diff --git a/config/kured.yaml b/config/kured.yaml
deleted file mode 100644
index 04bb3e5..0000000
--- a/config/kured.yaml
+++ /dev/null
@@ -1,141 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kured
-rules:
-# Allow kured to read spec.unschedulable
-# Allow kubectl to drain/uncordon
-#
-# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
-# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
-#
-- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "patch"]
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["list","delete","get"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["pods/eviction"]
- verbs: ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kured
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kured
-subjects:
-- kind: ServiceAccount
- name: kured
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: kube-system
- name: kured
-rules:
-# Allow kured to lock/unlock itself
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- resourceNames: ["kured"]
- verbs: ["update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- namespace: kube-system
- name: kured
-subjects:
-- kind: ServiceAccount
- namespace: kube-system
- name: kured
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kured
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kured
- namespace: kube-system
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kured # Must match `--ds-name`
- namespace: kube-system # Must match `--ds-namespace`
-spec:
- selector:
- matchLabels:
- name: kured
- updateStrategy:
- type: RollingUpdate
- template:
- metadata:
- labels:
- name: kured
- spec:
- serviceAccountName: kured
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- hostPID: true # Facilitate entering the host mount namespace via init
- restartPolicy: Always
- containers:
- - name: kured
- image: registry.opensuse.org/kubic/kured:1.9.1
- # If you find yourself here wondering why there is no
- # :latest tag on Docker Hub,see the FAQ in the README
- imagePullPolicy: Always
- securityContext:
- privileged: true # Give permission to nsenter /proc/1/ns/mnt
- env:
- # Pass in the name of the node on which this pod is scheduled
- # for use with drain/uncordon operations and lock acquisition
- - name: KURED_NODE_ID
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- command:
- - /usr/bin/kured
-# - --force-reboot=false
-# - --drain-grace-period=-1
-# - --skip-wait-for-delete-timeout=0
-# - --drain-timeout=0
-# - --period=1h
-# - --ds-namespace=kube-system
-# - --ds-name=kured
-# - --lock-annotation=weave.works/kured-node-lock
-# - --lock-ttl=0
-# - --prometheus-url=http://prometheus.monitoring.svc.cluster.local
-# - --alert-filter-regexp=^RebootRequired$
-# - --alert-firing-only=false
-# - --reboot-sentinel=/var/run/reboot-required
-# - --prefer-no-schedule-taint=""
-# - --reboot-sentinel-command=""
-# - --slack-hook-url=https://hooks.slack.com/...
-# - --slack-username=prod
-# - --slack-channel=alerting
-# - --notify-url="" # See also shoutrrr url format
-# - --message-template-drain=Draining node %s
-# - --message-template-drain=Rebooting node %s
-# - --blocking-pod-selector=runtime=long,cost=expensive
-# - --blocking-pod-selector=name=temperamental
-# - --blocking-pod-selector=...
-# - --reboot-days=sun,mon,tue,wed,thu,fri,sat
-# - --reboot-delay=90s
-# - --start-time=0:00
-# - --end-time=23:59:59
-# - --time-zone=UTC
-# - --annotate-nodes=false
-# - --lock-release-delay=30m
-# - --log-format=text
\ No newline at end of file
diff --git a/kured/patch.yaml b/kured/patch.yaml
new file mode 100644
index 0000000..bf72a0c
--- /dev/null
+++ b/kured/patch.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: kured
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ name: kured
+ template:
+ metadata:
+ labels:
+ name: kured
+ spec:
+ serviceAccountName: kured
+ containers:
+ - name: kured
+ command:
+ - /usr/bin/kured
+ - --reboot-command=/usr/bin/systemctl reboot
diff --git a/master.tf b/master.tf
index 1461063..3d64c9b 100644
--- a/master.tf
+++ b/master.tf
@@ -124,7 +124,7 @@ resource "hcloud_server" "first_control_plane" {
 provisioner "local-exec" {
 command = <<-EOT
 set -ex
- kubectl -n kube-system apply ${path.module}/config/kured.yaml --kubeconfig ${path.module}/kubeconfig.yaml
+ kubectl -n kube-system apply -k ${dirname(local_file.kured_config.filename)} --kubeconfig ${path.module}/kubeconfig.yaml
 EOT
 }
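Review bot: The new patch restates `spec.selector`, `spec.template.metadata.labels` and `serviceAccountName` although the only thing it changes is the container command; in a strategic-merge patch only the identifying fields (`metadata.name`/`namespace` and the `name` of the `containers` entry) plus the overridden path belong, and since a DaemonSet selector is immutable, carrying a copy of it here is just a second place for it to drift from the base. Because `command` is a list, this patch replaces the base's command wholesale rather than appending to it, so every flag kured needs has to be listed in this file; a comment above `command:` such as `# Replaces the base command list entirely; restate every kured flag here` would make that explicit. The `-k` apply in master.tf presumably depends on a kustomization.yaml in the same directory, which is not part of this diff, and with config/kured.yaml deleted the base is presumably a remote reference; if so, it should be pinned to a release tag or digest, because the resulting DaemonSet runs privileged with hostPID and should not track a moving ref.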