diff --git a/cluster/cloudflare.tf b/cluster/cloudflare.tf
index 74bc6683..72017f6d 100644
--- a/cluster/cloudflare.tf
+++ b/cluster/cloudflare.tf
@@ -1,7 +1,7 @@
 variable "cloudflare_api_token" {
 type = string
 }
-/*
+
 resource "kubernetes_secret" "cloudflare_api_token" {
 metadata {
 name = "cloudflare-api-token"
@@ -48,4 +48,4 @@ resource "kubernetes_manifest" "cert_manager_cloudflare_issuer" {
 }
 }
 }
-}*/
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/cluster/traefik.tf b/cluster/traefik.tf
index c2756e3a..98baa79d 100644
--- a/cluster/traefik.tf
+++ b/cluster/traefik.tf
@@ -24,10 +24,14 @@ resource "helm_release" "traefik" { } web = { hostPort = 80 + port = 80 + exposedPort = 80 expose = true } websecure = { hostPort = 443 + port = 443 + exposedPort = 443 expose = true } } }
diff --git a/nixos/roles/k8s-cluster/kubernetes.nix b/nixos/roles/k8s-cluster/kubernetes.nix
index 4fd919e1..2ed69aa8 100644
--- a/nixos/roles/k8s-cluster/kubernetes.nix
+++ b/nixos/roles/k8s-cluster/kubernetes.nix
@@ -1,4 +1,9 @@
-{pkgs, ...}: let
+{
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkForce;
 kubeMasterIP = "100.105.14.66";
 kubeMasterHostname = "ran.gensokyo.zone";
 kubeMasterAPIServerPort = 6443;
@@ -11,7 +16,7 @@ in {
 ];
 networking = {
- firewall.enable = false;
+ firewall.enable = mkForce false;
 extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
 };
@@ -27,6 +32,7 @@ in {
 apiserver = {
 securePort = kubeMasterAPIServerPort;
 advertiseAddress = kubeMasterIP;
+ extraOpts = "--service-node-port-range=1-65535";
 };
 };
 }
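Review bot: In cluster/cloudflare.tf (first hunk), re-enabling `kubernetes_secret.cloudflare_api_token` feeds the token through a variable declared only as `type = string`, so Terraform will not redact it where the variable is referenced in plan or error output; add `sensitive = true` to `variable "cloudflare_api_token"`. The value is still written to the Terraform state in clear text either way, so the state backend needs encryption at rest and restricted access. The resource body continues outside the hunk, so how the token is placed into the secret's data is not visible here.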
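Review bot: In cluster/traefik.tf, `port = 80` and `port = 443` move the Traefik entrypoints themselves onto privileged ports inside the container, which only binds if the pod runs as root or is granted NET_BIND_SERVICE; the chart's defaults (unprivileged entrypoint ports, non-root user, dropped capabilities) exist to avoid exactly that. Since `hostPort` and `exposedPort` already publish 80/443, keeping the container side unprivileged, e.g. `port = 8000` for `web` and `port = 8443` for `websecure`, should give the same external behaviour without loosening the pod's security context. The securityContext values are outside this hunk, so confirm they have not been relaxed to make this bind succeed.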
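Review bot: `firewall.enable = mkForce false;` in nixos/roles/k8s-cluster/kubernetes.nix (hunk at line 11) now overrides every other module that turns the host firewall on, so the API server port and whatever else the node listens on are reachable on all interfaces with no host-level filter. Prefer leaving the firewall enabled and opening only what the cluster needs, e.g. `firewall.allowedTCPPorts = [80 443 kubeMasterAPIServerPort];` together with `firewall.trustedInterfaces` for the overlay/CNI interfaces. If disabling it really is required, add a comment next to the `mkForce` naming the module it overrides and why, so a later reader does not take it for an accident.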
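Review bot: `extraOpts = "--service-node-port-range=1-65535";` in nixos/roles/k8s-cluster/kubernetes.nix (last hunk) lets any Service of type NodePort claim any port on every node, including ports used by host daemons such as SSH or the API server port set in `kubeMasterAPIServerPort`, and with the firewall forced off in the same file nothing in front of the node filters them. The traefik change in this commit publishes 80/443 through `hostPort`, which does not depend on the NodePort range, so this flag may not be needed at all. If NodePorts below the default range are required, keep the range as narrow as the use case allows and restrict who may create NodePort Services through RBAC or an admission policy.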