diff --git a/kubernetes/longhorn/README.md b/kubernetes/longhorn/README.md
new file mode 100644
index 0000000..b280c26
--- /dev/null
+++ b/kubernetes/longhorn/README.md
@@ -0,0 +1,9 @@
+# longhorn
+
+Mounting an external drive
+
+```bash
+mkfs.ext4 <device>
+sudo mkdir /mnt/longhorn
+sudo mount <device> /mnt/longhorn
+```
diff --git a/kubernetes/pihole/certificate.yaml b/kubernetes/pihole/certificate.yaml
deleted file mode 100644
index d7fe772..0000000
--- a/kubernetes/pihole/certificate.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: pihole-cert
-  namespace: pihole
-spec:
-  secretName: pihole-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  commonName: "pihole.homelab.jenniferpweir.comh"
-  dnsNames:
-    - "pihole.homelab.jenniferpweir.com"
diff --git a/kubernetes/pihole/configmap.yaml b/kubernetes/pihole/configmap.yaml
index 7508f01..604b758 100644
--- a/kubernetes/pihole/configmap.yaml
+++ b/kubernetes/pihole/configmap.yaml
@@ -4,14 +4,14 @@ metadata:
   name: pihole-configmap # https://docs.pi-hole.net/ftldns/dnsmasq_warn/
   namespace: pihole # changes to /etc/pihole/pihole.toml within pod
 data:
-  TZ: "America/New_York"
+  TZ: "America/Detroit"
   PIHOLE_DNS_: "8.8.8.8;8.8.4.4"
   pihole.toml: |
     [dns]
     listen_addresses = ["0.0.0.0"]
     listening_mode = "SINGLE"
 ---
-apiVersion: v1 # https://www.reddit.com/r/pihole/comments/1it1k2x/pihole_6_wildcard_dns_matches_no_longer_working/
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: pihole-wildcard-configmap
diff --git a/kubernetes/pihole/kustomization.yaml b/kubernetes/pihole/kustomization.yaml
index f0455d0..3dc01c4 100644
--- a/kubernetes/pihole/kustomization.yaml
+++ b/kubernetes/pihole/kustomization.yaml
@@ -3,13 +3,12 @@ kind: Kustomization
 metadata:
   namespace: pihole
 resources:
-  - certificate.yaml
   - configmap.yaml
   - dns-service.yaml
   - headless-service.yaml
   - ingress.yaml
   - namespace.yaml
-  - orbital-sync.yaml
+  # - orbital-sync.yaml # https://github.com/mattwebbio/orbital-sync/pull/567
   - pv.yaml
   - statefulset.yaml
   - web-service.yaml
\ No newline at end of file
diff --git a/kubernetes/pihole/orbital-sync.yaml b/kubernetes/pihole/orbital-sync.yaml
new file mode 100644
index 0000000..1a884af
--- /dev/null
+++ b/kubernetes/pihole/orbital-sync.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: orbital-sync
+  namespace: pihole
+spec:
+  selector:
+    matchLabels:
+      app: orbital-sync
+  template:
+    metadata:
+      labels:
+        app: orbital-sync
+    spec:
+      containers:
+      - name: orbital-sync
+        image: ghcr.io/mattwebbio/orbital-sync:sha-b7c105d-distroless@sha256:1a7e1963b457185337665204db1c1e553338d43a59b4ee2aeff4d070213b0289 #https://github.com/mattwebbio/orbital-sync/issues/190
+        envFrom:
+          - configMapRef:
+              name: orbital-sync-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: orbital-sync-config
+  namespace: pihole
+data:
+  PRIMARY_HOST_BASE_URL: "http://pihole-0.pihole.pihole.svc.cluster.local"
+  PRIMARY_HOST_PASSWORD: ""
+  SECONDARY_HOST_1_BASE_URL: "http://pihole-1.pihole.pihole.svc.cluster.local"
+  SECONDARY_HOSTS_1_PASSWORD: ""
+  INTERVAL_MINUTES: "1"
diff --git a/kubernetes/pihole/statefulset.yaml b/kubernetes/pihole/statefulset.yaml
index 6a1a929..9e77018 100644
--- a/kubernetes/pihole/statefulset.yaml
+++ b/kubernetes/pihole/statefulset.yaml
@@ -8,7 +8,7 @@ spec:
     matchLabels:
       app: pihole
   serviceName: pihole
-  replicas: 3
+  replicas: 1
   template:
     metadata:
       labels:
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: pihole
-          image: pihole/pihole@sha256:6c872c3f8f1954423dbd1c7db661719b447e7b890e231489ada2a6a2904342ff
+          image: pihole/pihole:2025.03.0@sha256:6c872c3f8f1954423dbd1c7db661719b447e7b890e231489ada2a6a2904342ff
           lifecycle:
             postStart:
               exec:
@@ -36,7 +36,7 @@ spec:
             - name: svc-53-tcp-dns
               containerPort: 53
               protocol: TCP
-          # TODO: fix probes; works on 2022.12.01 image; fails with 403 in pihole v6
+          # TODO: create probes; fails with 403 in pihole v6
           # https://www.reddit.com/r/pihole/comments/1ivj7q0/dns_stopped_working_entirely_after_v6_upgrade/
           # livenessProbe:
           #   httpGet:
diff --git a/kubernetes/pihole/web-service.yaml b/kubernetes/pihole/web-service.yaml
index 9259e44..a2dbb5b 100644
--- a/kubernetes/pihole/web-service.yaml
+++ b/kubernetes/pihole/web-service.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   selector:
     app: pihole
-    statefulset.kubernetes.io/pod-name: pihole-0
+    statefulset.kubernetes.io/pod-name: pihole-0 # direct web interface traffic to primary instance; secondaries would be overwritten with orbital-sync
   type: ClusterIP
   ports:
     - name: svc-80-tcp-web