diff --git a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
index f815c69..ca86980 100755
--- a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
+++ b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
@@ -263,9 +263,10 @@ fi
 
 echo "==> Initializing control plane on $PRIMARY_CONTROL_PLANE"
 detect_ssh_user "$PRIMARY_CP_IP"
-if cluster_ready; then
+if has_admin_conf && cluster_ready; then
   echo "==> Existing cluster detected on $PRIMARY_CONTROL_PLANE; skipping kubeadm init"
 else
+  echo "==> Control plane not fully initialized; running kubeadm init on $PRIMARY_CONTROL_PLANE"
   remote "$PRIMARY_CP_IP" "sudo th-kubeadm-init"
 
   echo "==> Installing Cilium on $PRIMARY_CONTROL_PLANE"
@@ -281,6 +282,11 @@ if ! has_admin_conf; then
   remote "$PRIMARY_CP_IP" "sudo th-kubeadm-init"
 fi
 
+if ! has_admin_conf; then
+  echo "==> admin.conf still missing after init attempt; aborting"
+  exit 1
+fi
+
 JOIN_CMD="$(remote "$PRIMARY_CP_IP" "sudo KUBECONFIG=/etc/kubernetes/admin.conf kubeadm token create --print-join-command")"
 CERT_KEY="$(remote "$PRIMARY_CP_IP" "sudo KUBECONFIG=/etc/kubernetes/admin.conf kubeadm init phase upload-certs --upload-certs | tail -n 1")"
 CP_JOIN_CMD="$JOIN_CMD --control-plane --certificate-key $CERT_KEY"