README.md

@@ -18,7 +18,6 @@ This is a good playground to learn and I encourage you to adapt these roles to y
 - Rootless Podman: Containers run as `{{ ansible_user }}` (daemonless, `sudo podman ps` shows nothing)
 - User systemd services: `systemctl --user status <service>` with lingering enabled
 - Nginx reverse proxy for web services
-- IP Freebind when available (e.g. unbound does not wait for wireguard to be up to start resolving DNS)
 
 **Available Services:**
 

inventory/host_vars/example.yml

@@ -19,33 +19,6 @@ network_interfaces:
     ipv4:
       address: "{{ podman_gw_gateway }}/10"
 
-# Unbound DNS resolver configuration
-# ----------------------------------
-# Interface IPs for binding
-unbound_interface_lan: 192.168.1.2
-unbound_interface_vpn: 192.168.20.4
-
-# unbound LAN configuration
-unbound_custom_lan_domain: "example.lan"
-unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
-unbound_custom_lan_records:
-  "server.example.lan":
-    v4: 192.168.1.2
-    aliases:
-      - "server"
-
-# unbound VPN configuration
-unbound_custom_vpn_config_path: "{{ unbound_config_base_path }}/vpn.conf"
-unbound_custom_vpn_records:
-  "server.example.lan":
-    v4: 192.168.20.4
-    aliases:
-      - "server"
-
-unbound_firewall_allowed_sources:
-  - { src: "192.168.1.0/24", comment: "DNS from LAN" }
-  - { src: "192.168.20.0/27", comment: "DNS from VPN" }
-
 # NTP servers configuration
 # -------------------------
 ntp_pools:

roles/unbound/defaults/main.yml

@@ -9,14 +9,9 @@ unbound_custom_vpn_config_path: "{{ unbound_config_base_path }}/vpn.conf"
 unbound_custom_lan_domain: "example.lan"
 unbound_port: 53
 unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
-
-unbound_interface_lan: 192.168.1.1
-unbound_interface_vpn: 192.168.27.1
-
 unbound_firewall_allowed_sources:
   - { src: "192.168.1.0/24", comment: "DNS from LAN" }
   - { src: "192.168.27.0/27", comment: "DNS from VPN" }
-
 unbound_custom_lan_records:
   "example.lan":
     v4: 192.168.1.2

roles/unbound/tasks/main.yml

@@ -151,11 +151,24 @@
     - Check Unbound config syntax
     - Reload systemd and restart unbound
 
-- name: Remove WireGuard dependency from unbound (using ip-freebind instead)
+- name: Make sure unbound starts after wg-quick@wg0
-  ansible.builtin.file:
+  block:
-    path: /etc/systemd/system/unbound.service.d
+    - name: Ensure unbound.service.d directory exists
-    state: absent
+      ansible.builtin.file:
-  notify: Reload systemd and restart unbound
+        path: /etc/systemd/system/unbound.service.d
+        state: directory
+        mode: "0755"
+    - name: Configure unbound systemd service
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/unbound.service.d/override.conf
+        content: |
+          [Unit]
+          After=wg-quick@wg0.service
+          Requires=wg-quick@wg0.service
+          # Make Unbound part of network-online.target (provides DNS)
+          Before=network-online.target
+          Wants=network-online.target
+      notify: Reload systemd and restart unbound
 
 - name: Enables unbound service
   ansible.builtin.service:

roles/unbound/templates/unbound.conf.j2

@@ -8,13 +8,10 @@ server:
     # listening port
     port: {{ unbound_port }}
 
-    # Allow binding to IP addresses that don't exist yet (e.g., WireGuard at boot)
+    # Define interfaces binds
-    ip-freebind: yes
+    interface: lo
-
+    interface: lan0
-    # Define interface binds by IP address
+    interface: wg0
-    interface: 127.0.0.1                      # lo
-    interface: {{ unbound_interface_lan }}    # lan0
-    interface: {{ unbound_interface_vpn }}    # wg0
 
     # Define access controls (note that ufw might be also configured)
     access-control: 0.0.0.0/0 refuse