# NixOS module: runs Pi-hole as an OCI container with host networking.
#
# Evaluates to the same attribute set as the original one-line module;
# only the layout and the comments differ.
{ lib, ... }:
let
  # Address the container advertises as its local IPv4 (FTLCONF_LOCAL_IPV4).
  ip = "10.0.0.203";
  # Host interface handed to Pi-hole via the INTERFACE variable. It is not
  # used to scope the firewall rules below, which open the ports on all
  # interfaces; `networking.firewall.interfaces.${interface}` would narrow them.
  interface = "eno1";
  # Persistent state root on the host; the two bind mounts live under it.
  directory = "/opt/pihole";

  # Single tmpfiles rule creating the state root. Ownership is given to the
  # "share" user/group, which this module assumes already exists — TODO confirm.
  stateDirRule = "d ${directory} 0755 share share - -";
in
{
  systemd.tmpfiles.rules = [ stateDirRule ];

  virtualisation.oci-containers.containers.pihole = {
    # NOTE(review): ":latest" is a mutable tag, so the image pulled can change
    # between deployments. Pinning a digest makes the deployment reproducible
    # and auditable.
    image = "pihole/pihole:latest";
    autoStart = true;

    # NOTE(review): with "--network=host" (extraOptions below) the container
    # shares the host network namespace, so these port mappings are typically
    # ignored by the runtime; they are kept here for parity with the original.
    ports = [
      "53:53/udp"
      "53:53/tcp"
      "80:80/tcp"
    ];

    volumes = [
      "${directory}/etc:/etc/pihole"
      "${directory}/etc-dnsmasq.d:/etc/dnsmasq.d"
    ];

    environment = {
      TZ = "America/Detroit";
      # NOTE(review): a literal here is written into the world-readable Nix
      # store and into the generated unit file. Keep the real admin password
      # out of the store, e.g. in a root-only file passed via
      # `environmentFiles`, and leave this placeholder unset.
      WEBPASSWORD = "CHANGE_ME_PLEASE!";
      FTLCONF_LOCAL_IPV4 = ip;
      INTERFACE = interface;
    };

    # Host networking removes the container's network isolation; it is what
    # lets Pi-hole see client source addresses on port 53.
    extraOptions = [ "--network=host" ];
  };

  # Host firewall: DNS (TCP/UDP 53) and the web admin UI (TCP 80), opened on
  # every interface. The admin UI is served over plain HTTP here.
  networking.firewall = {
    allowedTCPPorts = [ 53 80 ];
    allowedUDPPorts = [ 53 ];
  };
}