  source_raw {
+    data = <<-EOF
+    #cloud-config
+    hostname: ${var.vm_name}
+    timezone: America/Santiago
+    users:
+      - default
+      - name: ubuntu
+        groups:
+          - sudo
+        shell: /bin/bash
+        ssh_authorized_keys:
+          - ${trimspace(data.local_file.ssh_public_key.content)}
+        sudo: ALL=(ALL) NOPASSWD:ALL
+    package_update: true
+    packages:
+      - qemu-guest-agent
+      - net-tools
+      - curl
+    runcmd:
+      - systemctl enable qemu-guest-agent
+      - systemctl start qemu-guest-agent
+      - echo "done" > /tmp/cloud-config.done
+    EOF
+
+    file_name = "user-data-cloud-config.yaml"
+  }
+}
+
+resource "proxmox_virtual_environment_vm" "pihole" {
+  name      = var.vm_name
+  node_name = var.proxmox_node
+
+  agent { enabled = true }
+
+  cpu {
+    cores = 1
+    type  = "host"
+  }
+
+  memory {
+    dedicated = 2048
+  }
+
+  disk {
+    datastore_id = var.vm_datastore
+    import_from  = proxmox_virtual_environment_download_file.ubuntu_cloud_image.id
+    interface    = "virtio0"
+    iothread     = true
+    discard      = "on"
+    size         = 20
+  }
+
+  initialization {
+    datastore_id = var.vm_datastore
+
+    ip_config {
+      ipv4 {
+        address = "${var.vm_address}/${var.vm_cidr}"
+        gateway = var.vm_gateway
+      }
+    }
+
+    user_data_file_id = proxmox_virtual_environment_file.user_data_cloud_config.id
+  }
+
+  network_device {
+    bridge = var.bridge
+  }
+}
+
+resource "local_file" "ansible_inventory" {
+  filename   = "${path.module}/../ansible/inventory.yaml"
+  content    = <<-YAML
+  all:
+    children:
+      servers:
+        hosts:
+          ${var.vm_name}:
+            ansible_host: ${var.vm_address}
+            ansible_user: ubuntu
+            ansible_ssh_private_key_file: ${var.ssh_privkey_path}
+  YAML
+  depends_on = [proxmox_virtual_environment_vm.pihole]
+}
diff --git a/proxmox/pihole/terraform/terraform.tfvars.example b/proxmox/pihole/terraform/terraform.tfvars.example
new file mode 100644
index 0000000..f5f16bf
--- /dev/null
+++ b/proxmox/pihole/terraform/terraform.tfvars.example
@@ -0,0 +1,14 @@
+proxmox_endpoint = "https://192.168.1.1:8006"
+proxmox_user     = "terraform@pam"
+proxmox_password = "secret"
+proxmox_node     = "pve"
+
+proxmox_ssh_username     = "terraform"
+proxmox_ssh_privkey_path = "/home/user/.ssh/id_ed25519"
+
+ssh_pubkey_path  = "/home/user/.ssh/id_ed25519.pub"
+ssh_privkey_path = "/home/user/.ssh/id_ed25519"
+
+vm_address = "192.168.3.1"
+vm_cidr    = "16"
+vm_gateway = "192.168.1.1"
diff --git a/proxmox/pihole/terraform/variables.tf b/proxmox/pihole/terraform/variables.tf
new file mode 100644
index 0000000..b377494
--- /dev/null
+++ b/proxmox/pihole/terraform/variables.tf
@@ -0,0 +1,19 @@
+variable "proxmox_endpoint" {}
+variable "proxmox_user" {}
+variable "proxmox_password" { sensitive = true }
+variable "proxmox_node" { default = "pve" }
+
+variable "proxmox_ssh_username" {}
+variable "proxmox_ssh_privkey_path" {}
+variable "proxmox_datastore" { default = "local" }
+
+variable "vm_name" { default = "pihole" }
+variable "vm_datastore" { default = "local-vm" }
+variable "vm_address" {}
+variable "vm_cidr" {}
+variable "vm_gateway" {}
+
+variable "ssh_pubkey_path" {}
+variable "ssh_privkey_path" {}
+
+variable "bridge" { default = "vmbr0" }