diff --git a/hardware-configuration/homeserver.nix b/hardware-configuration/homeserver.nix
index 2489623..64e5818 100644
--- a/hardware-configuration/homeserver.nix
+++ b/hardware-configuration/homeserver.nix
@@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
@@ -14,19 +15,21 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803"; + { + device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/47A1-0296"; + { + device = "/dev/disk/by-uuid/47A1-0296"; fsType = "vfat"; options = [ "fmask=0022" "dmask=0022" ]; }; fileSystems."/nas" = { - device = "/dev/disk/by-label/WD_RED_4T_1"; - fsType = "ext4"; + device = "/dev/disk/by-label/WD_RED_4T_1"; + fsType = "ext4"; }; swapDevices = [ ];
@@ -36,7 +39,24 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp9s0.useDHCP = lib.mkDefault true; + networking.defaultGateway = "192.168.100.1"; + networking.interfaces.enp9s0 = { + useDHCP = false; + ipv4.addresses = [ + { + address = "192.168.100.3"; + prefixLength = 24; + } + { + address = "192.168.100.4"; + prefixLength = 24; + } + { + address = "192.168.100.5"; + prefixLength = 24; + } + ]; + }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/options/podman.nix b/options/podman.nix
index 862e595..000a8af 100644
--- a/options/podman.nix
+++ b/options/podman.nix
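Review bot: The static enp9s0 block is added directly under `networking.useDHCP = lib.mkDefault true;`, which the hunk keeps, so DHCP stays the default for every other interface while enp9s0 alone is static; if that split is intended, a comment next to the new block saying so would save the next reader a check. The three addresses 192.168.100.3/.4/.5 carry no explanation, while other files in this commit bind .4 to the Pi-hole DNS port and .5 to the stubby listener, so a short comment per address naming its consumer, e.g. `# .4: Pi-hole DNS (system/podman/pihole.nix); .5: stubby (system/services/stubby.nix)`, would make the allocation reviewable. The surrounding lines look like the output of nixos-generate-config (the file header itself is not in view); if that tool is ever re-run, these hand-written interface settings are overwritten, which argues for moving them into profiles/homeserver.nix.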
@@ -4,5 +4,6 @@
 enable = lib.mkEnableOption "podman";
 caddy.enable = lib.mkEnableOption "caddy podman";
 kavita.enable = lib.mkEnableOption "kavita podman";
+ pihole.enable = lib.mkEnableOption "pihole podman";
 };
 }
diff --git a/profiles/homeserver.nix b/profiles/homeserver.nix
index f48e9a6..5fbc9ad 100644
--- a/profiles/homeserver.nix
+++ b/profiles/homeserver.nix
@@ -23,11 +23,12 @@ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; podman = { - enable = false; + enable = true; + pihole.enable = true; }; docker = { - enable = true; + enable = false; }; services = {
diff --git a/secrets/pihole.yaml b/secrets/pihole.yaml
new file mode 100644
index 0000000..97e296c
--- /dev/null
+++ b/secrets/pihole.yaml
@@ -0,0 +1,22 @@
+pihole:
+ env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
+ RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
+ OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
+ VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
+ M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-16T17:29:06Z"
+ mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/system/modules/networking.nix b/system/modules/networking.nix
index 672fdeb..de1261d 100644
--- a/system/modules/networking.nix
+++ b/system/modules/networking.nix
@@ -9,7 +9,9 @@ cfg = config.profile.networking.firewall; in { - enable = cfg.enable; + # enable = cfg.enable; + enable = true; allowedTCPPorts = cfg.allowedTCPPorts; + allowedUDPPorts = [ 53 ]; }; }
diff --git a/system/podman/default.nix b/system/podman/default.nix
index 80322d1..451677f 100644
--- a/system/podman/default.nix
+++ b/system/podman/default.nix
@@ -32,5 +32,6 @@ in
 imports = [
 ./caddy.nix
 ./kavita.nix
+ ./pihole.nix
 ];
 }
diff --git a/system/podman/pihole.nix b/system/podman/pihole.nix
new file mode 100644
index 0000000..f6ed65c
--- /dev/null
+++ b/system/podman/pihole.nix
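Review bot: In system/modules/networking.nix, `enable = true;` hard-codes the firewall on and leaves the old binding behind as dead text in `# enable = cfg.enable;`, so `config.profile.networking.firewall.enable` no longer has any effect even though profiles/homeserver.nix in this same commit still sets `networking.firewall.enable = true;`; either keep reading the option or remove it together with the commented line. `allowedUDPPorts = [ 53 ];` opens DNS on every interface of every host that imports this module, unconditionally and unrelated to whether Pi-hole is enabled, while the TCP list is still taken from the profile; following the existing pattern, add a UDP-port option next to the profile's `allowedTCPPorts`, read it here as `allowedUDPPorts = cfg.<newOption>;`, and set `[ 53 ]` only in the homeserver profile that actually runs the resolver. Only UDP 53 is opened, which matches the UDP-only port mapping in system/podman/pihole.nix but leaves the DNS-over-TCP fallback blocked, so the two should be changed together. The enclosing `let … in` of this module starts before the hunk.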
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+ name = "pihole";
+ podman = config.profile.podman;
+ pihole = podman.pihole;
+ inherit (lib) mkIf;
+ gateway = "10.1.1.1";
+ subnet = "10.1.1.0/29";
+ ip = "10.1.1.3";
+ ip-range = "10.1.1.3/29";
+ image = "pihole/pihole:latest";
+in
+{
+ config = mkIf (podman.enable && pihole.enable) {
+ services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
+ @root path /
+ redir @root /admin
+ reverse_proxy ${ip}:80
+ '';
+
+ sops.secrets."pihole/env" = {
+ sopsFile = ../../secrets/pihole.yaml;
+ };
+
+
+ systemd.services.create-kavita-network = {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ wantedBy = [ "podman-pihole.service" ];
+ script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
+ };
+
+ virtualisation.oci-containers.containers.pihole = {
+ inherit image;
+ environment = {
+ TZ = "Asia/Jakarta";
+ PIHOLE_DNS_ = "192.168.100.5";
+ DHCP_START = "192.168.100.20";
+ DHCP_END = "192.168.100.254";
+ DHCP_ROUTER = "192.168.100.1";
+ };
+ ports = [
+ "192.168.100.4:53:53/udp"
+ "67:67/udp"
+ ];
+ volumes = [
+ "pihole-etc:/etc/pihole"
+ "pihole-dnsmasq:/etc/dnsmasq.d"
+ ];
+ environmentFiles = [
+ config.sops.secrets."pihole/env".path
+ ];
+ extraOptions = [
+ "--ip=${ip}"
+ "--network=${name}"
+ "--cap-add=NET_ADMIN"
+ "--cap-add=NET_BIND_SERVICE"
+ "--cap-add=NET_RAW"
+ "--cap-add=SYS_NICE"
+ "--cap-add=CHOWN"
+ ];
+ };
+ };
+}
diff --git a/system/services/stubby.nix b/system/services/stubby.nix
index d413efa..1875070 100644
--- a/system/services/stubby.nix
+++ b/system/services/stubby.nix
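Review bot: The network-creation unit in the new system/podman/pihole.nix is declared as `systemd.services.create-kavita-network` although it creates the `pihole` network and is wanted by `podman-pihole.service`; if kavita.nix (not in view) declares a unit of the same name, NixOS merges the two definitions and the conflicting `script` values fail evaluation, and even if it does not, the name misleads, so rename it to `systemd.services.create-pihole-network`. `image = "pihole/pihole:latest";` is a floating tag, so what actually runs depends on when the host last pulled; pin a version tag or an `@sha256:` digest so the deployment is reproducible and reviewable. The `ports` list publishes DNS only as `"192.168.100.4:53:53/udp"`; answers larger than 512 bytes are truncated and clients retry over TCP, so add `"192.168.100.4:53:53/tcp"` together with the matching firewall rule. `"67:67/udp"` carries no host address and therefore binds the DHCP port on all host interfaces, unlike the DNS mapping, and because the container sits on the private bridge `10.1.1.0/29` it is unclear that LAN DHCP broadcasts can reach it at all — confirm that before keeping the `DHCP_*` environment. The five `--cap-add` entries and the `PIHOLE_DNS_ = "192.168.100.5"` upstream (the stubby listener from this commit) each deserve a one-line comment stating why they are needed.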
@@ -5,13 +5,13 @@ let
 in
 {
 config = mkIf cfg.enable {
- networking.resolvconf.useLocalResolver = true;
+ networking.resolvconf.useLocalResolver = false;
+ networking.nameservers = [ "192.168.100.5" ];
 services.stubby = {
 enable = true;
 settings = pkgs.stubby.passthru.settingsExample // {
 listen_addresses = [
- "0.0.0.0@53"
- "0::0"
+ "192.168.100.5"
 ];
 upstream_recursive_servers = [
 {
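Review bot: Replacing the wildcard listeners with the single `"192.168.100.5"` entry (stubby uses port 53 when no `@port` is given) ties the resolver to an address that is assigned to enp9s0 in hardware-configuration/homeserver.nix; if stubby starts before that address is configured the bind fails, and since `networking.nameservers = [ "192.168.100.5" ]` now points the host at the same address, the host is left with no resolver at all — keeping `"127.0.0.1@53"` in the list (and in `networking.nameservers`) preserves a local path that does not depend on interface timing. With `networking.resolvconf.useLocalResolver = false;` the host itself resolves through stubby directly and bypasses Pi-hole filtering; that is presumably intended, since the container's upstream is the same address, but a one-line comment would record the decision. Combined with the `allowedUDPPorts = [ 53 ]` change in system/modules/networking.nix, stubby on .5 is reachable by every LAN host, not only by the Pi-hole container; if only Pi-hole should use it, a firewall rule limited to the container subnet, or a comment stating that LAN-wide exposure is accepted, belongs here. Dropping `"0::0"` also ends IPv6 listening, which is worth a note if deliberate. The `upstream_recursive_servers` list and the enclosing `config = mkIf cfg.enable {` continue past the hunk.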