diff --git a/docker_swarm/playbooks/stacks.yml b/docker_swarm/playbooks/stacks.yml
index 4329372..d261901 100644
--- a/docker_swarm/playbooks/stacks.yml
+++ b/docker_swarm/playbooks/stacks.yml
@@ -6,7 +6,6 @@
 - {role: forgejo, tags: forgejo}
 - {role: hedgedoc, tags: hedgedoc}
 - {role: swarm_dashboard, tags: swarm_dashboard}
- - {role: pihole, tags: pihole}
 - {role: nextcloud, tags: nextcloud}
 - {role: kitchenowl, tags: kitchenowl}
 - {role: paperless-ngx, tags: paperless-ngx}
diff --git a/docker_swarm/roles/traefik/docker-stack.yml.j2 b/docker_swarm/roles/traefik/docker-stack.yml.j2
index 05a8132..daeac2a 100644
--- a/docker_swarm/roles/traefik/docker-stack.yml.j2
+++ b/docker_swarm/roles/traefik/docker-stack.yml.j2
@@ -84,6 +84,12 @@ services:
 - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
 - traefik.http.routers.syncthing.tls=true
 - traefik.http.routers.syncthing.tls.certresolver=letsencrypt
+
+ - traefik.http.routers.pihole.entrypoints=localsecure
+ - traefik.http.routers.pihole.service=k3s@file
+ - traefik.http.routers.pihole.rule=Host(`pihole.kun.is`)
+ - traefik.http.routers.pihole.tls=true
+ - traefik.http.routers.pihole.tls.certresolver=letsencrypt
 volumes:
 - type: bind
 source: /var/run/docker.sock
diff --git a/nix/flake/kubenix/default.nix b/nix/flake/kubenix/default.nix
index 1b69ab5..c76c76a 100644
--- a/nix/flake/kubenix/default.nix
+++ b/nix/flake/kubenix/default.nix
@@ -14,6 +14,7 @@
 ./radicale.nix
 ./syncthing.nix
 ./nextcloud.nix
+ ./pihole.nix
 ];
 kubernetes.kubeconfig = "~/.kube/config";
 kubenix.project = "home";
diff --git a/nix/flake/kubenix/freshrss.nix b/nix/flake/kubenix/freshrss.nix
index 8de2b9c..55fa464 100644
--- a/nix/flake/kubenix/freshrss.nix
+++ b/nix/flake/kubenix/freshrss.nix
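Review bot: The new `traefik.http.routers.pihole.*` labels attach no middleware, so the Pi-hole admin UI reached through `k3s@file` is gated only by the `localsecure` entrypoint; if that entrypoint is the intended local-network boundary, a YAML comment above the block should say so, e.g. `# pihole admin UI (runs on k3s); local entrypoint only, forwarded through the k3s@file service`. The syncthing router's entrypoints line sits outside the hunk, so I cannot confirm the two routers follow the same pattern. The `k3s@file` service definition is not visible either, so whether the hop from this Traefik to the cluster ingress is TLS or plain HTTP should be checked against the file-provider config.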
@@ -8,7 +8,7 @@
 };
 # TODO: encrypt this with sops and commit to git repo.
- secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml";
+ secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml#/freshrss/password";
 deployments.freshrss = {
 metadata.labels.app = "freshrss";
diff --git a/nix/flake/kubenix/pihole.nix b/nix/flake/kubenix/pihole.nix
new file mode 100644
index 0000000..da66704
--- /dev/null
+++ b/nix/flake/kubenix/pihole.nix
@@ -0,0 +1,152 @@
+{
+ kubernetes.resources = {
+ configMaps.pihole.data = {
+ TZ = "Europe/Amsterdam";
+ PIHOLE_DNS_ = "192.168.40.1";
+ };
+
+ secrets.pihole.stringData.webPassword = "ref+file:///home/pim/.config/home/vals.yaml#/pihole/password";
+
+ deployments.pihole = {
+ metadata.labels.app = "pihole";
+
+ spec = {
+ selector.matchLabels.app = "pihole";
+
+ template = {
+ metadata.labels.app = "pihole";
+
+ spec = {
+ containers.pihole = {
+ image = "pihole/pihole:latest";
+ envFrom = [{ configMapRef.name = "pihole"; }];
+
+ ports = [
+ {
+ containerPort = 80;
+ protocol = "TCP";
+ }
+ {
+ containerPort = 53;
+ protocol = "UDP";
+ }
+ ];
+
+ env = [{
+ # TODO: simplify this by using env.WEBPASSWORD?
+ name = "WEBPASSWORD";
+
+ valueFrom.secretKeyRef = {
+ name = "pihole";
+ key = "webPassword";
+ };
+ }];
+
+ volumeMounts = [
+ {
+ name = "data";
+ mountPath = "/etc/pihole";
+ }
+ {
+ name = "dnsmasq";
+ mountPath = "/etc/dnsmasq.d";
+ }
+ ];
+ };
+
+ volumes = [
+ {
+ name = "data";
+ persistentVolumeClaim.claimName = "pihole-data";
+ }
+ {
+ name = "dnsmasq";
+ persistentVolumeClaim.claimName = "pihole-dnsmasq";
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ persistentVolumes = {
+ pihole-data.spec = {
+ capacity.storage = "1Mi";
+ accessModes = [ "ReadWriteMany" ];
+
+ nfs = {
+ server = "lewis.hyp";
+ path = "/mnt/data/nfs/pihole/data";
+ };
+ };
+
+ pihole-dnsmasq.spec = {
+ capacity.storage = "1Mi";
+ accessModes = [ "ReadWriteMany" ];
+
+ nfs = {
+ server = "lewis.hyp";
+ path = "/mnt/data/nfs/pihole/dnsmasq";
+ };
+ };
+ };
+
+ persistentVolumeClaims = {
+ pihole-data.spec = {
+ accessModes = [ "ReadWriteMany" ];
+ storageClassName = "";
+ resources.requests.storage = "1Mi";
+ volumeName = "pihole-data";
+ };
+
+ pihole-dnsmasq.spec = {
+ accessModes = [ "ReadWriteMany" ];
+ storageClassName = "";
+ resources.requests.storage = "1Mi";
+ volumeName = "pihole-dnsmasq";
+ };
+ };
+
+ services = {
+ pihole-web.spec = {
+ selector.app = "pihole";
+
+ ports = [{
+ protocol = "TCP";
+ port = 80;
+ targetPort = 80;
+ }];
+ };
+
+ pihole-dns.spec = {
+ type = "LoadBalancer";
+ loadBalancerIP = "192.168.30.131";
+ selector.app = "pihole";
+
+ ports = [{
+ protocol = "UDP";
+ port = 53;
+ targetPort = 53;
+ }];
+ };
+ };
+
+ ingresses.pihole-web.spec = {
+ ingressClassName = "traefik";
+
+ rules = [{
+ host = "pihole.kun.is";
+
+ http.paths = [{
+ path = "/";
+ pathType = "Prefix";
+
+ backend.service = {
+ name = "pihole-web";
+ port.number = 80;
+ };
+ }];
+ }];
+ };
+ };
+}
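Review bot: The DNS path in the new pihole.nix carries UDP only — the container's `ports` list and the `pihole-dns` LoadBalancer service both declare 53/UDP and nothing on 53/TCP, so clients that must retry over TCP after a truncated response (resolvers are required to support TCP per RFC 7766) will get no answer from this endpoint. Adding a `containerPort = 53; protocol = "TCP";` entry and a matching, named TCP port on the service fixes that; whether one LoadBalancer service may mix UDP and TCP depends on the cluster's Kubernetes version and load-balancer implementation (the `MixedProtocolLBService` feature), so a second `pihole-dns-tcp` service on the same `loadBalancerIP` may be needed instead. Separately, `image = "pihole/pihole:latest"` is unpinned, so each rollout may pull a different image; pinning a version tag or digest makes the deployment reproducible and upgrades deliberate. The `# TODO: simplify this by using env.WEBPASSWORD?` comment deserves care when resolved: the present `secretKeyRef` keeps the admin password out of the rendered manifest, and it should stay a secret reference rather than become a literal value.
```nix
ports = [
  # … unchanged: 80/TCP and 53/UDP entries …
  {
    containerPort = 53;
    protocol = "TCP";
  }
];
# … unchanged: env, volumeMounts, volumes, persistentVolumes, persistentVolumeClaims, pihole-web …
pihole-dns.spec = {
  # … unchanged: type, loadBalancerIP, selector …
  ports = [
    {
      name = "dns-udp";
      protocol = "UDP";
      port = 53;
      targetPort = 53;
    }
    {
      name = "dns-tcp";
      protocol = "TCP";
      port = 53;
      targetPort = 53;
    }
  ];
};
```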