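# NixOS module: runs Pi-hole as an OCI container and points the host's own
# resolver at it. Active only when both sysconfig.docker.pihole.enable and
# sysconfig.docker.enable are true.
{ config, lib, ... }:
{
  options.sysconfig.docker.pihole.enable =
    with lib;
    mkOption {
      type = with types; bool;
      default = false;
      description = "Run Pi-hole in a container and use it as the host's DNS resolver.";
    };

  config = lib.mkIf (config.sysconfig.docker.pihole.enable && config.sysconfig.docker.enable) {
    # Static resolv.conf: every host lookup goes to the loopback listener
    # published by the container below.
    environment.etc."resolv.conf" = {
      enable = true;
      text = ''
        nameserver 127.0.0.1
        options edns0
      '';
      user = "root";
      # Was "0664". The resolver configuration decides where all DNS queries
      # go, so only the owner needs write access; readers need read only.
      mode = "0644";
    };

    /*
      environment.etc."nsswitch.conf" = {
        enable = true;
        text = ''
          passwd:    files systemd
          group:     files [success=merge] systemd
          shadow:    files systemd
          sudoers:   files
          hosts:     dns mymachines files myhostname
          networks:  files
          ethers:    files
          services:  files
          protocols: files
          rpc:       files
        '';
        user = "root";
      };
    */

    # mkForce replaces whatever other modules set for the hosts database.
    # "dns" is listed before "files", so DNS answers are tried before
    # /etc/hosts entries.
    # NOTE(review): confirm this ordering is intended; names pinned in
    # /etc/hosts no longer take precedence over what the resolver returns.
    system.nssDatabases.hosts = lib.mkForce [
      "dns"
      "mymachines"
      "files"
      "myhostname"
    ];

    virtualisation.oci-containers.containers.pihole = {
      # NOTE(review): ":latest" is a moving tag, so the code that ends up
      # serving DNS for this host changes whenever the image is re-pulled.
      # Prefer a fixed release tag or a digest, e.g.
      # "pihole/pihole:<version>" or "pihole/pihole@sha256:<digest>"
      # (placeholders, fill in from the registry).
      image = "pihole/pihole:latest";
      # unstable, waiting for 26.05
      #pull = "newer";
      hostname = "pihole.local";

      # All published ports bind to 127.0.0.1 on the host, so the web UI
      # (host port 9001) and DNS (53/tcp, 53/udp) are reachable from this
      # machine only, not from the network.
      ports = [
        "127.0.0.1:9001:80"
        "127.0.0.1:53:53/tcp"
        "127.0.0.1:53:53/udp"
      ];

      # Named volume keeps /etc/pihole across container re-creation.
      volumes = [
        "vol_pihole:/etc/pihole"
      ];

      environment = {
        # NOTE(review): this value is part of the evaluated configuration, so
        # it is copied into the world-readable Nix store and is visible in the
        # container's environment; it is also short and numeric. Any local
        # user or process can reach the UI on 127.0.0.1:9001. Move the
        # variable into a root-only file outside the store and reference it
        # through this container's `environmentFiles` option, then rotate
        # the password.
        FTLCONF_webserver_api_password = "7567";
        # Listening mode inside the container; exposure on the host is
        # limited by the 127.0.0.1 port bindings above, not by this setting.
        # NOTE(review): presumably needed because queries arrive via the
        # container network rather than a local interface; confirm.
        FTLCONF_dns_listeningMode = "ALL";
      };
    };
  };
}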