diff --git a/.gitignore b/.gitignore index a806510..e3c7e14 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,5 +1,260 @@ -# ---> Nix -# Ignore build outputs from performing a nix-build or `nix build` command -result -result-* +# Created by https://www.toptal.com/developers/gitignore/api/windows,linux,macos,direnv,vim,emacs,visualstudiocode,jetbrains+all,nix +# Edit at https://www.toptal.com/developers/gitignore?templates=windows,linux,macos,direnv,vim,emacs,visualstudiocode,jetbrains+all,nix +### direnv ### +.direnv +.envrc + +### Emacs ### +# -*- mode: gitignore; -*- +*~ +\#*\# +/.emacs.desktop +/.emacs.desktop.lock +*.elc +auto-save-list +tramp +.\#* + +# Org-mode +.org-id-locations +*_archive + +# flymake-mode +*_flymake.* + +# eshell files +/eshell/history +/eshell/lastdir + +# elpa packages +/elpa/ + +# reftex files +*.rel + +# AUCTeX auto folder +/auto/ + +# cask packages +.cask/ +dist/ + +# Flycheck +flycheck_*.el + +# server auth directory +/server/ + +# projectiles files +.projectile + +# directory configuration +.dir-locals.el + +# network security +/network-security.data + + +### JetBrains+all ### +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# AWS User-specific +.idea/**/aws.xml + +# Generated files +.idea/**/contentModel.xml + +# Sensitive or high-churn files +.idea/**/dataSources/ +.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. 
+# .idea/artifacts +# .idea/compiler.xml +# .idea/jarRepositories.xml +# .idea/modules.xml +# .idea/*.iml +# .idea/modules +# *.iml +# *.ipr + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# SonarLint plugin +.idea/sonarlint/ + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests + +# Android studio 3.1+ serialized cache file +.idea/caches/build_file_checksums.ser + +### JetBrains+all Patch ### +# Ignore everything but code style settings and run configurations +# that are supposed to be shared within teams. + +.idea/* + +!.idea/codeStyles +!.idea/runConfigurations + +### Linux ### + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### macOS ### +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### macOS Patch ### +# iCloud generated files +*.icloud + +#!! ERROR: nix is undefined. 
Use list command to see defined gitignore types !!# + +### Vim ### +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +!.vscode/*.code-snippets + +# Local History for Visual Studio Code +.history/ + +# Built Visual Studio Code Extensions +*.vsix + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history +.ionide + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# End of https://www.toptal.com/developers/gitignore/api/windows,linux,macos,direnv,vim,emacs,visualstudiocode,jetbrains+all,nix diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..62e02b0 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,72 @@
+{
+ description = "flake to deploy and manage cccb k8s cluster"
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"
+ nixpkgs-k8s.url = "github:NixOS/nixpkgs/846711e6d39699c930ea30630f57bbdc1b7bf824" # kubernetes 1.33.1
+ flake-utils.url = "github:numtide/flake-utils";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+ outputs = { self, nixpkgs, nixpkgs-k8s, flake-utils, agenix }: flake-utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system };
+ pkgs-k8s = import nixpkgs-k8s { inherit system };
+ in
+ {
+ formatter = pkgs.nixpkgs-fmt;
+ devShells.default = pkgs.mkShell {
+ packages = with pkgs; [
+ agenix.packages.${system}.default
+ gnumake
+ kubectl
+ kubernetes-helm
+ cfssl
+
+ # debugging
+ age
+ etcd
+ openssl
+ ];
+ };
+ nixosConfigurations."k8s" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ { environment.systemPackages = [ agenix.packages.${system}.default ]; }
+ {
+ age.secrets = {
+ #etcd-root-crt = {
+ # file = ./secrets/etcd-root-crt.age;
+ # mode = "444";
+ # owner = "root";
+ # group = "root";
+ #};
+ #k8s-root-crt = {
+ # file = ./secrets/k8s-root-crt.age;
+ # mode = "444";
+ # owner = "root";
+ # group = "root";
+ #};
+ };
+ }
+ ./configuration.nix
+ {
+ virtualisation = {
+ useEFIBoot = true;
+ libvirtd.enable = true;
+ };
+ }
+
+ #./services/etcd.nix
+ #./services/k8s.nix
+ #./services/k8s-apiserver.nix
+ #./services/k8s-controller-manager.nix
+ #./services/k8s-kubelet.nix
+ #./services/k8s-proxy.nix
+ #./services/k8s-scheduler.nix
+ ];
+ };
+ });
+}
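Review bot: The new flake.nix does not parse as shown: the `description`, `nixpkgs.url` and `nixpkgs-k8s.url` bindings have no terminating `;`, and both imports use `{ inherit system }` where Nix requires `{ inherit system; }`. Separately, `pkgs-k8s` is bound in the `let` but never referenced, so `kubectl` in the dev shell resolves from `nixos-25.05` and the commit pinned for Kubernetes 1.33.1 has no effect. If that pin is meant to fix the client and cluster version, reference it explicitly, e.g. `pkgs-k8s.kubectl`, and do the same in the service modules once they are enabled. `nixosConfigurations."k8s"` is also defined inside `flake-utils.lib.eachDefaultSystem`, which nests it under the system name instead of at `nixosConfigurations.k8s`, so it probably needs to move outside that wrapper with a fixed `system`.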