fix: auto-detect kube-vip interface and tighten SSH fallback

nixos/kubeadm/modules/k8s-common.nix

@@ -101,6 +101,15 @@ in
       set -euo pipefail
 
       iface="${config.terrahome.kubeadm.controlPlaneInterface}"
+      if ! ip link show "$iface" >/dev/null 2>&1; then
+        iface="$(ip -o -4 route show to default | awk 'NR==1 {print $5}')"
+      fi
+
+      if [ -z "''${iface:-}" ]; then
+        echo "Could not determine network interface for kube-vip"
+        exit 1
+      fi
+
       suffix="${toString config.terrahome.kubeadm.controlPlaneVipSuffix}"
       pod_subnet="${config.terrahome.kubeadm.podSubnet}"
       service_subnet="${config.terrahome.kubeadm.serviceSubnet}"
@@ -155,6 +164,15 @@ in
       fi
 
       iface="${config.terrahome.kubeadm.controlPlaneInterface}"
+      if ! ip link show "$iface" >/dev/null 2>&1; then
+        iface="$(ip -o -4 route show to default | awk 'NR==1 {print $5}')"
+      fi
+
+      if [ -z "''${iface:-}" ]; then
+        echo "Could not determine network interface for kube-vip"
+        exit 1
+      fi
+
       suffix="${toString config.terrahome.kubeadm.controlPlaneVipSuffix}"
       local_ip_cidr=$(ip -4 -o addr show dev "$iface" | awk 'NR==1 {print $4}')
       if [ -z "''${local_ip_cidr:-}" ]; then

nixos/kubeadm/scripts/rebuild-and-bootstrap.sh

@@ -86,6 +86,7 @@ remote() {
   local quoted_cmd
   local candidate
   local candidates=()
+  local rc=0
 
   candidates+=("$ACTIVE_SSH_USER")
   for candidate in $SSH_USER_CANDIDATES; do
@@ -100,6 +101,11 @@ remote() {
       ACTIVE_SSH_USER="$candidate"
       return 0
     fi
+
+    rc=$?
+    if [ "$rc" -ne 255 ]; then
+      return "$rc"
+    fi
   done
 
   echo "Remote command failed for all SSH users on $host_ip"