services:
  unbound_valkey:
    container_name: unbound_valkey
    image: ghcr.io/valkey-io/valkey:9.0.3@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    restart: unless-stopped
    hostname: unbound_valkey
    volumes:
      - ./valkey-data:/data
    networks:
      - backend
    healthcheck:
      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s

  unbound:
    container_name: unbound
    image: klutchell/unbound:1.24.2@sha256:cb9a0f06c803c764395e2ff50bd8a244470601290c78fb2cdcf1bd200a027cd6
    restart: unless-stopped
    depends_on:
      unbound_valkey:
        condition: service_healthy
    volumes:
      - ./unbound.conf:/etc/unbound/unbound.conf
      - ./unbound-custom-conf:/etc/unbound/custom.conf.d
    ports:
      - 5354:53
      - 5354:53/udp
    networks:
      - backend
    healthcheck:
      test: ['CMD', 'drill-hc', '@127.0.0.1', 'dnssec.works']
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s

  pihole:
    container_name: pihole
    image: ghcr.io/pi-hole/pihole:2026.02.0@sha256:ee348529cea9601df86ad94d62a39cad26117e1eac9e82d8876aa0ec7fe1ba27
    restart: unless-stopped
    cap_add:
      - SYS_NICE
    environment:
      - TZ=${TZ}
      - FTLCONF_dns_upstreams=unbound
      - FTLCONF_dns_listeningMode=all
      - FTLCONF_webserver_api_password=${FTLCONF_webserver_api_password}
    volumes:
      - ./pihole:/etc/pihole
    ports:
      - 5355:53/tcp
      - 5355:53/udp
      - 8055:80/tcp
      - 4435:443/tcp
    networks:
      - frontend
      - backend

networks:
  frontend:
    external: true
  backend:
    external: true