diff --git a/modules/k8s.nix b/modules/k8s.nix index 710855b..3702228 100644 --- a/modules/k8s.nix +++ b/modules/k8s.nix @@ -108,12 +108,12 @@ let helm_apply () { local name chart - name="$1" - chart="$2" + name="$1"; shift + chart="$1"; shift create_namespace $namespace cat values.yaml | \ substitute_defaults | \ - helm template -n $namespace -f- $name $chart | \ + helm template -n $namespace -f- $name $chart $@ | \ kubectl -n $namespace $apply -f - } @@ -251,12 +251,25 @@ let Restart = "on-failure"; }; }; + systemd.services.cfssl-restart = { enable = true; startAt = "00/6:00"; description = "Restrart cfssl which regularly locks up"; script = "systemctl restart cfssl.service"; }; + + systemd.services.kube-socat-https-proxy = { + enable = true; + wantedBy = [ "kubernetes.target" ]; + after = [ "kubelet.target" ]; + description = "Proxy TCP port 443 to ingress NodePort at 32443"; + script = "${pkgs.socat}/bin/socat TCP-LISTEN:443,fork,reuseaddr TCP:127.0.0.1:32443"; + serviceConfig = { + RestartSec = "10s"; + Restart = "on-failure"; + }; + }; }; kubeNode = {
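Review bot: The forwarded `$@` on the new `helm template` line is unquoted, so an extra argument containing whitespace or glob characters is re-split by the shell before helm sees it. Quote it together with the positional values: `helm template -n "$namespace" -f- "$name" "$chart" "$@" | \`. The enclosing Nix string starts outside the hunk, so the quotes need escaping if it is a `"`-delimited string rather than an indented one. Since trailing arguments now reach helm verbatim as flags, a comment above `helm_apply` such as `# extra arguments are forwarded unchanged to helm template` would make that contract visible to callers. The two `shift` calls also return non-zero when fewer than two arguments are passed, which aborts the script if it runs under `set -e` (not visible here).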
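Review bot: The new `kube-socat-https-proxy` unit sets no `User`, so socat presumably runs as root, and `TCP-LISTEN:443` has no `bind=` option, so it accepts connections on every interface. Only the privileged-port bind needs privilege, so adding `DynamicUser = true;` and `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` to `serviceConfig` would keep an internet-facing relay from running as root. Every connection reaches the ingress from 127.0.0.1, so access logs and any IP-based allow-list or rate limit there lose the client address; a comment on the unit should say so. `after = [ "kubelet.target" ]` is silently ignored if no such target exists, so check that the unit name is not meant to be `kubelet.service`.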