diff --git a/kubernetes/app/pihole/configmap-adlists.yaml b/kubernetes/app/pihole/configmap-adlists.yaml
new file mode 100644
index 0000000..c60b07a
--- /dev/null
+++ b/kubernetes/app/pihole/configmap-adlists.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pihole-adlists
+ namespace: pihole
+data:
+ adlists.txt: |
+ # Hagezi Multi Pro — ads, tracking, malware, scam, crypto
+ https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.txt
+ # Hagezi Threat Intelligence Feeds — malware, C2, phishing
+ https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/tif.txt
+ # Ukrainian Security Filter — phishing/fraud targeting Ukrainian citizens
+ https://raw.githubusercontent.com/braveinnovators/ukrainian-security-filter/main/lists/domains.txt
+ # Phishing Army Extended
+ https://phishing.army/download/phishing_army_blocklist_extended.txt
diff --git a/kubernetes/app/pihole/configmap-pihole.yaml b/kubernetes/app/pihole/configmap-pihole.yaml
new file mode 100644
index 0000000..866004e
--- /dev/null
+++ b/kubernetes/app/pihole/configmap-pihole.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pihole-config
+ namespace: pihole
+data:
+ TZ: Europe/Kyiv
+ FTLCONF_dns_listeningMode: all
+ FTLCONF_dns_upstreams: "127.0.0.1#5353"
+ FTLCONF_misc_etc_dnsmasq_d: "true"
+ FTLCONF_dns_revServers: "true,10.127.0.0/16,10.127.1.1,lviv"
+ FTLCONF_files_database: /data/pihole-FTL.db
+ # Local DNS records (one per line: "IP HOSTNAME")
+ # Uncomment and add entries as needed:
+ # FTLCONF_dns_hosts: |
+ # 192.168.1.1 router.lan
+ # 192.168.1.2 nas.lan
diff --git a/kubernetes/app/pihole/deployment.yaml b/kubernetes/app/pihole/deployment.yaml
index 906d3a3..dc2b574 100644
--- a/kubernetes/app/pihole/deployment.yaml
+++ b/kubernetes/app/pihole/deployment.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 replicas: 1
 strategy:
- type: Recreate
+ type: RollingUpdate
 selector:
 matchLabels:
 app: pihole
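Review bot: `FTLCONF_dns_listeningMode: all` makes FTL accept queries from any origin on any interface, so the only thing keeping this Pi-hole from being an open resolver is that the 10.127.1.200 service address is not reachable from outside the LAN, and nothing in the ConfigMap records that dependency. The value is presumably required because client traffic reaches the pod through the pod network and the MetalLB address rather than a directly attached subnet. A comment above the key would capture the trade-off, e.g. `# "all" is needed for queries arriving via the pod network/MetalLB; the 10.127.1.200 service must stay LAN-only`.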
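Review bot: Switching `strategy.type` to `RollingUpdate` lets the replacement pod start while the old one is still running, and because /data is now a hostPath volume rather than a per-pod claim (see the volumes hunk later in this diff), two pods scheduled on the same node would both open /data/pihole-FTL.db at once. FTL keeps that SQLite database open for writing, so an overlapping rollout risks lock errors and at worst a damaged database; port 53 is only a `containerPort` here, so nothing else forces single-instance scheduling. Either keep `type: Recreate`, or add `rollingUpdate: {maxSurge: 0, maxUnavailable: 1}` so the old pod is stopped before the new one starts.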
@@ -17,23 +17,25 @@ spec: labels: app: pihole spec: + initContainers: + - name: fix-permissions + image: busybox:latest + command: ["sh", "-c", "chown 1000:1000 /data"] + volumeMounts: + - name: pihole-ftl-db + mountPath: /data containers: - name: pihole - image: pihole/pihole:2025.08.0 + image: pihole/pihole:2026.02.0 + envFrom: + - configMapRef: + name: pihole-config env: - - name: TZ - value: Europe/Kyiv - name: FTLCONF_webserver_api_password valueFrom: secretKeyRef: name: pihole-credentials key: WEBPASSWORD - - name: FTLCONF_dns_listeningMode - value: all - - name: FTLCONF_dns_upstreams - value: "127.0.0.1#5353" - - name: FTLCONF_misc_etc_dnsmasq_d - value: "true" ports: - containerPort: 53 protocol: TCP @@ -44,11 +46,47 @@ spec: - containerPort: 80 protocol: TCP name: http + readinessProbe: + exec: + command: + - dig + - +norecurse + - +retry=0 + - +time=2 + - healthcheck.pi.hole + - "@127.0.0.1" + initialDelaySeconds: 5 + periodSeconds: 10 + lifecycle: + postStart: + exec: + command: + - /bin/bash + - -c + - | + ( + SID="" + until curl -sf "http://localhost/api/lists?sid=$SID" | grep -q '"lists"'; do + SID=$(curl -s -X POST http://localhost/api/auth \ + -d "{\"password\":\"$FTLCONF_webserver_api_password\"}" | \ + grep -o '"sid":"[^"]*"' | cut -d'"' -f4) + sleep 5 + done + grep -v '^#\|^$' /etc/pihole-adlists/adlists.txt | while read -r url; do + curl -s -X POST "http://localhost/api/lists?type=block&sid=$SID" \ + -d "{\"address\":\"$url\"}" > /dev/null + done + curl -s -X POST "http://localhost/api/action/gravity?sid=$SID" > /dev/null + ) & volumeMounts: - name: pihole-config mountPath: /etc/pihole - name: pihole-dnsmasq mountPath: /etc/dnsmasq.d + - name: pihole-adlists + mountPath: /etc/pihole-adlists + - name: pihole-ftl-db + mountPath: /data - name: dnscrypt-proxy image: klutchell/dnscrypt-proxy:latest 
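Review bot: The new `fix-permissions` init container uses `busybox:latest`, a floating tag, for a process that runs as root and writes to the node-backed /data directory, while the main container in the same hunk is pinned to `pihole/pihole:2026.02.0`. With a mutable tag the image that gets root on the node can change between restarts without any change in this repo, and rollbacks are not reproducible. Pin it like the main image, `image: busybox:<pinned-version>` or by digest `image: busybox@sha256:<digest>` (placeholders). Note also that `chown 1000:1000 /data` is not recursive, which is fine for a freshly created directory but leaves any pre-existing root-owned files under it unchanged. The container list continues outside the hunk.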
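Review bot: The postStart script passes the API password on curl's command line, `-d "{\"password\":\"$FTLCONF_webserver_api_password\"}"`, which exposes it through /proc/<pid>/cmdline to every process in the container's PID namespace for the duration of each login attempt, repeated every 5 s until the API answers. Feeding the body through stdin keeps it out of the process list, and printf is a bash builtin so no extra process sees it: `SID=$(printf '{"password":"%s"}' "$FTLCONF_webserver_api_password" | curl -s -X POST -d @- http://localhost/api/auth | grep -o '"sid":"[^"]*"' | cut -d'"' -f4)`. The JSON is also built by plain interpolation, so a password containing `"` or `\` yields an invalid body and the `until` loop never terminates; likewise the session id is sent as a `sid` query parameter where web server logs may record it, whereas FTL also accepts it in the `X-FTL-SID` header. The container spec this hook belongs to starts before the hunk.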
@@ -62,11 +100,16 @@ spec: volumes: - name: pihole-config - persistentVolumeClaim: - claimName: pihole-config + emptyDir: {} - name: pihole-dnsmasq - persistentVolumeClaim: - claimName: pihole-dnsmasq + emptyDir: {} + - name: pihole-ftl-db + hostPath: + path: /var/hostPath/pihole + type: DirectoryOrCreate + - name: pihole-adlists + configMap: + name: pihole-adlists - name: dnscrypt-config configMap: name: dnscrypt-config
diff --git a/kubernetes/app/pihole/namespace.yaml b/kubernetes/app/pihole/namespace.yaml
index 9693809..0b274ba 100644
--- a/kubernetes/app/pihole/namespace.yaml
+++ b/kubernetes/app/pihole/namespace.yaml
@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: pihole
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/app/pihole/pv.yaml b/kubernetes/app/pihole/pv.yaml
deleted file mode 100644
index 530f5f2..0000000
--- a/kubernetes/app/pihole/pv.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: pihole-config
-spec:
- capacity:
- storage: 2Gi
- accessModes:
- - ReadWriteOnce
- storageClassName: ""
- persistentVolumeReclaimPolicy: Retain
- mountOptions:
- - hard
- - nointr
- nfs:
- server: synology.storage.lviv
- path: /volume3/k8s-storage/pihole-config
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: pihole-dnsmasq
-spec:
- capacity:
- storage: 1Gi
- accessModes:
- - ReadWriteOnce
- storageClassName: ""
- persistentVolumeReclaimPolicy: Retain
- mountOptions:
- - hard
- - nointr
- nfs:
- server: synology.storage.lviv
- path: /volume3/k8s-storage/pihole-dnsmasq
diff --git a/kubernetes/app/pihole/pvc.yaml b/kubernetes/app/pihole/pvc.yaml
deleted file mode 100644
index bb75376..0000000
--- a/kubernetes/app/pihole/pvc.yaml
+++ /dev/null
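Review bot: The new `pihole-ftl-db` hostPath volume has no matching `nodeSelector` or `nodeAffinity` visible in this diff, so the FTL database persists only as long as the scheduler happens to place the pod on the same node; after a reschedule the pod silently starts with an empty history, and `DirectoryOrCreate` creates a fresh root-owned /var/hostPath/pihole on whichever node it lands. Either pin the pod, `nodeSelector: {kubernetes.io/hostname: <node-name>}` under the pod spec (placeholder), or expose the directory as a `local` PersistentVolume with its own nodeAffinity, which keeps hostPath out of the pod spec altogether. A comment on the volume would help either way, e.g. `# node-local storage; the pod must be pinned to the node that holds /var/hostPath/pihole`. The hunk also turns /etc/pihole into an emptyDir, so gravity and the adlists are rebuilt by the postStart hook on every restart while the query database is kept — reasonable if intended, but the asymmetry deserves a comment.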
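Review bot: `pod-security.kubernetes.io/enforce: privileged` is the most permissive Pod Security level and applies to every pod in the namespace, including the dnscrypt-proxy sidecar and anything added later, yet the hunk gives no reason for it; presumably it is needed because the hostPath volume and the root `chown` init container introduced in this diff are rejected by the `baseline` profile. Record that in a comment on the label, `# privileged: needed for the hostPath /data volume and the root init container in deployment.yaml`. Adding `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` next to it would surface any further drift from baseline without blocking the deployment.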
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: pihole-config
- namespace: pihole
-spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: ""
- volumeName: pihole-config
- resources:
- requests:
- storage: 2Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: pihole-dnsmasq
- namespace: pihole
-spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: ""
- volumeName: pihole-dnsmasq
- resources:
- requests:
- storage: 1Gi
diff --git a/kubernetes/app/pihole/service-dns.yaml b/kubernetes/app/pihole/service-dns.yaml
index 29400f9..63aaa10 100644
--- a/kubernetes/app/pihole/service-dns.yaml
+++ b/kubernetes/app/pihole/service-dns.yaml
@@ -7,6 +7,7 @@ metadata:
 metallb.io/loadBalancerIPs: 10.127.1.200
 spec:
 type: LoadBalancer
+ externalTrafficPolicy: Local
 selector:
 app: pihole
 ports:
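Review bot: `externalTrafficPolicy: Local` changes both what Pi-hole sees as the client address and which node answers for 10.127.1.200, but the hunk leaves the reason undocumented. With `Local`, queries arrive with the real client IP instead of a node SNAT address, which is what makes per-client statistics and the `FTLCONF_dns_revServers` lookups added in this diff meaningful; the flip side is that only the node running the single replica carries the address, so a node failure is a DNS outage until the pod is rescheduled (exact announcement behaviour depends on the MetalLB mode, which is not visible here). A comment such as `# Local: keep the client source IP for per-client logging; only the node running the pod serves the LB address` would capture the trade-off.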