diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix
index d63c22ae..2ae06c46 100644
--- a/hosts/containers/deployer/configuration.nix
+++ b/hosts/containers/deployer/configuration.nix
@@ -8,7 +8,7 @@
 imports = [
 ../../../lib/lxc-container.nix
 ../../../lib/shared.nix
- # ../../../lib/admins.nix
+ ../../../lib/admins.nix
 ];
 environment.systemPackages = with pkgs; [
@@ -20,30 +20,35 @@
 man
 zsh
 vim
+ screen
+ tmux
 ];
 networking = {
 hostName = "deployer";
 # usePredictableInterfacenames = false;
- interfaces.ens18.ipv4.addresses = [{
- address = "172.20.73.7";
- prefixLength = 26;
- }];
- interfaces.ens18.ipv6.addresses = [{
- address= "2a02:8106:208:5282:8c15:86ff:fe0f:b018";
- prefixLength = 64;
- }];
+ # interfaces.ens18.ipv4.addresses = [{
+ # address = "172.20.73.7";
+ # prefixLength = 26;
+ # }];
+ # interfaces.ens18.ipv6.addresses = [{
+ # address= "2a02:8106:208:5282:8c15:86ff:fe0f:b018";
+ # prefixLength = 64;
+ # }];
- nameservers = [ "172.20.72.6" "9.9.9.9" ];
+ # nameservers = [ "172.20.72.6" "9.9.9.9" ];
- defaultGateway = {
- address = "172.20.73.1";
- interface = "eth0@if23";
- };
- #defaultGateway6 = {
+ # defaultGateway = {
+ # address = "172.20.73.1";
+ # interface = "eth0@if23";
+ # };
+ # #defaultGateway6 = {
 # address = "fe80::a800:42ff:fe7a:3246";
 # interface = "ens18";
 #};
+ firewall.allowedTCPPorts = [
+ 22
+ ];
 };
 services.openssh = {
@@ -54,12 +59,13 @@
 nix.buildCores = 16;
 nix.maxJobs = 16;
- users.extraUsers.k-ot = {
+ users.extraUsers.k-ot = {
 isNormalUser = true;
 uid = 1000;
 extraGroups = [ "wheel" ];
 };
+ security.sudo.wheelNeedsPassword = false;
 system.stateVersion = "19.03"; # Did you read the comment?
diff --git a/kubernetes/cluster.yml b/kubernetes/cluster.yml
new file mode 100644
index 00000000..090ece94
--- /dev/null
+++ b/kubernetes/cluster.yml
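Review bot: `firewall.allowedTCPPorts = [ 22 ];` in the networking hunk duplicates what the `services.openssh` block (which starts at the hunk's last context line and continues outside it) already does, because NixOS opens the SSH port through `services.openssh.openFirewall`, which defaults to true, unless that block turns it off. If the intent is to make the container's exposure explicit, a comment such as `# sshd already opens 22 via services.openssh.openFirewall; listed here so the exposed ports are visible in one place` would say so; otherwise the three lines can go. The static IPv4/IPv6 addresses, nameservers and default gateway are commented out rather than deleted, so the file no longer shows how the container obtains an address; either remove the block (git keeps it) or put a one-line comment above it stating what now supplies addressing. `+ # #defaultGateway6 = {` also leaves that block double-commented while its body stays single-commented, which looks like an editing slip rather than intent.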
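Review bot: `security.sudo.wheelNeedsPassword = false;` gives every member of `wheel` unprompted root, and the same commit puts `k-ot` in `wheel` and, in the first hunk, re-enables the `../../../lib/admins.nix` import, so any wheel members that file defines inherit the same escalation without the change saying why. Whether that is acceptable for a deploy container cannot be judged from the hunk, but it means an SSH login as any of those users is root with no second prompt, which is worth a recorded decision. The narrower option is to keep the default and grant NOPASSWD only for the specific commands the deploy flow needs via `security.sudo.extraRules`; failing that, a comment next to the line such as `# wheel gets NOPASSWD because <reason — fill in>` would at least document it. The `users.extraUsers.k-ot = {` line is removed and re-added with no visible difference, presumably a whitespace-only change.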
@@ -0,0 +1,105 @@
+nodes:
+ - address: k8s-1.hq.c3d2.de
+ user: ubuntu
+ role:
+ - controlplane
+ - etcd
+ - address: k8s-2.hq.c3d2.de
+ user: ubuntu
+ role:
+ - controlplane
+ - etcd
+ - worker
+ - address: k8s-3.hq.c3d2.de
+ user: ubuntu
+ role:
+ - controlplane
+ - etcd
+ - worker
+
+ssh_agent_auth: true
+cluster_name: chaoscluster
+kubernetes_version: v1.13.5-rancher1-2
+
+services:
+ etcd:
+
+ kube-api:
+ # IP range for any services created on Kubernetes
+ # This must match the service_cluster_ip_range in kube-controller
+ service_cluster_ip_range: 10.43.0.0/16
+ # Expose a different port range for NodePort services
+ service_node_port_range: 30000-32767
+ pod_security_policy: false
+ # Add additional arguments to the kubernetes API server
+ # This WILL OVERRIDE any existing defaults
+ #extra_args:
+ # # Enable audit log to stdout
+ # audit-log-path: "-"
+ # Note for Rancher 2 users: If you are configuring Cluster Options using a Config File when creating Rancher Launched Kubernetes, the names of services should contain underscores only: `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6.
+ kube-controller:
+ # CIDR pool used to assign IP addresses to pods in the cluster
+ cluster_cidr: 10.42.0.0/16
+ # IP range for any services created on Kubernetes
+ # This must match the service_cluster_ip_range in kube-api
+ service_cluster_ip_range: 10.43.0.0/16
+ kubelet:
+ # Base domain for the cluster
+ cluster_domain: k8s.hq.c3d2.de
+ # IP address for the DNS service endpoint
+ cluster_dns_server: 10.43.0.10
+ # Fail if swap is on
+ fail_swap_on: false
+ # Set max pods to 250 instead of default 110
+ extra_args:
+ max-pods: 250
+ # Optionally define additional volume binds to a service
+ #extra_binds:
+ # - "/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins"
+
+# Currently, only authentication strategy supported is x509.
+# You can optionally create additional SANs (hostnames or IPs) to add to
+# the API server PKI certificate.
+# This is useful if you want to use a load balancer for the control plane servers.
+authentication:
+ strategy: x509
+ sans:
+ - "k8s.hq.c3d2.de"
+ - "172.22.99.13"
+ - "172.22.99.15"
+ - "172.22.99.16"
+
+# Kubernetes Authorization mode
+# Use `mode: rbac` to enable RBAC
+# Use `mode: none` to disable authorization
+authorization:
+ mode: none
+
+# Add-ons are deployed using kubernetes jobs. RKE will give up on trying to get the job status after this timeout in seconds..
+addon_job_timeout: 30
+
+# Currently only nginx ingress provider is supported.
+# To disable ingress controller, set `provider: none`
+
+ingress:
+ provider: nginx
+
+# All add-on manifests MUST specify a namespace
+addons: |-
+ ---
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: my-nginx
+ namespace: default
+ spec:
+ containers:
+ - name: my-nginx
+ image: nginx
+ ports:
+ - containerPort: 80
+
+# addons_include:
+# - https://raw.githubusercontent.com/rook/rook/master/cluster/examples/kubernetes/rook-operator.yaml
+# - https://raw.githubusercontent.com/rook/rook/master/cluster/examples/kubernetes/rook-cluster.yaml
+# - /path/to/manifest
diff --git a/common.nix b/lib/common/c3d2.nix
similarity index 100%
rename from common.nix
rename to lib/common/c3d2.nix
diff --git a/mpd.nix b/lib/mpd.nix
similarity index 100%
rename from mpd.nix
rename to lib/mpd.nix
diff --git a/users.nix b/lib/users.nix
similarity index 100%
rename from users.nix
rename to lib/users.nix
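Review bot: `authorization:` / `mode: none` switches off API-server authorization for the whole cluster, so every client that merely authenticates — each node's x509 certificate and any pod holding a service-account token — gets unrestricted access, and the hunk's own comment two lines above names `mode: rbac` as the alternative. Combined with `pod_security_policy: false` in the kube-api section, a single compromised workload in this cluster is one mounted token away from full control of every node, which is a much larger blast radius than the three-node setup suggests. The change is the one line `mode: rbac`; RKE's bundled add-ons carry their own RBAC manifests as far as I recall, but anything delivered through `addons:` or `addons_include:` may need a RoleBinding afterwards, so the first RBAC-enabled `rke up` should be checked for add-on jobs hitting the `addon_job_timeout`. The inline `addons:` manifest also looks like the upstream example Pod (untagged `image: nginx` in `namespace: default`); if it is not an intended workload it should be removed rather than carried in the cluster definition.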