diff --git a/extras/k3s-node.nix b/extras/k3s-node.nix
index aa86c88..853cb56 100644
--- a/extras/k3s-node.nix
+++ b/extras/k3s-node.nix
@@ -1,8 +1,22 @@
 {
 config,
 pkgs,
+ lib,
 ...
 }: {
+ swapDevices = lib.mkForce [];
+
+ boot = {
+ kernel.sysctl = {
+ # Enable IP forwarding (required for pod networking)
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+
+ # Enable bridge netfilter (required for iptables rules on bridge traffic)
+ "net.bridge.bridge-nf-call-iptables" = 1;
+ "net.bridge.bridge-nf-call-ip6tables" = 1;
+ };
+ };
 networking.firewall.allowedTCPPorts = [
 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
 # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
diff --git a/extras/k3s.nix b/extras/k3s.nix
index de82d03..1a5b470 100644
--- a/extras/k3s.nix
+++ b/extras/k3s.nix
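Review bot: The two `net.bridge.bridge-nf-call-*` sysctls added here only exist once the `br_netfilter` kernel module is loaded, so unless something outside this diff loads it the keys may be absent when systemd-sysctl runs at boot and the setting is skipped with only a log line to show for it; adding `boot.kernelModules = ["br_netfilter"];` beside the `kernel.sysctl` block makes the dependency explicit. The same `swapDevices` and sysctl block is added verbatim to extras/k3s.nix in the next hunk; moving it into one shared module imported by both profiles would keep the node and server configurations from drifting apart.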
@@ -1,21 +1,50 @@
 {
 config,
 pkgs,
+ lib,
 ...
 }: {
- networking.firewall.allowedTCPPorts = [
- 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
- # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
- # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
- ];
- networking.firewall.allowedUDPPorts = [
- # 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ swapDevices = lib.mkForce [];
+
+ boot = {
+ kernel.sysctl = {
+ # Enable IP forwarding (required for pod networking)
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+
+ # Enable bridge netfilter (required for iptables rules on bridge traffic)
+ "net.bridge.bridge-nf-call-iptables" = 1;
+ "net.bridge.bridge-nf-call-ip6tables" = 1;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ kubernetes-helm
 ];
+
+ networking.firewall.enable = false;
+ # networking.firewall.allowedTCPPorts = [
+ # 6443 # k3s: required so that pods can reach the API server
+
+ # ];
+
+ # networking.firewall.allowedUDPPorts = [
+
+ # ];
+
 services.k3s = {
 enable = true;
 role = "server";
 # token = "jakeginesin12345678910";
 tokenFile = config.age.secrets.kube.path;
 clusterInit = true;
+
+ extraFlags = toString [
+ # "--bind-address=0.0.0.0" # API server listens on all interfaces
+ # "--advertise-address=100.125.181.75" # Advertise this IP to cluster members
+ # "--node-ip=100.125.181.75" # Primary IP for this node
+ # "--node-external-ip=100.125.181.75" # External IP for services
+ # "--tls-san=100.125.181.75" # Add IP to TLS certificate
+ ];
 };
 }
diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix
index bb9d140..3e43b7e 100644
--- a/hosts/server1/configuration.nix
+++ b/hosts/server1/configuration.nix
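Review bot: `networking.firewall.enable = false;` replaces the previous allow-list, which exposed only TCP 6443, with no host firewall at all, so every listener on this server (the k3s API server, the kubelet, any NodePort service, and anything Docker publishes from the server profile) becomes reachable on every interface; the commented-out port lists directly below it read as a debugging shortcut rather than the intended end state. Keeping the firewall enabled and re-adding the ports k3s actually needs, e.g. `networking.firewall.allowedTCPPorts = [ 6443 ];` and `networking.firewall.allowedUDPPorts = [ 8472 ];` for flannel, or marking the cluster-facing interface trusted via `networking.firewall.trustedInterfaces`, gives the same connectivity without the blanket exposure. `extraFlags = toString [ ... ]` currently evaluates to an empty string because every entry is commented out; that is harmless, but a comment such as `# all flags currently disabled; extraFlags is empty` would stop a reader from taking the list for active configuration.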
@@ -6,7 +6,7 @@
 }: {
 imports = [
 ./hardware-configuration.nix
- ../../system/system.nix
+ ../../system/system-server.nix
 ../meta.nix
 ../../extras/ssh.nix
 ../../extras/k3s.nix
diff --git a/system/services/services-server.nix b/system/services/services-server.nix
new file mode 100644
index 0000000..c96652e
--- /dev/null
+++ b/system/services/services-server.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./synaptics/default.nix
+ ./tailscale/default.nix
+ # ./syncthing/default.nix
+ # ./resolved/default.nix (not enabled, in favor of dnsmasq)
+ # ./dnsmasq/default.nix
+ ];
+}
diff --git a/system/system-server.nix b/system/system-server.nix
new file mode 100644
index 0000000..a359683
--- /dev/null
+++ b/system/system-server.nix
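Review bot: `./synaptics/default.nix` in the new services-server.nix is presumably a touchpad driver module and looks carried over from the desktop services list rather than chosen for a server; if server1 has no touchpad it can be dropped, leaving only the tailscale import. A one-line header such as `# Services for headless server hosts; desktop-only modules belong in the desktop profile` would make the intended split between the two service files clear to the next reader.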
@@ -0,0 +1,134 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # ./wm/bspwm.nix
+ ./xserver/default.nix
+ ./services/services-server.nix
+ ./fonts/fonts.nix
+ ./hardware/hardware.nix
+ ./networking/default.nix
+ ./users/default.nix
+ ];
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+ # time.timeZone = "Asia/Seoul";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ liveRestore = false;
+ };
+
+ programs.nix-ld.enable = true;
+
+ virtualisation.libvirtd.enable = true;
+ programs.virt-manager.enable = true;
+ services.udisks2.enable = true;
+ services.printing.enable = true;
+ hardware.bluetooth.enable = true;
+ programs.dconf.enable = true;
+
+ xdg.mime.defaultApplications = {
+ "application/pdf" = "firefox.desktop";
+ "text/html" = "firefox.desktop";
+ "text/markdown" = "firefox.desktop";
+ "text/x-markdown" = "firefox.desktop";
+ "x-scheme-handler/about" = "firefox.desktop";
+ "x-scheme-handler/http" = "firefox.desktop";
+ "x-scheme-handler/https" = "firefox.desktop";
+ "x-scheme-handler/unknown" = "firefox.desktop";
+ };
+
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ security.sudo = {
+ # me ne frego. i dare you to privilege escalate me
+ enable = true;
+ extraRules = [
+ {
+ commands = [
+ {
+ command = "/etc/profiles/per-user/synchronous/bin/rebuild";
+ options = ["NOPASSWD"];
+ }
+ {
+ command = "/home/synchronous/nix-cfg/home/scripts/nixos-rebuild.sh";
+ options = ["NOPASSWD"];
+ }
+ {
+ command = "/home/synchronous/.scripts/nixos-rebuild.sh";
+ options = ["NOPASSWD"];
+ }
+ {
+ # are you serious?
+ command = "/run/current-system/sw/bin/nixos-rebuild";
+ options = ["NOPASSWD"];
+ }
+ ];
+ users = ["synchronous"];
+ }
+ ];
+ };
+
+ # programs.direnv.enable = true;
+
+ nix = {
+ nixPath = [
+ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
+ "nixos-config=/home/synchronous/nix-cfg/configuration.nix"
+ "/nix/var/nix/profiles/per-user/root/channels"
+ ];
+
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
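Review bot: The `security.sudo.extraRules` block grants `synchronous` passwordless root for two scripts under `/home/synchronous/...` and for `/run/current-system/sw/bin/nixos-rebuild`, which, as the author's own "are you serious?" comment admits, amounts to unrestricted root: the home-directory scripts are writable by the very user the rule is meant to constrain, the per-user profile `rebuild` wrapper is presumably installed by that same user, and nixos-rebuild builds and activates whatever configuration it is pointed at. On a server whose firewall is disabled in extras/k3s.nix, any compromise of that account is therefore a full host compromise, so the three `/home/...`-controlled entries and the bare `nixos-rebuild` entry should be removed and, if unattended rebuilds are genuinely needed, replaced by one root-owned script outside the home directory or by a rule without `NOPASSWD`. The `nixPath` entry `nixos-config=/home/synchronous/nix-cfg/configuration.nix` has the same user-writable-input problem, since root's nixos-rebuild reads it. Separately, this "server" profile still enables libvirtd, virt-manager, printing, bluetooth, pipewire, an X server import and firefox MIME defaults, which reads as a copy of the desktop profile rather than a trimmed server one; dropping what server1 does not use reduces attack surface and closure size.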