# Deployment Plan (Paused): Pi-hole + Unbound + Tailscale (LAN-wide)

Status: **not executing now**. This is a saved action plan for later.

## Current State (Observed)

- Root filesystem free: ~933 MB (`df -h /` showed 14G total, 12G used, 933M avail)
- Biggest top-level usage:
  - `/usr` ~6.5G
  - `/var` ~2.6G
  - `/home` ~2.6G
- Apt cache: ~355M (`/var/cache/apt`)
- systemd journal: ~153M

Implication: installs/upgrades are risky until we reclaim a few GB.

## Goal

LAN-wide ad-blocking DNS (clients on the router DHCP) using:

- Pi-hole (DNS on :53)
- Unbound (recursive resolver on 127.0.0.1:5335)
- Optional: also serve Tailscale clients

## Human-in-the-loop Items

- Ensure `eth0` is connected and has a stable LAN IP.
- Router DHCP: set DNS primary to the Pi's **LAN IP** (not the Tailscale IP).
- If also doing remote blocking: Tailscale Admin Console: add the Pi's Tailscale IP as a nameserver + enable "Override local DNS" for the desired devices.

## Phase 0: Free Disk Space (Preflight)

### Checks

```bash
df -h /
sudo journalctl --disk-usage
sudo du -xhd1 /home
sudo du -xhd1 /usr
sudo du -sh /var/cache/apt /var/cache/apt/archives /var/log/journal 2>/dev/null || true
```

### Low-risk reclaim

```bash
sudo apt-get clean
sudo journalctl --vacuum-size=50M
```

### If still tight

- Prefer removing/moving large items from `/home` first (least likely to break the OS).
- Avoid deleting arbitrary files under `/usr` unless we identify packages to remove.

Target before installing: ideally **>= 2-4 GB free** on `/`.

## Phase 1: Prevent Ubuntu DNS Port Conflicts

Problem: `systemd-resolved` can conflict with Pi-hole binding to `:53`.

### Checks

```bash
sudo ss -lntup | rg ':53\s' || true
sudo ss -lnup | rg ':53\s' || true
```

### Fix

1. Edit `/etc/systemd/resolved.conf`:
   - Set `DNSStubListener=no`
2. Point `/etc/resolv.conf` away from the 127.0.0.53 stub:

```bash
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
```

### Verify

```bash
readlink -f /etc/resolv.conf
sudo ss -lntup | rg ':53\s' || true
sudo ss -lnup | rg ':53\s' || true
```

Expected: `systemd-resolved` is no longer listening on `:53`.

## Phase 2: Configure Pi-hole for LAN-wide DNS

### Variables

- LAN interface: `eth0`
- LAN IP/CIDR: derived from `ip addr` (must be stable)

```bash
LAN_IF=eth0
LAN_CIDR="$(ip -4 -o addr show dev "$LAN_IF" | awk '{print $4}')"
LAN_IP="${LAN_CIDR%%/*}"
printf "LAN_IP=%s\nLAN_CIDR=%s\n" "$LAN_IP" "$LAN_CIDR"
```

### Write setupVars (non-interactive)

Notes:

- Uses the LAN interface/IP (not tailscale0).
- Minimizes writes: `QUERY_LOGGING=false`.

```bash
sudo mkdir -p /etc/pihole
# Unquoted heredoc so ${LAN_IF} and ${LAN_CIDR} from the step above expand;
# tee (not a shell redirect) so the write itself runs as root.
cat <<EOF | sudo tee /etc/pihole/setupVars.conf >/dev/null
PIHOLE_INTERFACE=${LAN_IF}
IPV4_ADDRESS=${LAN_CIDR}
QUERY_LOGGING=false
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
PIHOLE_DNS_1=127.0.0.1#5335
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
EOF
sudo sed -n '1,200p' /etc/pihole/setupVars.conf
```

## Phase 3: Install Stack

### Install Pi-hole (unattended)

```bash
curl -sSL https://install.pi-hole.net | bash /dev/stdin --unattended
```

Verify:

```bash
pihole status
sudo systemctl is-active pihole-FTL
sudo ss -lnup | rg ':53\s'
```

### Install Unbound

```bash
sudo apt-get update
sudo apt-get install -y unbound
```

### Configure Unbound

```bash
sudo wget https://docs.pi-hole.net/guides/dns/unbound/unbound.conf.d.pi-hole.conf \
  -O /etc/unbound/unbound.conf.d/pi-hole.conf
sudo unbound-checkconf
sudo systemctl enable --now unbound
sudo ss -lnup | rg ':5335\s'
dig @127.0.0.1 -p 5335 google.com +noall +answer
```

### Point Pi-hole to Unbound

```bash
pihole -a setdns "127.0.0.1#5335"
pihole restartdns
dig @127.0.0.1 google.com +noall +answer
```

## Phase 4: LAN Integration (Router DHCP)

1. Set router DHCP DNS = `LAN_IP`.
2. Renew DHCP on 1-2 clients.
3. Verify from a LAN client:

```bash
nslookup google.com
nslookup doubleclick.net
```

## Optional: Also Serve Tailscale Clients

- Use the Tailscale IP only for Tailscale clients.
- Configure Tailscale DNS in the Admin Console.

Verify:

```bash
TS_IP="$(tailscale ip -4)"
nslookup doubleclick.net "$TS_IP"
```

## Notes for microSD (slow)

- Keep query logging off.
- Consider capping journald to avoid silent growth. Edit `/etc/systemd/journald.conf`:
  - `SystemMaxUse=200M`
  - `RuntimeMaxUse=100M`

Then:

```bash
sudo systemctl restart systemd-journald
sudo journalctl --disk-usage
```
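Added example, not part of the plan above: a shell preflight that encodes the Phase 0 free-space target and the Phase 1 port-53 check as re-runnable functions, so the plan can be resumed only once both pass. The `df`/`ss` sample output embedded in it is constructed, and the 2048 MB threshold is an assumption taken from the lower end of the ">= 2-4 GB" target.

```shell
# Preflight for Phase 0 and Phase 1: enough free space on / and nothing
# already bound to :53. Sample df/ss output below is constructed.
MIN_FREE_MB=2048   # assumption: lower end of the plan's ">= 2-4 GB" target

# Print MB available on the filesystem in `df -Pm <mount>` output ($1).
avail_mb_from_df() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $4 }'
}

# Print "<proto> <process>" for each socket in `ss -lntup` output ($1)
# whose local address ends in :<port> ($2). The header line is skipped.
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $5 ~ (":" port "$") {
            # users:(("systemd-resolve",pid=612,fd=13)) -> systemd-resolve
            proc = $NF
            sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            print $1, proc
        }'
}

# Return 0 when both checks pass; otherwise print each failure and return 1.
preflight() {
    df_out="$1"; ss_out="$2"; rc=0
    avail="$(avail_mb_from_df "$df_out")"
    if [ "$avail" -lt "$MIN_FREE_MB" ]; then
        echo "FAIL: ${avail} MB free on /, want >= ${MIN_FREE_MB} MB"; rc=1
    fi
    busy="$(listeners_on_port "$ss_out" 53)"
    if [ -n "$busy" ]; then
        echo "FAIL: port 53 already in use:"; echo "$busy"; rc=1
    fi
    return "$rc"
}

# Constructed samples matching the state recorded under "Current State".
SAMPLE_DF='Filesystem     1048576-blocks  Used Available Capacity Mounted on
/dev/mmcblk0p2          14336 11999       933      93% /'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*     users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*     users:(("systemd-resolve",pid=612,fd=14))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=700,fd=3))'

# Live use: preflight "$(df -Pm /)" "$(sudo ss -lntup)"
if preflight "$SAMPLE_DF" "$SAMPLE_SS"; then
    echo "preflight OK: safe to resume the plan"
else
    echo "preflight blocked: fix the items above first"
fi
```

Against the constructed samples both checks fail (933 MB free, resolved on :53), which is the state the plan records; after Phase 0 and Phase 1 the live call should return 0.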