diff --git a/.gitignore b/.gitignore
index fcfc4a1..8ca3126 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 result*
+shared/*
diff --git a/devshell.toml b/devshell.toml
index d4bd943..239320b 100644
--- a/devshell.toml
+++ b/devshell.toml
@@ -1,3 +1,11 @@
+[[env]]
+name = "QEMU_NET_OPTS"
+value = "hostfwd=tcp::5443-:443"
+
+[[env]]
+name = "KUBECONFIG"
+eval = "$DEVSHELL_ROOT/kubeconfig.json"
+
 [devshell]
 name = "kubenix"
 packages = [
diff --git a/kubeconfig.json b/kubeconfig.json
new file mode 100644
index 0000000..e979589
--- /dev/null
+++ b/kubeconfig.json
@@ -0,0 +1,38 @@
+{
+    "apiVersion":"v1",
+    "clusters":
+    [
+        {
+            "cluster":
+            {
+                "certificate-authority":"/tmp/vm-state-kube/xchg/secrets/ca.pem",
+                "server":"https://127.0.0.1:5443"
+            },
+            "name":"kubenix"
+        }
+    ],
+    "contexts":
+    [
+        {
+            "context":
+            {
+                "cluster":"kubenix",
+                "user":"cluster-admin"
+            },
+            "current-context":"kubenix"
+        }
+    ],
+    "kind":"Config",
+    "users":
+    [
+        {
+            "name":"cluster-admin",
+            "user":
+            {
+                "client-certificate":"/tmp/vm-state-kube/xchg/secrets/cluster-admin.pem",
+                "client-key":"/tmp/vm-state-kube/xchg/secrets/cluster-admin-key.pem"
+            }
+        }
+    ]
+}
+
diff --git a/modules/testing.nix b/modules/testing.nix
index 712bd38..923f50a 100644
--- a/modules/testing.nix
+++ b/modules/testing.nix
@@ -61,6 +61,17 @@ let
       };
 
       systemd.extraConfig = "DefaultLimitNOFILE=1048576";
+
+      systemd.services.copy-certs = {
+        description = "Share k8s certificates with host";
+        script = "cp -rf /var/lib/kubernetes/secrets /tmp/xchg/";
+        after = [ "kubernetes.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
     }
     (mkIf (any (role: role == "master") config.services.kubernetes.roles) {
       networking.firewall.allowedTCPPorts = [
diff --git a/tests/images.nix b/tests/images.nix
index 80bea14..4d2ac6a 100644
--- a/tests/images.nix
+++ b/tests/images.nix
@@ -32,6 +32,10 @@ with lib;
     extraCommands = ''
       mkdir -p etc
       chmod u+w etc
+      mkdir -p var/cache/nginx
+      chmod u+w var/cache/nginx
+      mkdir -p var/log/nginx
+      chmod u+w var/log/nginx
       echo "nginx:x:1000:1000::/:" > etc/passwd
       echo "nginx:x:1000:nginx" > etc/group
     '';