diff --git a/ansible/inventories/home/hosts.yml b/ansible/inventories/home/hosts.yml index d9ed16b..51a3845 100644 --- a/ansible/inventories/home/hosts.yml +++ b/ansible/inventories/home/hosts.yml @@ -2,9 +2,4 @@ all: hosts: home.bdebyl.net: - ansible_user: ansible - children: - newhome: - hosts: - galactica.lan: - ansible_user: fedora + ansible_user: fedora diff --git a/ansible/roles/git/handlers/main.yml b/ansible/roles/git/handlers/main.yml index d43327e..755ef76 100644 --- a/ansible/roles/git/handlers/main.yml +++ b/ansible/roles/git/handlers/main.yml @@ -6,3 +6,12 @@ state: started enabled: true daemon_reload: true + tags: git + +- name: restorecon git + become: true + ansible.builtin.command: | + restorecon -Frv {{ git_home }} + tags: + - git + - selinux diff --git a/ansible/roles/git/tasks/main.yml b/ansible/roles/git/tasks/main.yml index 36bc3dd..bbcd0c2 100644 --- a/ansible/roles/git/tasks/main.yml +++ b/ansible/roles/git/tasks/main.yml @@ -1,3 +1,4 @@ --- - import_tasks: user.yml - import_tasks: systemd.yml +- import_tasks: selinux.yml diff --git a/ansible/roles/git/tasks/selinux.yml b/ansible/roles/git/tasks/selinux.yml new file mode 100644 index 0000000..7c3037c --- /dev/null +++ b/ansible/roles/git/tasks/selinux.yml @@ -0,0 +1,14 @@ +--- +- name: configure selinux git directories + become: true + community.general.sefcontext: + target: "{{ item.target }}(/.*)?" + setype: "{{ item.setype }}" + state: present + notify: restorecon git + loop: + - { target: "{{ git_home }}", setype: "user_home_dir_t" } + - { target: "{{ git_home }}/.ssh", setype: "ssh_home_t" } + tags: + - git + - selinux diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml index 8c03e71..8f60c5d 100644 --- a/ansible/roles/podman/defaults/main.yml +++ b/ansible/roles/podman/defaults/main.yml 
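Review bot: The new `restorecon git` handler always reports changed, because `ansible.builtin.command` has no `changed_when` here while `restorecon -Frv` only prints the paths it actually relabels; registering the output and adding `changed_when: restorecon_result.stdout != ""` would make the handler's reporting honest. The `tags:` added to both handlers in this hunk are, as far as I recall, ignored on handlers (a notified handler runs regardless of `--tags`/`--skip-tags`), so they are harmless but suggest a filter that does not exist. Passing `{{ git_home }}` as a free-form argument also splits on whitespace; `argv: ["restorecon", "-Frv", "{{ git_home }}"]` avoids that and keeps the call shell-free. The first handler in the hunk starts above it.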
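Review bot: The first loop entry in selinux.yml labels the whole tree `{{ git_home }}(/.*)?` as `user_home_dir_t`, whereas, if I read the stock policy right, `user_home_dir_t` belongs to the home directory itself and its contents are `user_home_t`; unless the wider label is intentional, moving the regex into each item (`target: "{{ item.target }}"`) with entries like `{ target: "{{ git_home }}", setype: "user_home_dir_t" }`, `{ target: "{{ git_home }}/.+", setype: "user_home_t" }` and the existing `.ssh` entry keeps the labeling conventional, with the longest match still selecting `ssh_home_t`. `community.general.sefcontext` fails on hosts without SELinux, and tasks/main.yml now imports this file unconditionally, so if any inventory target runs without SELinux the task needs `when: ansible_selinux.status == "enabled"`. A short comment above the task naming why these two paths need non-default contexts (sshd reading `authorized_keys` for the git user, presumably) would help the next reader.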
@@ -4,6 +4,7 @@ graylog_path: "{{ podman_volumes }}/graylog" hass_path: "{{ podman_volumes }}/hass" nginx_path: "{{ podman_volumes }}/nginx" partkeepr_path: "{{ podman_volumes }}/partkeepr" +pihole_path: "{{ podman_volumes }}/pihole" drone_server_proto: "https" drone_runner_capacity: "4" diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml index 157ac26..7f2f72b 100644 --- a/ansible/roles/podman/tasks/configuration-nginx-http.yml +++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml @@ -62,7 +62,7 @@ mode: 0644 loop: - "{{ ci_server_name }}.http.conf" - # - "{{ pi_server_name }}.conf" + - "{{ pi_server_name }}.conf" - "{{ home_server_name }}.conf" - "{{ assistant_server_name }}.conf" - "{{ video_server_name }}.conf" @@ -83,7 +83,7 @@ state: link loop: - "{{ ci_server_name }}.http.conf" - # - "{{ pi_server_name }}.conf" + - "{{ pi_server_name }}.conf" - "{{ parts_server_name }}.conf" - "{{ home_server_name }}.conf" - "{{ assistant_server_name }}.conf" diff --git a/ansible/roles/podman/tasks/container-pihole.yml b/ansible/roles/podman/tasks/container-pihole.yml new file mode 100644 index 0000000..eca4f06 --- /dev/null +++ b/ansible/roles/podman/tasks/container-pihole.yml 
@@ -0,0 +1,54 @@ +--- +- name: create required pihole volumes + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: 0755 + notify: restorecon podman + loop: + - "{{ pihole_path }}/config" + - "{{ pihole_path }}/dnsmasq" + tags: pihole + +- name: flush handlers + ansible.builtin.meta: flush_handlers + tags: pihole + +- name: create pihole container + become: true + become_user: "{{ podman_user }}" + containers.podman.podman_container: + name: pihole + image: docker.io/pihole/pihole:2022.04.3 + recreate: false + restart: true + restart_policy: on-failure + log_driver: journald + cap_add: + - CAP_NET_BIND_SERVICE + - NET_ADMIN + network: + - host + env: + DNSMASQ_USER: "root" + PIHOLE_UID: 0 + TZ: "America/New_York" + WEBPASSWORD: "{{ pihole_password }}" + WEB_PORT: 8082 + volumes: + - "{{ pihole_path }}/config:/etc/pihole" + - "{{ pihole_path }}/dnsmasq:/etc/dnsmasq.d" + ports: + - 53:53/udp + - 53:53/tcp + - 8082:80 + tags: pihole + +- name: create systemd startup job for pihole + include_tasks: systemd-generate.yml + vars: + container_name: pihole + tags: pihole diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml index 56a46d4..bfda749 100644 --- a/ansible/roles/podman/tasks/firewall.yml +++ b/ansible/roles/podman/tasks/firewall.yml @@ -6,6 +6,8 @@ permanent: true state: enabled loop: + - 53/tcp + - 53/udp - 80/tcp - 443/tcp - "{{ syslog_udp_default }}/udp" diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 25ab71e..22d9974 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -6,5 +6,6 @@ - import_tasks: container-drone.yml - import_tasks: container-hass.yml - import_tasks: container-partkeepr.yml -- import_tasks: container-nginx.yml - import_tasks: container-graylog.yml +- import_tasks: container-pihole.yml +- import_tasks: container-nginx.yml 
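Review bot: The `ports:` list at the end of the container task is discarded when `network: host` is set, since the container then binds directly in the host network namespace and podman warns that port mappings are ignored; either the `ports` entries or the host network should go, and `WEB_PORT: 8082` together with the `127.0.0.1:8082` nginx upstream suggests host networking is the intended mode. Because `WEBPASSWORD` carries the vaulted admin password, the task should set `no_log: true` so the rendered environment is not printed in verbose or failed-task output. Minor YAML points: `mode: 0755` and the env values `PIHOLE_UID: 0` / `WEB_PORT: 8082` are better quoted (`"0755"`, `"0"`, `"8082"`) so the parser does not retype them, and `cap_add` mixes the prefixed and bare spellings (`CAP_NET_BIND_SERVICE`, `NET_ADMIN`). A comment on the task recording why `DNSMASQ_USER: "root"` and `PIHOLE_UID: 0` are needed in a rootless container would save the next reader a lookup.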
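Review bot: Opening `53/tcp` and `53/udp` permanently exposes the resolver on whatever firewalld zone this loop targets, and the zone is outside the hunk; if that zone also faces an untrusted network, the host becomes an open resolver usable for DNS amplification. Consider limiting the rule to the LAN zone or a `rich_rule` restricted to the `192.168.1.0/24` source the nginx config already trusts, and check that Pi-hole itself is configured to answer only local clients. The enclosing task begins above the hunk.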
diff --git a/ansible/roles/podman/tasks/podman.yml b/ansible/roles/podman/tasks/podman.yml index 6d97c72..18c22af 100644 --- a/ansible/roles/podman/tasks/podman.yml +++ b/ansible/roles/podman/tasks/podman.yml @@ -91,7 +91,7 @@ become: true ansible.posix.sysctl: name: net.ipv4.ip_unprivileged_port_start - value: "80" + value: "53" sysctl_set: true state: present reload: true diff --git a/ansible/roles/podman/tasks/systemd-generate.yml b/ansible/roles/podman/tasks/systemd-generate.yml index 6562c34..d123593 100644 --- a/ansible/roles/podman/tasks/systemd-generate.yml +++ b/ansible/roles/podman/tasks/systemd-generate.yml @@ -5,7 +5,7 @@ changed_when: false ansible.builtin.shell: | podman generate systemd --name {{ container_name }} > {{ podman_home }}/.config/systemd/user/{{ container_name }}.service - tags: systemd + tags: always - name: enable systemd startup job for {{ container_name }} become: true @@ -21,4 +21,4 @@ delay: 1 until: result is not failed ignore_errors: true - tags: systemd + tags: always diff --git a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 index 1bd518e..0659c94 100644 --- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 +++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 
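Review bot: Lowering `net.ipv4.ip_unprivileged_port_start` to `"53"` is a host-wide change: every unprivileged user and process, not only `podman_user`, can now bind ports 53 through 1023, which widens the earlier floor of 80 to cover 53–79 as well. This is the usual way to let a rootless, host-networked container bind 53, so the `cap_add: CAP_NET_BIND_SERVICE` in container-pihole.yml is, as far as I can tell, redundant with this sysctl and could be dropped to avoid implying it is what grants the bind. A comment above the task such as `# 53: Pi-hole DNS runs rootless with host networking` would record why the value is 53. The enclosing task starts above the hunk.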
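Review bot: Switching `tags: systemd` to `tags: always` in both hunks of systemd-generate.yml makes these tasks run on every invocation that reaches the include, even with `--skip-tags systemd`, and removes the ability to select them with `--tags systemd`. If the motivation is that tasks brought in via `include_tasks` do not inherit the caller's `tags: pihole`, the targeted fix is to propagate the caller's tags with `ansible.builtin.include_tasks: { file: systemd-generate.yml, apply: { tags: pihole } }` alongside `tags: pihole` on the include itself, or to use `import_tasks` so the tags are inherited statically. Either keeps `--tags`/`--skip-tags` meaningful for the generate and enable steps.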
@@ -1,57 +1,32 @@ -# -# /etc/nginx/conf.d/pihole.conf -# -# https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration -# +upstream pihole { + server 127.0.0.1:8082; +} + +geo $local_access { + default 0; + 192.168.1.0/24 1; +} server { modsecurity on; modsecurity_rules_file /etc/nginx/modsec_includes.conf; - listen 80; + listen 80; + server_name {{ pi_server_name }}; - root /srv/http/pihole; - server_name {{ pi_server_name }}; - autoindex off; + location / { + if ($local_access = 1) { + access_log off; + } + allow 192.168.1.0/24; + allow 127.0.0.1; + deny all; - proxy_intercept_errors on; - error_page 404 /pihole/index.php; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; - index pihole/index.php index.php index.html index.htm; - - allow 192.168.1.0/24; - allow 127.0.0.1; - deny all; - - location / { - expires max; - try_files $uri $uri/ =404; - add_header X-Pi-hole "A black hole for Internet advertisements"; - } - - location ~ \.php$ { - include fastcgi.conf; - fastcgi_intercept_errors on; - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - fastcgi_param VIRTUAL_HOST open_basedir="/srv/http/pihole:run/pihole-ftl/pihole-FTL.port:run/log/pihole/pihole.log:run/log/pihole-ftl/pihole-FTL.log:etc/pihole:etc/hosts:etc/hostname:etc/dnsmasq.d/02-pihole-dhcp.conf:etc/dnsmasq.d/03-pihole-wildcard.conf:etc/dnsmasq.d/04-pihole-static-dhcp.conf:var/log/lighttpd/error.log:proc/meminfo:proc/cpuinfo:sys/class/thermal/thermal_zone0/temp:tmp"; - } - - location /admin { - root /srv/http/pihole; - index index.php index.html index.htm; - add_header X-Pi-hole "The Pi-hole Web interface is working!"; - add_header X-Frame-Options "DENY"; - } - - location ~ /\.ttf { - add_header Access-Control-Allow-Origin "*"; - } - - location ~ /admin/\. { - deny all; - } - - location ~ /\.ht { - deny all; - } + proxy_buffering off; + proxy_pass http://pihole; + } } \ No newline at end of file 
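Review bot: `$connection_upgrade` in `proxy_set_header Connection $connection_upgrade;` is not defined in this file; nginx needs an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }`, and if no other included config provides it the config test fails, so it should be added (or the Upgrade/Connection headers dropped, since nothing in the hunk shows the admin UI needing WebSockets). The `if ($local_access = 1) { access_log off; }` block disables access logging for exactly the clients the `allow` list admits, so successful admin requests leave no nginx log trail while denied ones still do; from a detection standpoint it is better to keep logging on, or direct these requests to a dedicated log file. The `geo` block and the `allow 192.168.1.0/24; allow 127.0.0.1; deny all;` lines encode the same trust boundary twice, so one source of truth is preferable — note the map does not cover `127.0.0.1`, so the `allow`/`deny` lines are the safer one to keep. The proxied admin UI now sets no `X-Frame-Options`, which the previous config had; `add_header X-Frame-Options "DENY";` inside `location /` is worth keeping. A `proxy_set_header Host $host;` is also commonly required so the upstream sees the requested hostname, and the file now ends without a trailing newline.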
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 036950b..666a130 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ