diff --git a/configurations/nixos/base-image/default.nix b/configurations/nixos/base-image/default.nix
new file mode 100644
index 0000000..fb80fbe
--- /dev/null
+++ b/configurations/nixos/base-image/default.nix
@@ -0,0 +1,36 @@
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ ];
+ deploy = {
+ enable = false;
+ };
+
+ services = {
+ tty-ips.enable = true;
+ };
+ networking = {
+ yggdrasil = {
+ enable = true;
+ AllowedPublicKeys = [
+ "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+ ];
+ };
+ hostName = "tofu";
+ };
+ environment.systemPackages = [
+ ];
+ system.stateVersion = "25.05";
+}
diff --git a/configurations/nixos/observer-tofu/default.nix b/configurations/nixos/observer-tofu/default.nix
index 76c6201..1419e1c 100644
--- a/configurations/nixos/observer-tofu/default.nix
+++ b/configurations/nixos/observer-tofu/default.nix
@@ -14,7 +14,10 @@ in
 self.nixosModules.default
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
- deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ deploy = {
+ enable = true;
+ address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ };
 services = {
 tty-ips.enable = true;
 uptime-kuma = {
@@ -27,7 +30,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 582f803..3f0c038 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -15,6 +15,7 @@ in
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
 deploy = {
+ enable = true;
 address = "200:1978:6503:e6f0:2dbe:11fd:74b:ff64";
 };
 sops.secrets = {
@@ -39,7 +40,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
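Review bot: `hostName = "tofu";` gives the new base image what is presumably the same host name as the `configurations/nixos/tofu` host, so any container cloned from this image comes up as `tofu` until renamed and is hard to tell apart in logs and yggdrasil peer lists; a distinct placeholder such as `hostName = "base-image";` avoids that. The `config` binding in the argument set is never referenced in the file and can be dropped. `environment.systemPackages = [ ];` is an empty list and can be dropped as well, or carry a comment saying what is expected to be added per host.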
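Review bot: Removing `firewall.enable = false;` here (and in the matching second hunk of configurations/nixos/tofu/default.nix) makes the host inherit the firewall from modules/nixos/common/incus.nix, which permits only TCP 22 on ygg0 and nothing on any other interface. The `uptime-kuma = {` block visible above listens on a port that is not shown in this hunk; if its UI is meant to be reachable over yggdrasil it now needs `networking.firewall.interfaces.ygg0.allowedTCPPorts = [ <uptime-kuma-port> ];` in this file alongside the common rules, otherwise only SSH will answer once this deploys. The `networking` set this hunk edits continues past the visible lines.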
diff --git a/modules/nixos/common/incus.nix b/modules/nixos/common/incus.nix
index 00d4741..3e2963f 100644
--- a/modules/nixos/common/incus.nix
+++ b/modules/nixos/common/incus.nix
@@ -14,6 +14,20 @@
 };
 networking = {
+ firewall = {
+ enable = true;
+ interfaces = {
+ ygg0 = {
+ allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ # Default deny policy for all interfaces (including ygg0)
+ allowPing = false;
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
 dhcpcd.enable = false;
 useDHCP = false;
 useHostResolvConf = false;
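Review bot: `allowPing = false;` in this shared module drops ICMP echo on every interface of every host that imports it, and `networking.firewall.interfaces.<name>` has no per-interface variant of that option, so hosts on yggdrasil cannot be pinged either; observer-tofu runs uptime-kuma, and any ping-type monitors it has against these hosts would presumably start failing after this deploys, so confirm that is intended or leave the default. The three empty lists (`allowedUDPPorts = [ ];` under ygg0 and the global `allowedTCPPorts`/`allowedUDPPorts`) restate the NixOS defaults, so the comment above them suggests they are doing the restricting when they are not; either drop them or reword the comment to `# Restate the defaults: nothing is open except what interfaces.ygg0 lists above`. The `networking` set this hunk edits continues past the visible lines.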