6 changed files with 5 additions and 34 deletions
--- a/roles/tooling/tooling.yml
+++ b/roles/tooling/tooling.yml
@ -22,9 +22,3 @@
    name: wget
    state: present
  changed_when: false
-
- name: Install dig utility
-  package:
-    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('bind', 'dnsutils') }}"
-    state: present
-  changed_when: false
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@ -107,17 +107,10 @@
      ansible.builtin.file:
        path: /tmp/hosts.txt
        state: absent
- name: Check if root.key exists
-  ansible.builtin.stat:
-    path: "{{ unbound_anchor_root_key }}"
-  register: root_key_stat
-
 - name: Initialize dnssec trust anchor if missing
  ansible.builtin.command: unbound-anchor -a {{ unbound_anchor_root_key }}
-  when: not root_key_stat.stat.exists
-  register: unbound_anchor_result
-  failed_when: unbound_anchor_result.rc != 0 and unbound_anchor_result.rc != 1
-  changed_when: unbound_anchor_result.rc == 0
+  args:
+    creates: "{{ unbound_anchor_root_key }}"

 - name: Ensure root.key has correct ownership and permissions
  ansible.builtin.file:
--- a/roles/unbound/templates/custom-vpn.conf.j2
+++ b/roles/unbound/templates/custom-vpn.conf.j2
@ -2,13 +2,11 @@
 view:
    name: "vpn"
    view-first: yes
-{% if unbound_custom_vpn_records is defined %}
 {% for host, ips in unbound_custom_vpn_records.items() %}
    local-data: "{{ host }}.        IN A {{ ips.v4 }}"
    {% if ips.v6 is defined %}
    local-data: "{{ host }}.        IN AAAA {{ ips.v6 }}"
    {% endif %}
 {% endfor %}
-{% endif %}

 include: "{{ unbound_ad_servers_config_path }}"
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@ -12,8 +12,7 @@ server:
    ip-freebind: yes

    # Define interface binds by IP address
-    interface: 127.0.0.1                      # lo (IPv4)
-    interface: ::1                            # lo (IPv6)
+    interface: 127.0.0.1                      # lo
    interface: {{ unbound_interface_lan }}    # lan0
    interface: {{ unbound_interface_vpn }}    # wg0

@ -96,7 +95,6 @@ server:

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
-    so-sndbuf: 0

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@ -4,6 +4,6 @@ wireguard_port: 51820 # static port to receive input connections
 wireguard_server_mode: true # enables NAT and open port
 wireguard_interface: wg0
 wireguard_config_base_path: /etc/wireguard
-# wireguard_address: 192.168.27.1/27  # Intentionally undefined - role will fail if not set
-# wireguard_dns: 192.168.27.1          # Intentionally undefined - role will fail if not set
+wireguard_address: 192.168.27.1/27
+wireguard_dns: 192.168.27.1
 wireguard_peers: []
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -1,16 +1,4 @@
 ---
- name: Validate required variables are set
-  ansible.builtin.assert:
-    that:
-      - wireguard_address is defined
-      - wireguard_address | length > 0
-      - wireguard_dns is defined
-      - wireguard_dns | length > 0
-    fail_msg: |
-      wireguard_address and wireguard_dns are required.
-      See roles/wireguard/defaults/main.yml for configuration instructions.
-    success_msg: "Variable validation passed"
-
 - name: Install wireguard
  ansible.builtin.package:
    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"