diff --git a/.gitea/workflows/01-deploy-proxmox-infra.yaml b/.gitea/workflows/01-deploy-proxmox-infra.yaml
index 20494c5..2ff07f5 100644
--- a/.gitea/workflows/01-deploy-proxmox-infra.yaml
+++ b/.gitea/workflows/01-deploy-proxmox-infra.yaml
@@ -80,17 +80,57 @@ jobs:
 run: pulumi package add terraform-provider marshallford/pfsense 0.22.0
 working-directory: 01-proxmox-infra
- - name: Refresh State
+ - name: Shutdown VMs
 run: |
 pulumi login "$PULUMI_BACKEND_URL"
- pulumi refresh --yes --stack dev \
- --target 'urn:pulumi:dev::proxmox-infra::proxmoxve*' \
- --target 'urn:pulumi:dev::proxmox-infra::tls*'
+ PVE1=$(pulumi stack output --stack dev --show-secrets pve1Endpoint)
+ TOKEN1=$(pulumi stack output --stack dev --show-secrets pve1ApiToken)
+ PVE2=$(pulumi stack output --stack dev --show-secrets pve2Endpoint)
+ TOKEN2=$(pulumi stack output --stack dev --show-secrets pve2ApiToken)
+ IDS=$(pulumi stack output --stack dev --json vmIds)
+ M1=$(echo "$IDS" | jq -r .master1)
+ M2=$(echo "$IDS" | jq -r .master2)
+ W1=$(echo "$IDS" | jq -r .worker1)
+ M3=$(echo "$IDS" | jq -r .master3)
+ W2=$(echo "$IDS" | jq -r .worker2)
+
+ for id in $M1 $M2 $W1; do
+ curl -sf -k -X POST "$PVE1/api2/json/nodes/pve/qemu/$id/status/shutdown" \
+ -H "Authorization: PVEAPIToken=$TOKEN1" || true
+ done
+ for id in $M3 $W2; do
+ curl -sf -k -X POST "$PVE2/api2/json/nodes/pve-bckp/qemu/$id/status/shutdown" \
+ -H "Authorization: PVEAPIToken=$TOKEN2" || true
+ done
+
+ wait_stopped() {
+ local ep=$1 tok=$2 node=$3 id=$4
+ for i in $(seq 1 36); do
+ status=$(curl -sf -k "$ep/api2/json/nodes/$node/qemu/$id/status/current" \
+ -H "Authorization: PVEAPIToken=$tok" | jq -r .data.status)
+ [ "$status" = "stopped" ] && return 0
+ sleep 5
+ done
+ echo "Timeout: VM $id did not stop within 3 minutes" && exit 1
+ }
+
+ for id in $M1 $M2 $W1; do wait_stopped "$PVE1" "$TOKEN1" pve "$id"; done
+ for id in $M3 $W2; do wait_stopped "$PVE2" "$TOKEN2" pve-bckp "$id"; done
 working-directory: 01-proxmox-infra
 env:
 PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
 PULUMI_BACKEND_URL: ${{ secrets.PULUMI_BACKEND_URL }}
+ - name: Refresh State
+ uses: pulumi/actions@v5
+ with:
+ command: refresh
+ stack-name: dev
+ work-dir: 01-proxmox-infra
+ cloud-url: ${{ secrets.PULUMI_BACKEND_URL }}
+ env:
+ PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
+
 - name: Deploy
 uses: pulumi/actions@v5
 with:
diff --git a/01-proxmox-infra/CLAUDE.md b/01-proxmox-infra/CLAUDE.md
index 7182cc2..e1c92b5 100644
--- a/01-proxmox-infra/CLAUDE.md
+++ b/01-proxmox-infra/CLAUDE.md
@@ -16,9 +16,11 @@ npm install
 pulumi preview
 # Sync Pulumi state with actual Proxmox state (run before up if resources were changed manually)
+# Note: shut down all k3s VMs in Proxmox first — refresh is slow against running VMs
 pulumi refresh --yes
 # Deploy infrastructure
+# Note: shut down all k3s VMs in Proxmox first, then run:
 pulumi refresh --yes && pulumi up --yes
 # Destroy infrastructure
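Review bot: In the `Shutdown VMs` step of `.gitea/workflows/01-deploy-proxmox-infra.yaml`, all three `curl` calls pass `-k`, so the `Authorization: PVEAPIToken=…` header is sent without verifying the server certificate, and whatever answers at `$PVE1`/`$PVE2` receives the token this job uses to shut down VMs. Drop `-k` and trust the Proxmox CA explicitly, e.g. `curl -sf --cacert "$PVE_CA_FILE" -X POST "$PVE1/api2/json/nodes/pve/qemu/$id/status/shutdown" \` (`PVE_CA_FILE` is a placeholder for a CA bundle provisioned on the runner), and do the same in `wait_stopped`. The values read with `--show-secrets` are presumably not covered by the runner's secret masking, so it is worth a comment such as `# tokens below are unmasked: no set -x, no curl -v` above the assignments. The `|| true` on the shutdown requests also means a rejected token or a certificate error only shows up later as the 3-minute timeout; printing a message when the request fails would make the two cases distinguishable in the job log.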