diff --git a/06-data-and-persistence.md b/06-data-and-persistence.md index 5765027..8775f01 100644 --- a/06-data-and-persistence.md +++ b/06-data-and-persistence.md @@ -17,7 +17,7 @@ Every service with persistent state uses **bind mounts to on-node directories**. |---------|-----------|---------------|---------------| | **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB | | **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB | -| **Pi-hole** | `/opt/iron-legion/pihole/etc-pihole/` `/opt/iron-legion/pihole/etc-dnsmasq.d/` | MK7 | < 500 MB | +| **AdGuard Home** | `/opt/iron-legion/adguard/work/` `/opt/iron-legion/adguard/conf/` | MK7 | < 500 MB | | **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 5–20 GB | | **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB | | **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB | diff --git a/07-security-model.md b/07-security-model.md index b9b373b..16a3b6b 100644 --- a/07-security-model.md +++ b/07-security-model.md @@ -38,7 +38,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ - **No VLANs.** Tailscale ACLs handle segment isolation. - **ACL policy (draft):** - `tag:admin` nodes (Bobby, Artemis) → all ports on all nodes - - `tag:services` (MK7, MK7, MK7, MK7) → only their assigned service ports, no cross-node SSH except via Tailscale SSH + - `tag:services` (MK7 manager + MK33, MK34, MK39, MK42 workers) → only their assigned service ports, no cross-node SSH except via Tailscale SSH - `tag:user` (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly - **Default deny.** Any traffic not explicitly allowed in Tailscale ACL is dropped. diff --git a/homelab-services-stack-prd.md b/homelab-services-stack-prd.md index 22d0877..953a487 100644 --- a/homelab-services-stack-prd.md +++ b/homelab-services-stack-prd.md 
@@ -206,7 +206,7 @@ Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) ## Port Allocation (Reserved) | Port | Service | |------|---------| -| 53 | DNS (Technitium / Pi-hole) | +| 53 | DNS (Technitium / AdGuard) | | 80/443 | HTTP/S (Traefik) | | 3000 | Grafana | | 9090 | Prometheus | @@ -242,7 +242,7 @@ Every service with persistent state uses **bind mounts to on-node directories**. |---------|-----------|---------------|---------------| | **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB | | **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB | -| **Pi-hole** | `/opt/iron-legion/pihole/etc-pihole/` `/opt/iron-legion/pihole/etc-dnsmasq.d/` | MK7 | < 500 MB | +| **AdGuard Home** | `/opt/iron-legion/adguard/work/` `/opt/iron-legion/adguard/conf/` | MK7 | \u003c 500 MB | | **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 5–20 GB | | **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB | | **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB | @@ -312,7 +312,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ - **No VLANs.** Tailscale ACLs handle segment isolation. - **ACL policy (draft):** - `tag:admin` nodes (Bobby, Artemis) → all ports on all nodes - - `tag:services` (MK7, MK7, MK7, MK7) → only their assigned service ports, no cross-node SSH except via Tailscale SSH + - `tag:services` (MK7 manager + MK33, MK34, MK39, MK42 workers) → only their assigned service ports, no cross-node SSH except via Tailscale SSH - `tag:user` (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly - **Default deny.** Any traffic not explicitly allowed in Tailscale ACL is dropped. 
@@ -331,7 +331,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ | Order | Service | Target Node | Why First | Dependencies | |-------|---------|-------------|-----------|--------------| | 1 | **Technitium DNS** | MK7 | Name resolution for internal services | None | -| 2 | **Pi-hole** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) | +| 2 | **AdGuard Home** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) | | 3 | **Traefik** | MK7 | Edge router for all HTTP ingress | DNS (needs `*.labs.internal` to resolve) | | 4 | **Authelia** | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) | | 5 | **Portainer** | MK7 | Container management UI | Traefik + Authelia (for secured access) | 
@@ -385,7 +385,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ |---|----------|--------|----------------------| | 1 | **Domain name** — Does Bobby own a domain (e.g., `bobbysh.me`) or do we use a fake TLD (`labs.internal`)? | **Critical** — TLS certs, Authelia, and DNS all depend on this. | Use `labs.internal` + self-signed CA | | 2 | **Technitium upstream** — DoH, DoT, or plain UDP to upstream resolver (e.g., Cloudflare 1.1.1.1)? | Low — can default to DoH | DoH → `https://cloudflare-dns.com/dns-query` | -| 3 | **Pi-hole vs Technitium conflict** — Both run on MK7 port 53. Run Pi-hole on non-standard port with Technitium as conditional forwarder? Or separate nodes? | **Critical** — port 53 collision | Technitium on 53, Pi-hole on 5053, forward to Pi-hole from Technitium | +| 3 | **AdGuard Home vs Technitium layout** — AdGuard runs on port 3000, Technitium on 53. No collision, but conditional forwarding from Technitium to AdGuard needs config. | Low — both run independently | Technitium uses upstream AdGuard for recursive queries | | 4 | **Jellyfin media storage** — External USB on MK7? SMB share? NVMe? | Medium | External USB mounted at `/media` on MK7 | | 5 | **Backup target on MK7** — Capacity? Dedicated drive? Rsync target path? | Medium | `/backups//` on MK7 secondary storage | | 6 | **Nextcloud database** — Use existing PostgreSQL on MK7, or deploy Nextcloud AIO (bundled)? | Medium — affects resource allocation on MK7 | Deploy standalone PostgreSQL container on MK7 for Nextcloud AIO is too heavy | 
@@ -395,7 +395,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ | 10 | **Beszel alert thresholds** — CPU %, memory %, disk % triggers not defined. | Low | Defaults in Beszel container | ## Outstanding Decisions Required -1. **Pi-hole inclusion** — Not in Bobby's original list. I added it as a DNS-layer complement to Technitium. **Remove if Bobby doesn't want it.** +1. ~~Pi-hole inclusion~~ — **Resolved.** AdGuard Home replaces Pi-hole in Phase 1. Removed from catalog. 2. **Authelia two-factor method** — TOTP via app (Google Authenticator) vs WebAuthn/FIDO2 keys? 3. **Home vs remote access** — If Bobby wants to share Jellyfin with friends/family outside Tailscale, public domain + Authelia guard is required. @@ -421,10 +421,9 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ | Prowlarr | `linuxserver/prowlarr` | `linuxserver` | 35,913,487 | 403 | 2026-05-25 | ✅ 200 | | Vaultwarden | `vaultwarden/server` | `vaultwarden` | 287,182,978 | 1,454 | 2026-05-17 | ✅ 200 | | Nextcloud | `nextcloud` | `library` | 1,011,978,204 | 4,485 | 2026-05-23 | ✅ 200 | -| Pi-hole | `pihole/pihole` | `pihole` | 961,220,209 | 2,943 | 2026-05-25 | ✅ 200 | -| Authelia | `authelia/authelia` | `authelia` | 75,183,682 | 208 | 2026-05-25 | ✅ 200 | +| **Authelia** | `authelia/authelia` | `authelia` | 75,183,682 | 208 | 2026-05-25 | ✅ 200 | -**Total unique images:** 16 (including Pi-hole) +**Total unique images:** 15 **Community health indicator:** All images have > 10 stars, > 1M pulls (except Beszel 32 stars, Homepage 40 stars — acceptable for young projects) **Freshness:** All updated within 90 days except Beszel (30 days — still acceptable)
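Review bot: the `< 500 MB` estimate in the first hunk (06-data-and-persistence.md, `@@ -17`) was carried over unchanged from the Pi-hole row, but `/opt/iron-legion/adguard/work/` is where AdGuard Home keeps its query log and statistics database, and both grow with query volume and the configured retention. State the querylog retention the estimate assumes, or cap it in AdGuard's settings, so the daily rsync to MK7 does not quietly outgrow the sizing in this table.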
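Review bot: the `tag:services` line rewritten in both ACL hunks (07-security-model.md `@@ -38` and the PRD `@@ -312`) now tags MK7 together with the four workers, but the surrounding policy gives MK7 roles the workers do not have: it is the rsync backup target for every row in the persistence table ("MK7 (daily rsync)") and the only node `tag:user` may reach on 443. Under "Default deny" and "no cross-node SSH except via Tailscale SSH", the daily rsync from MK33/MK34/MK39/MK42 into MK7 only works if the ACL explicitly allows it (Tailscale SSH from `tag:services` to MK7, or a dedicated rsync/ssh port on MK7); add that rule, or the backups described in 06-data-and-persistence.md fail silently. A separate tag for MK7 (e.g. `tag:manager`) would let you grant that without widening the workers' access. The same three lines are duplicated across the two files; keep one canonical copy or make sure both stay in sync.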
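Review bot: the port allocation hunk (`@@ -206`) and the open-question hunk (`@@ -385`) contradict each other. The table now reads `| 53 | DNS (Technitium / AdGuard) |`, while question 3 says "AdGuard runs on port 3000, Technitium on 53. No collision", and the same table reserves `| 3000 | Grafana |`. Port 3000 on AdGuard Home is its web/setup interface, not its DNS listener; its DNS listener defaults to 53, so running both on MK7 re-creates exactly the port 53 collision the replaced row described, and on top of that the web UI collides with Grafana. Either bind AdGuard's DNS to a non-standard port (5053, as the old decision did for Pi-hole) and point Technitium's forwarder at it, place it on a different node, or move its web UI off 3000; whichever it is, make the port table, the decision text and the "Low" priority agree. As written, "Low — both run independently" hides a Critical port collision.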
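Review bot: the replacement row in the PRD's `@@ -242` hunk carries a literal `\u003c 500 MB` where the identical row in 06-data-and-persistence.md (first hunk) has `< 500 MB`. That is a JSON escape that leaked into the file and will render as the six characters `\u003c` in Markdown; replace it with `<` so the two copies of the table match.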
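Review bot: the dependency cell for the new row in the deployment-order hunk (`@@ -331`, `Technitium (via conditional forwarding)`) points the wrong way given the resolution path shown in the `@@ -206` context (`Client → Technitium (local record?) → AdGuard Home`) and the decision in question 3 ("Technitium uses upstream AdGuard"). In that layout Technitium forwards to AdGuard, so AdGuard Home has no dependency on Technitium; it is Technitium's upstream configuration that depends on AdGuard being up, which argues for AdGuard as step 1 and Technitium as step 2, or at least for an empty dependency cell here. "Recursive DNS + ad-block" also overstates the component: AdGuard Home is a filtering forwarder that sends queries to its configured upstreams (plain, DoH or DoT), not a recursive resolver; "filtering forwarder + ad-block" is accurate and matches the "Technitium upstream" question above it.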
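Review bot: the image-verification hunk (`@@ -421`) removes the Pi-hole row without adding one for its replacement, so "Total unique images: 15" is right for the table but wrong for the catalog, which now ships AdGuard Home. Add a row for the AdGuard Home image (Docker Hub `adguard/adguardhome`, verified the same way as the others: pulls, stars, last push, 200 check) and restore the total to 16. The surviving `+| **Authelia** |` line also bolds the service name where Prowlarr, Vaultwarden and Nextcloud are plain; drop the `**` for consistency with the rest of the table.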