diff --git a/nixos/template-base/README.md b/nixos/template-base/README.md index 6270ea5..8279725 100644 --- a/nixos/template-base/README.md +++ b/nixos/template-base/README.md @@ -1,17 +1,16 @@ -# NixOS Proxmox Template Base +# NixOS Proxmox k8s-base Template -This folder contains a minimal NixOS base config you can copy into a new +This folder contains a Kubernetes-ready NixOS base config for your Proxmox template VM build. ## Files -- `flake.nix`: pins `nixos-24.11` and exposes one host config. -- `configuration.nix`: base settings for Proxmox guest use. +- `flake.nix`: pins `nixos-25.05` and exposes one host config. +- `configuration.nix`: k8s-base settings for Proxmox guests. ## Before first apply -1. Replace `REPLACE_WITH_YOUR_SSH_PUBLIC_KEY` in `configuration.nix`. -2. Add `hardware-configuration.nix` from the VM install: +1. Add `hardware-configuration.nix` from the VM install: - `nixos-generate-config --root /` - copy `/etc/nixos/hardware-configuration.nix` next to `configuration.nix` @@ -23,5 +22,6 @@ sudo nixos-rebuild switch --flake .#template ## Notes -- This is intentionally minimal and avoids cloud-init assumptions. -- If you want host-specific settings, create additional modules and import them. +- This pre-installs heavy shared Kubernetes dependencies (containerd + kube tools) + to reduce per-node bootstrap time. +- Cloud-init still injects the runtime SSH key and per-node hostname/IP. diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix index 9b3d133..752c636 100644 --- a/nixos/template-base/configuration.nix +++ b/nixos/template-base/configuration.nix 
@@ -1,11 +1,15 @@
 { lib, pkgs, ... }:
+let
+  pinnedK8s = lib.attrByPath [ "kubernetes_1_31" ] pkgs.kubernetes pkgs;
+in
+
 {
   imports = lib.optional (builtins.pathExists ./hardware-configuration.nix) ./hardware-configuration.nix;
-  networking.hostName = "nixos-template";
+  networking.hostName = "k8s-base-template";
   networking.useDHCP = lib.mkDefault true;
   networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
@@ -17,13 +21,37 @@
   services.qemuGuest.enable = true;
   services.openssh.enable = true;
-  services.tailscale.enable = true;
   services.openssh.settings = {
     PasswordAuthentication = false;
     KbdInteractiveAuthentication = false;
     PermitRootLogin = "prohibit-password";
   };
+  boot.kernelModules = [ "overlay" "br_netfilter" ];
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.bridge.bridge-nf-call-iptables" = 1;
+    "net.bridge.bridge-nf-call-ip6tables" = 1;
+  };
+
+  virtualisation.containerd.enable = true;
+  virtualisation.containerd.settings = {
+    plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = true;
+  };
+
+  swapDevices = lib.mkForce [ ];
+
+  nix.settings = {
+    trusted-users = [ "root" "micqdf" ];
+    auto-optimise-store = true;
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 3d";
+  };
+
   programs.fish.enable = true;
   users.users.micqdf = {
@@ -36,16 +64,27 @@
   environment.systemPackages = with pkgs; [
     btop
+    cni-plugins
+    conntrack-tools
+    containerd
+    cri-tools
     curl
     dig
+    ebtables
+    ethtool
     eza
     fd
     fzf
     git
     htop
+    iproute2
+    iptables
+    ipvsadm
     jq
+    kubernetes-helm
+    pinnedK8s
     ripgrep
-    tailscale
+    socat
     tree
     unzip
     vim
diff --git a/nixos/template-base/flake.lock b/nixos/template-base/flake.lock
new file mode 100644
index 0000000..f428ce8
--- /dev/null
+++ b/nixos/template-base/flake.lock
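Review bot: The `pinnedK8s` binding in the new `let` silently falls back to the unpinned `pkgs.kubernetes` whenever `kubernetes_1_31` is absent from the nixpkgs being evaluated, so the template can drift to a different Kubernetes minor with no build-time signal, which matters for a base image whose clones are all expected to join the same cluster version. I cannot confirm from this page whether nixos-25.05 exposes an attribute under that name, so the fallback may already be the path taken today. A warning keeps the intent visible: `pinnedK8s = lib.warnIf (!(pkgs ? kubernetes_1_31)) "kubernetes_1_31 not found; using pkgs.kubernetes" (lib.attrByPath [ "kubernetes_1_31" ] pkgs.kubernetes pkgs);`, or reference the attribute directly if the pin must be hard. The enclosing module body continues outside the hunk.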
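Review bot: `nix.settings.trusted-users = [ "root" "micqdf" ]` bakes a daemon-level privilege into the shared template: a trusted user can supply arbitrary `substituters`/`trusted-public-keys` and import unsigned store paths, which is effectively root on every clone, so if `micqdf` already has sudo this adds little and otherwise it is a quiet escalation path. Consider leaving `trusted-users` at the NixOS default in the template, or add a comment stating why a template-wide trusted user is required, e.g. `# micqdf is trusted so nixos-rebuild from the flake can use extra substituters; every clone inherits this`. Separately, the `net.bridge.*` keys in `boot.kernel.sysctl` only exist once `br_netfilter` is loaded; this presumably works because modules are loaded before sysctl is applied at boot, but a one-line comment on `boot.kernelModules` noting that ordering dependency would help the next reader. The surrounding attribute set continues outside the hunk.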
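Review bot: `containerd` is listed in `environment.systemPackages` while `virtualisation.containerd.enable` in the earlier hunk of this file already installs the daemon from the module's own package option, so the image carries two references that can diverge if the service package is ever overridden. Dropping `containerd` from the list, or adding a comment on why a separate copy is wanted on `PATH` (for example `# ctr for manual debugging; the daemon itself comes from the containerd module`), removes the ambiguity. The `environment.systemPackages` list opens on the hunk's first line and closes outside the hunk.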
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1767313136,
+        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/nixos/template-base/flake.nix b/nixos/template-base/flake.nix
index 821c6e7..8def35c 100644
--- a/nixos/template-base/flake.nix
+++ b/nixos/template-base/flake.nix
@@ -1,8 +1,8 @@
 {
-  description = "Base NixOS config for Proxmox template";
+  description = "Kubernetes-ready NixOS base template";
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
   };
   outputs = { nixpkgs, ... }: {
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index 87ca229..c2ed336 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -1,5 +1,5 @@
 target_node = "flex"
-clone_template = "nixos-template"
+clone_template = "k8s-base-template"
 bridge = "vmbr0"
 storage = "Flash"
 pm_api_url = "https://100.105.0.115:8006/api2/json"