diff --git a/configurations/nixos/arma-reforger-tofu/default.nix b/configurations/nixos/arma-reforger-tofu/default.nix
index a12f61d..217a0e0 100644
--- a/configurations/nixos/arma-reforger-tofu/default.nix
+++ b/configurations/nixos/arma-reforger-tofu/default.nix
@@ -14,7 +14,7 @@ in {
 imports = [
 self.nixosModules.default
- # "${modulesPath}/virtualisation/lxc-container.nix"
+ "${modulesPath}/virtualisation/lxc-container.nix"
 ];
 services.arma.enable = true;
diff --git a/modules/nixos/common/firewall.nix b/modules/nixos/common/firewall.nix
index 6c93641..25573ae 100644
--- a/modules/nixos/common/firewall.nix
+++ b/modules/nixos/common/firewall.nix
@@ -1,33 +1,37 @@
 {
- lib,
- pkgs,
- config,
+ # lib,
+ # pkgs,
+ # config,
 ...
 }:
 {
 networking.nftables = {
 enable = true;
- ruleset = ''
- table inet filter {
- chain input {
- type filter hook input priority filter; policy accept;
- ct state related,established accept
+ tables = {
+ yggSsh = {
+ name = "yggSsh";
+ family = "inet";
+ content = ''
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ct state related,established accept
- # Restrict ygg0: only allow SSH in
- iifname "ygg0" tcp dport 22 accept
- iifname "ygg0" drop
- }
+ # Restrict ygg0: only allow SSH in
+ iifname "ygg0" tcp dport 22 accept
+ iifname "ygg0" drop
+ }
- chain forward {
- type filter hook forward priority filter; policy accept;
- # Optional: drop forwarding via ygg0
- iifname "ygg0" drop
- }
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ # Optional: drop forwarding via ygg0
+ iifname "ygg0" drop
+ }
- chain output {
- type filter hook output priority filter; policy accept;
- }
- }
- '';
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+ '';
+ };
+ };
 };
 }
diff --git a/modules/nixos/common/incus.nix b/modules/nixos/common/incus.nix
index 8d5132e..14f38a9 100644
--- a/modules/nixos/common/incus.nix
+++ b/modules/nixos/common/incus.nix
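Review bot: The new `yggSsh` input chain keeps `policy accept`, so the only inbound traffic this table ever drops is non-SSH traffic arriving on ygg0; on every other interface (eth0 in particular) every inbound connection is accepted, and incus.nix in the same diff keeps `networking.firewall.enable = false`, so nothing else filters them. The history removed in incus.nix carried a commented-out "Default deny policy for all interfaces (including ygg0)" allowlist, which suggests default-deny was the original intent. I would flip the input chain to `policy drop`, accept loopback and established flows explicitly, drop `ct state invalid`, and list the eth0 ports this host must actually expose; the `iifname "ygg0" drop` line then becomes redundant. If default-accept on eth0 is deliberate, say so in the comment above the ygg0 rules so the next reader does not assume the table is a real perimeter. Minor: the commented-out `# lib,` / `# pkgs,` / `# config,` module arguments should be deleted rather than kept as dead text.
```nix
          chain input {
            type filter hook input priority filter; policy drop;
            iifname "lo" accept
            ct state related,established accept
            ct state invalid drop
            # ygg0: SSH only; anything else on ygg0 falls through to the drop policy
            iifname "ygg0" tcp dport 22 accept
            # TODO: explicit accepts for the services eth0 must expose (game server ports, etc.)
          }
          # … unchanged: forward and output chains …
```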
@@ -1,34 +1,31 @@
 {
-
- systemd.network = {
- enable = true;
- networks."50-eth0" = {
-
- matchConfig.Name = "eth0";
- networkConfig = {
- DHCP = "ipv4";
- IPv6AcceptRA = true;
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ options.iscontainer.enable = lib.mkEnableOption "iscontainer" // {
+ default = true;
+ };
+ config = lib.mkIf config.iscontainer.enable {
+ systemd.network = {
+ enable = true;
+ networks."50-eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = true;
+ };
+ linkConfig.RequiredForOnline = "routable";
 };
- linkConfig.RequiredForOnline = "routable";
+ };
+
+ networking = {
+ firewall.enable = false;
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useHostResolvConf = false;
 };
 };
-
- networking = {
- # firewall = {
- firewall.enable = false;
- # interfaces = {
- # ygg0 = {
- # allowedTCPPorts = [ 22 ];
- # allowedUDPPorts = [ ];
- # };
- # };
-
- # # Default deny policy for all interfaces (including ygg0)
- # allowedTCPPorts = [ ];
- # allowedUDPPorts = [ ];
- # };
- dhcpcd.enable = false;
- useDHCP = false;
- useHostResolvConf = false;
 };
 }
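Review bot: `options.iscontainer.enable` is given `default = true`, and its `config` block sets `networking.firewall.enable = false`, so every host that imports this common module has the NixOS firewall switched off unless it explicitly opts out — an opt-out default is the wrong direction for a switch that disables a firewall. I would make it opt-in (`default = false;`, or simply drop the `// { default = true; }` override, since `mkEnableOption` already defaults to false) and set `iscontainer.enable = true` in the container host configurations, or at least split the firewall toggle out of the container-networking toggle so enabling networkd DHCP on eth0 does not silently also turn off the firewall. The generated description, "Whether to enable iscontainer.", says nothing about what the option does; `lib.mkEnableOption "container networking defaults: systemd-networkd DHCP on eth0 and the NixOS firewall disabled"` would document it. `pkgs` is bound in the module arguments but is not used anywhere in this hunk.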