diff --git a/handlers/main.yml b/handlers/main.yml
index 452e2e9..7d7cca3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,18 +1,3 @@
-- name: Reload unbound
- systemd:
- name: unbound
- state: reloaded
-- name: Enable unbound
- systemd:
- name: unbound
- enabled: yes
- state: restarted
- daemon_reload: yes
-- name: Set unbound as default dns
- replace:
- path: /etc/resolv.conf
- regexp: "^nameserver.*$"
- replace: "nameserver 127.0.0.1"
 - name: Disable systemd-resolved
 systemd:
 name: systemd-resolved
@@ -21,8 +6,3 @@
 notify:
 - Enable unbound
 - Set unbound as default dns
-- name: Save netfilter rules
- command:
- argv:
- - '/usr/sbin/netfilter-persistent'
- - 'save'
diff --git a/tasks/main.yml b/tasks/main.yml
index 3b0977f..636e21e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,13 +1,3 @@
-- name: Install Unbound
- apt:
- install_recommends: no
- name: unbound
- state: present
- cache_valid_time: 3600
- notify: Disable systemd-resolved
- tags:
- - setup
- - packages
 - name: Copy configuration files
 loop:
 - internal.conf
@@ -16,30 +6,16 @@
 template:
 follow: yes
 src: '{{ item }}.j2'
- dest: /etc/unbound/{{ item }}
- notify:
- - Reload unbound
+ dest: "/etc/unbound/{{ item }}"
+ notify: Run service actions
 tags:
- - update
+ - config
 - unbound
-- name: Allow Unbound through iptables
- loop:
- - { ipv: 'ipv4', proto: 'tcp' }
- - { ipv: 'ipv6', proto: 'tcp' }
- - { ipv: 'ipv4', proto: 'udp' }
- - { ipv: 'ipv6', proto: 'udp' }
- iptables:
- chain: INPUT
- ctstate:
- - NEW
- - ESTABLISHED
- - RELATED
- destination_port: "53"
- jump: ACCEPT
- ip_version: '{{ item.ipv }}'
- protocol: '{{ item.proto }}'
- notify:
- - Save netfilter rules
+- name: Set unbound as default dns
+ replace:
+ path: /etc/resolv.conf
+ regexp: "^nameserver.*$"
+ replace: "nameserver 127.0.0.1"
 tags:
- - update
- - firewall
+ - config
+ - unbound
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..75066c9
--- /dev/null
+++ b/vars/main.yml
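Review bot: In handlers/main.yml the surviving `Disable systemd-resolved` handler still notifies `Enable unbound` and `Set unbound as default dns` (context lines of the second hunk), but the first hunk deletes both of those handlers. Unless handlers with exactly those names are supplied by another role in the play, the run will fail with a missing-handler error when this handler fires, or skip them silently if `error_on_missing_handler` is turned off. Nothing visible in this commit notifies `Disable systemd-resolved` any more either, because the `Install Unbound` task that did so is removed from tasks/main.yml. I would delete the handler together with its `notify:` list, or, if it is still meant to run, point it at the handler the tasks file now uses, `notify: Run service actions`. The handler's body starts outside the hunk, so its remaining keys are not visible here.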
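Review bot: The `Set unbound as default dns` step added at the end of the second tasks/main.yml hunk is now an unconditional task, so every run rewrites all `nameserver` lines in /etc/resolv.conf to 127.0.0.1, whereas the deleted handler only ran after unbound had been enabled and restarted. Nothing left in this role installs or starts unbound before that task, so if the service actions run later, fail, or are skipped by a tag filter, the host is left without a working resolver and any later step that needs DNS breaks. I would keep it as a handler that fires after the service is up, or precede it with `- meta: flush_handlers` plus a check that the local resolver answers. In the same hunk, `notify: Run service actions` names a handler that handlers/main.yml as left by this commit does not define; presumably it comes from a shared role, which is worth confirming. A one-line comment above the task, e.g. `# requires unbound listening on 127.0.0.1 before this runs`, would record the ordering dependency.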
@@ -0,0 +1,11 @@
+firewall:
+ - { port: 53, ipv: "v4", proto: "tcp" }
+ - { port: 53, ipv: "v4", proto: "udp" }
+ - { port: 53, ipv: "v6", proto: "tcp" }
+ - { port: 53, ipv: "v6", proto: "udp" }
+systemd:
+ services:
+ - { name: "systemd-resolved", state: stopped }
+ - { name: "unbound", enabled: true, state: reloaded }
+apt_packages:
+ - { package: "unbound", state: present }
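Review bot: The four `firewall` entries in vars/main.yml carry only `port`, `ipv` and `proto`, so the data cannot express which sources or interfaces may reach port 53, and the `ctstate` match from the removed iptables task is no longer stated anywhere visible. If the consuming role turns these into plain ACCEPT rules, the resolver is reachable from every network the host touches unless the unbound templates restrict clients, and a resolver open to arbitrary sources is a standing amplification risk. I would add a source or interface field if the shared firewall role supports one, or at least a comment above the list such as `# accepts DNS from any source; confirm unbound access-control limits clients`. Separately, `firewall`, `systemd` and `apt_packages` are generic names for role vars, which are not private to the role by default, so another role following the same convention can replace these lists. Prefixed names such as `unbound_firewall` would avoid that, provided the consuming role's interface allows it.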