diff --git a/playbooks/deploy-env.yaml b/playbooks/deploy-env.yaml
index 3efab3564..dd26203b2 100644
--- a/playbooks/deploy-env.yaml
+++ b/playbooks/deploy-env.yaml
@@ -12,6 +12,7 @@
 ---
 - hosts: all
+ strategy: linear
 become: true
 gather_facts: true
 roles:
diff --git a/roles/deploy-env/tasks/client_cluster_ssh.yaml b/roles/deploy-env/tasks/client_cluster_ssh.yaml
index 7bbf3ea85..7fcee1076 100644
--- a/roles/deploy-env/tasks/client_cluster_ssh.yaml
+++ b/roles/deploy-env/tasks/client_cluster_ssh.yaml
@@ -11,28 +11,28 @@
 # limitations under the License.
 ---
-- name: Setup passwordless ssh from primary and cluster nodes
+- name: Set client user home directory
+ set_fact:
+ client_user_home_directory: /home/{{ client_ssh_user }}
+ when: client_ssh_user != "root"
+
+- name: Set client user home directory
+ set_fact:
+ client_user_home_directory: /root
+ when: client_ssh_user == "root"
+
+- name: Set cluster user home directory
+ set_fact:
+ cluster_user_home_directory: /home/{{ cluster_ssh_user }}
+ when: cluster_ssh_user != "root"
+
+- name: Set cluster user home directory
+ set_fact:
+ cluster_user_home_directory: /root
+ when: cluster_ssh_user == "root"
+
+- name: Setup ssh keys
 block:
- - name: Set client user home directory
- set_fact:
- client_user_home_directory: /home/{{ client_ssh_user }}
- when: client_ssh_user != "root"
-
- - name: Set client user home directory
- set_fact:
- client_user_home_directory: /root
- when: client_ssh_user == "root"
-
- - name: Set cluster user home directory
- set_fact:
- cluster_user_home_directory: /home/{{ cluster_ssh_user }}
- when: cluster_ssh_user != "root"
-
- - name: Set cluster user home directory
- set_fact:
- cluster_user_home_directory: /root
- when: cluster_ssh_user == "root"
-
 - name: Generate ssh key pair
 shell: |
 ssh-keygen -t ed25519 -q -N "" -f {{ client_user_home_directory }}/.ssh/id_ed25519
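Review bot: The added `strategy: linear` in `playbooks/deploy-env.yaml` carries no comment saying why the play pins what is already Ansible's default strategy. Judging by the other files in this commit, the role reads values registered on the primary through `hostvars` (`ssh_public_key`, `wg_public_key`), which presumably only works if every host finishes a task before the next one starts. A comment above the key such as `# linear: later tasks read facts registered on the primary via hostvars, so hosts must advance in lockstep` would keep someone from switching the play to a free-running strategy later.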
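Review bot: The home directories set by the four `set_fact` tasks are built by concatenating `client_ssh_user` / `cluster_ssh_user` onto `/home/`, and the result goes unquoted into the `ssh-keygen ... -f` command in the `shell:` task at the end of the hunk. An account whose home is not under `/home`, or a variable value containing whitespace or shell metacharacters, would place the passphrase-less private key at an unintended path or change the command that runs. Quoting the argument, `-f {{ (client_user_home_directory ~ '/.ssh/id_ed25519') | quote }}`, covers the second case; the first would need the home looked up from the account database rather than assumed. Each pair of tasks also shares one name, so collapsing a pair into a single task with `client_user_home_directory: "{{ '/root' if client_ssh_user == 'root' else '/home/' ~ client_ssh_user }}"` would make run logs unambiguous. The `Generate ssh key pair` task continues outside the hunk.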
@@ -45,6 +45,8 @@
 register: ssh_public_key
 when: (inventory_hostname in (groups['primary'] | default([])))
+- name: Setup passwordless ssh from primary and cluster nodes
+ block:
 - name: Set primary ssh public key
 set_fact:
 client_ssh_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['ssh_public_key', 'stdout']))[0] }}"
diff --git a/roles/deploy-env/tasks/client_cluster_tunnel.yaml b/roles/deploy-env/tasks/client_cluster_tunnel.yaml
index 8a39f4ab6..31d3118b3 100644
--- a/roles/deploy-env/tasks/client_cluster_tunnel.yaml
+++ b/roles/deploy-env/tasks/client_cluster_tunnel.yaml
@@ -19,7 +19,7 @@
 set_fact:
 client_default_ip: "{{ (groups['primary'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']))[0] }}"
-- name: Setup wireguard tunnel between primary and cluster control-plane node
+- name: Setup wireguard keys
 when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
 block:
 - name: Generate wireguard key pair
@@ -33,6 +33,9 @@
 register: wg_public_key
 when: (inventory_hostname in (groups['primary'] | default([]))) or (inventory_hostname in (groups['k8s_control_plane'] | default([])))
+- name: Setup wireguard tunnel between primary and cluster control-plane node
+ when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
+ block:
 - name: Set primary wireguard public key
 set_fact:
 client_wg_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['wg_public_key', 'stdout']))[0] }}"
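Review bot: `client_ssh_public_key` is taken with `[0]` from `groups['primary']` with no guard on the new `Setup passwordless ssh from primary and cluster nodes` block, whereas the key-generation condition just above tests `groups['primary'] | default([])`. If the inventory has no `primary` group, or key generation was skipped or failed there, this lookup fails with an undefined-variable or index error rather than a clear message. A `when: (groups['primary'] | default([]) | length > 0)` on the block, or an `assert` before it, would make the precondition explicit. The block's remaining tasks are outside the hunk, so this may already be handled further down.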
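Review bot: The `when:` on the new `Setup wireguard tunnel between primary and cluster control-plane node` block is a verbatim copy of the one on `Setup wireguard keys`, and both read `groups['primary']` and `groups['k8s_control_plane']` without the `| default([])` that the inner task condition uses. Two copies of the same gate can drift apart, which would leave hosts with keys generated but no tunnel configured, or the reverse. Computing it once, e.g. a `set_fact` of `wg_tunnel_needed: "{{ (groups['primary'] | default([])) | difference(groups['k8s_control_plane'] | default([])) | length > 0 }}"` and using `when: wg_tunnel_needed | bool` on both blocks, keeps them in step. The block continues outside the hunk.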