---
# Deployment: a single Pi-hole pod with a dnscrypt-proxy sidecar in the `pihole` namespace.
# An init container prepares ownership of the FTL database directory, and a postStart
# hook re-registers adlists and clients through the local Pi-hole HTTP API.
#
# NOTE(review): no container sets `resources` or `securityContext`; both fall back to
# cluster/image defaults. Confirm that is acceptable for this namespace.
# NOTE(review): all three images are referenced by tag only; pinning each by digest would
# make rollouts reproducible and protect against a tag being re-pushed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pihole
  namespace: pihole
  labels:
    app: pihole
spec:
  replicas: 1
  # NOTE(review): with one replica and the hostPath-backed `pihole-ftl-db` volume, a rolling
  # update can briefly run the old and new pod side by side; if both land on the same node
  # they share /var/hostPath/pihole. Confirm this is intended, or consider `type: Recreate`.
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: pihole
  template:
    metadata:
      labels:
        app: pihole
    spec:
      initContainers:
        # Hands /data (the hostPath volume) to UID/GID 1000 before the main containers start.
        # NOTE(review): no securityContext is set, so this presumably runs as the image's
        # default user (root for busybox), which the chown needs. It is the only container
        # here that requires it.
        - name: fix-permissions
          image: busybox:1.37
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -c
            - 'chown 1000:1000 /data'
          volumeMounts:
            - name: pihole-ftl-db
              mountPath: /data
      containers:
        - name: pihole
          image: pihole/pihole:2026.02.0
          # Non-secret settings come from the ConfigMap; the API password is read from a
          # Secret so it never appears in this manifest.
          envFrom:
            - configMapRef:
                name: pihole-config
          env:
            - name: FTLCONF_webserver_api_password
              valueFrom:
                secretKeyRef:
                  name: pihole-credentials
                  key: WEBPASSWORD
          ports:
            - name: dns-tcp
              containerPort: 53
              protocol: TCP
            - name: dns-udp
              containerPort: 53
              protocol: UDP
            - name: http
              containerPort: 80
              protocol: TCP
          # Ready once the local resolver answers a non-recursive query for
          # healthcheck.pi.hole (no retries, 2 s timeout). No livenessProbe is defined.
          readinessProbe:
            exec:
              command:
                - dig
                - +norecurse
                - +retry=0
                - +time=2
                - healthcheck.pi.hole
                - "@127.0.0.1"
            initialDelaySeconds: 5
            periodSeconds: 10
          # postStart runs a background subshell so the hook itself returns immediately.
          # The subshell:
          #   1. loops every 5 s, POSTing the password to /api/auth to obtain a session id
          #      (SID) until /api/lists answers successfully with that SID;
          #   2. registers every non-comment, non-blank line of adlists.txt as a block list;
          #   3. registers every such line of unfiltered-clients.txt as a client with no groups;
          #   4. triggers a gravity run.
          # NOTE(review): the password, list URLs and client names are spliced into JSON
          # without escaping; a value containing `"` or `\` produces a malformed request body.
          # NOTE(review): the password is passed on curl's command line and the SID in the
          # query string, so both can show up in process listings or request logs inside the
          # container. Traffic stays on localhost.
          # NOTE(review): the auth loop has no retry cap and the POSTs use `curl -s` without
          # `-f`, so a wrong password retries indefinitely and API errors pass silently.
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/bash
                  - -c
                  - |
                    (
                      SID=""
                      until curl -sf "http://localhost/api/lists?sid=$SID" | grep -q '"lists"'; do
                        SID=$(curl -s -X POST http://localhost/api/auth \
                          -d "{\"password\":\"$FTLCONF_webserver_api_password\"}" | \
                          grep -o '"sid":"[^"]*"' | cut -d'"' -f4)
                        sleep 5
                      done
                      grep -v '^#\|^$' /etc/pihole-adlists/adlists.txt | while read -r url; do
                        curl -s -X POST "http://localhost/api/lists?type=block&sid=$SID" \
                          -d "{\"address\":\"$url\"}"
                      done
                      grep -v '^#\|^$' /etc/pihole-adlists/unfiltered-clients.txt | while read -r client; do
                        curl -s -X POST "http://localhost/api/clients?sid=$SID" \
                          -d "{\"client\":\"$client\",\"groups\":[]}"
                      done
                      # NOTE: gravity must be last — it blocks until complete and may outlive the SID
                      curl -s -X POST "http://localhost/api/action/gravity?sid=$SID"
                    ) &
          volumeMounts:
            - name: pihole-config
              mountPath: /etc/pihole
            - name: pihole-dnsmasq
              mountPath: /etc/dnsmasq.d
            - name: pihole-adlists
              mountPath: /etc/pihole-adlists
            - name: pihole-ftl-db
              mountPath: /data
        # Sidecar resolver. It declares no ports; Pi-hole presumably reaches it over the
        # pod's loopback interface (upstream settings live in ConfigMaps not shown here).
        - name: dnscrypt-proxy
          image: klutchell/dnscrypt-proxy:v2.1.15
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Europe/Kyiv
          volumeMounts:
            # subPath mounts do not pick up later ConfigMap edits; the pod must be restarted
            # for a changed dnscrypt-proxy.toml to take effect.
            - name: dnscrypt-config
              mountPath: /config/dnscrypt-proxy.toml
              subPath: dnscrypt-proxy.toml
            - name: dnscrypt-tmp
              mountPath: /tmp
      volumes:
        # /etc/pihole and /etc/dnsmasq.d are emptyDir, so their contents start empty for each
        # new pod; presumably this is why postStart re-applies lists and clients.
        - name: pihole-config
          emptyDir: {}
        - name: pihole-dnsmasq
          emptyDir: {}
        # NOTE(review): hostPath binds the FTL data to one node's filesystem and is mounted
        # read-write. Admission policies that restrict hostPath will reject this pod, and the
        # data does not follow the pod to another node.
        - name: pihole-ftl-db
          hostPath:
            path: /var/hostPath/pihole
            type: DirectoryOrCreate
        - name: pihole-adlists
          configMap:
            name: pihole-adlists
        - name: dnscrypt-tmp
          emptyDir: {}
        - name: dnscrypt-config
          configMap:
            name: dnscrypt-config