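---
# WireGuard setup — iklim-db-01 (prod VPN gateway for developer DB access)
#
# Full setup (WireGuard + db_stack firewall rules on all DB nodes):
#   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass
#
# WireGuard only (re-deploy config or update peers):
#   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass --tags wireguard
#
# DB node firewall rules only:
#   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass --tags db_stack
#
# Operational / security notes:
#   * ../.vault_pass is resolved relative to the directory the command is run
#     from. Keep that file out of version control and readable only by the
#     operator account (e.g. mode 0600); it unlocks every vaulted secret this
#     playbook uses.
#   * Both plays escalate privileges (become) and target production hosts.
#     Running with --check --diff first shows what would change.
#   * Each role carries exactly one tag, so --tags wireguard skips the
#     db_stack role entirely and --tags db_stack skips the wireguard role.

# Play 1: apply the wireguard role to the VPN gateway only.
# NOTE(review): the role body is not visible here; presumably it templates the
# interface config and peer list from vaulted variables. Confirm that private
# keys are vaulted and that the rendered config is not world-readable.
- name: DB-01 — WireGuard (Prod Developer Access)
  hosts: iklim-db-01
  become: true
  roles:
    - role: wireguard
      tags: [wireguard]

# Play 2: apply the db_stack role (firewalld DB/etcd port rules) to every
# inventory host whose name matches the pattern below. The pattern also matches
# iklim-db-01, so the gateway receives these rules as well.
# NOTE(review): the role body is not visible here; confirm its rules admit the
# DB/etcd ports only from the WireGuard subnet and the cluster peers, not from
# arbitrary sources. Also confirm no non-prod host shares the iklim-db- prefix
# in the inventory this playbook is run against.
- name: DB Nodes — Firewalld DB/etcd Port Rules
  hosts: 'iklim-db-*'
  become: true
  roles:
    - role: db_stack
      tags: [db_stack]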