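---
# Baseline playbook: applies the roles listed below to every inventory host.
# become: true enables privilege escalation for the whole play, so review
# role changes with that in mind.
- name: Apply baseline roles to all hosts
  hosts: all  # every inventory host; narrow with --limit when staging a change
  become: true
  vars_files:
    - ../inventory/group_vars/all.yaml
    # NOTE(review): vars_files reads YAML as-is and does not run SOPS itself.
    # Confirm how this file is decrypted (for example the community.sops vars
    # plugin or community.sops.load_vars); otherwise values stay encrypted.
    # Tasks that handle the decrypted values should set no_log: true.
    - ../inventory/group_vars/secrets.sops.yaml
  roles:
    - role: base
    - role: sops_agent
    # NOTE(review): with hosts: all, the holder of the matching private key
    # gets SSH access to every targeted host. Confirm which account's
    # authorized_keys is written and whether the entry is restricted
    # (from=, command=) to what the agent needs.
    - role: custodian_agent  # injects ~/.ssh/id_custodian_agent.pub into authorized_keys
    - role: swapfile  # provisions swap file (size + swappiness from host_vars)
    - role: resource_limits  # nproc PAM caps + systemd user slice memory limits
    # - role: wireguard  # enable if you configure WireGuard variables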