Provision 3 thin control planes and 3 workers with role-specific sizing and VMID ranges (701/711), generate per-node cloud-init snippets with SSH key injection, and add NixOS kubeadm host/module scaffolding for cp-1..3 and wk-1..3.
Remove tailscale auth/bootstrap from cloud-init and workflows, keeping VM provisioning focused on core network behind pfSense while preserving SSH key cloud-init setup.
Remove guest-agent enrollment workflow, pass TS auth key through Terraform variables/secrets, and run tailscale up with tag:k8s during cloud-init bootstrap alongside SSH key injection.
Switch VM boot order/disks to scsi0 to match cloned NixOS template boot layout, add destroy guards to plan/apply workflows, and replace destroy workflow with a confirmed manual dispatch nuke flow that uses remote B2 state.
