diff --git a/hosts/hijiri/default.nix b/hosts/hijiri/default.nix
index eb55a12..8b0f775 100644
--- a/hosts/hijiri/default.nix
+++ b/hosts/hijiri/default.nix
@@ -23,6 +23,7 @@
 ];
 programs.alacritty.settings.font.size = 14;
 };
+ common.incus.enable = true;
 system.defaults = {
 ".GlobalPreferences" = {
diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
index 849592f..e3b4b2d 100644
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@@ -31,6 +31,7 @@
 hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
 networkmanager.enable = true;
 firewall.trustedInterfaces = [ "tailscale0" ];
+ nftables.enable = true;
 };
 systemd.services.NetworkManager-wait-online.enable = false;
@@ -47,5 +48,6 @@
 instances = 4;
 };
 };
+ common.incus.enable = true;
 };
 }
diff --git a/hosts/ude/default.nix b/hosts/ude/default.nix
index 4b7dd17..0eab93b 100644
--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@@ -19,6 +19,7 @@
 loader.systemd-boot.configurationLimit = 1;
 loader.efi.canTouchEfiVariables = true;
 };
+ networking.nftables.enable = true;
 common.hercules.enable = true;
 services.hercules-ci-agent.settings.concurrentTasks = 6;
@@ -29,6 +30,7 @@
 instances = 6;
 };
 };
+ common.incus.enable = true;
 services.nginx = {
 enable = true;
diff --git a/modules/system/common/default.nix b/modules/system/common/default.nix
index 70e91b7..1976696 100644
--- a/modules/system/common/default.nix
+++ b/modules/system/common/default.nix
@@ -65,6 +65,7 @@ in
 (import ./hercules.nix { inherit isLinux; })
 (import ./user.nix { inherit isLinux; })
 (import ./github-runner.nix { inherit isLinux; })
+ (import ./incus.nix { inherit isLinux; })
 ];
 config = lib.mkMerge [
diff --git a/modules/system/common/incus.nix b/modules/system/common/incus.nix
new file mode 100644
index 0000000..25716e9
--- /dev/null
+++ b/modules/system/common/incus.nix
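Review bot: `nftables.enable = true` in the legion hunk (and `networking.nftables.enable = true` in the first ude hunk) switches the host firewall backend, and it is repeated by hand on each host that also sets `common.incus.enable`, so the next incus host can easily forget it. If the reason is that the NixOS incus module only supports an nftables-backed firewall, which is what the pairing suggests, the new module could carry `networking.nftables.enable = lib.mkDefault true;` inside its Linux host configuration so the two settings stay coupled. Changing backends also means any iptables-syntax `networking.firewall.extraCommands` on these hosts would stop applying; none is visible in these hunks, so that is only something to check before deploying.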
@@ -0,0 +1,79 @@
+{ isLinux }:
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkOption types;
+
+  cfg = config.common.incus;
+
+  sharedConfig = {
+    environment.systemPackages = [ cfg.clientPackage ];
+  };
+
+  linuxConfig = lib.optionalAttrs isLinux {
+    virtualisation.incus = lib.mkIf (!cfg.clientOnly) {
+      enable = true;
+      inherit (cfg) package clientPackage;
+      preseed = {
+        networks = [
+          {
+            name = "incusbr0";
+            type = "bridge";
+            config = {
+              "ipv4.address" = "10.0.100.1/24";
+              "ipv4.nat" = "true";
+            };
+          }
+        ];
+        storage_pools = [
+          {
+            name = "default";
+            driver = "dir";
+            config = {
+              source = "/var/lib/incus/storage-pools/default";
+            };
+          }
+        ];
+      };
+    };
+  };
+
+  darwinConfig = lib.optionalAttrs (!isLinux) {
+    assertions = [
+      {
+        assertion = cfg.enable -> cfg.clientOnly;
+        message = "Darwin cannot be an incus host";
+      }
+    ];
+  };
+in
+{
+  _file = ./incus.nix;
+
+  options.common.incus = {
+    enable = lib.mkEnableOption "incus, the VM and container manager";
+    clientOnly = mkOption {
+      type = types.bool;
+      default = !isLinux;
+    };
+    package = lib.mkPackageOption pkgs "incus" { };
+    clientPackage = lib.mkOption {
+      type = types.package;
+      default = cfg.package.client;
+      defaultText = lib.literalExpression "config.common.incus.package.client";
+      description = "The incus client package to use. This package is added to PATH.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      sharedConfig
+      linuxConfig
+      darwinConfig
+    ]
+  );
+}
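Review bot: The preseed creates `incusbr0` on 10.0.100.1/24 with `"ipv4.nat" = "true"`, which has incus serve DHCP and DNS to instances from the host side of the bridge, but nothing in `linuxConfig` opens the host firewall for that interface, and the Linux hosts in this commit keep the NixOS firewall on (legion trusts only `tailscale0`). Presumably instances will not get addresses or name resolution until the bridge is allowed through; rather than adding `incusbr0` to `trustedInterfaces`, which would expose every host service to the instances, scope it to what the bridge needs, e.g. `networking.firewall.interfaces.incusbr0.allowedUDPPorts = [ 53 67 ];` and `networking.firewall.interfaces.incusbr0.allowedTCPPorts = [ 53 ];` inside the `lib.mkIf (!cfg.clientOnly)` branch (confirm against the NixOS incus module, which may already manage this). `clientOnly` is the only option without a `description`; something like `description = "Install only the incus client and do not run the incus daemon on this host.";` would make its `!isLinux` default and the Darwin assertion self-explanatory.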