diff --git a/nixos/desktop-cage.nix b/nixos/desktop-cage.nix
new file mode 100644
index 0000000..446d2c4
--- /dev/null
+++ b/nixos/desktop-cage.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ imports = [./desktop.nix];
+
+ systemd.network.networks.eth = {
+ matchConfig.Name = "en*";
+ DHCP = "ipv4";
+ networkConfig = {
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = true;
+ };
+ };
+
+ services.cage = {
+ enable = true;
+ extraArguments = [
+ "-d"
+ ];
+ };
+}
diff --git a/nixos/k3s/default.nix b/nixos/k3s/default.nix
new file mode 100644
index 0000000..16f3997
--- /dev/null
+++ b/nixos/k3s/default.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ # k8s api
+ 6443
+ # metrics-server
+ 10250
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ extraFlags = toString [
+ "--disable traefik" # manuelle ... with ipv6 enable
+ ];
+ };
+ systemd.services.k3s = {
+ wants = [ "containerd.service" ];
+ after = [ "containerd.service" ];
+ serviceConfig.MemoryMax = "2G";
+ };
+
+ environment.systemPackages = with pkgs; [
+ k3s
+ k9s
+ kubectl
+ ];
+}
\ No newline at end of file
diff --git a/nixos/k3s/traefik-external.nix b/nixos/k3s/traefik-external.nix
new file mode 100644
index 0000000..fa2fdc2
--- /dev/null
+++ b/nixos/k3s/traefik-external.nix
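Review bot: `services.cage.enable = true` is set without `user` or `program`, so unless `./desktop.nix` provides them the NixOS cage module's defaults apply — as I recall the module, that is an auto-created `demo` user logged in on tty1 running xterm as the kiosk program, i.e. a password-less local shell for anyone at the console. Pin both here next to `enable`, e.g. `user = "kiosk";` and a `program = ...;` pointing at the intended kiosk application, and add a short comment stating why `-d` (no client-side decorations) is wanted. `pkgs` is taken as an argument but not used anywhere in this file as written.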
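Review bot: `networking.firewall.allowedTCPPorts` opens 10250 (the kubelet API, labelled `# metrics-server`) on every interface, but metrics-server scrapes the kubelet from inside the cluster, so the port only needs to be reachable from the pod network, not from the outside world. Scope it to the CNI interface instead, e.g. `networking.firewall.interfaces."cni0".allowedTCPPorts = [ 10250 ];` (k3s' default flannel bridge is `cni0`; verify on the host), and keep only 6443 global if remote kubectl access is actually needed. The `wants`/`after` on `containerd.service` has no matching `--container-runtime-endpoint` flag in `extraFlags`, so as written k3s presumably still uses its embedded containerd and the ordering is a no-op — a comment naming the intended runtime would settle that.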
@@ -0,0 +1,64 @@
+{
+ imports = [
+ ./default.nix
+ ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 443
+ ];
+
+ # for quic3 - max size to 2.5MB
+ boot.kernelParams = [
+ "net.core.rmem_max=2500000"
+ "net.core.wmem_max=2500000"
+ ];
+
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ experimental.http3 = true;
+ entryPoints = {
+ web = {
+ address = ":80";
+ };
+ websecure = {
+ address = ":443";
+ http3 = {};
+ };
+ };
+ providers = {
+ kubernetesIngress = {
+ allowEmptyServices = true;
+ allowExternalNameServices = true;
+ };
+ kubernetesCRD = {
+ allowCrossNamespace = true;
+ allowEmptyServices = true;
+ allowExternalNameServices = true;
+ };
+ };
+ api.dashboard = true;
+ metrics.prometheus.entryPoint = "websecure";
+ certificatesResolvers.letsencrypt.acme = {
+ storage = "/var/lib/traefik/acme/acme.json";
+ caServer = "https://acme-v02.api.letsencrypt.org/directory";
+ tlsChallenge = {};
+ };
+ };
+ dynamicConfigOptions = {
+ http.middlewares = {
+ "redirect-https".redirectScheme = {
+ scheme = "https";
+ permanent = true;
+ };
+ };
+ };
+ };
+ systemd.services.traefik.environment = {
+ KUBECONFIG = "/var/lib/traefik/k3s-kubeconfig.yaml";
+ };
+}
\ No newline at end of file
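Review bot: `allowExternalNameServices = true` on both Kubernetes providers and `allowCrossNamespace = true` on `kubernetesCRD` undo defaults Traefik ships disabled for a reason: an ExternalName Service lets anyone who can create an Ingress/IngressRoute make Traefik proxy to arbitrary hosts (including cluster-internal ones), and cross-namespace references let one namespace attach another namespace's middlewares and services. On a single-tenant k3s box that may be acceptable, but it should be recorded in a comment above `providers` (`# single-tenant cluster: ExternalName/cross-namespace references are trusted`) or the flags dropped. `metrics.prometheus.entryPoint = "websecure"` also serves `/metrics` unauthenticated on the public 443 entrypoint, as I read Traefik's metrics docs; a dedicated internal entrypoint or a basicAuth middleware on that router would be safer. Separately, `net.core.rmem_max=2500000` in `boot.kernelParams` is a sysctl, not a kernel command-line option, so the HTTP/3 buffer tuning the comment describes is silently ignored at boot; use `boot.kernel.sysctl."net.core.rmem_max" = 2500000;` and `boot.kernel.sysctl."net.core.wmem_max" = 2500000;` instead.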