diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index b7bbf1d..8658c4d 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -149,13 +149,26 @@ in
       systemctl daemon-reload
       systemctl unmask kubelet || true
 
+      echo "==> Ensuring containerd is running"
+      systemctl start containerd || true
+      sleep 2
+      if ! systemctl is-active containerd; then
+        echo "ERROR: containerd not running"
+        journalctl -xeu containerd --no-pager -n 30
+        exit 1
+      fi
+
       env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm init \
         --control-plane-endpoint "$vip:6443" \
         --upload-certs \
         --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 \
         --pod-network-cidr "$pod_subnet" \
         --service-cidr "$service_subnet" \
-        --service-dns-domain "$domain"
+        --service-dns-domain "$domain" || {
+        echo "==> kubeadm init failed, kubelet logs:"
+        journalctl -xeu kubelet --no-pager -n 50
+        exit 1
+      }
 
       mkdir -p /root/.kube
       cp /etc/kubernetes/admin.conf /root/.kube/config
@@ -256,6 +269,8 @@ in
   systemd.tmpfiles.rules = [
     "d /etc/kubernetes 0755 root root -"
     "d /etc/kubernetes/manifests 0755 root root -"
+    "d /var/lib/kubelet 0755 root root -"
+    "d /var/lib/kubelet/pki 0755 root root -"
   ];
   };
 }