diff --git a/README.md b/README.md
index bddf974..26fbe01 100644
--- a/README.md
+++ b/README.md
@@ -65,7 +65,3 @@ Extract the resulting signed certificate from the CSR object:
 ```
 k3s kubectl get csr -csr -o jsonpath='{.status.certificate}' | base64 --decode > .crt
 ```
-
-## TODO
-
-1. Manage the bootstrap k3s clusterrolebinding with kubenix: `k3s kubectl create clusterrolebinding pim-cluster-admin --user=pim --clusterrole=cluster-admin`.
diff --git a/configuration.nix b/configuration.nix
index 2b1387f..2738b75 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -182,4 +182,28 @@
   services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
   virtualisation.libvirtd.enable = true;
+
+  system.activationScripts.k3s-bootstrap.text =
+    let
+      k3sBootstrapFile = pkgs.writeTextFile {
+        name = "k3s-bootstrap";
+        text = ''
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          metadata:
+            name: pim-cluster-admin
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: ClusterRole
+            name: cluster-admin
+          subjects:
+          - apiGroup: rbac.authorization.k8s.io
+            kind: User
+            name: pim
+        '';
+      };
+    in
+    ''
+      ln -sf ${k3sBootstrapFile} /mnt/data/k3s/server/manifests/k3s-bootstrap.yaml
+    '';
 }
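Review bot: The `ln -sf` in the new activation script assumes `/mnt/data/k3s/server/manifests` already exists, but on a host where k3s has not yet started with this `--data-dir` that directory is absent and the activation step fails, so it should be preceded by `mkdir -p /mnt/data/k3s/server/manifests`. The data-dir path is now spelled out twice (in `services.k3s.extraFlags` and in the symlink target), and hoisting it into a single `let` binding keeps the two from drifting apart. Since anything placed in that manifests directory is applied by k3s's own deploy controller with the server's credentials, the manifest deserves a comment such as `# Auto-applied by k3s at startup: grants the client-cert user "pim" cluster-admin on every boot; keep this file's contents minimal.` Whether k3s follows a symlink in this directory, and whether it removes the binding again if the file disappears, is not visible in this diff and should be confirmed against the k3s version in use. The enclosing module attribute set begins outside the hunk.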