diff --git a/hosts/mauville/raffauflabs.nix b/hosts/mauville/raffauflabs.nix
index a6dbfde4..b24096c0 100644
--- a/hosts/mauville/raffauflabs.nix
+++ b/hosts/mauville/raffauflabs.nix
@@ -29,7 +29,8 @@
   };
 in {
   networking = {
-    firewall.allowedTCPPorts = [80 443 3000];
+    firewall.allowedTCPPorts = [80 443 2379 2380 3000 6443];
+    firewall.allowedUDPPorts = [8472];
   };
 
   services = {
@@ -90,6 +91,13 @@ in {
       };
     };
 
+    k3s = {
+      enable = true;
+      role = "server";
+      tokenFile = config.age.secrets.k3s.path;
+      serverAddr = "http://192.168.0.104:6443";
+    };
+
     navidrome = {
       enable = true;
       openFirewall = true;
diff --git a/hosts/mauville/secrets.nix b/hosts/mauville/secrets.nix
index 9c81b63b..2753c4f1 100644
--- a/hosts/mauville/secrets.nix
+++ b/hosts/mauville/secrets.nix
@@ -1,6 +1,6 @@
 {
   age.secrets = {
-    cloudflare.file = ../../secrets/cloudflare.age;
+    k3s.file = ../../secrets/k3s.age;
 
     lastfmId = {
       owner = "navidrome";
diff --git a/hosts/slateport/raffauflabs.nix b/hosts/slateport/raffauflabs.nix
index 0615db4e..c909bf96 100644
--- a/hosts/slateport/raffauflabs.nix
+++ b/hosts/slateport/raffauflabs.nix
@@ -3,7 +3,8 @@
   domain = "raffauflabs.com";
 in {
   networking = {
-    firewall.allowedTCPPorts = [80 443];
+    firewall.allowedTCPPorts = [80 443 2379 2380 6443];
+    firewall.allowedUDPPorts = [8472];
   };
 
   security.acme = {