diff --git a/ansible/playbooks/mask-avahi.yml b/ansible/playbooks/mask-avahi.yml
new file mode 100644
index 0000000..0647d1e
--- /dev/null
+++ b/ansible/playbooks/mask-avahi.yml
@@ -0,0 +1,43 @@
+---
+# Mask avahi-daemon on all Ubuntu hosts
+#
+# Avahi (mDNS/Bonjour) is not needed in a static-IP homelab with Pi-hole DNS.
+# A kernel busy-loop bug in avahi-daemon was found consuming ~1.7 CPU cores
+# across 5 VMs. Masking prevents it from ever starting again, surviving reboots.
+#
+# Targets: vms + physical (all Ubuntu QEMU VMs and ubuntu-manticore)
+# Controller: ansible-controller (LXC 304 at 10.10.0.232)
+#
+# Usage:
+#   # Dry run
+#   ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --check
+#
+#   # Test on a single host first
+#   ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --limit discord-bots
+#
+#   # Roll out to all Ubuntu hosts
+#   ansible-playbook /opt/ansible/playbooks/mask-avahi.yml
+#
+# To undo: systemctl unmask avahi-daemon
+
+- name: Mask avahi-daemon on all Ubuntu hosts
+  hosts: vms:physical
+  become: true
+
+  tasks:
+    - name: Stop avahi-daemon
+      ansible.builtin.systemd:
+        name: avahi-daemon
+        state: stopped
+      ignore_errors: true
+
+    - name: Mask avahi-daemon
+      ansible.builtin.systemd:
+        name: avahi-daemon
+        masked: true
+
+    - name: Verify avahi is masked
+      ansible.builtin.command: systemctl is-enabled avahi-daemon
+      register: avahi_status
+      changed_when: false
+      failed_when: avahi_status.stdout | trim != 'masked'
diff --git a/vm-management/scripts/cloud-init-user-data.yaml b/vm-management/scripts/cloud-init-user-data.yaml
index 23d1ffe..f504a55 100644
--- a/vm-management/scripts/cloud-init-user-data.yaml
+++ b/vm-management/scripts/cloud-init-user-data.yaml
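Review bot: The stop and mask tasks act only on the `avahi-daemon` service unit; if the hosts carry the socket unit that Ubuntu's avahi-daemon package normally ships (`avahi-daemon.socket`), it stays enabled, keeps UDP 5353 bound and will keep trying to trigger the masked service on the next mDNS packet, so the listener is not actually closed — the cloud-init `runcmd` hunk in this commit has the same gap. Making both tasks loop over the two units closes it: `name: "{{ item }}"` plus `loop: ['avahi-daemon.service', 'avahi-daemon.socket']` on each task, and the verify step should then check both names. The verify task is fine as written because `failed_when` replaces the default rc check, which matters since `systemctl is-enabled` exits non-zero for a masked unit; a short comment saying so would save the next reader a trip to the docs. `ignore_errors: true` on the stop task also hides connection or privilege failures, not just "unit not found"; registering the result and narrowing the condition with `failed_when` would keep the best-effort intent without swallowing real errors.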
@@ -67,10 +67,15 @@ runcmd: # Add cal user to docker group (will take effect after next login) - usermod -aG docker cal - + # Test Docker installation - docker run --rm hello-world + # Mask avahi-daemon — not needed in a static-IP homelab with Pi-hole DNS, + # and has a known kernel busy-loop bug that wastes CPU + - systemctl stop avahi-daemon || true + - systemctl mask avahi-daemon + # Write configuration files write_files: # SSH hardening configuration
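Review bot: The `-`/`+` pair right after the `usermod` line looks like a whitespace-only edit to the blank separator between the docker-group step and the Docker test; if the new line now carries trailing spaces it should be made a truly empty line, since YAML tooling flags trailing whitespace and it adds noise to every future diff. The `systemctl mask avahi-daemon` entry is otherwise sound: masking creates the `/dev/null` symlink even when the package is not yet installed, so ordering relative to later installs should not matter, but that is worth stating in the comment, e.g. `# mask works even if avahi is not installed yet, so later apt installs cannot enable it`. The enclosing `runcmd` list starts outside this hunk.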