fix: add dig to test our dns setup

roles/tooling/tooling.yml

@@ -22,3 +22,9 @@
     name: wget
     state: present
   changed_when: false
+
+- name: Install dig utility
+  package:
+    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('bind', 'dnsutils') }}"
+    state: present
+  changed_when: false

roles/unbound/tasks/main.yml

@@ -107,10 +107,17 @@
       ansible.builtin.file:
         path: /tmp/hosts.txt
         state: absent
+- name: Check if root.key exists
+  ansible.builtin.stat:
+    path: "{{ unbound_anchor_root_key }}"
+  register: root_key_stat
+
 - name: Initialize dnssec trust anchor if missing
   ansible.builtin.command: unbound-anchor -a {{ unbound_anchor_root_key }}
-  args:
+  when: not root_key_stat.stat.exists
-    creates: "{{ unbound_anchor_root_key }}"
+  register: unbound_anchor_result
+  failed_when: unbound_anchor_result.rc != 0 and unbound_anchor_result.rc != 1
+  changed_when: unbound_anchor_result.rc == 0
 
 - name: Ensure root.key has correct ownership and permissions
   ansible.builtin.file:

roles/unbound/templates/custom-vpn.conf.j2

@@ -2,11 +2,13 @@
 view:
     name: "vpn"
     view-first: yes
+{% if unbound_custom_vpn_records is defined %}
 {% for host, ips in unbound_custom_vpn_records.items() %}
     local-data: "{{ host }}.        IN A {{ ips.v4 }}"
     {% if ips.v6 is defined %}
     local-data: "{{ host }}.        IN AAAA {{ ips.v6 }}"
     {% endif %}
 {% endfor %}
+{% endif %}
 
 include: "{{ unbound_ad_servers_config_path }}"

roles/unbound/templates/unbound.conf.j2

@@ -12,7 +12,8 @@ server:
     ip-freebind: yes
 
     # Define interface binds by IP address
-    interface: 127.0.0.1                      # lo
+    interface: 127.0.0.1                      # lo (IPv4)
+    interface: ::1                            # lo (IPv6)
     interface: {{ unbound_interface_lan }}    # lan0
     interface: {{ unbound_interface_vpn }}    # wg0
 
@@ -95,6 +96,7 @@ server:
 
     # Ensure kernel buffer is large enough to not lose messages in traffic spikes
     so-rcvbuf: 1m
+    so-sndbuf: 0
 
     # Ensure privacy of local IP ranges
     private-address: 192.168.0.0/16

roles/wireguard/defaults/main.yml

@@ -4,6 +4,6 @@ wireguard_port: 51820 # static port to receive input connections
 wireguard_server_mode: true # enables NAT and open port
 wireguard_interface: wg0
 wireguard_config_base_path: /etc/wireguard
-wireguard_address: 192.168.27.1/27
+# wireguard_address: 192.168.27.1/27  # Intentionally undefined - role will fail if not set
-wireguard_dns: 192.168.27.1
+# wireguard_dns: 192.168.27.1          # Intentionally undefined - role will fail if not set
 wireguard_peers: []

roles/wireguard/tasks/main.yml

@@ -1,4 +1,16 @@
 ---
+- name: Validate required variables are set
+  ansible.builtin.assert:
+    that:
+      - wireguard_address is defined
+      - wireguard_address | length > 0
+      - wireguard_dns is defined
+      - wireguard_dns | length > 0
+    fail_msg: |
+      wireguard_address and wireguard_dns are required.
+      See roles/wireguard/defaults/main.yml for configuration instructions.
+    success_msg: "Variable validation passed"
+
 - name: Install wireguard
   ansible.builtin.package:
     name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"