diff --git a/installer/installation.nix b/installer/installation.nix
index a5b66a7..2e1aa29 100644
--- a/installer/installation.nix
+++ b/installer/installation.nix
@@ -28,7 +28,7 @@ with lib;
 echo "Test passed!";
 echo "Adding home-manager channel...";
- nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz home-manager;
+ nix-channel --add https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz home-manager;
 nix-channel --update;
 echo "Creating partitions...";
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index 7b85d37..287f2ca 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -76,7 +76,12 @@ with lib;
 25 993 995
 ] ++ optionals (config.fndx.services.netauth.enable) [
 749 464 88 389 636
- ] ++ cfg.extraAllowedPorts;
+ ] ++ optionals (config.fndx.services.k3s.enable) [
+ 2379
+ 2380
+ 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+ 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ ] ++ cfg.extraAllowedPorts;
 in {
 enable = true;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 6813375..af5729e 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,6 +4,7 @@
 ./ddclient.nix
 ./docker.nix
 ./jupyterhub.nix
+ ./k3s.nix
 ./keycloak.nix
 ./mailserver.nix
 ./netauth.nix
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
new file mode 100644
index 0000000..2548eeb
--- /dev/null
+++ b/modules/services/k3s.nix
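Review bot: In the networking hunk the two etcd ports 2379 and 2380 are added without the per-port comment that 6443 and 8472 carry, and, if this list feeds `networking.firewall.allowedTCPPorts` as the surrounding entries suggest, they are opened on every interface, so the embedded-etcd client port becomes reachable from any network the host sits on rather than only from peer servers. Consider `2379 # k3s: embedded etcd client (server nodes only)` and `2380 # k3s: embedded etcd peer (server nodes only)`, and restricting them to the cluster-facing interface via `networking.firewall.interfaces.<name>.allowedTCPPorts` or to hosts that actually run as an etcd member. The flannel VXLAN backend on 8472 is UDP; if this binding is consumed only as a TCP port list (its consumer is outside the hunk), the 8472 entry opens the wrong protocol while the UDP port is still closed. The enclosing let-binding starts before the hunk.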
@@ -0,0 +1,67 @@
+{config, lib, pkgs, ...}:
+let
+ cfg = config.fndx.services.k3s;
+in
+with lib;
+{
+ options = {
+ fndx.services.k3s = {
+ enable = mkEnableOption "k3s for ctOS";
+ token = mkOption {
+ example = ["super private token"];
+ type = types.str;
+ description = mdDoc ''
+ The token used for authentication.
+ You can generate this token with the following command:
+ ```sh
+ pwgen -s -n 16 | head -n1
+ ```
+ '';
+ };
+ headNode = mkEnableOption "head node of the cluster";
+ headAddress = mkOption {
+ example = ["http://head-node:6443"];
+ default = "";
+ type = types.str;
+ description = mdDoc ''
+ Set the address towards the head-node of the cluster.
+ Warning: Set this attribute only for nodes that are not the head-node.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = (cfg.headNode == (cfg.headAddress == "") );
+ message = "The headNode and headAddress attributes have been set together.";
+ }
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ token = cfg.token;
+ clusterInit = cfg.headNode;
+ serverAddr = mkIf (!cfg.headNode) cfg.headAddress;
+ extraFlags = [
+ "--write-kubeconfig-mode \"0644\""
+ "--disable servicelb"
+ "--disable localstorage"
+ ];
+ };
+
+ # for longhorn
+ systemd.tmpfiles.rules = [
+ "L+ /usr/local/bin - - - - /run/current-system/sw/bin"
+ ];
+ virtualisation.docker.logDriver = "json-file";
+
+ environment.systemPackages = [ pkgs.nfs-utils ];
+ services.openiscsi = {
+ enable = true;
+ name = "${config.networking.hostName}-initiatorhost";
+ };
+ };
+}
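Review bot: The cluster join token is declared as a plain `types.str` option and forwarded with `token = cfg.token;`, which bakes the secret into the world-readable Nix store of every node; the upstream module's `services.k3s.tokenFile` exists for exactly this, so a `tokenFile = mkOption { type = types.path; ... }` wired to `services.k3s.tokenFile = cfg.tokenFile;` keeps it out of the store. The `"--write-kubeconfig-mode \"0644\""` flag makes the admin kubeconfig readable by every local user, i.e. any local account gets cluster-admin; drop it (the default is 0600) or record in a comment which unprivileged consumer needs it, and with the list form of `extraFlags` prefer the `"--write-kubeconfig-mode=0644"` / `"--disable=servicelb"` spelling so the embedded quotes and spaces are not handed to k3s as part of a single argument. The `example` values of `token` and `headAddress` are lists although both options are `types.str`, and `headAddress` should illustrate an `https://` URL since the k3s API is served over TLS. The assertion message only describes the case where both attributes are set; `message = "Set exactly one of headNode (for the head node) or headAddress (for joining nodes).";` also covers a non-head node that forgot headAddress. k3s names the component `local-storage`, so `"--disable localstorage"` probably matches nothing — worth confirming against the k3s version in use.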