From dede0052e93aa95cb25ead1492bc06db566b0deb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com> Date: Tue, 9 Dec 2025 00:29:42 +0100 Subject: [PATCH] fix: wireguard dns resolver config --- roles/wireguard/tasks/main.yml | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 8ce8239..f59c8c6 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -4,12 +4,20 @@ name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}" state: present -# to support "DNS=" if used in a "client way" -- name: Install openresolv/resolveconf +# Use systemd-resolved for DNS management (modern approach on all distributions) +# Install systemd-resolvconf to provide resolvconf compatibility wrapper +# "systemd-resolved" is prefered over "openresolv" +- name: Install systemd-resolvconf ansible.builtin.package: - name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('openresolv', 'resolvconf') }}" + name: systemd-resolvconf state: present +- name: Ensure systemd-resolved is enabled and started + ansible.builtin.systemd: + name: systemd-resolved + enabled: true + state: started + - name: Ensure wireguard configuration is only owned by root ansible.builtin.file: path: "{{ wireguard_config_base_path }}" 
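Review bot: The package task now hardcodes `name: systemd-resolvconf`, which is the Arch Linux package name, while the ternary on the removed line was what made the role work on the other os_family values the added comment says it covers; on Debian-family and Fedora-family hosts the resolvconf shim ships, as far as I know, in the `systemd-resolved` package, so `ansible.builtin.package` would fail there. Keep the fact-based selection, e.g. `name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('systemd-resolvconf', 'systemd-resolved') }}"`. Enabling systemd-resolved alone does not make the host use it: unless /etc/resolv.conf points at /run/systemd/resolve/stub-resolv.conf, the DNS= setting pushed through the resolvconf shim lands in a resolver nothing queries, and client traffic keeps using the pre-tunnel nameservers outside the tunnel, so either add a task that links /etc/resolv.conf to the stub file or state that assumption in the comment. The added comment also misspells "preferred".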
@@ -46,6 +54,19 @@ src: wireguard.conf.j2 dest: /etc/wireguard/{{ wireguard_interface }}.conf +- name: Create systemd override directory for wg-quick + ansible.builtin.file: + path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d + state: directory + mode: "0755" + +- name: Deploy systemd override for network dependency + ansible.builtin.template: + src: systemd-override.conf.j2 + dest: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/network-dependency.conf + mode: "0644" + notify: Reload systemd + - name: Configure the firewall for wireguard community.general.ufw: rule: allow
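Review bot: The template task references `src: systemd-override.conf.j2` and `notify: Reload systemd`, but the diffstat lists only roles/wireguard/tasks/main.yml as changed, so unless that template and a handler of exactly that name already exist in the role, the play fails at this task. If the template is new it belongs in this commit; for the handler, confirm it calls `ansible.builtin.systemd` with `daemon_reload: true`, otherwise the drop-in is written but not read until the next reboot or a manual daemon-reload. Since the first hunk makes the DNS= line in the tunnel config depend on systemd-resolved, the drop-in should presumably also carry `After=systemd-resolved.service` and `Wants=systemd-resolved.service` alongside the network ordering, so a boot-time start of wg-quick does not fail on the resolvconf call before the resolver is up — the template is not visible here, so check its content.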