diff --git a/nixos/ari/001-fix-certmgr-hostname-checks.patch b/nixos/ari/001-fix-certmgr-hostname-checks.patch
new file mode 100644
index 0000000..d23a347
--- /dev/null
+++ b/nixos/ari/001-fix-certmgr-hostname-checks.patch
@@ -0,0 +1,15 @@
+diff --git a/cert/verification.go b/cert/verification.go
+index 4af0d77..ac74493 100644
+--- a/cert/verification.go
++++ b/cert/verification.go
+@@ -10,6 +10,10 @@ import (
+
+ // CertificateMatchesHostname checks if the Certificates hosts are the same as the given hosts
+ func CertificateMatchesHostname(hosts []string, cert *x509.Certificate) bool {
++ // skip checks for kubernetes system certs with invalid DNS names (i.e. CN=system:kube-proxy)
++ if len(hosts) == 1 && len(cert.DNSNames)+len(cert.IPAddresses) == 0 {
++ return true
++ }
+ a := make([]string, len(hosts))
+ for idx := range hosts {
+ // normalize the IPs.
diff --git a/nixos/ari/default.nix b/nixos/ari/default.nix
index 4a51c4d..1c88f69 100644
--- a/nixos/ari/default.nix
+++ b/nixos/ari/default.nix
@@ -2,6 +2,10 @@
 # all by herself atm :3
 {
+ imports = [
+ ./kubernetes.nix
+ ];
+
+ jix.nixos.ari = {
+ system = "x86_64-linux";
diff --git a/nixos/ari/kubernetes.nix b/nixos/ari/kubernetes.nix
new file mode 100644
index 0000000..a441c13
--- /dev/null
+++ b/nixos/ari/kubernetes.nix
@@ -0,0 +1,42 @@
+{
+ jix.nixos.ari.modules = [
+ (
+ {
+ config,
+ ...
+ }:
+ {
+ imports = [
+ ./argocd
+ ];
+
+ jix.argocd.targetRevision = "73c33e78b938258628355c2d01547ab3d6572934";
+ networking.firewall.enable = false;
+
+ services = {
+ # kuwubernetes
+ kubernetes = {
+ masterAddress = config.networking.hostName;
+
+ roles = [
+ "master"
+ "node"
+ ];
+ };
+ };
+
+ }
+ )
+ ];
+
+ # fix certmgr restart looping kube services
+ perSystem.jix.overlays = [
+ (_: prev: {
+ certmgr = prev.certmgr.overrideAttrs {
+ patches = [
+ ./001-fix-certmgr-hostname-checks.patch
+ ];
+ };
+ })
+ ];
+}
diff --git a/nixos/ari/system.nix b/nixos/ari/system.nix
index 36a32af..cadcb47 100644
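Review bot: The new guard at the top of `CertificateMatchesHostname` returns true for any certificate that carries no DNS or IP SAN whenever a single host is requested, without ever looking at the subject, so it switches off hostname verification for every SAN-less certificate certmgr handles rather than only the `system:*` Kubernetes certs the comment names. A SAN-less certificate issued for an unrelated CN would now be reported as matching `hosts[0]`, and since the overlay applies this patch to the whole certmgr package the relaxation is not scoped to the kube services. I would tie the exemption to the subject, e.g. `if len(hosts) == 1 && len(cert.DNSNames)+len(cert.IPAddresses) == 0 && cert.Subject.CommonName == hosts[0] {`, which assumes the cert spec passes the CN as the sole host for these certs — worth confirming against the NixOS kubernetes module's certmgr specs — and change the comment's `i.e.` to `e.g.`. The remainder of the function body and the import block the hunk header references lie outside the hunk.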
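Review bot: `networking.firewall.enable = false;` in kubernetes.nix has no comment explaining why the host firewall is off on a combined master/node, where the API server, etcd and kubelet all listen. The setting is carried over from system.nix rather than introduced here, but placed next to the kube configuration it reads as a deliberate choice and should either say so, e.g. `# firewall off: kube components bind on every interface; host is assumed to sit behind an upstream filter`, or be replaced by an explicit allow-list such as `networking.firewall.allowedTCPPorts = [ 6443 ];` extended with whatever the node actually needs — I can't tell from this hunk which ports are required. The overlay comment `# fix certmgr restart looping kube services` would also be clearer if it named the symptom, e.g. `# certmgr rejects kube system certs (CN=system:*, no SANs) as hostname mismatches and restarts the services in a loop; the patch exempts them`, since the patch loosens certificate verification for the entire package.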
--- a/nixos/ari/system.nix
+++ b/nixos/ari/system.nix
@@ -1,18 +1,5 @@
 {
- config,
- ...
-}:
-{
- imports = [
- ./argocd
- ];
-
- networking = {
- firewall.enable = false;
- networkmanager.enable = true;
- };
-
- jix.argocd.targetRevision = "73c33e78b938258628355c2d01547ab3d6572934";
+ networking.networkmanager.enable = true;
 services = {
 openssh.enable = true;
@@ -57,16 +44,6 @@
 };
 };
 };
-
- # kuwubernetes
- kubernetes = {
- masterAddress = config.networking.hostName;
-
- roles = [
- "master"
- "node"
- ];
- };
 };
 boot.loader.grub = {