diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
index 22fcf36..c031a75 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
@@ -27,7 +27,7 @@
     chdir: /opt/metacluster/k3s
   environment:
     INSTALL_K3S_SKIP_DOWNLOAD: 'true'
-    INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage --config /etc/rancher/k3s/config.yaml'
+    INSTALL_K3S_EXEC: 'server --cluster-init --token {{ vapp['metacluster.token'] }} --disable local-storage --config /etc/rancher/k3s/config.yaml'
   when: ansible_facts.services['k3s.service'] is undefined
 
 - name: Debug possible taints on k3s node
diff --git a/packer/build.pkr.hcl b/packer/build.pkr.hcl
index 148ffb6..0a24804 100644
--- a/packer/build.pkr.hcl
+++ b/packer/build.pkr.hcl
@@ -7,11 +7,21 @@ build {
   source "vsphere-iso.ubuntu" {
     name = "bootstrap"
     vm_name = "${var.vm_name}-bootstrap"
+
+    export {
+      images                = false
+      output_directory      = "/scratch/airgapped-k8s/bootstrap"
+    }
   }
 
   source "vsphere-iso.ubuntu" {
     name = "upgrade"
     vm_name = "${var.vm_name}-upgrade"
+
+    export {
+      images                = false
+      output_directory      = "/scratch/airgapped-k8s/upgrade"
+    }
   }
 
   provisioner "ansible" {
@@ -36,11 +46,11 @@ build {
     inline = [
       "pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
       " -ApplianceType '${source.name} \\",
-      " -OVFFile '/scratch/airgapped-k8s/${var.vm_name}-${source.name}.ovf' \"",
+      " -OVFFile '/scratch/airgapped-k8s/${source.name}/${var.vm_name}-${source.name}.ovf' \"",
       "pwsh -file scripts/Update-Manifest.ps1 \\",
-      " -ManifestFileName '/scratch/airgapped-k8s/${var.vm_name}-${source.name}.mf'",
+      " -ManifestFileName '/scratch/airgapped-k8s/${source.name}/${var.vm_name}-${source.name}.mf'",
       "ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
-      " '/scratch/airgapped-k8s/${var.vm_name}-${source.name}.ovf' \\",
+      " '/scratch/airgapped-k8s/${source.name}/${var.vm_name}-${source.name}.ovf' \\",
       " /output/airgapped-k8s.${source.name}.ova"
     ]
   }
diff --git a/scripts/Update-OvfConfiguration.bootstrap.yml b/scripts/Update-OvfConfiguration.bootstrap.yml
index 331727f..339748d 100644
--- a/scripts/Update-OvfConfiguration.bootstrap.yml
+++ b/scripts/Update-OvfConfiguration.bootstrap.yml
@@ -31,6 +31,14 @@ PropertyCategories:
 - Name: 1) Meta-cluster
   ProductProperties:
 
+  - key: metacluster.token
+    Type: string(1..)
+    Label: K3s install token*
+    Description: Auto-generated; this value is used to join future new nodes to the metacluster after deployment
+    DefaultValue: '{{ metacluster.token }}'
+    Configurations: '*'
+    UserConfigurable: true
+
   - Key: guestinfo.hostname
     Type: string(1..15)
     Label: Hostname*
@@ -173,3 +181,6 @@ Variables:
 - Name: hostname.suffix
   Expression: |
     (-join ((48..57) + (97..122) | Get-Random -Count 5 | % {[char]$_})).ToLower()
+- Name: metacluster.token
+  Expression: |
+    (New-Guid).Guid -replace '-', ''