From 08364cf2c855e90d71b4aa56eb2633d0950a06cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com> Date: Wed, 24 Dec 2025 16:47:38 +0100 Subject: [PATCH] fix: unbound boot ordering --- README.md | 1 + roles/unbound/tasks/main.yml | 23 +++++------------------ roles/unbound/templates/unbound.conf.j2 | 3 +++ 3 files changed, 9 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index bf13d92..4f88a2e 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ This is a good playground to learn and I encourage you to adapt these roles to y - Rootless Podman: Containers run as `{{ ansible_user }}` (daemonless, `sudo podman ps` shows nothing) - User systemd services: `systemctl --user status ` with lingering enabled - Nginx reverse proxy for web services +- IP Freebind when available (e.g. unbound does not wait for wireguard to be up to start resolving DNS) **Available Services:** diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index e6f9c98..f476703 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
@@ -151,24 +151,11 @@ - Check Unbound config syntax - Reload systemd and restart unbound -- name: Make sure unbound starts after wg-quick@wg0 - block: - - name: Ensure unbound.service.d directory exists - ansible.builtin.file: - path: /etc/systemd/system/unbound.service.d - state: directory - mode: "0755" - - name: Configure unbound systemd service - ansible.builtin.copy: - dest: /etc/systemd/system/unbound.service.d/override.conf - content: | - [Unit] - After=wg-quick@wg0.service - Requires=wg-quick@wg0.service - # Make Unbound part of network-online.target (provides DNS) - Before=network-online.target - Wants=network-online.target - notify: Reload systemd and restart unbound +- name: Remove WireGuard dependency from unbound (using ip-freebind instead) + ansible.builtin.file: + path: /etc/systemd/system/unbound.service.d + state: absent + notify: Reload systemd and restart unbound - name: Enables unbound service ansible.builtin.service: diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index 0bbd617..0c1d624 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -8,6 +8,9 @@ server: # listening port port: {{ unbound_port }} + # Allow binding to interfaces that don't exist yet (e.g., WireGuard at boot) + ip-freebind: yes + # Define interfaces binds interface: lo interface: lan0
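Review bot: `state: absent` on `/etc/systemd/system/unbound.service.d` in the new "Remove WireGuard dependency" task deletes the whole drop-in directory, not only the file this role used to write. Any other override kept there, such as a sandboxing or resource-limit drop-in managed by hand or by another role, would be removed silently on the next run. The removed task only ever created `override.conf`, so `path: /etc/systemd/system/unbound.service.d/override.conf` keeps the cleanup scoped to what the role owned. A short comment such as `# Cleanup of the old wg-quick ordering drop-in; safe to drop once all hosts have converged` would also tell the next maintainer why a removal task lives in the role.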
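Review bot: The comment above `ip-freebind: yes` says the option covers interfaces that do not exist yet, but it works at the address level, and the entries visible below it are interface names (`interface: lo`, `interface: lan0`). The rest of the interface list is outside the hunk, so confirm how the WireGuard listener is declared: if by name, it may still fail to resolve at boot. The comment could read `# Allow binding to addresses that are not configured yet (e.g. the WireGuard address at boot)`. The same commit drops `Requires=wg-quick@wg0.service`, so the resolver can now run while the tunnel is down. If upstream queries are meant to leave through the tunnel, which is not visible here, check that they cannot take another route in that window.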