roles/tooling/tooling.yml

@@ -22,9 +22,3 @@
     name: wget
     state: present
   changed_when: false
-
-- name: Install dig utility
-  package:
-    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('bind', 'dnsutils') }}"
-    state: present
-  changed_when: false

roles/unbound/tasks/main.yml

@@ -107,17 +107,10 @@
       ansible.builtin.file:
         path: /tmp/hosts.txt
         state: absent
-- name: Check if root.key exists
-  ansible.builtin.stat:
-    path: "{{ unbound_anchor_root_key }}"
-  register: root_key_stat
-
 - name: Initialize dnssec trust anchor if missing
   ansible.builtin.command: unbound-anchor -a {{ unbound_anchor_root_key }}
-  when: not root_key_stat.stat.exists
+  args:
-  register: unbound_anchor_result
+    creates: "{{ unbound_anchor_root_key }}"
-  failed_when: unbound_anchor_result.rc != 0 and unbound_anchor_result.rc != 1
-  changed_when: unbound_anchor_result.rc == 0
 
 - name: Ensure root.key has correct ownership and permissions
   ansible.builtin.file:

roles/unbound/templates/custom-vpn.conf.j2

@@ -2,13 +2,11 @@
 view:
     name: "vpn"
     view-first: yes
-{% if unbound_custom_vpn_records is defined %}
 {% for host, ips in unbound_custom_vpn_records.items() %}
     local-data: "{{ host }}.        IN A {{ ips.v4 }}"
     {% if ips.v6 is defined %}
     local-data: "{{ host }}.        IN AAAA {{ ips.v6 }}"
     {% endif %}
 {% endfor %}
-{% endif %}
 
 include: "{{ unbound_ad_servers_config_path }}"

roles/unbound/templates/unbound.conf.j2

@@ -12,8 +12,7 @@ server:
     ip-freebind: yes
 
     # Define interface binds by IP address
-    interface: 127.0.0.1                      # lo (IPv4)
+    interface: 127.0.0.1                      # lo
-    interface: ::1                            # lo (IPv6)
     interface: {{ unbound_interface_lan }}    # lan0
     interface: {{ unbound_interface_vpn }}    # wg0
 
@@ -96,7 +95,6 @@ server:
 
     # Ensure kernel buffer is large enough to not lose messages in traffic spikes
     so-rcvbuf: 1m
-    so-sndbuf: 0
 
     # Ensure privacy of local IP ranges
     private-address: 192.168.0.0/16

roles/wireguard/defaults/main.yml

@@ -4,6 +4,6 @@ wireguard_port: 51820 # static port to receive input connections
 wireguard_server_mode: true # enables NAT and open port
 wireguard_interface: wg0
 wireguard_config_base_path: /etc/wireguard
-# wireguard_address: 192.168.27.1/27  # Intentionally undefined - role will fail if not set
+wireguard_address: 192.168.27.1/27
-# wireguard_dns: 192.168.27.1          # Intentionally undefined - role will fail if not set
+wireguard_dns: 192.168.27.1
 wireguard_peers: []

roles/wireguard/tasks/main.yml

@@ -1,16 +1,4 @@
 ---
-- name: Validate required variables are set
-  ansible.builtin.assert:
-    that:
-      - wireguard_address is defined
-      - wireguard_address | length > 0
-      - wireguard_dns is defined
-      - wireguard_dns | length > 0
-    fail_msg: |
-      wireguard_address and wireguard_dns are required.
-      See roles/wireguard/defaults/main.yml for configuration instructions.
-    success_msg: "Variable validation passed"
-
 - name: Install wireguard
   ansible.builtin.package:
     name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"