* adapt IPs in inventory.yaml
* add host keys: `./trust-hosts.sh`
* change wg encryption keys in host\_vars: `./generate-keys.sh`
  * requires wireguard-tools, yq
* run play for the first time: `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml`
  * this will upgrade all packages and reboot the system
* run play again, without the tag
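A preflight check that can be sourced before the first playbook run, as an added example that is not part of this repository: it reports missing prerequisites and flags key files under `host_vars` that group or other users can read. The function names are hypothetical, and it assumes `host_vars/` sits in the current directory and that the WireGuard private keys are stored in files there.

```sh
#!/bin/sh
# Added example (not the project's own code): preflight checks before the first run.
# Assumption: host_vars/ holds the WireGuard private keys written by generate-keys.sh.

# Print each required command that is not on PATH; non-zero status if any is missing.
missing_tools() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            rc=1
        fi
    done
    return $rc
}

# Print files under the given directory that group or other users can read.
loose_key_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) | sort
}

# Run both checks; report problems on stderr and return non-zero if any were found.
preflight() {
    dir=${1:-host_vars}
    status=0
    # wg comes from wireguard-tools; yq and ansible-playbook are used by the steps above.
    missing=$(missing_tools wg yq ansible-playbook) || {
        echo "missing tools:" $missing >&2
        status=1
    }
    loose=$(loose_key_files "$dir")
    if [ -n "$loose" ]; then
        echo "key files readable by group/other (fix with chmod 600):" >&2
        echo "$loose" >&2
        status=1
    fi
    return $status
}

# Usage after sourcing this file:
#   preflight host_vars && ansible-playbook -i inventory.yaml -u root -t initial setup.yaml
```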