fix: unbound boot ordering

README.md

@@ -18,6 +18,7 @@ This is a good playground to learn and I encourage you to adapt these roles to y
 - Rootless Podman: Containers run as `{{ ansible_user }}` (daemonless, `sudo podman ps` shows nothing)
 - User systemd services: `systemctl --user status <service>` with lingering enabled
 - Nginx reverse proxy for web services
+- IP Freebind when available (e.g. unbound does not wait for wireguard to be up to start resolving DNS)
 
 **Available Services:**
 

roles/unbound/tasks/main.yml

@@ -151,24 +151,11 @@
     - Check Unbound config syntax
     - Reload systemd and restart unbound
 
-- name: Make sure unbound starts after wg-quick@wg0
+- name: Remove WireGuard dependency from unbound (using ip-freebind instead)
-  block:
+  ansible.builtin.file:
-    - name: Ensure unbound.service.d directory exists
+    path: /etc/systemd/system/unbound.service.d
-      ansible.builtin.file:
+    state: absent
-        path: /etc/systemd/system/unbound.service.d
+  notify: Reload systemd and restart unbound
-        state: directory
-        mode: "0755"
-    - name: Configure unbound systemd service
-      ansible.builtin.copy:
-        dest: /etc/systemd/system/unbound.service.d/override.conf
-        content: |
-          [Unit]
-          After=wg-quick@wg0.service
-          Requires=wg-quick@wg0.service
-          # Make Unbound part of network-online.target (provides DNS)
-          Before=network-online.target
-          Wants=network-online.target
-      notify: Reload systemd and restart unbound
 
 - name: Enables unbound service
   ansible.builtin.service:

roles/unbound/templates/unbound.conf.j2

@@ -8,6 +8,9 @@ server:
     # listening port
     port: {{ unbound_port }}
 
+    # Allow binding to interfaces that don't exist yet (e.g., WireGuard at boot)
+    ip-freebind: yes
+
     # Define interfaces binds
     interface: lo
     interface: lan0