diff --git a/system/services/docker/pihole/default.nix b/system/services/docker/pihole/default.nix
index c157af7..faafa2c 100644
--- a/system/services/docker/pihole/default.nix
+++ b/system/services/docker/pihole/default.nix
@@ -1 +1,31 @@
-{ ... }: {}
+{ config, lib, ... }: {
+
+    options.sysconfig.docker.pihole.enable = with lib; mkOption {
+        type = with types; bool;
+        default = false;
+    };
+
+    config = lib.mkIf (config.sysconfig.docker.pihole.enable && config.sysconfig.docker.enable) {
+
+        virtualisation.oci-containers.containers.pihole = {
+            image = "pihole/pihole:latest";
+
+            # unstable, waiting for 26.05
+            #pull = "newer";
+
+            ports = [
+                "127.0.0.1:9001:80"
+                "127.0.0.1:53:53"
+            ];
+
+            volumes = [
+                "vol_pihole:/etc/pihole"
+            ];
+
+            environment = {
+                FTLCONF_webserver_api_password = "7567";
+                FTLCONF_dns_listeningMode = "ALL";
+            };
+        };
+    };
+}
diff --git a/system/services/docker/portainer/default.nix b/system/services/docker/portainer/default.nix
index a1adeaa..c6f9fcd 100644
--- a/system/services/docker/portainer/default.nix
+++ b/system/services/docker/portainer/default.nix
@@ -8,7 +8,7 @@
     config = lib.mkIf (config.sysconfig.docker.portainer.enable && config.sysconfig.docker.enable) {
 
         virtualisation.oci-containers.containers.portainer = {
-            image = "portainer/portainer-ce";
+            image = "portainer/portainer-ce:latest";
 
             # unstable, waiting for 26.05
             #pull = "newer";