diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
index 59fad3e..36a5aea 100644
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@@ -30,7 +30,6 @@
 hostName = "legion";
 hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
 networkmanager.enable = true;
- nftables.enable = true;
 };
 systemd.services.NetworkManager-wait-online.enable = false;
diff --git a/hosts/ude/default.nix b/hosts/ude/default.nix
index 0eab93b..cef0d5c 100644
--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@@ -19,7 +19,6 @@
 loader.systemd-boot.configurationLimit = 1;
 loader.efi.canTouchEfiVariables = true;
 };
- networking.nftables.enable = true;
 common.hercules.enable = true;
 services.hercules-ci-agent.settings.concurrentTasks = 6;
diff --git a/modules/system/common/incus.nix b/modules/system/common/incus.nix
index 25716e9..c71dd78 100644
--- a/modules/system/common/incus.nix
+++ b/modules/system/common/incus.nix
@@ -3,6 +3,7 @@
 lib,
 config,
 pkgs,
+ username,
 ...
 }:
 let
@@ -14,33 +15,41 @@ let
 environment.systemPackages = [ cfg.clientPackage ];
 };
- linuxConfig = lib.optionalAttrs isLinux {
- virtualisation.incus = lib.mkIf (!cfg.clientOnly) {
- enable = true;
- inherit (cfg) package clientPackage;
- preseed = {
- networks = [
- {
- name = "incusbr0";
- type = "bridge";
- config = {
- "ipv4.address" = "10.0.100.1/24";
- "ipv4.nat" = "true";
- };
- }
- ];
- storage_pools = [
- {
- name = "default";
- driver = "dir";
- config = {
- source = "/var/lib/incus/storage-pools/default";
- };
- }
- ];
+ linuxConfig = lib.optionalAttrs isLinux (
+ lib.mkIf (!cfg.clientOnly) {
+ virtualisation.incus = {
+ enable = true;
+ inherit (cfg) package clientPackage;
+ preseed = {
+ # TODO: Default profile with storage pool
+ networks = [
+ {
+ name = "incusbr0";
+ type = "bridge";
+ config = {
+ "ipv4.address" = "10.0.100.1/24";
+ "ipv4.nat" = "true";
+ };
+ }
+ ];
+ storage_pools = [
+ {
+ name = "default";
+ driver = "dir";
+ config = {
+ source = "/var/lib/incus/storage-pools/default";
+ };
+ }
+ ];
+ };
 };
- };
- };
+ networking = {
+ nftables.enable = true;
+ firewall.trustedInterfaces = [ "incusbr0" ];
+ };
+ users.users.${username}.extraGroups = [ "incus-admin" ];
+ }
+ );
 darwinConfig = lib.optionalAttrs (!isLinux) {
 assertions = [
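Review bot: `users.users.${username}.extraGroups = [ "incus-admin" ];` near the end of the hunk is a root-equivalent grant — Incus documents incus-admin membership as full control of the daemon, which amounts to root on the host — yet it is applied silently as a side effect of enabling the daemon, so it should at least carry a comment such as `# incus-admin is root-equivalent on this host; members can mount host paths into privileged instances` and arguably sit behind its own option. `firewall.trustedInterfaces = [ "incusbr0" ];` likewise disables filtering for everything arriving from the bridge, so any instance can reach every service listening on the host; if guests only need DHCP and DNS from the bridge, `networking.firewall.interfaces.incusbr0.allowedUDPPorts = [ 53 67 ];` plus `allowedTCPPorts = [ 53 ];` is the narrower form. Moving `nftables.enable = true;` from the two host files into this module means enabling the daemon now switches the host's firewall backend implicitly, which deserves a comment because hosts that still rely on iptables-style `networking.firewall.extraCommands` may evaluate or behave differently after this change. The new `lib.optionalAttrs isLinux (lib.mkIf …)` shape yields a mkIf marker set rather than plain attrs, which is only correct if linuxConfig is merged via mkMerge or assigned straight to config; its use site is outside this hunk, so that assumption should be confirmed.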