From d42e83358cf69949c87660251e4dfc37dbd7d984 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Mon, 2 Mar 2026 12:44:40 +0000
Subject: [PATCH] fix: mask kubelet before rebuild, unmask in kubeadm helpers

- Mask kubelet service entirely before nixos-rebuild to prevent systemd
  from restarting it during switch
- Unmask kubelet in th-kubeadm-init/join scripts before starting
---
 nixos/kubeadm/modules/k8s-common.nix           | 3 +++
 nixos/kubeadm/scripts/rebuild-and-bootstrap.sh | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index 4c35d6d..fcc10fe 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -141,6 +141,7 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      systemctl unmask kubelet || true
       systemctl stop kubelet || true
       env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm reset -f || true
 
@@ -201,6 +202,7 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      systemctl unmask kubelet || true
       systemctl stop kubelet || true
       eval "$1"
     '')
@@ -213,6 +215,7 @@ in
         exit 1
       fi
 
+      systemctl unmask kubelet || true
       systemctl stop kubelet || true
       eval "$1"
     '')
diff --git a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
index d795ded..ff873cc 100755
--- a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
+++ b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
@@ -211,9 +211,10 @@ prepare_remote_space() {
 prepare_remote_kubelet() {
   local node_ip="$1"
   echo "==> Quiescing kubelet on $node_ip"
-  remote "$node_ip" "sudo systemctl disable --now kubelet >/dev/null 2>&1 || true"
+  remote "$node_ip" "sudo systemctl stop kubelet >/dev/null 2>&1 || true"
+  remote "$node_ip" "sudo systemctl disable kubelet >/dev/null 2>&1 || true"
+  remote "$node_ip" "sudo systemctl mask kubelet >/dev/null 2>&1 || true"
   remote "$node_ip" "sudo systemctl reset-failed kubelet >/dev/null 2>&1 || true"
-  remote "$node_ip" "sudo rm -f /etc/systemd/system/multi-user.target.wants/kubelet.service || true"
 }
 
 populate_nodes