diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
index be43c60..05eaf4c 100644
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -9,9 +9,13 @@ function isServerRole(role: string): boolean {
 function generateServerConfig(config: K3sConfig): string {
 const tlsSans = [config.hostname, config.ip, ...(config.tlsSans ?? [])];
- const serverLine = config.k3sServerUrl ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"\n` : "";
- return `# k3s server configuration — CIS hardened
-${serverLine}protect-kernel-defaults: true
+ const isJoining = !!config.k3sServerUrl;
+ const clusterLines = isJoining
+ ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"`
+ : "cluster-init: true";
+ return `# k3s server configuration — CIS hardened, etcd HA
+${clusterLines}
+protect-kernel-defaults: true
 secrets-encryption: true
 write-kubeconfig-mode: "0640"
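Review bot: The new `clusterLines` branch still places `config.k3sServerUrl` and `config.k3sToken` between hand-written double quotes, so a value containing `"` or a line break ends the YAML scalar early and can add or override keys in a file whose header claims CIS hardening. Emitting the two values with `JSON.stringify(config.k3sServerUrl)` and `JSON.stringify(config.k3sToken)` instead of the literal quotes would escape them, assuming the consumer parses the file as YAML. `isJoining` is derived from the URL alone, so a joining node with no token gets `token: "undefined"` written out; a guard before the template, `if (isJoining && !config.k3sToken) throw new Error("k3sToken is required when k3sServerUrl is set");`, fails early instead. The join token also ends up in cleartext in the generated config, so it is worth confirming the file's mode and owner where it is written, or using k3s's `token-file` option. The body of `generateServerConfig` continues past the end of the hunk, so the rest of the template is not covered here.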