Merge pull request 'fix: ignore stale SSH host keys for ephemeral homelab VMs' (#130) from stage into master

Reviewed-on: #130

.gitea/workflows/kubeadm-bootstrap.yml

@@ -27,7 +27,7 @@ jobs:
           fi
 
       - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
 
       - name: Create SSH key
         run: |
@@ -104,8 +104,8 @@ jobs:
         env:
           KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
         run: |
-          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"
-          printf '%s' "$TF_OUTPUT_JSON" | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
+          set -euo pipefail
+          terraform -chdir=terraform output -json | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
 
       - name: Validate nix installation
         run: |
@@ -165,6 +165,10 @@ jobs:
       - name: Run cluster rebuild and bootstrap
         env:
           NIX_CONFIG: experimental-features = nix-command flakes
+          FAST_MODE: "1"
+          WORKER_PARALLELISM: "3"
+          REBUILD_TIMEOUT: "45m"
+          REBUILD_RETRIES: "2"
         run: |
           if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
             . "$HOME/.nix-profile/etc/profile.d/nix.sh"

.gitea/workflows/kubeadm-reset.yml

@@ -27,7 +27,7 @@ jobs:
           fi
 
       - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
 
       - name: Create SSH key
         run: |
@@ -104,8 +104,8 @@ jobs:
         env:
           KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
         run: |
-          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"
-          printf '%s' "$TF_OUTPUT_JSON" | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
+          set -euo pipefail
+          terraform -chdir=terraform output -json | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
 
       - name: Run cluster reset
         run: |

.gitea/workflows/terraform-apply.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
 
       - name: Create secrets.tfvars
         working-directory: terraform
@@ -53,7 +53,20 @@ jobs:
 
       - name: Terraform Plan
         working-directory: terraform
-        run: terraform plan -out=tfplan
+        run: |
+          set -euo pipefail
+          for attempt in 1 2; do
+            echo "Terraform plan attempt $attempt/2"
+            if timeout 20m terraform plan -refresh=false -parallelism=1 -out=tfplan; then
+              exit 0
+            fi
+            if [ "$attempt" -eq 1 ]; then
+              echo "Plan attempt failed or timed out; retrying in 20s"
+              sleep 20
+            fi
+          done
+          echo "Terraform plan failed after retries"
+          exit 1
 
       - name: Block accidental destroy
         env:
@@ -139,8 +152,8 @@ jobs:
         env:
           KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
         run: |
-          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"
-          printf '%s' "$TF_OUTPUT_JSON" | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
+          set -euo pipefail
+          terraform -chdir=terraform output -json | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env
 
       - name: Ensure nix and nixos-rebuild
         env:
@@ -180,6 +193,10 @@ jobs:
       - name: Rebuild and bootstrap/reconcile kubeadm cluster
         env:
           NIX_CONFIG: experimental-features = nix-command flakes
+          FAST_MODE: "1"
+          WORKER_PARALLELISM: "3"
+          REBUILD_TIMEOUT: "45m"
+          REBUILD_RETRIES: "2"
         run: |
           if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
             . "$HOME/.nix-profile/etc/profile.d/nix.sh"

.gitea/workflows/terraform-destroy.yml

@@ -36,7 +36,7 @@ jobs:
           fi
 
       - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
 
       - name: Create Terraform secret files
         working-directory: terraform
@@ -74,15 +74,16 @@ jobs:
       - name: Terraform Destroy Plan
         working-directory: terraform
         run: |
+          set -euo pipefail
           case "${{ inputs.target }}" in
             all)
-              terraform plan -destroy -out=tfdestroy
+              TF_PLAN_CMD="terraform plan -refresh=false -parallelism=1 -destroy -out=tfdestroy"
               ;;
             control-planes)
-              terraform plan -destroy -target=proxmox_vm_qemu.control_planes -out=tfdestroy
+              TF_PLAN_CMD="terraform plan -refresh=false -parallelism=1 -destroy -target=proxmox_vm_qemu.control_planes -out=tfdestroy"
               ;;
             workers)
-              terraform plan -destroy -target=proxmox_vm_qemu.workers -out=tfdestroy
+              TF_PLAN_CMD="terraform plan -refresh=false -parallelism=1 -destroy -target=proxmox_vm_qemu.workers -out=tfdestroy"
               ;;
             *)
               echo "Invalid destroy target: ${{ inputs.target }}"
@@ -90,6 +91,20 @@ jobs:
               ;;
           esac
 
+          for attempt in 1 2; do
+            echo "Terraform destroy plan attempt $attempt/2"
+            if timeout 20m sh -c "$TF_PLAN_CMD"; then
+              exit 0
+            fi
+            if [ "$attempt" -eq 1 ]; then
+              echo "Destroy plan attempt failed or timed out; retrying in 20s"
+              sleep 20
+            fi
+          done
+
+          echo "Terraform destroy plan failed after retries"
+          exit 1
+
       - name: Terraform Destroy Apply
         working-directory: terraform
         run: |

.gitea/workflows/terraform-plan.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: https://gitea.com/actions/checkout@v4
+        uses: actions/checkout@v4
 
       - name: Create secrets.tfvars
         working-directory: terraform
@@ -67,7 +67,20 @@ jobs:
 
       - name: Terraform Plan
         working-directory: terraform
-        run: terraform plan -out=tfplan
+        run: |
+          set -euo pipefail
+          for attempt in 1 2; do
+            echo "Terraform plan attempt $attempt/2"
+            if timeout 20m terraform plan -refresh=false -parallelism=1 -out=tfplan; then
+              exit 0
+            fi
+            if [ "$attempt" -eq 1 ]; then
+              echo "Plan attempt failed or timed out; retrying in 20s"
+              sleep 20
+            fi
+          done
+          echo "Terraform plan failed after retries"
+          exit 1
 
       - name: Block accidental destroy
         env:

nixos/kubeadm/README.md

@@ -13,11 +13,19 @@ This folder defines role-based NixOS configs for a kubeadm cluster.
 - Shared cluster defaults in `modules/k8s-cluster-settings.nix`
 - Role-specific settings for control planes and workers
 - Generated per-node host configs from `flake.nix` (no duplicated host files)
-- Bootstrap helper commands:
+- Bootstrap helper commands on each node:
   - `th-kubeadm-init`
   - `th-kubeadm-join-control-plane`
   - `th-kubeadm-join-worker`
   - `th-kubeadm-status`
+- A Python bootstrap controller for orchestration:
+  - `bootstrap/controller.py`
+
+## Layered architecture
+
+- `terraform/`: VM lifecycle only
+- `nixos/kubeadm/modules/`: declarative node OS config only
+- `nixos/kubeadm/bootstrap/controller.py`: imperative cluster reconciliation state machine
 
 ## Hardware config files
 
@@ -42,7 +50,7 @@ sudo nixos-rebuild switch --flake .#cp-1
 For remote target-host workflows, use your preferred deploy wrapper later
 (`nixos-rebuild --target-host ...` or deploy-rs/colmena).
 
-## Bootstrap runbook (kubeadm + kube-vip + Cilium)
+## Bootstrap runbook (kubeadm + kube-vip + Flannel)
 
 1. Apply Nix config on all nodes (`cp-*`, then `wk-*`).
 2. On `cp-1`, run:
@@ -54,14 +62,10 @@ sudo th-kubeadm-init
 This infers the control-plane VIP as `<node-subnet>.250` on `eth0`, creates the
 kube-vip static pod manifest, and runs `kubeadm init`.
 
-3. Install Cilium from `cp-1`:
+3. Install Flannel from `cp-1`:
 
 ```bash
-helm repo add cilium https://helm.cilium.io
-helm repo update
-helm upgrade --install cilium cilium/cilium \
-  --namespace kube-system \
-  --set kubeProxyReplacement=true
+kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/v0.25.5/Documentation/kube-flannel.yml
 ```
 
 4. Generate join commands on `cp-1`:
@@ -90,7 +94,7 @@ kubectl get nodes -o wide
 kubectl -n kube-system get pods -o wide
 ```
 
-## Repeatable rebuild flow (recommended)
+## Fresh bootstrap flow (recommended)
 
 1. Copy and edit inventory:
 
@@ -99,12 +103,30 @@ cp ./scripts/inventory.example.env ./scripts/inventory.env
 $EDITOR ./scripts/inventory.env
 ```
 
-2. Rebuild all nodes and bootstrap/reconcile cluster:
+2. Rebuild all nodes and bootstrap a fresh cluster:
 
 ```bash
 ./scripts/rebuild-and-bootstrap.sh
 ```
 
+Optional tuning env vars:
+
+```bash
+FAST_MODE=1 WORKER_PARALLELISM=3 REBUILD_TIMEOUT=45m REBUILD_RETRIES=2 ./scripts/rebuild-and-bootstrap.sh
+```
+
+- `FAST_MODE=1` skips pre-rebuild remote GC cleanup to reduce wall-clock time.
+- Set `FAST_MODE=0` for a slower but more aggressive space cleanup pass.
+
+### Bootstrap controller state
+
+The controller stores checkpoints in both places:
+
+- Remote (source of truth): `/var/lib/terrahome/bootstrap-state.json` on `cp-1`
+- Local copy (workflow/debug artifact): `nixos/kubeadm/bootstrap/bootstrap-state-last.json`
+
+This makes retries resumable and keeps failure context visible from CI.
+
 3. If you only want to reset Kubernetes state on existing VMs:
 
 ```bash
@@ -115,15 +137,15 @@ For a full nuke/recreate lifecycle:
 - run Terraform destroy/apply for VMs first,
 - then run `./scripts/rebuild-and-bootstrap.sh` again.
 
-Node lists are discovered from Terraform outputs, so adding new workers/control
-planes in Terraform is picked up automatically by the bootstrap/reconcile flow.
+Node lists now come directly from static Terraform outputs, so bootstrap no longer
+depends on Proxmox guest-agent IP discovery or SSH subnet scanning.
 
 ## Optional Gitea workflow automation
 
 Primary flow:
 
 - Push to `master` triggers `.gitea/workflows/terraform-apply.yml`
-- That workflow now does Terraform apply and then runs kubeadm rebuild/bootstrap reconciliation automatically
+- That workflow now does Terraform apply and then runs a fresh kubeadm bootstrap automatically
 
 Manual dispatch workflows are available:
 
@@ -138,8 +160,7 @@ Required repository secrets:
 Optional secrets:
 
 - `KUBEADM_SSH_USER` (defaults to `micqdf`)
-
-Node IPs are auto-discovered from Terraform state outputs (`control_plane_vm_ipv4`, `worker_vm_ipv4`), so you do not need per-node IP secrets.
+Node IPs are rendered directly from static Terraform outputs (`control_plane_vm_ipv4`, `worker_vm_ipv4`), so you do not need per-node IP secrets or SSH discovery fallbacks.
 
 ## Notes
 

nixos/kubeadm/bootstrap/controller.py

@@ -0,0 +1,447 @@
+#!/usr/bin/env python3
+import argparse
+import base64
+import json
+import os
+import shlex
+import subprocess
+import sys
+import time
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from pathlib import Path
+
+
+def run_local(cmd, check=True, capture=False):
+    if isinstance(cmd, str):
+        shell = True
+    else:
+        shell = False
+    return subprocess.run(
+        cmd,
+        shell=shell,
+        check=check,
+        text=True,
+        capture_output=capture,
+    )
+
+
+def load_inventory(inventory_file):
+    inventory_file = Path(inventory_file).resolve()
+    if not inventory_file.exists():
+        raise RuntimeError(f"Missing inventory file: {inventory_file}")
+    cmd = (
+        "set -a; "
+        f"source {shlex.quote(str(inventory_file))}; "
+        "python3 - <<'PY'\n"
+        "import json, os\n"
+        "print(json.dumps(dict(os.environ)))\n"
+        "PY"
+    )
+    proc = run_local(["bash", "-lc", cmd], capture=True)
+    env = json.loads(proc.stdout)
+
+    node_ips = {}
+    cp_names = []
+    wk_names = []
+
+    control_planes = env.get("CONTROL_PLANES", "").strip()
+    workers = env.get("WORKERS", "").strip()
+
+    if control_planes:
+        for pair in control_planes.split():
+            name, ip = pair.split("=", 1)
+            node_ips[name] = ip
+            cp_names.append(name)
+    else:
+        for key in sorted(k for k in env if k.startswith("CP_") and k[3:].isdigit()):
+            idx = key.split("_", 1)[1]
+            name = f"cp-{idx}"
+            node_ips[name] = env[key]
+            cp_names.append(name)
+
+    if workers:
+        for pair in workers.split():
+            name, ip = pair.split("=", 1)
+            node_ips[name] = ip
+            wk_names.append(name)
+    else:
+        for key in sorted(k for k in env if k.startswith("WK_") and k[3:].isdigit()):
+            idx = key.split("_", 1)[1]
+            name = f"wk-{idx}"
+            node_ips[name] = env[key]
+            wk_names.append(name)
+
+    if not cp_names or not wk_names:
+        raise RuntimeError("Inventory must include control planes and workers")
+
+    primary_cp = env.get("PRIMARY_CONTROL_PLANE", "cp-1")
+    if primary_cp not in node_ips:
+        primary_cp = cp_names[0]
+
+    return {
+        "env": env,
+        "node_ips": node_ips,
+        "cp_names": cp_names,
+        "wk_names": wk_names,
+        "primary_cp": primary_cp,
+        "inventory_file": str(inventory_file),
+    }
+
+
+class Controller:
+    def __init__(self, cfg):
+        self.env = cfg["env"]
+        self.node_ips = cfg["node_ips"]
+        self.cp_names = cfg["cp_names"]
+        self.wk_names = cfg["wk_names"]
+        self.primary_cp = cfg["primary_cp"]
+        self.primary_ip = self.node_ips[self.primary_cp]
+
+        self.script_dir = Path(__file__).resolve().parent
+        self.flake_dir = Path(self.env.get("FLAKE_DIR") or (self.script_dir.parent)).resolve()
+
+        self.ssh_user = self.env.get("SSH_USER", "micqdf")
+        self.ssh_candidates = self.env.get("SSH_USER_CANDIDATES", f"root {self.ssh_user}").split()
+        self.active_ssh_user = self.ssh_user
+        self.ssh_key = self.env.get("SSH_KEY_PATH", str(Path.home() / ".ssh" / "id_ed25519"))
+        self.ssh_opts = [
+            "-o",
+            "BatchMode=yes",
+            "-o",
+            "IdentitiesOnly=yes",
+            "-o",
+            "StrictHostKeyChecking=no",
+            "-o",
+            "UserKnownHostsFile=/dev/null",
+            "-i",
+            self.ssh_key,
+        ]
+
+        self.rebuild_timeout = self.env.get("REBUILD_TIMEOUT", "45m")
+        self.rebuild_retries = int(self.env.get("REBUILD_RETRIES", "2"))
+        self.worker_parallelism = int(self.env.get("WORKER_PARALLELISM", "3"))
+        self.fast_mode = self.env.get("FAST_MODE", "1")
+        self.skip_rebuild = self.env.get("SKIP_REBUILD", "0") == "1"
+        self.force_reinit = True
+        self.ssh_ready_retries = int(self.env.get("SSH_READY_RETRIES", "20"))
+        self.ssh_ready_delay = int(self.env.get("SSH_READY_DELAY_SEC", "15"))
+
+    def log(self, msg):
+        print(f"==> {msg}")
+
+    def _ssh(self, user, ip, cmd, check=True):
+        full = ["ssh", *self.ssh_opts, f"{user}@{ip}", f"bash -lc {shlex.quote(cmd)}"]
+        return run_local(full, check=check, capture=True)
+
+    def detect_user(self, ip):
+        for attempt in range(1, self.ssh_ready_retries + 1):
+            for user in self.ssh_candidates:
+                proc = self._ssh(user, ip, "true", check=False)
+                if proc.returncode == 0:
+                    self.active_ssh_user = user
+                    self.log(f"Using SSH user '{user}' for {ip}")
+                    return
+            if attempt < self.ssh_ready_retries:
+                self.log(
+                    f"SSH not ready on {ip} yet; retrying in {self.ssh_ready_delay}s "
+                    f"({attempt}/{self.ssh_ready_retries})"
+                )
+                time.sleep(self.ssh_ready_delay)
+        raise RuntimeError(
+            "Unable to authenticate to "
+            f"{ip} with users: {', '.join(self.ssh_candidates)}. "
+            "If this is a freshly cloned VM, the Proxmox source template likely does not yet include the "
+            "current cloud-init-capable NixOS template configuration from nixos/template-base. "
+            "Terraform can only clone what exists in Proxmox; it cannot retrofit cloud-init support into an old template."
+        )
+
+    def remote(self, ip, cmd, check=True):
+        ordered = [self.active_ssh_user] + [u for u in self.ssh_candidates if u != self.active_ssh_user]
+        last = None
+        for user in ordered:
+            proc = self._ssh(user, ip, cmd, check=False)
+            if proc.returncode == 0:
+                self.active_ssh_user = user
+                return proc
+            if proc.returncode != 255:
+                last = proc
+                break
+            last = proc
+        if check:
+            stdout = (last.stdout or "").strip()
+            stderr = (last.stderr or "").strip()
+            raise RuntimeError(f"Remote command failed on {ip}: {cmd}\n{stdout}\n{stderr}")
+        return last
+
+    def prepare_known_hosts(self):
+        pass
+
+    def prepare_remote_nix(self, ip):
+        self.remote(ip, "sudo mkdir -p /etc/nix")
+        self.remote(ip, "if [ -f /etc/nix/nix.conf ]; then sudo sed -i '/^trusted-users[[:space:]]*=/d' /etc/nix/nix.conf; fi")
+        self.remote(ip, "echo 'trusted-users = root micqdf' | sudo tee -a /etc/nix/nix.conf >/dev/null")
+        self.remote(ip, "sudo systemctl restart nix-daemon 2>/dev/null || true")
+
+    def prepare_remote_kubelet(self, ip):
+        self.remote(ip, "sudo systemctl stop kubelet >/dev/null 2>&1 || true")
+        self.remote(ip, "sudo systemctl disable kubelet >/dev/null 2>&1 || true")
+        self.remote(ip, "sudo systemctl mask kubelet >/dev/null 2>&1 || true")
+        self.remote(ip, "sudo systemctl reset-failed kubelet >/dev/null 2>&1 || true")
+        self.remote(ip, "sudo rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env || true")
+
+    def prepare_remote_space(self, ip):
+        self.remote(ip, "sudo nix-collect-garbage -d || true")
+        self.remote(ip, "sudo nix --extra-experimental-features nix-command store gc || true")
+        self.remote(ip, "sudo rm -rf /tmp/nix* /tmp/nixos-rebuild* || true")
+
+    def rebuild_node_once(self, name, ip):
+        self.detect_user(ip)
+        cmd = [
+            "timeout",
+            self.rebuild_timeout,
+            "nixos-rebuild",
+            "switch",
+            "--flake",
+            f"{self.flake_dir}#{name}",
+            "--target-host",
+            f"{self.active_ssh_user}@{ip}",
+            "--use-remote-sudo",
+        ]
+        env = os.environ.copy()
+        env["NIX_SSHOPTS"] = " ".join(self.ssh_opts)
+        proc = subprocess.run(cmd, text=True, env=env)
+        return proc.returncode == 0
+
+    def rebuild_with_retry(self, name, ip):
+        max_attempts = self.rebuild_retries + 1
+        for attempt in range(1, max_attempts + 1):
+            self.log(f"Rebuild attempt {attempt}/{max_attempts} for {name}")
+            if self.rebuild_node_once(name, ip):
+                return
+            if attempt < max_attempts:
+                self.log(f"Rebuild failed for {name}, retrying in 20s")
+                time.sleep(20)
+        raise RuntimeError(f"Rebuild failed permanently for {name}")
+
+    def stage_preflight(self):
+        self.prepare_known_hosts()
+        self.detect_user(self.primary_ip)
+
+    def stage_rebuild(self):
+        if self.skip_rebuild:
+            self.log("Node rebuild already complete")
+            return
+
+        self.detect_user(self.primary_ip)
+        for name in self.cp_names:
+            ip = self.node_ips[name]
+            self.log(f"Preparing and rebuilding {name} ({ip})")
+            self.prepare_remote_nix(ip)
+            self.prepare_remote_kubelet(ip)
+            if self.fast_mode != "1":
+                self.prepare_remote_space(ip)
+            self.rebuild_with_retry(name, ip)
+
+        for name in self.wk_names:
+            ip = self.node_ips[name]
+            self.log(f"Preparing {name} ({ip})")
+            self.prepare_remote_nix(ip)
+            self.prepare_remote_kubelet(ip)
+            if self.fast_mode != "1":
+                self.prepare_remote_space(ip)
+
+        failures = []
+        with ThreadPoolExecutor(max_workers=self.worker_parallelism) as pool:
+            futures = {pool.submit(self.rebuild_with_retry, name, self.node_ips[name]): name for name in self.wk_names}
+            for fut in as_completed(futures):
+                name = futures[fut]
+                try:
+                    fut.result()
+                except Exception as exc:
+                    failures.append((name, str(exc)))
+        if failures:
+            raise RuntimeError(f"Worker rebuild failures: {failures}")
+
+    def has_admin_conf(self):
+        return self.remote(self.primary_ip, "sudo test -f /etc/kubernetes/admin.conf", check=False).returncode == 0
+
+    def cluster_ready(self):
+        cmd = "sudo test -f /etc/kubernetes/admin.conf && sudo kubectl --kubeconfig /etc/kubernetes/admin.conf get --raw=/readyz >/dev/null 2>&1"
+        return self.remote(self.primary_ip, cmd, check=False).returncode == 0
+
+    def stage_init_primary(self):
+        self.log(f"Initializing primary control plane on {self.primary_cp}")
+        self.remote(self.primary_ip, "sudo th-kubeadm-init")
+
+    def stage_install_cni(self):
+        self.log("Installing Flannel")
+        manifest_path = self.script_dir.parent / "manifests" / "kube-flannel.yml"
+        manifest_b64 = base64.b64encode(manifest_path.read_bytes()).decode()
+
+        self.remote(
+            self.primary_ip,
+            (
+                "sudo mkdir -p /var/lib/terrahome && "
+                f"echo {shlex.quote(manifest_b64)} | base64 -d | sudo tee /var/lib/terrahome/kube-flannel.yml >/dev/null"
+            ),
+        )
+
+        self.log("Waiting for API readiness before applying Flannel")
+        ready = False
+        for _ in range(30):
+            if self.cluster_ready():
+                ready = True
+                break
+            time.sleep(10)
+        if not ready:
+            raise RuntimeError("API server did not become ready before Flannel install")
+
+        last_error = None
+        for attempt in range(1, 6):
+            proc = self.remote(
+                self.primary_ip,
+                "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f /var/lib/terrahome/kube-flannel.yml",
+                check=False,
+            )
+            if proc.returncode == 0:
+                return
+            last_error = (proc.stdout or "") + ("\n" if proc.stdout and proc.stderr else "") + (proc.stderr or "")
+            self.log(f"Flannel apply attempt {attempt}/5 failed; retrying in 15s")
+            time.sleep(15)
+
+        raise RuntimeError(f"Flannel apply failed after retries\n{last_error or ''}")
+
+    def cluster_has_node(self, name):
+        cmd = f"sudo kubectl --kubeconfig /etc/kubernetes/admin.conf get node {shlex.quote(name)} >/dev/null 2>&1"
+        return self.remote(self.primary_ip, cmd, check=False).returncode == 0
+
+    def build_join_cmds(self):
+        join_cmd = self.remote(
+            self.primary_ip,
+            "sudo KUBECONFIG=/etc/kubernetes/admin.conf kubeadm token create --print-join-command",
+        ).stdout.strip()
+        cert_key = self.remote(
+            self.primary_ip,
+            "sudo KUBECONFIG=/etc/kubernetes/admin.conf kubeadm init phase upload-certs --upload-certs | tail -n 1",
+        ).stdout.strip()
+        cp_join = f"{join_cmd} --control-plane --certificate-key {cert_key}"
+        return join_cmd, cp_join
+
+    def stage_join_control_planes(self):
+        _, cp_join = self.build_join_cmds()
+        for node in self.cp_names:
+            if node == self.primary_cp:
+                continue
+            if self.cluster_has_node(node):
+                self.log(f"{node} already joined")
+                continue
+            self.log(f"Joining control plane {node}")
+            ip = self.node_ips[node]
+            node_join = f"{cp_join} --node-name {node} --ignore-preflight-errors=NumCPU,HTTPProxyCIDR"
+            self.remote(ip, f"sudo th-kubeadm-join-control-plane {shlex.quote(node_join)}")
+
+    def stage_join_workers(self):
+        join_cmd, _ = self.build_join_cmds()
+        for node in self.wk_names:
+            if self.cluster_has_node(node):
+                self.log(f"{node} already joined")
+                continue
+            self.log(f"Joining worker {node}")
+            ip = self.node_ips[node]
+            node_join = f"{join_cmd} --node-name {node} --ignore-preflight-errors=HTTPProxyCIDR"
+            self.remote(ip, f"sudo th-kubeadm-join-worker {shlex.quote(node_join)}")
+
+    def stage_verify(self):
+        self.log("Final node verification")
+        try:
+            self.remote(
+                self.primary_ip,
+                "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel rollout status ds/kube-flannel-ds --timeout=10m",
+            )
+        except Exception:
+            self.log("Flannel rollout failed; collecting diagnostics")
+            proc = self.remote(
+                self.primary_ip,
+                "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel get ds -o wide || true",
+                check=False,
+            )
+            print(proc.stdout)
+            proc = self.remote(
+                self.primary_ip,
+                "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel get pods -o wide || true",
+                check=False,
+            )
+            print(proc.stdout)
+            proc = self.remote(
+                self.primary_ip,
+                "for p in $(sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel get pods -o name 2>/dev/null); do echo \"--- describe $p ---\"; sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel describe $p || true; done",
+                check=False,
+            )
+            print(proc.stdout)
+            proc = self.remote(
+                self.primary_ip,
+                "for p in $(sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel get pods -o name 2>/dev/null); do echo \"--- logs $p kube-flannel ---\"; sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel logs $p -c kube-flannel --tail=120 || true; echo \"--- logs $p install-cni-plugin ---\"; sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel logs $p -c install-cni-plugin --tail=120 || true; echo \"--- logs $p install-cni ---\"; sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel logs $p -c install-cni --tail=120 || true; done",
+                check=False,
+            )
+            print(proc.stdout)
+            proc = self.remote(
+                self.primary_ip,
+                "for p in $(sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel get pods -o name 2>/dev/null); do sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-flannel logs --tail=120 $p || true; done",
+                check=False,
+            )
+            print(proc.stdout)
+            raise
+        self.remote(
+            self.primary_ip,
+            "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf wait --for=condition=Ready nodes --all --timeout=10m",
+        )
+        proc = self.remote(self.primary_ip, "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf get nodes -o wide")
+        print(proc.stdout)
+
+    def reconcile(self):
+        self.stage_preflight()
+        self.stage_rebuild()
+        self.stage_init_primary()
+        self.stage_install_cni()
+        self.stage_join_control_planes()
+        self.stage_join_workers()
+        self.stage_verify()
+
+
+def main():
+    parser = argparse.ArgumentParser(description="TerraHome kubeadm bootstrap controller")
+    parser.add_argument("command", choices=[
+        "reconcile",
+        "preflight",
+        "rebuild",
+        "init-primary",
+        "install-cni",
+        "join-control-planes",
+        "join-workers",
+        "verify",
+    ])
+    parser.add_argument("--inventory", default=str(Path(__file__).resolve().parent.parent / "scripts" / "inventory.env"))
+    args = parser.parse_args()
+
+    cfg = load_inventory(args.inventory)
+    ctl = Controller(cfg)
+
+    dispatch = {
+        "reconcile": ctl.reconcile,
+        "preflight": ctl.stage_preflight,
+        "rebuild": ctl.stage_rebuild,
+        "init-primary": ctl.stage_init_primary,
+        "install-cni": ctl.stage_install_cni,
+        "join-control-planes": ctl.stage_join_control_planes,
+        "join-workers": ctl.stage_join_workers,
+        "verify": ctl.stage_verify,
+    }
+    try:
+        dispatch[args.command]()
+    except Exception as exc:
+        print(f"ERROR: {exc}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

nixos/kubeadm/manifests/kube-flannel.yml

@@ -0,0 +1,212 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: kube-flannel
+  labels:
+    k8s-app: flannel
+    pod-security.kubernetes.io/enforce: privileged
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+- kind: ServiceAccount
+  name: flannel
+  namespace: kube-flannel
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+  namespace: kube-flannel
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: kube-flannel-cfg
+  namespace: kube-flannel
+  labels:
+    tier: node
+    k8s-app: flannel
+    app: flannel
+data:
+  cni-conf.json: |
+    {
+      "name": "cbr0",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "flannel",
+          "delegate": {
+            "hairpinMode": true,
+            "isDefaultGateway": true
+          }
+        },
+        {
+          "type": "portmap",
+          "capabilities": {
+            "portMappings": true
+          }
+        }
+      ]
+    }
+  net-conf.json: |
+    {
+      "Network": "10.244.0.0/16",
+      "EnableNFTables": false,
+      "Backend": {
+        "Type": "vxlan"
+      }
+    }
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-flannel-ds
+  namespace: kube-flannel
+  labels:
+    tier: node
+    app: flannel
+    k8s-app: flannel
+spec:
+  selector:
+    matchLabels:
+      app: flannel
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: flannel
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      serviceAccountName: flannel
+      initContainers:
+      - name: install-cni-plugin
+        image: docker.io/flannel/flannel-cni-plugin:v1.5.1-flannel1
+        command:
+        - cp
+        args:
+        - -f
+        - /flannel
+        - /opt/cni/bin/flannel
+        volumeMounts:
+        - name: cni-plugin
+          mountPath: /opt/cni/bin
+      - name: install-cni
+        image: docker.io/flannel/flannel:v0.25.5
+        command:
+        - cp
+        args:
+        - -f
+        - /etc/kube-flannel/cni-conf.json
+        - /etc/cni/net.d/10-flannel.conflist
+        volumeMounts:
+        - name: cni
+          mountPath: /etc/cni/net.d
+        - name: flannel-cfg
+          mountPath: /etc/kube-flannel/
+      containers:
+      - name: kube-flannel
+        image: docker.io/flannel/flannel:v0.25.5
+        command:
+        - /opt/bin/flanneld
+        args:
+        - --ip-masq
+        - --kube-subnet-mgr
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "50Mi"
+        securityContext:
+          privileged: false
+          capabilities:
+            add: ["NET_ADMIN", "NET_RAW"]
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
+        volumeMounts:
+        - name: run
+          mountPath: /run/flannel
+        - name: flannel-cfg
+          mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
+      volumes:
+      - name: run
+        hostPath:
+          path: /run/flannel
+          type: DirectoryOrCreate
+      - name: cni-plugin
+        hostPath:
+          path: /opt/cni/bin
+          type: DirectoryOrCreate
+      - name: cni
+        hostPath:
+          path: /etc/cni/net.d
+          type: DirectoryOrCreate
+      - name: flannel-cfg
+        configMap:
+          name: kube-flannel-cfg
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate

nixos/kubeadm/modules/k8s-common.nix

@@ -59,6 +59,21 @@ in
     KbdInteractiveAuthentication = false;
   };
 
+  users.users.micqdf = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  nix.settings.trusted-users = [ "root" "micqdf" ];
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 3d";
+  };
+  nix.settings.auto-optimise-store = true;
+
   environment.variables = {
     KUBECONFIG = "/etc/kubernetes/admin.conf";
     KUBE_VIP_IMAGE = kubeVipImage;
@@ -85,11 +100,23 @@ in
     (pkgs.writeShellScriptBin "th-kubeadm-init" ''
       set -euo pipefail
 
+      unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY
+
       iface="${config.terrahome.kubeadm.controlPlaneInterface}"
+      if ! ip link show "$iface" >/dev/null 2>&1; then
+        iface="$(ip -o -4 route show to default | awk 'NR==1 {print $5}')"
+      fi
+
+      if [ -z "''${iface:-}" ]; then
+        echo "Could not determine network interface for kube-vip"
+        exit 1
+      fi
+
       suffix="${toString config.terrahome.kubeadm.controlPlaneVipSuffix}"
       pod_subnet="${config.terrahome.kubeadm.podSubnet}"
       service_subnet="${config.terrahome.kubeadm.serviceSubnet}"
       domain="${config.terrahome.kubeadm.clusterDomain}"
+      node_name="${config.networking.hostName}"
 
       local_ip_cidr=$(ip -4 -o addr show dev "$iface" | awk 'NR==1 {print $4}')
       if [ -z "''${local_ip_cidr:-}" ]; then
@@ -102,25 +129,164 @@ in
 
       echo "Using control-plane endpoint: $vip:6443"
       echo "Using kube-vip interface: $iface"
+      echo "Using kubeadm node name: $node_name"
+
+      hostname "$node_name" || true
+
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
+      systemctl unmask kubelet || true
+      systemctl stop kubelet || true
+      systemctl reset-failed kubelet || true
+      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm reset -f || true
+      rm -f /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf
+      rm -f /var/lib/kubelet/kubeconfig /var/lib/kubelet/instance-config.yaml
+      rm -rf /var/lib/kubelet/pki
+
+      systemctl daemon-reload
+      systemctl unmask kubelet || true
+      systemctl enable kubelet || true
+
+      echo "==> Ensuring containerd is running"
+      systemctl start containerd || true
+      sleep 2
+      if ! systemctl is-active containerd; then
+        echo "ERROR: containerd not running"
+        journalctl -xeu containerd --no-pager -n 30
+        exit 1
+      fi
 
       mkdir -p /etc/kubernetes/manifests
-      ctr image pull "$KUBE_VIP_IMAGE"
+      mkdir -p /tmp/kubeadm
+      cat > /tmp/kubeadm/init-config.yaml << 'KUBEADMCONFIG'
+      apiVersion: kubeadm.k8s.io/v1beta4
+      kind: InitConfiguration
+      nodeRegistration:
+        name: "KUBEADM_NODE_NAME"
+        criSocket: unix:///run/containerd/containerd.sock
+        kubeletExtraArgs:
+          - name: hostname-override
+            value: "KUBEADM_NODE_NAME"
+      ---
+      apiVersion: kubeadm.k8s.io/v1beta4
+      kind: ClusterConfiguration
+      controlPlaneEndpoint: "KUBEADM_ENDPOINT"
+      networking:
+        podSubnet: "KUBEADM_POD_SUBNET"
+        serviceSubnet: "KUBEADM_SERVICE_SUBNET"
+        dnsDomain: "KUBEADM_DNS_DOMAIN"
+      KUBEADMCONFIG
 
-      ctr run --rm --net-host "$KUBE_VIP_IMAGE" kube-vip /kube-vip manifest pod \
+      sed -i "s|KUBEADM_ENDPOINT|$vip:6443|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_POD_SUBNET|$pod_subnet|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_SERVICE_SUBNET|$service_subnet|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_DNS_DOMAIN|$domain|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_NODE_NAME|$node_name|g" /tmp/kubeadm/init-config.yaml
+
+      echo "==> Pre-pulling kubeadm images"
+      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm config images pull --config /tmp/kubeadm/init-config.yaml || true
+
+      echo "==> Creating kube-vip static pod manifest"
+      ctr image pull "${kubeVipImage}"
+      ctr run --rm --net-host "${kubeVipImage}" kube-vip-manifest /kube-vip manifest pod \
+        --log 4 \
         --interface "$iface" \
         --address "$vip" \
         --controlplane \
-        --services \
         --arp \
-        --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
-      kubeadm init \
-        --control-plane-endpoint "$vip:6443" \
+      # kube-vip bootstrap workaround for Kubernetes >=1.29.
+      # During early kubeadm phases, super-admin.conf is available before admin.conf is fully usable.
+      sed -i 's#path: /etc/kubernetes/admin.conf#path: /etc/kubernetes/super-admin.conf#' /etc/kubernetes/manifests/kube-vip.yaml || true
+      echo "==> kube-vip manifest kubeconfig mount"
+      grep -E 'mountPath:|path:' /etc/kubernetes/manifests/kube-vip.yaml | grep -E 'kubernetes/(admin|super-admin)\.conf' || true
+
+      KUBEADM_INIT_LOG=/tmp/kubeadm-init.log
+      if ! env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm init \
+        --config /tmp/kubeadm/init-config.yaml \
         --upload-certs \
-        --pod-network-cidr "$pod_subnet" \
-        --service-cidr "$service_subnet" \
-        --service-dns-domain "$domain"
+        --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 2>&1 | tee "$KUBEADM_INIT_LOG"; then
+        if grep -q "error writing CRISocket for this node: nodes" "$KUBEADM_INIT_LOG" && [ -f /etc/kubernetes/admin.conf ]; then
+          echo "==> kubeadm hit CRISocket race; waiting for node registration"
+          echo "==> forcing kubelet restart to pick bootstrap flags"
+          systemctl daemon-reload || true
+          systemctl restart kubelet || true
+          sleep 3
+          echo "==> kubelet bootstrap flags"
+          cat /var/lib/kubelet/kubeadm-flags.env || true
+          registered=0
+          for i in $(seq 1 60); do
+            if KUBECONFIG=/etc/kubernetes/admin.conf kubectl get node "$node_name" >/dev/null 2>&1; then
+              echo "==> node $node_name registered; uploading kubelet config"
+              env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm init phase upload-config kubelet --config /tmp/kubeadm/init-config.yaml
+              registered=1
+              break
+            fi
+            sleep 2
+          done
+          if [ "$registered" -ne 1 ]; then
+            echo "==> node $node_name did not register after kubeadm init failure"
+            KUBECONFIG=/etc/kubernetes/admin.conf kubectl get nodes -o wide || true
+            echo "==> kubelet logs (registration hints)"
+            journalctl -u kubelet --no-pager -n 120 | grep -Ei "register|node|bootstrap|certificate|forbidden|unauthorized|refused|x509" || true
+            exit 1
+          fi
+        else
+          echo "==> kubeadm init failed, checking pod status:"
+          crictl pods || true
+          crictl ps -a || true
+          echo "==> kube-vip containers:"
+          crictl ps -a --name kube-vip || true
+          echo "==> kube-vip logs:"
+          for container_id in $(crictl ps -a --name kube-vip -q 2>/dev/null); do
+            echo "--- kube-vip container $container_id ---"
+            crictl logs "$container_id" 2>/dev/null || true
+            crictl inspect "$container_id" 2>/dev/null | jq -r '.status | "exitCode=\(.exitCode) reason=\(.reason // "") message=\(.message // "")"' || true
+          done
+          echo "==> Checking if VIP is bound:"
+          ip -4 addr show | grep "$vip" || echo "VIP NOT BOUND"
+          echo "==> kubelet logs:"
+          journalctl -xeu kubelet --no-pager -n 50
+          exit 1
+        fi
+      fi
+
+      echo "==> Waiting for kube-vip to claim VIP $vip"
+      for i in $(seq 1 90); do
+        if ip -4 addr show | grep -q "$vip"; then
+          echo "==> VIP $vip is bound"
+          break
+        fi
+        if [ "$i" -eq 90 ]; then
+          echo "==> ERROR: VIP not bound after 3 minutes"
+          crictl ps -a --name kube-vip || true
+          for container_id in $(crictl ps -a --name kube-vip -q 2>/dev/null); do
+            echo "--- kube-vip container $container_id ---"
+            crictl logs "$container_id" 2>/dev/null || true
+          done
+          exit 1
+        fi
+        sleep 2
+      done
+
+      echo "==> Waiting for API server to be ready"
+      for i in $(seq 1 60); do
+        if curl -sk "https://$vip:6443/healthz" 2>/dev/null | grep -q "ok"; then
+          echo "==> API server is healthy"
+          break
+        fi
+        if [ "$i" -eq 60 ]; then
+          echo "==> ERROR: API server not healthy after 2 minutes"
+          crictl pods || true
+          crictl ps -a || true
+          exit 1
+        fi
+        sleep 2
+      done
+
+      # Switch kube-vip to normal admin.conf after bootstrap finishes.
+      sed -i 's#path: /etc/kubernetes/super-admin.conf#path: /etc/kubernetes/admin.conf#' /etc/kubernetes/manifests/kube-vip.yaml || true
 
       mkdir -p /root/.kube
       cp /etc/kubernetes/admin.conf /root/.kube/config
@@ -134,12 +300,22 @@ in
 
     (pkgs.writeShellScriptBin "th-kubeadm-join-control-plane" ''
       set -euo pipefail
+      unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY
       if [ "$#" -lt 1 ]; then
         echo "Usage: th-kubeadm-join-control-plane '<kubeadm join ... --control-plane --certificate-key ...>'"
         exit 1
       fi
 
       iface="${config.terrahome.kubeadm.controlPlaneInterface}"
+      if ! ip link show "$iface" >/dev/null 2>&1; then
+        iface="$(ip -o -4 route show to default | awk 'NR==1 {print $5}')"
+      fi
+
+      if [ -z "''${iface:-}" ]; then
+        echo "Could not determine network interface for kube-vip"
+        exit 1
+      fi
+
       suffix="${toString config.terrahome.kubeadm.controlPlaneVipSuffix}"
       local_ip_cidr=$(ip -4 -o addr show dev "$iface" | awk 'NR==1 {print $4}')
       if [ -z "''${local_ip_cidr:-}" ]; then
@@ -151,26 +327,49 @@ in
       vip="$subnet_prefix.$suffix"
 
       mkdir -p /etc/kubernetes/manifests
-      ctr image pull "$KUBE_VIP_IMAGE"
-      ctr run --rm --net-host "$KUBE_VIP_IMAGE" kube-vip /kube-vip manifest pod \
+      ctr image pull "${kubeVipImage}"
+      ctr run --rm --net-host "${kubeVipImage}" kube-vip /kube-vip manifest pod \
+        --log 4 \
         --interface "$iface" \
         --address "$vip" \
         --controlplane \
-        --services \
         --arp \
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+      rm -f /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf
+      rm -f /var/lib/kubelet/kubeconfig /var/lib/kubelet/instance-config.yaml
+      rm -rf /var/lib/kubelet/pki
+
+      systemctl unmask kubelet || true
+      systemctl stop kubelet || true
+      systemctl enable kubelet || true
+      systemctl reset-failed kubelet || true
+      systemctl daemon-reload
+      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm reset -f || true
       eval "$1"
     '')
 
     (pkgs.writeShellScriptBin "th-kubeadm-join-worker" ''
       set -euo pipefail
+      unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY
       if [ "$#" -lt 1 ]; then
         echo "Usage: th-kubeadm-join-worker '<kubeadm join ...>'"
         exit 1
       fi
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+      rm -f /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf
+      rm -f /var/lib/kubelet/kubeconfig /var/lib/kubelet/instance-config.yaml
+      rm -rf /var/lib/kubelet/pki
+
+      systemctl unmask kubelet || true
+      systemctl stop kubelet || true
+      systemctl enable kubelet || true
+      systemctl reset-failed kubelet || true
+      systemctl daemon-reload
+      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm reset -f || true
       eval "$1"
     '')
 
@@ -185,18 +384,37 @@ in
   systemd.services.kubelet = {
     description = "Kubernetes Kubelet";
     wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.util-linux ];
     wants = [ "network-online.target" ];
     after = [ "containerd.service" "network-online.target" ];
     serviceConfig = {
-      ExecStart = "${pinnedK8s}/bin/kubelet";
-      Restart = "always";
+      Environment = [
+        "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+        "KUBELET_KUBEADM_ARGS="
+        "KUBELET_EXTRA_ARGS="
+      ];
+      EnvironmentFile = [
+        "-/var/lib/kubelet/kubeadm-flags.env"
+        "-/etc/default/kubelet"
+      ];
+      ExecStart = "${pinnedK8s}/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf \$KUBELET_CONFIG_ARGS \$KUBELET_KUBEADM_ARGS \$KUBELET_EXTRA_ARGS";
+      Restart = "on-failure";
       RestartSec = "10";
     };
+    unitConfig = {
+      ConditionPathExists = "/var/lib/kubelet/config.yaml";
+      ConditionPathExistsGlob = "/etc/kubernetes/*kubelet.conf";
+    };
   };
 
   systemd.tmpfiles.rules = [
     "d /etc/kubernetes 0755 root root -"
     "d /etc/kubernetes/manifests 0755 root root -"
+    "d /etc/cni/net.d 0755 root root -"
+    "d /opt/cni/bin 0755 root root -"
+    "d /run/flannel 0755 root root -"
+    "d /var/lib/kubelet 0755 root root -"
+    "d /var/lib/kubelet/pki 0755 root root -"
   ];
   };
 }

nixos/kubeadm/scripts/discover-inventory-from-ssh.py

@@ -0,0 +1,182 @@
+#!/usr/bin/env python3
+
+import concurrent.futures
+import ipaddress
+import json
+import os
+import subprocess
+import sys
+from typing import Dict, Set, Tuple
+
+
+def derive_prefix(payload: dict) -> str:
+    explicit = os.environ.get("KUBEADM_SUBNET_PREFIX", "").strip()
+    if explicit:
+        return explicit
+
+    for key in ("control_plane_vm_ipv4", "worker_vm_ipv4"):
+        values = payload.get(key, {}).get("value", {})
+        for ip in values.values():
+            if ip:
+                parts = ip.split(".")
+                if len(parts) == 4:
+                    return ".".join(parts[:3])
+
+    return "10.27.27"
+
+
+def ssh_probe(ip: str, users: list[str], key_path: str, timeout_sec: int) -> Tuple[str, str, str] | None:
+    cmd_tail = [
+        "-o",
+        "BatchMode=yes",
+        "-o",
+        "IdentitiesOnly=yes",
+        "-o",
+        "StrictHostKeyChecking=accept-new",
+        "-o",
+        f"ConnectTimeout={timeout_sec}",
+        "-i",
+        key_path,
+    ]
+    for user in users:
+        cmd = [
+            "ssh",
+            *cmd_tail,
+            f"{user}@{ip}",
+            "hn=$(hostnamectl --static 2>/dev/null || hostname); serial=$(cat /sys/class/dmi/id/product_serial 2>/dev/null || true); printf '%s|%s\n' \"$hn\" \"$serial\"",
+        ]
+        try:
+            out = subprocess.check_output(cmd, stderr=subprocess.DEVNULL, text=True, timeout=timeout_sec + 2).strip()
+        except Exception:
+            continue
+        if out:
+            line = out.splitlines()[0].strip()
+            if "|" in line:
+                host, serial = line.split("|", 1)
+            else:
+                host, serial = line, ""
+            return host.strip(), ip, serial.strip()
+    return None
+
+
+def build_inventory(names: Set[str], found: Dict[str, str], ssh_user: str) -> str:
+    cp = sorted([n for n in names if n.startswith("cp-")], key=lambda x: int(x.split("-")[1]))
+    wk = sorted([n for n in names if n.startswith("wk-")], key=lambda x: int(x.split("-")[1]))
+
+    cp_pairs = " ".join(f"{n}={found[n]}" for n in cp)
+    wk_pairs = " ".join(f"{n}={found[n]}" for n in wk)
+    primary = cp[0] if cp else "cp-1"
+
+    return "\n".join(
+        [
+            f"SSH_USER={ssh_user}",
+            f"PRIMARY_CONTROL_PLANE={primary}",
+            f'CONTROL_PLANES="{cp_pairs}"',
+            f'WORKERS="{wk_pairs}"',
+            "",
+        ]
+    )
+
+
+def main() -> int:
+    payload = json.load(sys.stdin)
+
+    cp_names = set(payload.get("control_plane_vm_ids", {}).get("value", {}).keys())
+    wk_names = set(payload.get("worker_vm_ids", {}).get("value", {}).keys())
+    target_names = cp_names | wk_names
+    if not target_names:
+        raise SystemExit("Could not determine target node names from Terraform outputs")
+
+    ssh_user = os.environ.get("KUBEADM_SSH_USER", "").strip() or "micqdf"
+    users = [u for u in os.environ.get("SSH_USER_CANDIDATES", f"{ssh_user} root").split() if u]
+    key_path = os.environ.get("SSH_KEY_PATH", os.path.expanduser("~/.ssh/id_ed25519"))
+    timeout_sec = int(os.environ.get("SSH_DISCOVERY_TIMEOUT_SEC", "6"))
+    max_workers = int(os.environ.get("SSH_DISCOVERY_WORKERS", "32"))
+
+    prefix = derive_prefix(payload)
+    start = int(os.environ.get("KUBEADM_SUBNET_START", "2"))
+    end = int(os.environ.get("KUBEADM_SUBNET_END", "254"))
+    vip_suffix = int(os.environ.get("KUBEADM_CONTROL_PLANE_VIP_SUFFIX", "250"))
+
+    def is_vip_ip(ip: str) -> bool:
+        try:
+            return int(ip.split(".")[-1]) == vip_suffix
+        except Exception:
+            return False
+
+    scan_ips = [
+        str(ipaddress.IPv4Address(f"{prefix}.{i}"))
+        for i in range(start, end + 1)
+        if i != vip_suffix
+    ]
+    found: Dict[str, str] = {}
+    vmid_to_name: Dict[str, str] = {}
+    for name, vmid in payload.get("control_plane_vm_ids", {}).get("value", {}).items():
+        vmid_to_name[str(vmid)] = name
+    for name, vmid in payload.get("worker_vm_ids", {}).get("value", {}).items():
+        vmid_to_name[str(vmid)] = name
+
+    seen_hostnames: Dict[str, str] = {}
+    seen_ips: Dict[str, Tuple[str, str]] = {}
+
+    def run_pass(pass_timeout: int, pass_workers: int) -> None:
+        with concurrent.futures.ThreadPoolExecutor(max_workers=pass_workers) as pool:
+            futures = [pool.submit(ssh_probe, ip, users, key_path, pass_timeout) for ip in scan_ips]
+            for fut in concurrent.futures.as_completed(futures):
+                result = fut.result()
+                if not result:
+                    continue
+                host, ip, serial = result
+                if host not in seen_hostnames:
+                    seen_hostnames[host] = ip
+                if ip not in seen_ips:
+                    seen_ips[ip] = (host, serial)
+                target = None
+                if serial in vmid_to_name:
+                    inferred = vmid_to_name[serial]
+                    target = inferred
+                elif host in target_names:
+                    target = host
+
+                if target:
+                    existing = found.get(target)
+                    if existing is None or (is_vip_ip(existing) and not is_vip_ip(ip)):
+                        found[target] = ip
+                if all(name in found for name in target_names):
+                    return
+
+    run_pass(timeout_sec, max_workers)
+    if not all(name in found for name in target_names):
+        # Slower second pass for busy runners/networks.
+        run_pass(max(timeout_sec + 2, 8), max(8, max_workers // 2))
+
+    # Heuristic fallback: if nodes still missing, assign from remaining SSH-reachable
+    # IPs not already used, ordered by IP. This helps when cloned nodes temporarily
+    # share a generic hostname (e.g. "flex") and DMI serial mapping is unavailable.
+    missing = sorted([n for n in target_names if n not in found])
+    if missing:
+        used_ips = set(found.values())
+        candidates = sorted(ip for ip in seen_ips.keys() if ip not in used_ips)
+        if len(candidates) >= len(missing):
+            for name, ip in zip(missing, candidates):
+                found[name] = ip
+
+    missing = sorted([n for n in target_names if n not in found])
+    if missing:
+        discovered = ", ".join(sorted(seen_hostnames.keys())[:20])
+        if discovered:
+            sys.stderr.write(f"Discovered hostnames during scan: {discovered}\n")
+        if seen_ips:
+            sample = ", ".join(f"{ip}={meta[0]}" for ip, meta in list(sorted(seen_ips.items()))[:20])
+            sys.stderr.write(f"SSH-reachable IPs: {sample}\n")
+        raise SystemExit(
+            "Failed SSH-based IP discovery for nodes: " + ", ".join(missing) +
+            f" (scanned {prefix}.{start}-{prefix}.{end})"
+        )
+
+    sys.stdout.write(build_inventory(target_names, found, ssh_user))
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

nixos/kubeadm/scripts/rebuild-and-bootstrap.sh

@@ -2,8 +2,8 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-FLAKE_DIR="${FLAKE_DIR:-$(cd "$SCRIPT_DIR/.." && pwd)}"
 INVENTORY_FILE="${1:-$SCRIPT_DIR/inventory.env}"
+CONTROLLER="$SCRIPT_DIR/../bootstrap/controller.py"
 
 if [ ! -f "$INVENTORY_FILE" ]; then
   echo "Missing inventory file: $INVENTORY_FILE"
@@ -11,179 +11,4 @@ if [ ! -f "$INVENTORY_FILE" ]; then
   exit 1
 fi
 
-# shellcheck disable=SC1090
-source "$INVENTORY_FILE"
-
-SSH_USER="${SSH_USER:-micqdf}"
-SSH_KEY_PATH="${SSH_KEY_PATH:-$HOME/.ssh/id_ed25519}"
-SSH_OPTS="${SSH_OPTS:--o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -i $SSH_KEY_PATH}"
-
-declare -A NODE_IPS=()
-declare -a CP_NAMES=()
-declare -a WK_NAMES=()
-
-add_node_pair() {
-  local role="$1"
-  local pair="$2"
-  local name="${pair%%=*}"
-  local ip="${pair#*=}"
-
-  if [ -z "$name" ] || [ -z "$ip" ] || [ "$name" = "$ip" ]; then
-    echo "Invalid node pair '$pair' (expected name=ip)."
-    exit 1
-  fi
-
-  NODE_IPS["$name"]="$ip"
-  if [ "$role" = "cp" ]; then
-    CP_NAMES+=("$name")
-  else
-    WK_NAMES+=("$name")
-  fi
-}
-
-populate_nodes() {
-  if [ -n "${CONTROL_PLANES:-}" ]; then
-    for pair in $CONTROL_PLANES; do
-      add_node_pair "cp" "$pair"
-    done
-  else
-    while IFS= read -r var_name; do
-      idx="${var_name#CP_}"
-      add_node_pair "cp" "cp-$idx=${!var_name}"
-    done < <(compgen -A variable | grep -E '^CP_[0-9]+$' | sort -V)
-  fi
-
-  if [ -n "${WORKERS:-}" ]; then
-    for pair in $WORKERS; do
-      add_node_pair "wk" "$pair"
-    done
-  else
-    while IFS= read -r var_name; do
-      idx="${var_name#WK_}"
-      add_node_pair "wk" "wk-$idx=${!var_name}"
-    done < <(compgen -A variable | grep -E '^WK_[0-9]+$' | sort -V)
-  fi
-
-  if [ "${#CP_NAMES[@]}" -eq 0 ]; then
-    echo "No control planes found in inventory."
-    exit 1
-  fi
-
-  if [ "${#WK_NAMES[@]}" -eq 0 ]; then
-    echo "No workers found in inventory."
-    exit 1
-  fi
-}
-
-remote() {
-  local host_ip="$1"
-  local cmd="$2"
-  ssh $SSH_OPTS "$SSH_USER@$host_ip" "$cmd"
-}
-
-prepare_known_hosts() {
-  mkdir -p "$HOME/.ssh"
-  chmod 700 "$HOME/.ssh"
-  touch "$HOME/.ssh/known_hosts"
-  chmod 600 "$HOME/.ssh/known_hosts"
-
-  for node in "${!NODE_IPS[@]}"; do
-    ssh-keygen -R "${NODE_IPS[$node]}" >/dev/null 2>&1 || true
-    ssh-keyscan -H "${NODE_IPS[$node]}" >> "$HOME/.ssh/known_hosts" 2>/dev/null || true
-  done
-}
-
-cluster_has_node() {
-  local node_name="$1"
-  remote "$PRIMARY_CP_IP" "sudo kubectl --kubeconfig /etc/kubernetes/admin.conf get node $node_name >/dev/null 2>&1"
-}
-
-cluster_ready() {
-  remote "$PRIMARY_CP_IP" "test -f /etc/kubernetes/admin.conf && sudo kubectl --kubeconfig /etc/kubernetes/admin.conf get nodes >/dev/null 2>&1"
-}
-
-rebuild_node() {
-  local node_name="$1"
-  local node_ip="$2"
-
-  echo "==> Rebuilding $node_name on $node_ip"
-  nixos-rebuild switch \
-    --flake "$FLAKE_DIR#$node_name" \
-    --target-host "$SSH_USER@$node_ip" \
-    --use-remote-sudo
-}
-
-populate_nodes
-prepare_known_hosts
-export NIX_SSHOPTS="$SSH_OPTS"
-
-PRIMARY_CONTROL_PLANE="${PRIMARY_CONTROL_PLANE:-cp-1}"
-if [ -z "${NODE_IPS[$PRIMARY_CONTROL_PLANE]:-}" ]; then
-  PRIMARY_CONTROL_PLANE="${CP_NAMES[0]}"
-fi
-PRIMARY_CP_IP="${NODE_IPS[$PRIMARY_CONTROL_PLANE]}"
-
-for node in "${CP_NAMES[@]}"; do
-  rebuild_node "$node" "${NODE_IPS[$node]}"
-done
-
-for node in "${WK_NAMES[@]}"; do
-  rebuild_node "$node" "${NODE_IPS[$node]}"
-done
-
-echo "==> Initializing control plane on $PRIMARY_CONTROL_PLANE"
-if cluster_ready; then
-  echo "==> Existing cluster detected on $PRIMARY_CONTROL_PLANE; skipping kubeadm init"
-else
-  remote "$PRIMARY_CP_IP" "sudo th-kubeadm-init"
-
-  echo "==> Installing Cilium on $PRIMARY_CONTROL_PLANE"
-  remote "$PRIMARY_CP_IP" "helm repo add cilium https://helm.cilium.io >/dev/null 2>&1 || true"
-  remote "$PRIMARY_CP_IP" "helm repo update >/dev/null"
-  remote "$PRIMARY_CP_IP" "kubectl create namespace kube-system >/dev/null 2>&1 || true"
-  remote "$PRIMARY_CP_IP" "helm upgrade --install cilium cilium/cilium --namespace kube-system --set kubeProxyReplacement=true"
-fi
-
-echo "==> Building kubeadm join commands"
-JOIN_CMD="$(remote "$PRIMARY_CP_IP" "sudo kubeadm token create --print-join-command")"
-CERT_KEY="$(remote "$PRIMARY_CP_IP" "sudo kubeadm init phase upload-certs --upload-certs | tail -n 1")"
-CP_JOIN_CMD="$JOIN_CMD --control-plane --certificate-key $CERT_KEY"
-
-join_control_plane() {
-  local node_ip="$1"
-  local encoded
-  encoded="$(printf '%s' "$CP_JOIN_CMD" | base64 -w0)"
-  remote "$node_ip" "sudo th-kubeadm-join-control-plane \"\$(echo $encoded | base64 -d)\""
-}
-
-join_worker() {
-  local node_ip="$1"
-  local encoded
-  encoded="$(printf '%s' "$JOIN_CMD" | base64 -w0)"
-  remote "$node_ip" "sudo th-kubeadm-join-worker \"\$(echo $encoded | base64 -d)\""
-}
-
-echo "==> Joining remaining control planes"
-for node in "${CP_NAMES[@]}"; do
-  if [ "$node" = "$PRIMARY_CONTROL_PLANE" ]; then
-    continue
-  fi
-
-  if cluster_has_node "$node"; then
-    echo "$node already joined; skipping"
-  else
-    join_control_plane "${NODE_IPS[$node]}"
-  fi
-done
-
-echo "==> Joining workers"
-for node in "${WK_NAMES[@]}"; do
-  if cluster_has_node "$node"; then
-    echo "$node already joined; skipping"
-  else
-    join_worker "${NODE_IPS[$node]}"
-  fi
-done
-
-echo "==> Final node list"
-remote "$PRIMARY_CP_IP" "kubectl get nodes -o wide"
+python3 "$CONTROLLER" reconcile --inventory "$INVENTORY_FILE"

nixos/kubeadm/scripts/render-inventory-from-tf-output.py

@@ -18,6 +18,28 @@ def map_to_pairs(items: dict[str, str]) -> str:
     return " ".join(f"{k}={v}" for k, v in ordered)
 
 
+def require_non_empty_ips(label: str, items: dict[str, str]) -> dict[str, str]:
+    cleaned: dict[str, str] = {}
+    missing: list[str] = []
+
+    for name, ip in items.items():
+        ip_value = (ip or "").strip()
+        if not ip_value:
+            missing.append(name)
+            continue
+        cleaned[name] = ip_value
+
+    if missing:
+        names = ", ".join(sorted(missing, key=natural_key))
+        raise SystemExit(
+            f"Missing IPv4 addresses for {label}: {names}. "
+            "Terraform outputs are present but empty. "
+            "This usually means Proxmox guest IP discovery is unavailable for these VMs yet."
+        )
+
+    return cleaned
+
+
 def main() -> int:
     payload = json.load(sys.stdin)
 
@@ -27,6 +49,9 @@ def main() -> int:
     if not cp_map or not wk_map:
         raise SystemExit("Missing control_plane_vm_ipv4 or worker_vm_ipv4 in terraform output")
 
+    cp_map = require_non_empty_ips("control planes", cp_map)
+    wk_map = require_non_empty_ips("workers", wk_map)
+
     ssh_user = os.environ.get("KUBEADM_SSH_USER", "").strip() or "micqdf"
 
     print(f"SSH_USER={ssh_user}")

nixos/kubeadm/scripts/reset-cluster-nodes.sh

@@ -16,6 +16,7 @@ source "$INVENTORY_FILE"
 SSH_USER="${SSH_USER:-micqdf}"
 SSH_KEY_PATH="${SSH_KEY_PATH:-$HOME/.ssh/id_ed25519}"
 SSH_OPTS="${SSH_OPTS:--o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -i $SSH_KEY_PATH}"
+SSH_USER_CANDIDATES="${SSH_USER_CANDIDATES:-root $SSH_USER}"
 
 declare -A NODE_IPS=()
 
@@ -59,6 +60,22 @@ if [ "${#NODE_IPS[@]}" -eq 0 ]; then
   exit 1
 fi
 
+detect_ssh_user() {
+  local probe_ip="$1"
+  local candidate
+
+  for candidate in $SSH_USER_CANDIDATES; do
+    if ssh $SSH_OPTS "$candidate@$probe_ip" "true" >/dev/null 2>&1; then
+      ACTIVE_SSH_USER="$candidate"
+      echo "==> Using SSH user '$ACTIVE_SSH_USER'"
+      return 0
+    fi
+  done
+
+  echo "Unable to authenticate to $probe_ip with candidates: $SSH_USER_CANDIDATES"
+  return 1
+}
+
 mkdir -p "$HOME/.ssh"
 chmod 700 "$HOME/.ssh"
 touch "$HOME/.ssh/known_hosts"
@@ -72,9 +89,16 @@ reset_node() {
   local node_name="$1"
   local node_ip="$2"
   echo "==> Resetting $node_name ($node_ip)"
-  ssh $SSH_OPTS "$SSH_USER@$node_ip" "sudo kubeadm reset -f && sudo systemctl stop kubelet && sudo rm -rf /etc/kubernetes /var/lib/etcd /var/lib/cni /etc/cni/net.d"
+  local cmd="sudo kubeadm reset -f && sudo systemctl stop kubelet && sudo rm -rf /etc/kubernetes /var/lib/etcd /var/lib/cni /etc/cni/net.d"
+  local quoted_cmd
+  quoted_cmd="$(printf '%q' "$cmd")"
+  ssh $SSH_OPTS "$ACTIVE_SSH_USER@$node_ip" "bash -lc $quoted_cmd"
 }
 
+FIRST_NODE_IP="${NODE_IPS[$(printf '%s\n' "${!NODE_IPS[@]}" | sort -V | head -n1)]}"
+ACTIVE_SSH_USER="$SSH_USER"
+detect_ssh_user "$FIRST_NODE_IP"
+
 while IFS= read -r node_name; do
   reset_node "$node_name" "${NODE_IPS[$node_name]}"
 done < <(printf '%s\n' "${!NODE_IPS[@]}" | sort -V)

nixos/template-base/README.md

@@ -1,17 +1,16 @@
-# NixOS Proxmox Template Base
+# NixOS Proxmox k8s-base Template
 
-This folder contains a minimal NixOS base config you can copy into a new
+This folder contains a Kubernetes-ready NixOS base config for your Proxmox
 template VM build.
 
 ## Files
 
-- `flake.nix`: pins `nixos-24.11` and exposes one host config.
-- `configuration.nix`: base settings for Proxmox guest use.
+- `flake.nix`: pins `nixos-25.05` and exposes one host config.
+- `configuration.nix`: k8s-base settings for Proxmox guests.
 
 ## Before first apply
 
-1. Replace `REPLACE_WITH_YOUR_SSH_PUBLIC_KEY` in `configuration.nix`.
-2. Add `hardware-configuration.nix` from the VM install:
+1. Add `hardware-configuration.nix` from the VM install:
    - `nixos-generate-config --root /`
    - copy `/etc/nixos/hardware-configuration.nix` next to `configuration.nix`
 
@@ -23,5 +22,6 @@ sudo nixos-rebuild switch --flake .#template
 
 ## Notes
 
-- This is intentionally minimal and avoids cloud-init assumptions.
-- If you want host-specific settings, create additional modules and import them.
+- This pre-installs heavy shared Kubernetes dependencies (containerd + kube tools)
+  to reduce per-node bootstrap time.
+- Cloud-init still injects the runtime SSH key and per-node hostname/IP.

nixos/template-base/configuration.nix

@@ -1,12 +1,17 @@
 { lib, pkgs, ... }:
 
+let
+  pinnedK8s = lib.attrByPath [ "kubernetes_1_31" ] pkgs.kubernetes pkgs;
+in
+
 {
   imports =
     lib.optional (builtins.pathExists ./hardware-configuration.nix)
       ./hardware-configuration.nix;
 
-  networking.hostName = "nixos-template";
+  networking.hostName = "k8s-base-template";
   networking.useDHCP = lib.mkDefault true;
+  networking.useNetworkd = true;
   networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
 
   boot.loader.systemd-boot.enable = lib.mkForce false;
@@ -16,14 +21,40 @@
   };
 
   services.qemuGuest.enable = true;
+  services.cloud-init.enable = true;
+  services.cloud-init.network.enable = true;
   services.openssh.enable = true;
-  services.tailscale.enable = true;
   services.openssh.settings = {
     PasswordAuthentication = false;
     KbdInteractiveAuthentication = false;
     PermitRootLogin = "prohibit-password";
   };
 
+  boot.kernelModules = [ "overlay" "br_netfilter" ];
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.bridge.bridge-nf-call-iptables" = 1;
+    "net.bridge.bridge-nf-call-ip6tables" = 1;
+  };
+
+  virtualisation.containerd.enable = true;
+  virtualisation.containerd.settings = {
+    plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = true;
+  };
+
+  swapDevices = lib.mkForce [ ];
+
+  nix.settings = {
+    trusted-users = [ "root" "micqdf" ];
+    auto-optimise-store = true;
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 3d";
+  };
+
   programs.fish.enable = true;
 
   users.users.micqdf = {
@@ -36,16 +67,27 @@
 
   environment.systemPackages = with pkgs; [
     btop
+    cni-plugins
+    conntrack-tools
+    containerd
+    cri-tools
     curl
     dig
+    ebtables
+    ethtool
     eza
     fd
     fzf
     git
     htop
+    iproute2
+    iptables
+    ipvsadm
     jq
+    kubernetes-helm
+    pinnedK8s
     ripgrep
-    tailscale
+    socat
     tree
     unzip
     vim

nixos/template-base/flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1767313136,
+        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nixos/template-base/flake.nix

@@ -1,8 +1,8 @@
 {
-  description = "Base NixOS config for Proxmox template";
+  description = "Kubernetes-ready NixOS base template";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
   };
 
   outputs = { nixpkgs, ... }: {

terraform/main.tf

@@ -9,6 +9,15 @@ terraform {
   }
 }
 
+locals {
+  control_plane_ipconfig = [
+    for ip in var.control_plane_ips : "ip=${ip}/${var.network_prefix_length},gw=${var.network_gateway}"
+  ]
+  worker_ipconfig = [
+    for ip in var.worker_ips : "ip=${ip}/${var.network_prefix_length},gw=${var.network_gateway}"
+  ]
+}
+
 provider "proxmox" {
   pm_api_url          = var.pm_api_url
   pm_api_token_id     = var.pm_api_token_id
@@ -24,7 +33,7 @@ resource "proxmox_vm_qemu" "control_planes" {
   clone            = var.clone_template
   full_clone       = true
   os_type          = "cloud-init"
-  agent            = 1
+  agent            = var.qemu_agent_enabled ? 1 : 0
   automatic_reboot = true
 
   cpu {
@@ -35,7 +44,7 @@ resource "proxmox_vm_qemu" "control_planes" {
   scsihw    = "virtio-scsi-pci"
   boot      = "order=scsi0"
   bootdisk  = "scsi0"
-  ipconfig0 = "ip=dhcp"
+  ipconfig0 = local.control_plane_ipconfig[count.index]
   ciuser    = "micqdf"
   sshkeys   = var.SSH_KEY_PUBLIC
 
@@ -66,10 +75,7 @@ resource "proxmox_vm_qemu" "control_planes" {
   }
 
   lifecycle {
-    ignore_changes = [
-      ciuser,
-      sshkeys,
-    ]
+    ignore_changes = all
   }
 }
 
@@ -82,7 +88,7 @@ resource "proxmox_vm_qemu" "workers" {
   clone            = var.clone_template
   full_clone       = true
   os_type          = "cloud-init"
-  agent            = 1
+  agent            = var.qemu_agent_enabled ? 1 : 0
   automatic_reboot = true
 
   cpu {
@@ -93,7 +99,7 @@ resource "proxmox_vm_qemu" "workers" {
   scsihw    = "virtio-scsi-pci"
   boot      = "order=scsi0"
   bootdisk  = "scsi0"
-  ipconfig0 = "ip=dhcp"
+  ipconfig0 = local.worker_ipconfig[count.index]
   ciuser    = "micqdf"
   sshkeys   = var.SSH_KEY_PUBLIC
 
@@ -124,9 +130,6 @@ resource "proxmox_vm_qemu" "workers" {
   }
 
   lifecycle {
-    ignore_changes = [
-      ciuser,
-      sshkeys,
-    ]
+    ignore_changes = all
   }
 }

terraform/outputs.tf

@@ -11,8 +11,8 @@ output "control_plane_vm_names" {
 
 output "control_plane_vm_ipv4" {
   value = {
-    for vm in proxmox_vm_qemu.control_planes :
-    vm.name => vm.default_ipv4_address
+    for i in range(var.control_plane_count) :
+    proxmox_vm_qemu.control_planes[i].name => var.control_plane_ips[i]
   }
 }
 
@@ -29,7 +29,7 @@ output "worker_vm_names" {
 
 output "worker_vm_ipv4" {
   value = {
-    for vm in proxmox_vm_qemu.workers :
-    vm.name => vm.default_ipv4_address
+    for i in range(var.worker_count) :
+    proxmox_vm_qemu.workers[i].name => var.worker_ips[i]
   }
 }

terraform/terraform.tfvars

@@ -1,5 +1,5 @@
 target_node     = "flex"
-clone_template  = "nixos-template"
+clone_template  = "k8s-base-template"
 bridge          = "vmbr0"
 storage         = "Flash"
 pm_api_url      = "https://100.105.0.115:8006/api2/json"
@@ -12,8 +12,14 @@ worker_vmid_start        = 711
 
 control_plane_cores     = 1
 control_plane_memory_mb = 4096
-control_plane_disk_size = "40G"
+control_plane_disk_size = "80G"
 
 worker_cores     = [4, 4, 4]
 worker_memory_mb = [12288, 12288, 12288]
-worker_disk_size = "60G"
+worker_disk_size = "120G"
+
+network_prefix_length = 10
+network_gateway       = "10.27.27.1"
+
+control_plane_ips = ["10.27.27.50", "10.27.27.51", "10.27.27.49"]
+worker_ips        = ["10.27.27.47", "10.27.27.46", "10.27.27.48"]

terraform/variables.tf

@@ -77,16 +77,50 @@ variable "worker_memory_mb" {
 
 variable "control_plane_disk_size" {
   type        = string
-  default     = "40G"
+  default     = "80G"
   description = "Disk size for control plane VMs"
 }
 
 variable "worker_disk_size" {
   type        = string
-  default     = "60G"
+  default     = "120G"
   description = "Disk size for worker VMs"
 }
 
+variable "network_prefix_length" {
+  type        = number
+  default     = 10
+  description = "CIDR prefix length for static VM addresses"
+}
+
+variable "network_gateway" {
+  type        = string
+  default     = "10.27.27.1"
+  description = "Gateway for static VM addresses"
+}
+
+variable "control_plane_ips" {
+  type        = list(string)
+  default     = ["10.27.27.50", "10.27.27.51", "10.27.27.49"]
+  description = "Static IPv4 addresses for control plane VMs"
+
+  validation {
+    condition     = length(var.control_plane_ips) == 3
+    error_message = "control_plane_ips must contain exactly 3 IPs."
+  }
+}
+
+variable "worker_ips" {
+  type        = list(string)
+  default     = ["10.27.27.47", "10.27.27.46", "10.27.27.48"]
+  description = "Static IPv4 addresses for worker VMs"
+
+  validation {
+    condition     = length(var.worker_ips) == 3
+    error_message = "worker_ips must contain exactly 3 IPs."
+  }
+}
+
 variable "bridge" {
   type = string
 }
@@ -99,6 +133,12 @@ variable "pm_api_url" {
   type = string
 }
 
+variable "qemu_agent_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable QEMU guest agent integration in Proxmox resources"
+}
+
 variable "SSH_KEY_PUBLIC" {
   type        = string
   description = "Public SSH key injected via cloud-init"