diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index a1e30ac..307fc6c 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -270,7 +270,7 @@ jobs:
             kubectl -n flux-system get kustomizations,helmrepositories,helmcharts,helmreleases || true
             kubectl -n flux-system describe kustomization addon-external-secrets || true
             kubectl -n flux-system describe helmrepository external-secrets || true
-            kubectl -n flux-system describe helmchart flux-system-external-secrets || true
+            kubectl -n flux-system describe helmchart.source.toolkit.fluxcd.io flux-system-external-secrets || true
             kubectl -n flux-system describe helmrelease external-secrets || true
             kubectl -n external-secrets get pods -o wide || true
           }
@@ -283,7 +283,7 @@ jobs:
 
             kubectl -n flux-system get helmrepositories,helmcharts,helmreleases || true
             kubectl -n flux-system describe helmrepository "${repo_name}" || true
-            kubectl -n flux-system describe helmchart "${chart_name}" || true
+            kubectl -n flux-system describe helmchart.source.toolkit.fluxcd.io "${chart_name}" || true
             kubectl -n flux-system describe helmrelease "${release_name}" || true
             kubectl -n "${target_namespace}" get pods -o wide || true
           }
@@ -306,10 +306,10 @@ jobs:
 
             wait_for_resource flux-system "helmchart.source.toolkit.fluxcd.io/${chart_name}" 600
             reconcile_at="$(date +%s)"
-            kubectl -n flux-system annotate "helmchart/${chart_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+            kubectl -n flux-system annotate "helmchart.source.toolkit.fluxcd.io/${chart_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
             kubectl -n flux-system annotate "helmrelease/${release_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
 
-            if ! kubectl -n flux-system wait --for=condition=Ready "helmchart/${chart_name}" --timeout="${chart_timeout}"; then
+            if ! kubectl -n flux-system wait --for=condition=Ready "helmchart.source.toolkit.fluxcd.io/${chart_name}" --timeout="${chart_timeout}"; then
               flux_helm_diagnostics "${repo_name}" "${chart_name}" "${release_name}" "${target_namespace}"
               exit 1
             fi
diff --git a/ansible/roles/rancher-image-prepull/tasks/main.yml b/ansible/roles/rancher-image-prepull/tasks/main.yml
index 319a411..26b28c0 100644
--- a/ansible/roles/rancher-image-prepull/tasks/main.yml
+++ b/ansible/roles/rancher-image-prepull/tasks/main.yml
@@ -1,15 +1,19 @@
 ---
 - name: Pre-pull Rancher images into containerd
-  command: /usr/local/bin/ctr -n k8s.io images pull {{ item }}
+  command: timeout 180s /usr/local/bin/ctr -n k8s.io images pull {{ item }}
   register: rancher_image_pull
   loop: "{{ rancher_images_to_prepull }}"
+  retries: 6
+  delay: 20
+  until: rancher_image_pull.rc == 0
   changed_when: rancher_image_pull.rc == 0
   failed_when: false
 
-- name: Report Rancher images that did not pre-pull
+- name: Report Rancher images that did not pre-pull after retries
   debug:
     msg: >-
-      Rancher image pre-pull failed for {{ item.item }}: {{ item.stderr | default('no stderr') }}
+      Best-effort Rancher image pre-pull did not complete for {{ item.item }} after
+      {{ item.attempts | default(1) }} attempt(s): {{ item.stderr | default('no stderr') }}
   loop: "{{ rancher_image_pull.results | default([]) }}"
   loop_control:
     label: "{{ item.item }}"
diff --git a/ansible/roles/tailscale-cleanup/tasks/main.yml b/ansible/roles/tailscale-cleanup/tasks/main.yml
index 2f42698..967429d 100644
--- a/ansible/roles/tailscale-cleanup/tasks/main.yml
+++ b/ansible/roles/tailscale-cleanup/tasks/main.yml
@@ -13,18 +13,19 @@
     - name: Find stale devices matching reserved hostnames
       set_fact:
         stale_devices: >-
-          {{ ts_devices.json.devices | default([])
-             | selectattr('hostname', 'defined')
-             | selectattr('hostname', 'in', tailscale_reserved_hostnames)
-             | rejectattr('online', 'defined')
-             | list
-             +
-             ts_devices.json.devices | default([])
-             | selectattr('hostname', 'defined')
-             | selectattr('hostname', 'in', tailscale_reserved_hostnames)
-             | selectattr('online', 'defined')
-             | rejectattr('online', 'equalto', true)
-             | list }}
+          {{ (ts_devices.json.devices | default([])
+              | selectattr('hostname', 'defined')
+              | selectattr('hostname', 'in', tailscale_reserved_hostnames)
+              | selectattr('connectedToControl', 'defined')
+              | rejectattr('connectedToControl', 'equalto', true)
+              | list
+              +
+              ts_devices.json.devices | default([])
+              | selectattr('hostname', 'defined')
+              | selectattr('hostname', 'in', tailscale_reserved_hostnames)
+              | selectattr('online', 'defined')
+              | rejectattr('online', 'equalto', true)
+              | list) | unique(attribute='id') | list }}
 
     - name: Delete stale devices
       uri: