diff --git a/README.md b/README.md
index 4b10192c..78768a25 100644
--- a/README.md
+++ b/README.md
@@ -125,3 +125,4 @@ Distributed under the GPLv3 License. See `LICENSE` for more information.
 - [README template](https://github.com/othneildrew/Best-README-Template)
 - [Run the same Cloudflare Tunnel across many `cloudflared` processes](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel)
 - [MAC address environment variable in GRUB config](https://askubuntu.com/questions/1272400/how-do-i-automate-network-installation-of-many-ubuntu-18-04-systems-with-efi-and)
+- [Official k3s systemd service file](https://github.com/k3s-io/k3s/blob/master/k3s.service)
diff --git a/metal/hosts.yml b/metal/hosts.yml
index c4bdec1a..20309674 100644
--- a/metal/hosts.yml
+++ b/metal/hosts.yml
@@ -1,9 +1,13 @@
 metal:
- hosts:
- # metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f3:f0'}
- metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f4:d6'}
- metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60'}
- metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69'}
+ children:
+ masters:
+ hosts:
+ # metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f3:f0'}
+ metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f4:d6'}
+ metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60'}
+ workers:
+ hosts:
+ metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69'}
 vars:
 ansible_user: root
 ansible_ssh_private_key_file: ~/.ssh/id_ed25519
diff --git a/metal/main.yml b/metal/main.yml
index 4bc6a240..d0162afb 100644
--- a/metal/main.yml
+++ b/metal/main.yml
@@ -8,3 +8,8 @@
 gather_facts: no
 roles:
 - wake
+
+- name: Create Kubernetes cluster
+ hosts: metal
+ roles:
+ - k3s
diff --git a/metal/roles/k3s/defaults/main.yml b/metal/roles/k3s/defaults/main.yml
new file mode 100644
index 00000000..1d911c20
--- /dev/null
+++ b/metal/roles/k3s/defaults/main.yml
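Review bot: The new `Create Kubernetes cluster` play in metal/main.yml sets no `gather_facts`, while the play above it (visible as context) runs with `gather_facts: no`. The k3s role added elsewhere in this diff only reads inventory and magic variables (`inventory_hostname`, `groups`, `hostvars[...].ansible_host`, `group_names`), so fact gathering looks like pure overhead on every run here. Consider `gather_facts: no` under `hosts: metal` for consistency, unless a later role is expected to rely on facts.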
@@ -0,0 +1,4 @@
+k3s_version: v1.21.4+k3s1
+k3s_config_file: /etc/rancher/k3s/config.yaml
+k3s_token_file: /etc/rancher/node/password
+k3s_service_file: /etc/systemd/system/k3s.service
diff --git a/metal/roles/k3s/tasks/main.yml b/metal/roles/k3s/tasks/main.yml
new file mode 100644
index 00000000..7fca1a49
--- /dev/null
+++ b/metal/roles/k3s/tasks/main.yml
@@ -0,0 +1,66 @@
+- name: Download k3s binary
+ get_url:
+ url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s
+ checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-amd64.txt
+ dest: /usr/local/bin/k3s
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure config directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /etc/rancher/k3s
+ - /etc/rancher/node
+
+- name: Check if k3s token file exists on the first node
+ run_once: yes
+ stat:
+ path: "{{ k3s_token_file }}"
+ register: k3s_token_file_stat
+
+- name: Generate k3s token file on the first node if not exist yet
+ run_once: yes
+ when: not k3s_token_file_stat.stat.exists
+ copy:
+ content: lookup('community.general.random_string', length=32)
+ dest: "{{ k3s_token_file }}"
+
+- name: Get k3s token from the first node
+ run_once: yes
+ slurp:
+ src: "{{ k3s_token_file }}"
+ register: k3s_token_base64
+
+- name: Ensure all nodes has the same token
+ copy:
+ content: "{{ k3s_token_base64.content | b64decode }}"
+ dest: "{{ k3s_token_file }}"
+
+- name: Copy k3s config files
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: config.yaml.j2
+ dest: "{{ k3s_config_file }}"
+ - src: k3s.service.j2
+ dest: "{{ k3s_service_file }}"
+
+- name: Enable k3s service
+ systemd:
+ name: k3s
+ enabled: yes
+ state: started
+ register: k3s_service
+ until: k3s_service is succeeded
+ retries: 5
+
+- name: Get Kubernetes config file
+ run_once: yes
+ fetch:
+ src: /etc/rancher/k3s/k3s.yaml
+ dest: "{{ playbook_dir }}/kubeconfig.yaml"
+ flat: yes
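Review bot: `k3s_token_file: /etc/rancher/node/password` reuses a path that, as far as I recall, k3s agents themselves use for the per-node password written at registration; storing the shared cluster token in that same file conflates two secrets with different scopes and gives every node an identical node password. I would point `k3s_token_file` at a dedicated location (for example `/etc/rancher/k3s/token`, a constructed path) and confirm the node-password path against the k3s documentation before merging. The other defaults are fine as plain scalars; `v1.21.4+k3s1` cannot be mis-typed as a number.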
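Review bot: In `Generate k3s token file on the first node if not exist yet`, `content: lookup('community.general.random_string', length=32)` is a plain YAML string, not a Jinja expression, so the first node's token file receives the literal text `lookup('community.general.random_string', length=32)`, and `Ensure all nodes has the same token` then distributes that fixed, publicly guessable value to every node as the cluster join token. It should read `content: "{{ lookup('community.general.random_string', length=32) }}"`. Both `copy` tasks that write `k3s_token_file` also omit `mode`, so the token is created with the module's default permissions (typically world-readable); add `mode: "0600"` to each. Minor style: `mode: 0755` on `get_url` is safer quoted as `"0755"`, and the `yes` values for `run_once`, `enabled` and `flat` would be `true` under yamllint's truthy rule.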
diff --git a/metal/roles/k3s/templates/config.yaml.j2 b/metal/roles/k3s/templates/config.yaml.j2
new file mode 100644
index 00000000..06169e9b
--- /dev/null
+++ b/metal/roles/k3s/templates/config.yaml.j2
@@ -0,0 +1,6 @@
+{% if inventory_hostname == groups['masters'][0] %}
+cluster-init: true
+{% else %}
+server: https://{{ hostvars[groups['masters'][0]].ansible_host }}:6443
+{% endif %}
+token-file: {{ k3s_token_file }}
diff --git a/metal/roles/k3s/templates/k3s.service.j2 b/metal/roles/k3s/templates/k3s.service.j2
new file mode 100644
index 00000000..ee1c15ef
--- /dev/null
+++ b/metal/roles/k3s/templates/k3s.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=Lightweight Kubernetes
+Documentation=https://k3s.io
+After=network-online.target
+
+[Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s {{ 'server' if 'masters' in group_names else 'agent' }}
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
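Review bot: `After=network-online.target` in the `[Unit]` section of k3s.service.j2 only orders k3s after that target; without a matching `Wants=network-online.target` the target is not pulled into the boot transaction, so on a host where nothing else wants it k3s can start before the network is up and then depend on `Restart=always` to recover. Add `Wants=network-online.target` next to the `After=` line; the upstream k3s unit linked from the README in this commit pairs the two, if I recall correctly. The rest of the template follows that unit, and the `ExecStart` server/agent switch on `group_names` reads clearly.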