diff --git a/docker_swarm/playbooks/stacks.yml b/docker_swarm/playbooks/stacks.yml
index b6e50cc..862a97a 100644
--- a/docker_swarm/playbooks/stacks.yml
+++ b/docker_swarm/playbooks/stacks.yml
@@ -5,9 +5,7 @@
     - {role: traefik, tags: traefik}
     - {role: forgejo, tags: forgejo}
     - {role: radicale, tags: radicale}
-    - {role: freshrss, tags: freshrss}
     - {role: hedgedoc, tags: hedgedoc}
-    - {role: cyberchef, tags: cyberchef}
     - {role: inbucket, tags: inbucket}
     - {role: kms, tags: kms}
     - {role: swarm_dashboard, tags: swarm_dashboard}
diff --git a/flake.nix b/flake.nix
index 572b81b..76a0d4b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,7 @@
       ./nix/flake/checks.nix
       ./nix/flake/deploy.nix
       ./nix/flake/nixos.nix
+      ./nix/flake/kubenix.nix
     ] // (flake-utils.lib.eachDefaultSystem (system: {
       formatter = nixpkgs.legacyPackages.${system}.nixfmt;
     }));
diff --git a/kubernetes/cyberchef.yaml b/kubernetes/cyberchef.yaml
deleted file mode 100644
index 6eb3f46..0000000
--- a/kubernetes/cyberchef.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cyberchef
-  labels:
-    app: cyberchef
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: cyberchef
-  template:
-    metadata:
-      labels:
-        app: cyberchef
-    spec:
-      containers:
-      - name: cyberchef
-        image: mpepping/cyberchef
-        ports:
-        - containerPort: 8000
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: cyberchef
-spec:
-  selector:
-    app: cyberchef
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8000
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: cyberchef
-spec:
-  ingressClassName: traefik
-  rules:
-  - host: cyberchef.kun.is
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: cyberchef
-            port:
-              number: 80
diff --git a/kubernetes/kubenix-namespace.yaml b/kubernetes/kubenix-namespace.yaml
new file mode 100644
index 0000000..37ce8b6
--- /dev/null
+++ b/kubernetes/kubenix-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubenix
diff --git a/nix/flake/kubenix.nix b/nix/flake/kubenix.nix
new file mode 100644
index 0000000..f6b5762
--- /dev/null
+++ b/nix/flake/kubenix.nix
@@ -0,0 +1,62 @@
+{ self, flake-utils, kubenix, ... }: flake-utils.lib.eachDefaultSystem
+  (system: {
+    kubenix = kubenix.packages.${system}.default.override {
+      specialArgs.flake = self;
+
+      module = { kubenix, ... }: {
+        imports = [ kubenix.modules.k8s ];
+        kubernetes.kubeconfig = "~/.kube/config";
+        kubenix.project = "home";
+
+        kubernetes.resources = {
+          deployments.cyberchef.spec = {
+            replicas = 3;
+            selector.matchLabels.app = "cyberchef";
+
+            template = {
+              metadata.labels.app = "cyberchef";
+
+              spec = {
+                containers.cyberchef = {
+                  image = "mpepping/cyberchef";
+
+                  ports = [{
+                    containerPort = 8000;
+                    protocol = "TCP";
+                  }];
+                };
+              };
+            };
+          };
+
+          services.cyberchef.spec = {
+            selector.app = "cyberchef";
+
+            ports = [{
+              protocol = "TCP";
+              port = 80;
+              targetPort = 8000;
+            }];
+          };
+
+          ingresses.cyberchef.spec = {
+            ingressClassName = "traefik";
+
+            rules = [{
+              host = "cyberchef.kun.is";
+
+              http.paths = [{
+                path = "/";
+                pathType = "Prefix";
+
+                backend.service = {
+                  name = "cyberchef";
+                  port.number = 80;
+                };
+              }];
+            }];
+          };
+        };
+      };
+    };
+  })