diff --git a/flake.nix b/flake.nix
index ef36458..28fcd00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,7 @@
         ./modules/applications/1password.nix
         ./modules/services/archiveteam-warrior.nix
         ./modules/services/linkding.nix
+        ./modules/services/k3s.nix
 
         ./modules/nix/linux.nix
         ./modules/shell.nix
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
new file mode 100644
index 0000000..403b42a
--- /dev/null
+++ b/modules/services/k3s.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+{
+  services.k3s = {
+    enable = true;
+    role = "server";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+  ];
+}