From 8bd064c828c2e321d9c1975d83951e49fd04729a Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 1 Mar 2026 13:31:36 +0000
Subject: [PATCH 1/2] fix: keep micqdf user during kubeadm node rebuilds
---
 nixos/kubeadm/modules/k8s-common.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index 97e2aed..3f9d1fd 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -59,6 +59,13 @@ in
 KbdInteractiveAuthentication = false;
 };
 
+ users.users.micqdf = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
 nix.settings.trusted-users = [ "root" "micqdf" ];
 nix.gc = {
 automatic = true;
From 88db11292d181b76e0f9136f66a716812a38140d Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 1 Mar 2026 13:34:15 +0000
Subject: [PATCH 2/2] fix: fallback SSH user per host during bootstrap steps
---
 .../kubeadm/scripts/rebuild-and-bootstrap.sh | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
index 458177e..5d67f0c 100755
--- a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
+++ b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
@@ -84,8 +84,26 @@ remote() {
 local host_ip="$1"
 local cmd="$2"
 local quoted_cmd
+ local candidate
+ local candidates=()
+
+ candidates+=("$ACTIVE_SSH_USER")
+ for candidate in $SSH_USER_CANDIDATES; do
+ if [ "$candidate" != "$ACTIVE_SSH_USER" ]; then
+ candidates+=("$candidate")
+ fi
+ done
+
 quoted_cmd="$(printf '%q' "$cmd")"
- ssh $SSH_OPTS "$ACTIVE_SSH_USER@$host_ip" "bash -lc $quoted_cmd"
+ for candidate in "${candidates[@]}"; do
+ if ssh $SSH_OPTS "$candidate@$host_ip" "bash -lc $quoted_cmd"; then
+ ACTIVE_SSH_USER="$candidate"
+ return 0
+ fi
+ done
+
+ echo "Remote command failed for all SSH users on $host_ip"
+ return 1
 }
 
 detect_ssh_user() {
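Review bot: `security.sudo.wheelNeedsPassword = false;` removes the sudo password for every member of wheel on every node that imports this module, not only for micqdf, and together with the existing `trusted-users` entry it makes SSH access as micqdf equivalent to root. If passwordless sudo is only needed so the rebuild can run as this user, scope it with a `security.sudo.extraRules` entry for `users = [ "micqdf" ]` carrying the `NOPASSWD` option and leave the wheel default alone. The new `users.users.micqdf` block also sets no `openssh.authorizedKeys.keys`; if the keys are declared in another module that is fine, but a comment here saying where they come from, e.g. `# SSH keys for micqdf are set in <module>`, would keep this block from reading as a keyless account.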
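Review bot: The fallback loop in remote() treats any non-zero status from `ssh` as a login failure, but ssh returns the remote command's own exit status and reserves 255 for connection and authentication errors. As written, a command that fails on the node is run again under every other account in `SSH_USER_CANDIDATES`, so a non-idempotent bootstrap step can execute several times under different identities, the real exit code is replaced by 1, and the failure is reported as an SSH user problem. Moving on to the next candidate only on 255 and returning the command's status otherwise avoids this; a remote command that itself exits 255 stays indistinguishable, which is worth a comment. The final message should go to stderr so callers that capture remote's output do not receive it as data. remote() starts above this hunk.

```shell
  # … unchanged: locals, candidate list construction, quoted_cmd …
  local rc
  for candidate in "${candidates[@]}"; do
    rc=0
    ssh $SSH_OPTS "$candidate@$host_ip" "bash -lc $quoted_cmd" || rc=$?
    # 255 is ssh's own error (connect/auth); anything else is the remote command's status.
    if [ "$rc" -ne 255 ]; then
      ACTIVE_SSH_USER="$candidate"
      return "$rc"
    fi
  done

  echo "Remote command failed for all SSH users on $host_ip" >&2
  return 1
```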
@@ -130,6 +148,7 @@ rebuild_node() {
 local node_ip="$2"
 
 echo "==> Rebuilding $node_name on $node_ip"
+ detect_ssh_user "$node_ip"
 timeout "$REBUILD_TIMEOUT" nixos-rebuild switch \
 --flake "$FLAKE_DIR#$node_name" \
 --target-host "$ACTIVE_SSH_USER@$node_ip" \
@@ -233,6 +252,7 @@ if [ "$worker_failures" -gt 0 ]; then
 fi
 
 echo "==> Initializing control plane on $PRIMARY_CONTROL_PLANE"
+detect_ssh_user "$PRIMARY_CP_IP"
 if cluster_ready; then
 echo "==> Existing cluster detected on $PRIMARY_CONTROL_PLANE; skipping kubeadm init"
 else
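Review bot: Neither new call checks the status of `detect_ssh_user`: in rebuild_node the next statement passes `$ACTIVE_SSH_USER` straight to `--target-host`, and the same pattern is added before `cluster_ready` in the `@@ -233` hunk. detect_ssh_user's body is not visible here, so this is an assumption to confirm, but if it can return non-zero without `set -e` aborting the script, the value left over from the previous host is used and the rebuild targets an account that was never verified on this node. Making the dependency explicit, `detect_ssh_user "$node_ip" || return 1` in rebuild_node and `detect_ssh_user "$PRIMARY_CP_IP" || exit 1` at top level, keeps a failed detection from turning into a confusing rebuild or kubeadm error. rebuild_node begins above the hunk and continues past it.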