diff --git a/services/apiserver.go b/services/apiserver.go
index 64efb14438f35b94f5d9b2faabd966fb6bad31bb..3f614b791dae69b49262f4c2eac1830aed18c424 100644
--- a/services/apiserver.go
+++ b/services/apiserver.go
@@ -64,7 +64,7 @@ const apiserverPort = 6443
 
 var kubeApiserver = &Unit{
 	Name:         "kube-apiserver",
-	Dependencies: []*Unit{etcd, pkiCA, pkiMaster, vpn, kubeLogger},
+	Dependencies: []*Unit{etcd, pkiMaster, vpn, kubeLogger},
 	Run: func(u *Unit, c *Cluster, ctx context.Context) error {
 		config, clients, err := buildConfig(c)
 		if err != nil {
diff --git a/services/certs.go b/services/certs.go
index 150a5483c3bd53fedb0431a601bd57273f1b8b5e..0f189f1a969ed8b4ec2af86b8ea340ccde6d8804 100644
--- a/services/certs.go
+++ b/services/certs.go
@@ -40,9 +40,9 @@ type NodeCerts struct {
 	API *pekahi.Certificate `json:"api"`
 }
 
-// PKI Client on non-master nodes
-var pkiCA = &Unit{
-	Name: "pki-ca",
+// Initialize the CA
+var pkiInit = &Unit{
+	Name: "pki-init",
 	Start: func(u *Unit, c *Cluster, ctx context.Context) error {
 		bundle, err := pekahi.NewFileBundle(path.Join(c.settings.DataDir, "pki/ca"))
 		if err != nil {
@@ -56,6 +56,11 @@ var pkiCA = &Unit{
 		c.state.PKI = c.pki
 		return nil
 	},
+}
+
+// Wait for the CA on nodes
+var pkiCA = &Unit{
+	Name: "pki-ca",
 	Ready: func(u *Unit, c *Cluster) bool {
 		return (c.pki != nil &&
 			c.pki.TLS.Cert != nil &&
@@ -66,8 +71,7 @@ var pkiCA = &Unit{
 
 // PKI manager on the master node
 var pkiManager = &Unit{
-	Name:         "pki-manager",
-	Dependencies: []*Unit{pkiCA},
+	Name: "pki-manager",
 	Start: func(u *Unit, c *Cluster, ctx context.Context) error {
 		bundle, err := pekahi.NewFileBundle(path.Join(c.settings.DataDir, "pki/ca"))
 		if err != nil {
@@ -166,7 +170,8 @@ var pkiMaster = &Unit{
 
 // Unit for requesting and getting node certs
 var pkiNode = &Unit{
-	Name: "pki-node",
+	Name:         "pki-node",
+	Dependencies: []*Unit{pkiInit},
 	Start: func(u *Unit, c *Cluster, ctx context.Context) error {
 		// See: https://kubernetes.io/docs/setup/best-practices/certificates/
 		bundle, err := pekahi.NewFileBundle(path.Join(c.settings.DataDir, "pki/node"))
diff --git a/services/cm.go b/services/cm.go
index 96196dab7f008ea01b2c5ea406508313f1c94365..ddc765c3f05386ccd50b62ebb263c1f2b2f7845e 100644
--- a/services/cm.go
+++ b/services/cm.go
@@ -37,7 +37,7 @@ import (
 
 var kubeControllerManager = &Unit{
 	Name:         "kube-controller-manager",
-	Dependencies: []*Unit{kubeApiserver, pkiCA, pkiMaster, kubeLogger},
+	Dependencies: []*Unit{kubeApiserver, pkiMaster, kubeLogger},
 	Start: func(u *Unit, c *Cluster, ctx context.Context) error {
 		// Used as a replacement for InformersStarted in vanilla code
 		allReady := make(chan struct{})
diff --git a/services/discovery.go b/services/discovery.go
index 2333719e6352c218106a9d32e308427e1fb72ce1..4e9b3c3bff73fa322b70e54e9fd5d82c7c1f133b 100644
--- a/services/discovery.go
+++ b/services/discovery.go
@@ -10,7 +10,7 @@ import (
 var memberlist = &Unit{
 	Name: "memberlist",
 	// Depend on the vpn so the vpn key is properly populated before we start broadcasting any node metadata
-	Dependencies: []*Unit{vpn, pkiCA},
+	Dependencies: []*Unit{},
 	Run: func(u *Unit, c *Cluster, ctx context.Context) error {
 		ml := sml.New[HeptoMeta, HeptoState](
 			c.thisNode.Name, c.thisNode.PublicIP,
@@ -29,29 +29,19 @@ var memberlist = &Unit{
 			<-events
 			c.nodes = ml.Nodes()
 			u.Manager.Logger.Info("memberlist metadata received", "nodes", c.nodes)
-			u.Manager.Trigger()
-		}
-	},
-	Wake: func(u *Unit, c *Cluster) error {
-		// Try and find master node if required
-		if c.masterNode == nil {
-			for _, node := range c.nodes {
-				if node.Role == "master" || node.Role == "full" {
-					u.Manager.Logger.Info("found remote master", "name", node.Name)
-					c.masterNode = node
-					c.masterUrl = fmt.Sprintf("https://[%s]:%d", node.VpnIP.String(), apiserverPort)
-					u.Manager.Trigger()
+
+			// Try and find master node if required
+			if c.masterNode == nil {
+				for _, node := range c.nodes {
+					if node.Role == "master" || node.Role == "full" {
+						u.Manager.Logger.Info("found remote master", "name", node.Name)
+						c.masterNode = node
+						c.masterUrl = fmt.Sprintf("https://[%s]:%d", node.VpnIP.String(), apiserverPort)
+						u.Markready()
+					}
 				}
 			}
+			u.Manager.Trigger()
 		}
-		return nil
-	},
-}
-
-// Simple depencency unit waiting for the master node to be ready
-var masterDiscovery = &Unit{
-	Name: "master-discovery",
-	Ready: func(u *Unit, c *Cluster) bool {
-		return c.masterNode != nil
 	},
 }
diff --git a/services/kubelet.go b/services/kubelet.go
index cf00b4f5c2f5ecb7f0e6148048f40d97f873a970..c8e8c8381a30e240570c84b604d3ab833f07c079 100644
--- a/services/kubelet.go
+++ b/services/kubelet.go
@@ -38,7 +38,7 @@ import (
 
 var kubeKubelet = &Unit{
 	Name:         "kubelet",
-	Dependencies: []*Unit{masterDiscovery, containerdGRPC, containerdTTRPC, pkiCA, pkiNode, kubeLogger, reaper},
+	Dependencies: []*Unit{memberlist, containerdGRPC, containerdTTRPC, pkiCA, pkiNode, kubeLogger, reaper},
 	Run: func(u *Unit, c *Cluster, ctx context.Context) error {
 		// Sleep before starting, to make sure that containerd is actually ready
 		// (very difficult to check otherwise)
diff --git a/services/meta.go b/services/meta.go
index ef3ae9934479cb8c9d198dad8c316e9fa1487890..104425e0751fc2fba51ab5ebcf916086e52d560d 100644
--- a/services/meta.go
+++ b/services/meta.go
@@ -81,7 +81,7 @@ func (s *HeptoState) Merge(b []byte) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	if remote.PKI == nil {
+	if s.PKI == nil || remote.PKI == nil {
 		return false, nil
 	}
 	change := false
diff --git a/services/scheduler.go b/services/scheduler.go
index 1c4ff84a0c1f280df377c50ff655fdb7d3e3c1ae..5542571834b8e4a2e40d320dad8735d85a709729 100644
--- a/services/scheduler.go
+++ b/services/scheduler.go
@@ -9,7 +9,7 @@ import (
 
 var kubeScheduler = &Unit{
 	Name:         "kube-scheduler",
-	Dependencies: []*Unit{kubeApiserver, pkiCA, pkiMaster, kubeLogger},
+	Dependencies: []*Unit{kubeApiserver, pkiMaster, kubeLogger},
 	Run: func(u *Unit, c *Cluster, ctx context.Context) error {
 		clients, err := k8s.NewTokenClients(c.masterUrl, c.pki.TLS, c.loopbackToken)
 		if err != nil {
diff --git a/services/vpn.go b/services/vpn.go
index c911b1218920cb951179ea0910da7bcbd397018a..741049347634a35373678931b0eff947ccb4abc4 100644
--- a/services/vpn.go
+++ b/services/vpn.go
@@ -14,6 +14,9 @@ var vpn = &Unit{
 		}
 		peers := []wg.Peer{}
 		for _, node := range c.nodes {
+			if node.VpnKey == "" {
+				continue
+			}
 			peers = append(peers, node)
 		}
 		c.vpn.Update(peers, c.networking.MTU)