diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 87bf0c0..6fdf512 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -2,11 +2,8 @@ name: CI - Validation on: push: - branches: - - '**' - - '!main' # Exclude main branch (CD workflow handles it) + branches: ['**'] # All branches pull_request: - workflow_call: # Allow this workflow to be called by other workflows jobs: ci-terraform: @@ -45,33 +42,21 @@ jobs: echo "--- Planning $dir ---" ( cd "$dir" && \ + cp ../terraform.tfvars.example terraform.tfvars && \ tofu init && \ tofu plan -out="tfplan-$(basename $dir)" || echo "WARNING: Plan failed for $(basename $dir) - node may be unavailable" ) fi done env: - TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json" TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }} TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }} - TF_VAR_proxmox_tls_insecure: "true" TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }} - TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }} - TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }} - TF_VAR_k3s_version: "v1.28.5+k3s1" - TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit" - TF_VAR_storage_pool: "linstor_storage" - TF_VAR_snippets_storage: "local" - TF_VAR_k3s_network_bridge: "k3s" - TF_VAR_k3s_gateway: "10.100.20.1" - TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]' - TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }' - TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }' - TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }' + TF_VAR_forgejo_token: ${{ secrets.FORGEJO_TOKEN }} - name: Upload Terraform Plan if: github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tfplans path: terraform/pve*/tfplan-* 
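Review bot: Dropping `workflow_call:` from the `on:` block breaks the new `ci:` job in deploy.yml, which calls this file with `uses: ./.forgejo/workflows/ci.yml`; a workflow can only be reused when it declares that trigger, so the call is rejected and `needs: ci` is never satisfied. Keep the removed line, `workflow_call: # Allow this workflow to be called by other workflows`, alongside the widened `branches: ['**']`. With main no longer excluded, a push to main also appears to run validation twice, once standalone and once through deploy.yml's call; if that is intended, a comment on the `branches:` line saying so would stop the next reader from re-adding the exclusion.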
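Review bot: The new `cp ../terraform.tfvars.example terraform.tfvars` silently overrides the secrets supplied in `env:`: OpenTofu gives `terraform.tfvars` precedence over `TF_VAR_*` environment variables, so the plan runs with the example's placeholder `proxmox_token_id`, `proxmox_token_secret`, `ssh_public_key` and `forgejo_token`, and the `|| echo "WARNING: ..."` then masks the resulting authentication failure. Strip the secret keys when copying, e.g. `grep -vE '^(proxmox_token_id|proxmox_token_secret|ssh_public_key|forgejo_token)[[:space:]]*=' ../terraform.tfvars.example > terraform.tfvars`, or pass those values with `-var`, which outranks the file. The example also carries `proxmox_tls_insecure = true`, so the CI plan now talks to the Proxmox API without certificate verification by way of that file instead of the explicit env entry this hunk removes; a comment on the step would make that deliberate. `forgejo_repo_url` now comes from the example here but from `secrets.FORGEJO_REPO_URL` in deploy.yml, so the uploaded plan and the apply do not see the same inputs.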
diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 45f0716..094f013 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -4,82 +4,23 @@ on: push: branches: - main - workflow_dispatch: + workflow_dispatch: # Allow manual trigger jobs: - ci-terraform: - name: Terraform Validation - runs-on: self-hosted - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup OpenTofu - run: | - if ! command -v tofu &> /dev/null; then - curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7 - fi - - - name: Terraform Format Check - run: | - cd terraform - tofu fmt -check -recursive - continue-on-error: false - - - name: Terraform Validate - run: | - for dir in terraform/pve*; do - if [ -d "$dir" ]; then - echo "--- Validating $dir ---" - (cd "$dir" && tofu init -backend=false && tofu validate) - fi - done - - - name: Terraform Plan - run: | - for dir in terraform/pve*; do - if [ -d "$dir" ]; then - echo "--- Planning $dir ---" - ( - cd "$dir" && \ - tofu init && \ - tofu plan || echo "WARNING: Plan failed for $(basename $dir) - node may be unavailable" - ) - fi - done - env: - TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json" - TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }} - TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }} - TF_VAR_proxmox_tls_insecure: "true" - TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }} - TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }} - TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }} - TF_VAR_k3s_version: "v1.28.5+k3s1" - TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit" - TF_VAR_storage_pool: "linstor_storage" - TF_VAR_snippets_storage: "local" - TF_VAR_k3s_network_bridge: "k3s" - TF_VAR_k3s_gateway: "10.100.20.1" - TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]' - TF_VAR_k3s_token: ${{ secrets.K3S_TOKEN }} - TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "40G" }' - TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "40G" }' - TF_VAR_etcd_witness_config: 
'{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }' + # Run CI first + ci: + uses: ./.forgejo/workflows/ci.yml + secrets: inherit + # Deploy infrastructure in parallel deploy-pve1: name: Deploy on pve1 runs-on: self-hosted - needs: ci-terraform + needs: ci continue-on-error: true steps: - name: Checkout code uses: actions/checkout@v4 - - name: Setup OpenTofu - run: | - if ! command -v tofu &> /dev/null; then - curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7 - fi - name: Terraform Apply on pve1 run: | cd terraform/pve1 @@ -87,18 +28,16 @@ jobs: proxmox_token_id = "${{ secrets.PROXMOX_TOKEN_ID }}" proxmox_token_secret = "${{ secrets.PROXMOX_TOKEN_SECRET }}" ssh_public_key = "${{ secrets.SSH_PUBLIC_KEY }}" - forgejo_token = "${{ secrets.GIT_TOKEN }}" - forgejo_repo_url = "${{ secrets.GIT_REPO_URL }}" - k3s_version = "v1.28.5+k3s1" - k3s_token = "${{ secrets.K3S_TOKEN }}" - ubuntu_template = "ubuntu-2404-cloudinit" - storage_pool = "linstor_storage" - k3s_server_1_storage_pool = "local-nvme" - snippets_storage = "local" - k3s_network_bridge = "k3s" - k3s_gateway = "10.100.20.1" - k3s_dns = ["10.100.20.1", "1.1.1.1"] - k3s_server_1_config = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "40G" } + forgejo_token = "${{ secrets.FORGEJO_TOKEN }}" + forgejo_repo_url = "${{ secrets.FORGEJO_REPO_URL }}" + k3s_version = "v1.28.5+k3s1" + ubuntu_template = "ubuntu-2404-cloudinit" + storage_pool = "linstor_storage" + snippets_storage = "local" + k3s_network_bridge = "k3s" + k3s_gateway = "10.100.20.1" + k3s_dns = ["10.100.20.1", "1.1.1.1"] + k3s_server_1_config = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" } EOF tofu init tofu apply -auto-approve 
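Review bot: Removing the `Setup OpenTofu` step from deploy-pve1 leaves the apply depending on whatever `tofu` happens to be on the self-hosted runner, with no version check, whereas the removed step pinned 1.10.7; even if ci.yml still installs it, that happens in a different job and, in general, on a different runner. Add a guard ahead of the apply, e.g. `- run: command -v tofu >/dev/null || { echo "tofu is not installed on this runner" >&2; exit 1; }` followed by `tofu version`, so a missing or drifted binary fails loudly instead of disappearing behind `continue-on-error: true`. The same removal appears in the deploy-pve2 and deploy-pve3 hunks later on the page, whose text is partly lost in this rendering.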
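Review bot: The heredoc writes `proxmox_token_secret`, `forgejo_token` and the other secrets into `terraform/pve1/terraform.tfvars` inside the checkout on a self-hosted runner, and nothing in the job removes the file afterwards, so it stays in the workspace for whatever runs on that runner next. Add a cleanup step with `if: always()` running `rm -f terraform/pve1/terraform.tfvars`, and run `umask 077` before the `cat` so the file is never group- or world-readable while it exists. The apply also runs `tofu apply -auto-approve` from a fresh `tofu init` rather than from the `tfplan-*` artifact that ci.yml uploads, so the plan that was reviewed is not the one applied; a one-line comment stating that the artifact is informational only would make that explicit.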
@@ -106,35 +45,28 @@ jobs: deploy-pve2: name: Deploy on pve2 runs-on: self-hosted - needs: ci-terraform + needs: ci continue-on-error: true steps: - name: Checkout code uses: actions/checkout@v4 - - name: Setup OpenTofu - run: | - if ! command -v tofu &> /dev/null; then - curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7 - fi - name: Terraform Apply on pve2 run: | cd terraform/pve2 cat > terraform.tfvars < /dev/null; then - curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7 - fi - name: Terraform Apply on pve3 run: | cd terraform/pve3 cat > terraform.tfvars <- + {{ + lookup('file', k3s_token_file, errors='ignore') + | default('PLACEHOLDER') + }} - name: Install K3s as server (witness mode) shell: > diff --git a/ansible/roles/k3s-server/files/k3s-pre-reboot.sh b/ansible/roles/k3s-server/files/k3s-pre-reboot.sh index aa359a0..e7538db 100644 --- a/ansible/roles/k3s-server/files/k3s-pre-reboot.sh +++ b/ansible/roles/k3s-server/files/k3s-pre-reboot.sh @@ -1,13 +1,19 @@ #!/bin/bash +# K3s pre-reboot script +# Drains the node before system reboot to migrate workloads gracefully + set -e +# Only run if k3s is active if systemctl is-active --quiet k3s; then NODE_NAME=$(hostname) echo "$(date): Starting pre-reboot drain for node $NODE_NAME" | logger -t k3s-pre-reboot + # Set KUBECONFIG export KUBECONFIG=/etc/rancher/k3s/k3s.yaml + # Drain the node (migrate pods to other nodes) /usr/local/bin/k3s kubectl drain "$NODE_NAME" \ --ignore-daemonsets \ --delete-emptydir-data \ diff --git a/ansible/roles/k3s-server/tasks/flux.yml b/ansible/roles/k3s-server/tasks/flux.yml index ba8e84a..f7dd1a7 100644 --- a/ansible/roles/k3s-server/tasks/flux.yml +++ b/ansible/roles/k3s-server/tasks/flux.yml 
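Review bot: The added comments restate the statements they sit above (`# Set KUBECONFIG` over `export KUBECONFIG=...`, `# Only run if k3s is active` over the `systemctl is-active` test) and add nothing a reader did not already have; the comment this script actually needs is what `set -e` means for the drain, since a failed drain exits the script non-zero before anything that follows it. A single header line such as `# A failed drain aborts this script (set -e) rather than letting the reboot proceed with pods still scheduled here` would document that contract, if it is the intended one. The `kubectl drain` argument list continues past the hunk, so whether a `--timeout` bounds the drain cannot be confirmed from here.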
@@ -1,4 +1,6 @@ --- +# Install and configure FluxCD + - name: Check if flux is already installed command: k3s kubectl get namespace {{ flux_namespace }} register: flux_installed 
@@ -42,73 +44,9 @@ changed_when: false when: flux_installed.rc != 0 -- name: Load Forgejo token from environment - set_fact: - forgejo_token: "{{ lookup('env', 'FORGEJO_TOKEN') }}" - forgejo_repo_url: "{{ lookup('env', 'REPO_URL') }}" - -- name: Create Forgejo secret for FluxCD - shell: | - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - k3s kubectl create secret generic forgejo-auth \ - --namespace={{ flux_namespace }} \ - --from-literal=username=git \ - --from-literal=password={{ forgejo_token }} \ - --dry-run=client -o yaml | k3s kubectl apply -f - - when: flux_installed.rc != 0 - -- name: Create GitRepository manifest - copy: - dest: /tmp/gitrepository.yaml - content: | - apiVersion: source.toolkit.fluxcd.io/v1 - kind: GitRepository - metadata: - name: infra - namespace: {{ flux_namespace }} - spec: - interval: 1m - url: {{ forgejo_repo_url }} - ref: - branch: main - secretRef: - name: forgejo-auth - mode: '0644' - when: flux_installed.rc != 0 - -- name: Apply GitRepository - shell: | - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - k3s kubectl apply -f /tmp/gitrepository.yaml - when: flux_installed.rc != 0 - -- name: Create Kustomization manifest - copy: - dest: /tmp/kustomization.yaml - content: | - apiVersion: kustomize.toolkit.fluxcd.io/v1 - kind: Kustomization - metadata: - name: apps - namespace: {{ flux_namespace }} - spec: - interval: 1m - sourceRef: - kind: GitRepository - name: infra - path: ./k8s - prune: true - wait: true - mode: '0644' - when: flux_installed.rc != 0 - -- name: Apply Kustomization - shell: | - export KUBECONFIG=/etc/rancher/k3s/k3s.yaml - k3s kubectl apply -f /tmp/kustomization.yaml - when: flux_installed.rc != 0 - - name: Display FluxCD installation status debug: - msg: "FluxCD configured to sync from {{ forgejo_repo_url }}" + msg: >- + FluxCD installed successfully. + Configure GitRepository in kubernetes/flux-system/ when: flux_installed.rc != 0 
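Review bot: The new debug message sends the operator to `kubernetes/flux-system/`, but nothing in this diff creates that directory, and the Kustomization it replaces synced `./k8s`, whose `hello-world` manifests are deleted in this same commit; if the directory is not added elsewhere, the message points at nothing. With the `forgejo-auth` secret and the GitRepository/Kustomization tasks gone, the role now installs Flux but leaves it reconciling nothing until a GitRepository is applied by hand, which belongs in the file's `# Install and configure FluxCD` header as well as in a runtime message. Dropping the shell task that passed `--from-literal=password={{ forgejo_token }}` on a command line is an improvement worth keeping in whatever replaces it.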
diff --git a/ansible/roles/k3s-server/tasks/main.yml b/ansible/roles/k3s-server/tasks/main.yml index 83a50c6..4ddc3d4 100644 --- a/ansible/roles/k3s-server/tasks/main.yml +++ b/ansible/roles/k3s-server/tasks/main.yml @@ -1,4 +1,6 @@ --- +# K3s server installation and configuration + - name: Check if K3s is already installed stat: path: /usr/local/bin/k3s @@ -15,15 +17,10 @@ set_fact: is_first_server: "{{ ansible_default_ipv4.address == k3s_server_1_ip }}" -- name: Load K3s token from environment - set_fact: - k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}" - - name: Install K3s on first server (cluster-init) shell: > curl -sfL {{ k3s_install_url }} | INSTALL_K3S_VERSION="{{ k3s_version }}" - K3S_TOKEN="{{ k3s_token }}" sh -s - server --cluster-init --tls-san {{ k3s_server_1_ip }} @@ -47,13 +44,17 @@ timeout: 300 when: is_first_server -- name: Wait for first server API (second server) - wait_for: - host: "{{ k3s_server_1_ip }}" - port: 6443 - delay: 30 - timeout: 600 - when: not is_first_server +- name: Get K3s token from first server + slurp: + src: /var/lib/rancher/k3s/server/node-token + register: k3s_token_encoded + when: is_first_server + run_once: true + +- name: Save K3s token + set_fact: + k3s_token: "{{ k3s_token_encoded.content | b64decode | trim }}" + when: is_first_server - name: Install K3s on second server (join cluster) shell: > @@ -61,7 +62,7 @@ INSTALL_K3S_VERSION="{{ k3s_version }}" sh -s - server --server https://{{ k3s_server_1_ip }}:6443 - --token {{ k3s_token }} + --token {{ k3s_token | default('PLACEHOLDER') }} --tls-san {{ k3s_server_2_ip }} --write-kubeconfig-mode 644 --disable traefik diff --git a/ansible/site.yml b/ansible/site.yml index 92859c0..51ceac8 100644 --- a/ansible/site.yml +++ b/ansible/site.yml 
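Review bot: The second server can no longer obtain the cluster token: `Get K3s token from first server` and `Save K3s token` both run `when: is_first_server`, and because site.yml runs this playbook through ansible-pull with `hosts: localhost` on each VM, a fact set on the first server is never visible on the second, so the join command in the `@@ -61,7 +62,7 @@` hunk always expands to `--token PLACEHOLDER` and the installer runs with a bogus token (`run_once: true` is likewise a no-op with a single localhost host). Replace the silent fallback with `--token {{ k3s_token | mandatory }}` so the play fails instead of installing with a placeholder, and deliver the token through a channel the second VM can actually read, such as a cloud-init-provisioned file read with `lookup('file', ...)` as the witness role hunk earlier on the page does; that hunk's own `default('PLACEHOLDER')` has the same weakness. Removing the `Wait for first server API` task also means the join is attempted before the first server's port 6443 is reachable, and with `K3S_TOKEN` dropped from the cluster-init hunk the first server now generates its own token, so any file-based distribution has to happen after that step completes.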
@@ -1,10 +1,14 @@ --- +# Main playbook for K3s GitOps infrastructure +# This playbook is executed by ansible-pull on each VM + - name: Configure K3s Infrastructure hosts: localhost connection: local become: true vars: + # Read node role from file created by cloud-init node_role: >- {{ lookup('file', '/etc/node-role', errors='ignore') @@ -30,11 +34,14 @@ cache_valid_time: 3600 roles: + # Common role applies to all nodes - role: common + # K3s server role (server + worker) - role: k3s-server when: node_role == 'server' + # etcd witness role (etcd only, no k8s workloads) - role: etcd-witness when: node_role == 'witness' diff --git a/k8s/hello-world/deployment.yaml b/k8s/hello-world/deployment.yaml deleted file mode 100644 index ea03ea8..0000000 --- a/k8s/hello-world/deployment.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: hello-world - namespace: demo -spec: - replicas: 3 - selector: - matchLabels: - app: hello-world - template: - metadata: - labels: - app: hello-world - spec: - containers: - - name: hello-world - image: bashofmann/rancher-demo:1.0.0 - imagePullPolicy: Always - resources: - requests: - memory: "12Mi" - cpu: "2m" - ports: - - containerPort: 8080 - name: web - env: - - name: COW_COLOR - value: purple - readinessProbe: - httpGet: - path: / - port: web - livenessProbe: - httpGet: - path: / - port: web diff --git a/k8s/hello-world/namespace.yaml b/k8s/hello-world/namespace.yaml deleted file mode 100644 index 18434a6..0000000 --- a/k8s/hello-world/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo diff --git a/k8s/hello-world/service.yaml b/k8s/hello-world/service.yaml deleted file mode 100644 index 56ec09c..0000000 --- a/k8s/hello-world/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: hello-world-service - namespace: demo -spec: - type: LoadBalancer - selector: - app: hello-world - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 diff --git a/snippets/README.md b/snippets/README.md deleted file mode 100644 index 251f895..0000000 --- a/snippets/README.md +++ /dev/null @@ -1,34 +0,0 @@ -# Cloud-Init Snippets pour Proxmox - -## Avant l'upload - -Remplace les placeholders dans chaque fichier YAML : - -- `YOUR_SSH_PUBLIC_KEY` : Ta clé SSH publique -- `YOUR_FORGEJO_REPO_URL` : URL du dépôt Forgejo (ex: https://forgejo.tellserv.fr/Tellsanguis/Homelab.git) -- `YOUR_FORGEJO_TOKEN` : Token Forgejo -- `YOUR_K3S_TOKEN` : Token K3S cluster - -## Upload via interface Proxmox - -### acemagician (k3s-server-1) -1. Proxmox → acemagician → Datacenter → Storage → local -2. Content → Snippets → Upload -3. Upload `cloud-init-k3s-server-1.yaml` - -### elitedesk (k3s-server-2) -1. Proxmox → elitedesk → Datacenter → Storage → local -2. Content → Snippets → Upload -3. Upload `cloud-init-k3s-server-2.yaml` - -### thinkpad (etcd-witness) -1. Proxmox → thinkpad → Datacenter → Storage → local -2. Content → Snippets → Upload -3. Upload `cloud-init-etcd-witness.yaml` - -## Vérification - -Après upload, les fichiers doivent être présents dans : -- `/var/lib/vz/snippets/cloud-init-k3s-server-1.yaml` (acemagician) -- `/var/lib/vz/snippets/cloud-init-k3s-server-2.yaml` (elitedesk) -- `/var/lib/vz/snippets/cloud-init-etcd-witness.yaml` (thinkpad) diff --git a/snippets/cloud-init-etcd-witness.yaml b/snippets/cloud-init-etcd-witness.yaml deleted file mode 100644 index c7b5ccd..0000000 --- a/snippets/cloud-init-etcd-witness.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -package_upgrade: true -packages: - - ansible - - git - - curl - - wget - - ca-certificates - - gnupg - - lsb-release -users: - - name: ansible - sudo: ALL=(ALL) NOPASSWD:ALL - shell: /bin/bash - ssh_authorized_keys: - - YOUR_SSH_PUBLIC_KEY - groups: sudo -timezone: Europe/Paris -write_files: - - path: /etc/node-role - content: witness - permissions: "0644" - - path: /etc/ansible-pull.conf - content: | - REPO_URL=YOUR_FORGEJO_REPO_URL - FORGEJO_TOKEN=YOUR_FORGEJO_TOKEN - K3S_VERSION=v1.28.5+k3s1 - K3S_TOKEN=YOUR_K3S_TOKEN - permissions: "0600" - - path: /usr/local/bin/ansible-pull-wrapper.sh - content: | - #!/bin/bash - set -e - source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL - WORK_DIR="/var/lib/ansible-local" - mkdir -p $WORK_DIR - cd $WORK_DIR - REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|") - if [ -d ".git" ]; then - git pull origin main 2>&1 | logger -t ansible-pull - else - git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull - fi - ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull - permissions: "0755" -runcmd: - - echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull - - sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh & diff --git a/snippets/cloud-init-k3s-server-1.yaml b/snippets/cloud-init-k3s-server-1.yaml deleted file mode 100644 index 4d55fbf..0000000 --- a/snippets/cloud-init-k3s-server-1.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -package_upgrade: true -packages: - - ansible - - git - - curl - - wget - - ca-certificates - - gnupg - - lsb-release -users: - - name: ansible - sudo: ALL=(ALL) NOPASSWD:ALL - shell: /bin/bash - ssh_authorized_keys: - - YOUR_SSH_PUBLIC_KEY - groups: sudo -timezone: Europe/Paris -write_files: - - path: /etc/node-role - content: server - permissions: "0644" - - path: /etc/ansible-pull.conf - content: | - REPO_URL=YOUR_FORGEJO_REPO_URL - FORGEJO_TOKEN=YOUR_FORGEJO_TOKEN - K3S_VERSION=v1.28.5+k3s1 - K3S_TOKEN=YOUR_K3S_TOKEN - permissions: "0600" - - path: /usr/local/bin/ansible-pull-wrapper.sh - content: | - #!/bin/bash - set -e - source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL - WORK_DIR="/var/lib/ansible-local" - mkdir -p $WORK_DIR - cd $WORK_DIR - REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|") - if [ -d ".git" ]; then - git pull origin main 2>&1 | logger -t ansible-pull - else - git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull - fi - ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull - permissions: "0755" -runcmd: - - echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull - - sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh & diff --git a/snippets/cloud-init-k3s-server-2.yaml b/snippets/cloud-init-k3s-server-2.yaml deleted file mode 100644 index 4d55fbf..0000000 --- a/snippets/cloud-init-k3s-server-2.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -package_upgrade: true -packages: - - ansible - - git - - curl - - wget - - ca-certificates - - gnupg - - lsb-release -users: - - name: ansible - sudo: ALL=(ALL) NOPASSWD:ALL - shell: /bin/bash - ssh_authorized_keys: - - YOUR_SSH_PUBLIC_KEY - groups: sudo -timezone: Europe/Paris -write_files: - - path: /etc/node-role - content: server - permissions: "0644" - - path: /etc/ansible-pull.conf - content: | - REPO_URL=YOUR_FORGEJO_REPO_URL - FORGEJO_TOKEN=YOUR_FORGEJO_TOKEN - K3S_VERSION=v1.28.5+k3s1 - K3S_TOKEN=YOUR_K3S_TOKEN - permissions: "0600" - - path: /usr/local/bin/ansible-pull-wrapper.sh - content: | - #!/bin/bash - set -e - source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL - WORK_DIR="/var/lib/ansible-local" - mkdir -p $WORK_DIR - cd $WORK_DIR - REPO_WITH_AUTH=$(echo $REPO_URL | sed "s|https://|https://git:$FORGEJO_TOKEN@|") - if [ -d ".git" ]; then - git pull origin main 2>&1 | logger -t ansible-pull - else - git clone $REPO_WITH_AUTH . 2>&1 | logger -t ansible-pull - fi - ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull - permissions: "0755" -runcmd: - - echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull - - sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh & diff --git a/terraform/pve1/cloud-init.tf b/terraform/pve1/cloud-init.tf index b5ee9ed..3479f34 100644 --- a/terraform/pve1/cloud-init.tf +++ b/terraform/pve1/cloud-init.tf @@ -27,9 +27,6 @@ locals { #!/bin/bash set -e source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL WORK_DIR="/var/lib/ansible-local" mkdir -p $WORK_DIR cd $WORK_DIR 
@@ -51,7 +48,7 @@ locals { }, { path = "/etc/ansible-pull.conf" - content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}" + content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}" permissions = "0600" }, { diff --git a/terraform/pve1/main.tf b/terraform/pve1/main.tf index 3700953..ee89a30 100644 --- a/terraform/pve1/main.tf +++ b/terraform/pve1/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { proxmox = { source = "telmate/proxmox" - version = "3.0.2-rc05" + version = "~> 2.9" } local = { source = "hashicorp/local" @@ -20,44 +20,32 @@ provider "proxmox" { pm_tls_insecure = var.proxmox_tls_insecure } -# K3s Server VM on acemagician +# K3s Server VM on pve1 resource "proxmox_vm_qemu" "k3s_server_1" { - vmid = 1000 name = "k3s-server-1" - target_node = "acemagician" + target_node = "pve1" clone = var.ubuntu_template - full_clone = true - cpu { - cores = var.k3s_server_1_config.cores - sockets = 1 - } - - memory = var.k3s_server_1_config.memory - agent = 1 + cores = var.k3s_server_1_config.cores + sockets = 1 + memory = var.k3s_server_1_config.memory + agent = 1 boot = "order=scsi0" scsihw = "virtio-scsi-single" onboot = true network { - id = 0 model = "virtio" bridge = var.k3s_network_bridge } disk { - slot = "scsi0" + slot = 0 size = var.k3s_server_1_config.disk_size - type = "disk" - storage = var.k3s_server_1_storage_pool - iothread = true - } - - disk { - slot = "ide2" - type = "cloudinit" - storage = var.k3s_server_1_storage_pool + type = "scsi" + storage = var.storage_pool + iothread = 1 } ipconfig0 = "ip=${var.k3s_server_1_config.ip},gw=${var.k3s_gateway}" diff --git a/terraform/pve1/variables.tf b/terraform/pve1/variables.tf index d7ed579..85cab35 100644 --- a/terraform/pve1/variables.tf +++ b/terraform/pve1/variables.tf 
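Review bot: `FORGEJO_TOKEN=${var.forgejo_token}` is now the only secret left in the cloud-init payload, and `permissions = "0600"` only protects the copy written to `/etc/ansible-pull.conf` on the guest; the rendered user-data itself lands on the Proxmox snippets storage and, presumably, in cloud-init's own copies on the guest, where the same value sits in the clear. If the token cannot be moved out of the snippet, at least say so next to the entry, e.g. `# contains the Forgejo token in the clear: keep it read-only on the repo and rotate it on VM rebuild`, so the blast radius of that credential stays deliberately small. The same line appears in the pve2 and pve3 cloud-init.tf hunks further down the page.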
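Review bot: `version = "~> 2.9"` moves from an exact pin to a floating constraint (any 2.9.x up to, but excluding, 3.0), so unless a `.terraform.lock.hcl` is committed for each of pve1/pve2/pve3, a new provider release changes what `tofu apply -auto-approve` in deploy.yml does with no review; keep the constraint and commit the lock file, or pin an exact 2.9.x release. The rewrite also drops the `ide2` cloudinit disk entirely; in the 2.9 provider the cloud-init drive is configured with `cloudinit_cdrom_storage` rather than a `disk` block, and the hunk sets nothing in its place, so unless that argument is set outside the hunk the VM boots without a cloud-init drive and `ipconfig0` has nothing to apply. A comment on the `disk` block naming the provider major version it targets would keep the two schemas from being mixed again. The pve2/main.tf and pve3/main.tf hunks have the same two issues.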
@@ -53,12 +53,6 @@ variable "storage_pool" { type = string } -variable "k3s_server_1_storage_pool" { - description = "Storage pool for k3s-server-1 disk (local-nvme for acemagician)" - type = string - default = "local-nvme" -} - variable "snippets_storage" { description = "Proxmox storage for cloud-init snippets" type = string @@ -88,9 +82,3 @@ variable "k3s_server_1_config" { disk_size = string }) } - -variable "k3s_token" { - description = "K3s cluster token" - type = string - sensitive = true -} diff --git a/terraform/pve2/cloud-init.tf b/terraform/pve2/cloud-init.tf index 0931fc7..2eab5cb 100644 --- a/terraform/pve2/cloud-init.tf +++ b/terraform/pve2/cloud-init.tf @@ -27,9 +27,6 @@ locals { #!/bin/bash set -e source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL WORK_DIR="/var/lib/ansible-local" mkdir -p $WORK_DIR cd $WORK_DIR @@ -51,7 +48,7 @@ locals { }, { path = "/etc/ansible-pull.conf" - content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}" + content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}" permissions = "0600" }, { diff --git a/terraform/pve2/main.tf b/terraform/pve2/main.tf index 22e973d..36975b1 100644 --- a/terraform/pve2/main.tf +++ b/terraform/pve2/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { proxmox = { source = "telmate/proxmox" - version = "3.0.2-rc05" + version = "~> 2.9" } local = { source = "hashicorp/local" 
@@ -20,44 +20,32 @@ provider "proxmox" { pm_tls_insecure = var.proxmox_tls_insecure } -# K3s Server VM on elitedesk +# K3s Server VM on pve2 resource "proxmox_vm_qemu" "k3s_server_2" { - vmid = 1001 name = "k3s-server-2" - target_node = "elitedesk" + target_node = "pve2" clone = var.ubuntu_template - full_clone = true - cpu { - cores = var.k3s_server_2_config.cores - sockets = 1 - } - - memory = var.k3s_server_2_config.memory - agent = 1 + cores = var.k3s_server_2_config.cores + sockets = 1 + memory = var.k3s_server_2_config.memory + agent = 1 boot = "order=scsi0" scsihw = "virtio-scsi-single" onboot = true network { - id = 0 model = "virtio" bridge = var.k3s_network_bridge } disk { - slot = "scsi0" + slot = 0 size = var.k3s_server_2_config.disk_size - type = "disk" - storage = var.k3s_server_2_storage_pool - iothread = true - } - - disk { - slot = "ide2" - type = "cloudinit" - storage = var.k3s_server_2_storage_pool + type = "scsi" + storage = var.storage_pool + iothread = 1 } ipconfig0 = "ip=${var.k3s_server_2_config.ip},gw=${var.k3s_gateway}" diff --git a/terraform/pve2/variables.tf b/terraform/pve2/variables.tf index 7ba47ea..6a90582 100644 --- a/terraform/pve2/variables.tf +++ b/terraform/pve2/variables.tf @@ -53,12 +53,6 @@ variable "storage_pool" { type = string } -variable "k3s_server_2_storage_pool" { - description = "Storage pool for k3s-server-2 disk (local-nvme for elitedesk)" - type = string - default = "local-nvme" -} - variable "snippets_storage" { description = "Proxmox storage for cloud-init snippets" type = string @@ -88,9 +82,3 @@ variable "k3s_server_2_config" { disk_size = string }) } - -variable "k3s_token" { - description = "K3s cluster token" - type = string - sensitive = true -} diff --git a/terraform/pve3/cloud-init.tf b/terraform/pve3/cloud-init.tf index e61efc4..b9e2036 100644 --- a/terraform/pve3/cloud-init.tf +++ b/terraform/pve3/cloud-init.tf 
@@ -27,9 +27,6 @@ locals { #!/bin/bash set -e source /etc/ansible-pull.conf - export K3S_TOKEN - export FORGEJO_TOKEN - export REPO_URL WORK_DIR="/var/lib/ansible-local" mkdir -p $WORK_DIR cd $WORK_DIR @@ -51,7 +48,7 @@ locals { }, { path = "/etc/ansible-pull.conf" - content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}\nK3S_TOKEN=${var.k3s_token}" + content = "REPO_URL=${var.forgejo_repo_url}\nFORGEJO_TOKEN=${var.forgejo_token}\nK3S_VERSION=${var.k3s_version}" permissions = "0600" }, { diff --git a/terraform/pve3/main.tf b/terraform/pve3/main.tf index f9ce1c5..323f68e 100644 --- a/terraform/pve3/main.tf +++ b/terraform/pve3/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { proxmox = { source = "telmate/proxmox" - version = "3.0.2-rc05" + version = "~> 2.9" } local = { source = "hashicorp/local" @@ -20,44 +20,32 @@ provider "proxmox" { pm_tls_insecure = var.proxmox_tls_insecure } -# etcd Witness VM on thinkpad +# etcd Witness VM on pve3 resource "proxmox_vm_qemu" "etcd_witness" { - vmid = 1002 name = "etcd-witness" - target_node = "thinkpad" + target_node = "pve3" clone = var.ubuntu_template - full_clone = true - cpu { - cores = var.etcd_witness_config.cores - sockets = 1 - } - - memory = var.etcd_witness_config.memory - agent = 1 + cores = var.etcd_witness_config.cores + sockets = 1 + memory = var.etcd_witness_config.memory + agent = 1 boot = "order=scsi0" scsihw = "virtio-scsi-single" onboot = true network { - id = 0 model = "virtio" bridge = var.k3s_network_bridge } disk { - slot = "scsi0" + slot = 0 size = var.etcd_witness_config.disk_size - type = "disk" - storage = var.etcd_witness_storage_pool - iothread = true - } - - disk { - slot = "ide2" - type = "cloudinit" - storage = var.etcd_witness_storage_pool + type = "scsi" + storage = var.storage_pool + iothread = 1 } ipconfig0 = "ip=${var.etcd_witness_config.ip},gw=${var.k3s_gateway}" 
diff --git a/terraform/pve3/variables.tf b/terraform/pve3/variables.tf index e2e4d58..afd1599 100644 --- a/terraform/pve3/variables.tf +++ b/terraform/pve3/variables.tf @@ -53,12 +53,6 @@ variable "storage_pool" { type = string } -variable "etcd_witness_storage_pool" { - description = "Proxmox storage pool for etcd witness VM disk (thinkpad uses local storage)" - type = string - default = "local-lvm" -} - variable "snippets_storage" { description = "Proxmox storage for cloud-init snippets" type = string @@ -88,9 +82,3 @@ variable "etcd_witness_config" { disk_size = string }) } - -variable "k3s_token" { - description = "K3s cluster token" - type = string - sensitive = true -} diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example index 06ffcf7..04d0dcc 100644 --- a/terraform/terraform.tfvars.example +++ b/terraform/terraform.tfvars.example 
@@ -1,36 +1,44 @@ +# Copy this file to terraform.tfvars and fill in your values + +# Proxmox Configuration proxmox_api_url = "https://192.168.100.10:8006/api2/json" -proxmox_token_id = "root@pam!opentofu" +proxmox_token_id = "root@pam!terraform" proxmox_token_secret = "your-proxmox-token-secret" proxmox_tls_insecure = true +# SSH Access ssh_public_key = "ssh-ed25519 AAAAC3... your-email@example.com" +# Forgejo Configuration forgejo_token = "your-forgejo-token" forgejo_repo_url = "ssh://git@forgejo.tellserv.fr:222/Tellsanguis/infra.git" +# K3s Version k3s_version = "v1.28.5+k3s1" -k3s_token = "your-k3s-cluster-token" +# Template and Storage ubuntu_template = "ubuntu-2404-cloudinit" storage_pool = "linstor_storage" snippets_storage = "local" +# Network k3s_network_bridge = "k3s" k3s_gateway = "10.100.20.1" k3s_dns = ["10.100.20.1", "1.1.1.1"] +# VM Configurations k3s_server_1_config = { ip = "10.100.20.10/24" cores = 6 memory = 12288 - disk_size = "40G" + disk_size = "100G" } k3s_server_2_config = { ip = "10.100.20.20/24" cores = 6 memory = 12288 - disk_size = "40G" + disk_size = "100G" } etcd_witness_config = {