diff --git a/bastion/src/cli/src/commands/app.ts b/bastion/src/cli/src/commands/app.ts
index 0684b7e..89ee49f 100644
--- a/bastion/src/cli/src/commands/app.ts
+++ b/bastion/src/cli/src/commands/app.ts
@@ -70,7 +70,7 @@ export function registerAppCommand(program: Command): void {
     .command("install <target>")
     .description("Install k3s on a target machine (hostname, IP, or MAC)")
     .option("--role <role>", "k3s role: infra (server) or worker (agent)", "infra")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
     .option("--k3s-server <url>", "k3s server URL (required for worker role)")
     .option("--k3s-token <token>", "k3s join token (required for worker role)")
     .action(async (target: string, opts: {
@@ -164,7 +164,7 @@ export function registerAppCommand(program: Command): void {
   k3sCmd
     .command("health [target]")
     .description("Check k3s health (all hosts if no target given)")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
     .action(async (target: string | undefined, opts: { user: string }) => {
       const sshKey = findSshKey();
 
@@ -304,7 +304,7 @@ export function registerAppCommand(program: Command): void {
   k3sCmd
     .command("list")
     .description("List installed machines and their k3s status")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
     .action(async (opts: { user: string }) => {
       let state: BastionState;
       try {
diff --git a/bastion/src/cli/src/commands/asahi.ts b/bastion/src/cli/src/commands/asahi.ts
index 3d334c8..06a08e1 100644
--- a/bastion/src/cli/src/commands/asahi.ts
+++ b/bastion/src/cli/src/commands/asahi.ts
@@ -59,7 +59,7 @@ export function registerAsahiCommand(parent: Command): void {
       console.log(`    labvg/longhorn (remaining space)${RESET}`);
       console.log("");
       console.log(`  After first boot, SSH in and run the firstboot script:`);
-      console.log(`    ${BOLD}ssh lab@<ip> 'curl -sf ${bastionUrl}/asahi/firstboot.sh | sudo bash'${RESET}`);
+      console.log(`    ${BOLD}ssh root@<ip> 'curl -sf ${bastionUrl}/asahi/firstboot.sh | bash'${RESET}`);
       console.log("");
       console.log(`  This sets up LVM, detects hostname/MAC, and self-registers.`);
       console.log(`  Then install k3s:`);
diff --git a/bastion/src/cli/src/commands/labcontroller.ts b/bastion/src/cli/src/commands/labcontroller.ts
index b1b9efe..09c0648 100644
--- a/bastion/src/cli/src/commands/labcontroller.ts
+++ b/bastion/src/cli/src/commands/labcontroller.ts
@@ -38,7 +38,7 @@ export function registerLabcontrollerCommands(appCmd: Command): void {
   lcCmd
     .command("deploy <target>")
     .description("Deploy labcontroller stack to a k3s node")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
     .option("--crdb-replicas <n>", "CockroachDB replicas", "1")
     .action(async (target: string, opts: {
       user: string;
@@ -193,7 +193,7 @@ export function registerLabcontrollerCommands(appCmd: Command): void {
   lcCmd
     .command("status [target]")
     .description("Check labcontroller deployment status (all hosts if no target)")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
     .action(async (target: string | undefined, opts: { user: string }) => {
       const sshKey = findSshKey();
       const sshOpts = sshKey ? { keyPath: sshKey } : {};
diff --git a/bastion/src/modules/modules/k3s/src/k3s-module.ts b/bastion/src/modules/modules/k3s/src/k3s-module.ts
index ae2f5b4..7befe32 100644
--- a/bastion/src/modules/modules/k3s/src/k3s-module.ts
+++ b/bastion/src/modules/modules/k3s/src/k3s-module.ts
@@ -78,9 +78,10 @@ export class K3sModule implements Module {
       return toModuleResult("install", [...prepResults, ...k3sResults], start);
     }
 
-    // Phase 3: Networking (server only — agents don't install Cilium)
+    // Phase 3: Networking (initial server only — joining servers get Cilium via daemonset)
     let netResults: OperationResult[] = [];
-    if (isServer) {
+    const isJoiningServer = isServer && !!opCtx.config.k3sServerUrl;
+    if (isServer && !isJoiningServer) {
       netResults = await runNetworking(opCtx);
     }
 
diff --git a/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts b/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts
index 68babd4..59eb8f8 100644
--- a/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts
@@ -3,6 +3,7 @@
 
 import type { Operation, OperationResult } from "../types.js";
 import { sshOpts } from "../utils.js";
+import { sshExec as remoteSshExec } from "../../../../src/ssh.js";
 
 export const configureLonghornDisk: Operation = async (ctx): Promise<OperationResult> => {
   // Check if /var/lib/longhorn exists on this node
@@ -15,12 +16,11 @@ export const configureLonghornDisk: Operation = async (ctx): Promise<OperationRe
   const nodeNameResult = await ctx.ssh.exec("hostname -f 2>/dev/null || hostname", sshOpts(ctx));
   const nodeName = nodeNameResult.stdout.trim();
 
-  // Apply the annotation via kubectl (works on server nodes, or via KUBECONFIG on agents)
-  const kubectlPrefix = "k3s kubectl";
   const annotation = JSON.stringify([{ path: "/var/lib/longhorn", allowScheduling: true }]);
 
+  // Try kubectl locally first (works on server nodes)
   const result = await ctx.ssh.exec(
-    `${kubectlPrefix} annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite 2>&1 || true`,
+    `k3s kubectl annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite 2>&1 || true`,
     sshOpts(ctx),
   );
 
@@ -28,7 +28,23 @@ export const configureLonghornDisk: Operation = async (ctx): Promise<OperationRe
     return { success: true, changed: true, message: `Longhorn disk annotation applied to ${nodeName}` };
   }
 
-  // If kubectl isn't available (agent node without server access), that's OK —
-  // the label is set, annotation can be applied from the server later
+  // For worker/agent nodes without local kubectl: apply via the server
+  if (ctx.config.k3sServerUrl) {
+    // The CLI has SSH access to the server — use sshExec from there
+    const serverHost = new URL(ctx.config.k3sServerUrl).hostname;
+    try {
+      const remoteResult = await remoteSshExec(
+        serverHost, "root",
+        `k3s kubectl annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite`,
+        { ...(ctx.ssh.keyPath ? { keyPath: ctx.ssh.keyPath } : {}), timeoutMs: 15_000 },
+      );
+      if (remoteResult.stdout.includes("annotated") || remoteResult.stdout.includes("unchanged")) {
+        return { success: true, changed: true, message: `Longhorn disk annotation applied to ${nodeName} (via server)` };
+      }
+    } catch {
+      // Fall through to manual instruction
+    }
+  }
+
   return { success: true, changed: false, message: "Longhorn disk label set (annotation requires server kubectl)" };
 };