diff --git a/pi-hole/compose.yaml b/pi-hole/compose.yaml
new file mode 100644
index 0000000..229d239
--- /dev/null
+++ b/pi-hole/compose.yaml
@@ -0,0 +1,66 @@
+services:
+  unbound_valkey:
+    container_name: unbound_valkey
+    image: ghcr.io/valkey-io/valkey:9.0.3@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    restart: unless-stopped
+    hostname: unbound_valkey
+    volumes:
+      - ./valkey-data:/data
+    networks:
+      - backend
+    healthcheck:
+      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+  unbound:
+    container_name: unbound
+    image: klutchell/unbound:1.24.2@sha256:cb9a0f06c803c764395e2ff50bd8a244470601290c78fb2cdcf1bd200a027cd6
+    restart: unless-stopped
+    depends_on:
+      unbound_valkey:
+        condition: service_healthy
+    volumes:
+      - ./unbound.conf:/etc/unbound/unbound.conf
+      - ./unbound-custom-conf:/etc/unbound/custom.conf.d
+    ports:
+      - 5354:53
+      - 5354:53/udp
+    networks:
+      - backend
+    healthcheck:
+      test: ['CMD', 'drill-hc', '@127.0.0.1', 'dnssec.works']
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+  pihole:
+    container_name: pihole
+    image: ghcr.io/pi-hole/pihole:2026.02.0@sha256:ee348529cea9601df86ad94d62a39cad26117e1eac9e82d8876aa0ec7fe1ba27
+    restart: unless-stopped
+    cap_add:
+      - SYS_NICE
+    environment:
+      - TZ=${TZ}
+      - FTLCONF_dns_upstreams=unbound
+      - FTLCONF_dns_listeningMode=all
+      - FTLCONF_webserver_api_password=${FTLCONF_webserver_api_password}
+    volumes:
+      - ./pihole:/etc/pihole
+    ports:
+      - 5355:53/tcp
+      - 5355:53/udp
+      - 8055:80/tcp
+      - 4435:443/tcp
+    networks:
+      - frontend
+      - backend
+
+networks:
+  frontend:
+    external: true
+  backend:
+    external: true