version: '3.2'

services:
  pihole:
    image: pihole/pihole:latest
    volumes:
      - {{ pihole_base }}/volumes/pihole:/etc/pihole
      - {{ pihole_base }}/volumes/dnsmasq:/etc/dnsmasq.d
    environment:
      - TZ={{ timezone }}
      - FTLCONF_webserver_api_password={{ pihole_webpwd }}
      - FTLCONF_dns_upstreams={{ upstream_dns_servers | join(';') }}
    networks:
      - proxy
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - traefik.enable=true
        - traefik.swarm.network=proxy
        - traefik.http.routers.piholeweb.tls=true
        - traefik.http.routers.piholeweb.tls.certResolver=letsencrypt
        - traefik.http.routers.piholeweb.rule=Host(`pihole.{{ traefik_domain }}`)
        - traefik.http.routers.piholeweb.entrypoints=websecure
        - traefik.http.services.piholeweb.loadbalancer.server.port=80
        # 53/udp
        - traefik.udp.routers.pihole-dns-udp.entrypoints=dns_udp
        - traefik.udp.routers.pihole-dns-udp.service=pihole-dns-udp
        - traefik.udp.services.pihole-dns-udp.loadbalancer.server.port=53
        # 53/tcp
        - traefik.tcp.routers.pihole-dns-tcp.rule=HostSNI(`*`)
        - traefik.tcp.routers.pihole-dns-tcp.entrypoints=dns_tcp
        - traefik.tcp.routers.pihole-dns-tcp.service=pihole-dns-tcp
        - traefik.tcp.services.pihole-dns-tcp.loadbalancer.server.port=53

networks:
  proxy:
    external: true