diff --git a/hosts/bastille/auto-hostname.nix b/hosts/bastille/auto-hostname.nix
new file mode 100644
index 0000000..8ec374d
--- /dev/null
+++ b/hosts/bastille/auto-hostname.nix
@@ -0,0 +1,55 @@
+{ pkgs, lib, ... }:
+let
+ names = import ./blade-names.nix;
+
+ bash-sets = lib.mapAttrsToList (mac: name: "names['${mac}']='${name}'") names;
+
+ auto-hostname = pkgs.writeShellApplication {
+ name = "auto-hostname";
+
+ runtimeInputs = [
+ pkgs.hostname
+ ];
+
+ text = ''
+ if [[ -e "/sys/class/net/eno2/address" ]]; then
+ mac_file="/sys/class/net/eno2/address"
+ else
+ mac_file=/sys/class/net/enp0s25/address
+ fi
+
+ mac=$(cat $mac_file | tr -d '\r\n ')
+
+ declare -A names
+ ${lib.concatLines bash-sets}
+
+ if [[ -v names[$mac] ]]; then
+ name=''${names[$mac]}
+ else
+ name="node-(echo $mac | tr ':' '-')"
+ fi
+
+ echo "mac: '$mac'"
+ echo "name: '$name'"
+
+ hostname "$name"
+ echo "hostname set to '$(hostname)'"
+ '';
+ };
+in {
+ networking.hostName = "";
+
+ systemd.services."auto-hostname" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ unitConfig = {
+ Description = "Automatically set the hostname ";
+ };
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${lib.getExe auto-hostname}";
+ };
+ };
+}
diff --git a/hosts/bastille/blade-names.nix b/hosts/bastille/blade-names.nix
index f656f2d..083cad3 100644
--- a/hosts/bastille/blade-names.nix
+++ b/hosts/bastille/blade-names.nix
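Review bot: In hosts/bastille/auto-hostname.nix the fallback branch assigns `name="node-(echo $mac | tr ':' '-')"` without the `$` that would make it a command substitution, so a blade whose MAC is not listed in blade-names.nix gets that literal text as its name rather than a `node-<mac-with-dashes>` one. The line should read `name="node-$(echo "$mac" | tr ':' '-')"`. `cat $mac_file` a few lines earlier is unquoted as well; `tr -d '\r\n ' < "$mac_file"` does the same read without the extra process.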
@@ -1,16 +1,18 @@
-# keep-sorted start
-[
- "backbiter"
- "damocles"
- "durendal"
- "eyelander"
- "excalibur"
- "gram"
- "gryffindor"
- "kusanagi"
- "narsil"
- "oathbringer"
- "riptide"
- "sting"
-]
-# keep-sorted end
+{
+ # TODO: prospit's a special case and won't remain here forever
+ "d8:9e:f3:3e:f9:41" = "prospit";
+
+ "40:f2:e9:c6:65:5f" = "backbiter";
+ "40:f2:e9:c6:69:43" = "damocles";
+ "40:f2:e9:c6:69:67" = "durendal";
+ "40:f2:e9:c6:74:59" = "eyelander";
+ "40:f2:e9:c6:75:f1" = "excalibur";
+ "40:f2:e9:c6:76:21" = "gram";
+
+ "unassigned-0" = "gryffindor";
+ "unassigned-1" = "kusanagi";
+ "unassigned-2" = "narsil";
+ "unassigned-3" = "oathbringer";
+ "unassigned-4" = "riptide";
+ "unassigned-5" = "sting";
+}
diff --git a/hosts/bastille/blade.nix b/hosts/bastille/blade.nix
new file mode 100644
index 0000000..208bfb9
--- /dev/null
+++ b/hosts/bastille/blade.nix
@@ -0,0 +1,20 @@
+{ modulesPath, pkgs, lib, ... }: {
+ imports = [
+ ./auto-hostname.nix
+ (import ../common/k3s.nix {})
+ ../common/nix.nix
+ ../common/sshd.nix
+ ../common/users-local.nix
+ (modulesPath + "/installer/netboot/netboot-minimal.nix")
+ ];
+
+ # when making the ISO, the initialHashedPassword is set to "" for some reason
+ # we already set a hashed password, so null this
+ users.users.root.initialHashedPassword = lib.mkForce null;
+
+ environment.systemPackages = [
+ pkgs.fastfetch
+ ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/common/k3s.nix b/hosts/common/k3s.nix
new file mode 100644
index 0000000..1ad0ded
--- /dev/null
+++ b/hosts/common/k3s.nix
@@ -0,0 +1,17 @@
+{ role ? "agent", clusterInit ? false }: {
+ networking.firewall.allowedTCPPorts = [
+ 6443
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 8472
+ ];
+
+ services.k3s = {
+ inherit role clusterInit;
+
+ enable = true;
+ token = "garbage secret";
+ serverAddr = "https://10.98.3.2:6443";
+ };
+}
diff --git a/hosts/vesuvius/configuration.nix b/hosts/vesuvius/configuration.nix
index 482f77b..3e9e43a 100644
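Review bot: In hosts/common/k3s.nix, `token = "garbage secret";` commits the cluster join token to the repository and, once evaluated, to the world-readable Nix store of every host that imports the file, including the netboot image built from blade.nix. Setting `services.k3s.tokenFile` to a path provisioned outside the store (by a secrets module such as sops-nix or agenix) keeps it out of both, and the committed value should be rotated. `serverAddr` is also set unconditionally, so the vesuvius import with `clusterInit = true` receives it too and is presumably told to join its own address; `serverAddr = if clusterInit then "" else "https://10.98.3.2:6443";` avoids that if so. The firewall entries open TCP 6443 on agents, which do not serve the API, and UDP 8472 on all interfaces; restricting both to the cluster-facing interface would be tighter.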
--- a/hosts/vesuvius/configuration.nix +++ b/hosts/vesuvius/configuration.nix @@ -2,6 +2,7 @@ { imports = [ ./hardware-configuration.nix + (import ../common/k3s.nix { role = "server"; clusterInit = true; }) ./nix.nix ./zfs.nix ./netboot.nix diff --git a/hosts/vesuvius/netboot.nix b/hosts/vesuvius/netboot.nix index 9222a1c..e0c090c 100644 --- a/hosts/vesuvius/netboot.nix +++ b/hosts/vesuvius/netboot.nix 
@@ -1,38 +1,33 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let - dom_ip = "10.98.2.1"; + dom_ip = "10.98.3.2"; + vlan_router_ip = "10.98.3.1"; + dns_server_ip = "10.98.0.1"; dhcp_iface = "enp1s0f1"; - client_range = "10.98.2.2,10.98.2.100"; + client_range = "10.98.3.3,10.98.3.100"; - sub_image = pkgs.nixos { - imports = [ "${pkgs.path}/nixos/modules/installer/netboot/netboot-minimal.nix" ]; - system.stateVersion = "25.05"; - services.openssh = { - enable = true; - settings.PasswordAuthentication = true; - settings.KbdInteractiveAuthentication = false; - }; + sub_image = lib.nixosSystem { + system = "x86_64-linux"; - users.users.papatux = { - isNormalUser = true; - description = "papatux"; - extraGroups = [ "networkmanager" "wheel" ]; - hashedPassword = "$6$6GnvJWpo8oOWM1tb$GhuldW5iIdS6OuRyq5u1hSSu0VotQCLac7emA.Kui2hWLozR7EIO4Su6PCo5hTRG8iWnAOlGemQVyejIA9l4j/"; - openssh.authorizedKeys.keys = import ../../papatux-keys.nix; - }; + modules = [ + ../bastille/blade.nix + ]; }; - + + blade = sub_image.config.system.build; + ipxe_config = pkgs.writeText "boot.ipxe" '' #!ipxe - kernel http://${dom_ip}:8080/netboot-nixtest/kernel init=/init boot.shell_on_fail - initrd http://${dom_ip}:8080/netboot-nixtest/initrd + kernel http://${dom_ip}:8080/netboot-kernel/bzImage init=${blade.toplevel}/init boot.shell_on_fail + initrd http://${dom_ip}:8080/netboot-initrd/initrd boot ''; webroot = pkgs.linkFarm "netboot" [ - { name = "netboot-nixtest"; path = sub_image.config.system.build.toplevel; } + { name = "netboot-kernel"; path = blade.kernel; } + { name = "netboot-initrd"; path = blade.netbootRamdisk; } { name = "boot.ipxe"; path = ipxe_config; } ]; 
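Review bot: The rewritten `kernel` line in `ipxe_config` keeps `boot.shell_on_fail`, which NixOS documents as offering a root shell with no authentication when stage 1 fails. For blades that now join the cluster it is better left out except while debugging. The kernel and initrd are also served over plain `http://${dom_ip}:8080`, and the image is now built from ../bastille/blade.nix, so anything its imported modules put in the store (the k3s token, and any hashes users-local.nix sets) is likely retrievable by any host that can reach that port. Limiting port 8080 to `dhcp_iface` and keeping secrets out of the image would reduce that exposure. The `let` block continues beyond this hunk.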
@@ -54,14 +49,18 @@ in services.dnsmasq = { enable = true; + settings.domain = "bastille.vtluug.org"; + settings.interface = "${dhcp_iface}"; + settings.bind-interfaces = true; + settings.server = [ "${dns_server_ip}" ]; settings.enable-tftp = true; settings.tftp-root = "${tftproot}"; settings.dhcp-range = "${client_range},12h"; - settings.dhcp-option = [ "option:router,${dom_ip}" ]; + settings.dhcp-option = [ "option:router,${vlan_router_ip}" ]; settings.dhcp-userclass = [ "set:ipxe,iPXE" ]; settings.dhcp-boot = [ "tag:!ipxe,ipxe.efi" - "http://${dom_ip}:8080/boot.ipxe" + "http://${dom_ip}:8080/boot.ipxe" ]; }; @@ -77,4 +76,4 @@ in allowedTCPPorts = [ 8080 ]; allowedUDPPorts = [ 67 69 ]; }; -} \ No newline at end of file +}
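Review bot: With `settings.server` set, dnsmasq forwards DNS and by default advertises itself as the resolver in its DHCP leases, yet the firewall context in the last hunk allows only TCP 8080 and UDP 67 and 69. Unless port 53 is opened elsewhere, client lookups would be dropped; either add `"option:dns-server,${dns_server_ip}"` to `settings.dhcp-option` or open 53 on `dhcp_iface`. Since `bind-interfaces` now confines dnsmasq to `dhcp_iface`, the firewall ports could be scoped the same way under `networking.firewall.interfaces.${dhcp_iface}` if they are currently global; the enclosing attribute is outside the hunk. As a style point, `settings.interface = "${dhcp_iface}";` can be written `settings.interface = dhcp_iface;`.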