diff --git a/configurations/nixos/base-image/default.nix b/configurations/nixos/base-image/default.nix deleted file mode 100644 index fb80fbe..0000000 --- a/configurations/nixos/base-image/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - flake, - modulesPath, - config, - ... -}: - -let - inherit (flake) inputs; - inherit (inputs) self; -in -{ - imports = [ - self.nixosModules.default - "${modulesPath}/virtualisation/lxc-container.nix" - ]; - deploy = { - enable = false; - }; - - services = { - tty-ips.enable = true; - }; - networking = { - yggdrasil = { - enable = true; - AllowedPublicKeys = [ - "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074" - ]; - }; - hostName = "tofu"; - }; - environment.systemPackages = [ - ]; - system.stateVersion = "25.05"; -} diff --git a/configurations/nixos/observer-tofu/default.nix b/configurations/nixos/observer-tofu/default.nix index 312a252..76c6201 100644 --- a/configurations/nixos/observer-tofu/default.nix +++ b/configurations/nixos/observer-tofu/default.nix @@ -14,9 +14,7 @@ in self.nixosModules.default "${modulesPath}/virtualisation/lxc-container.nix" ]; - deploy = { - address = "200:b938:d405:92df:a6e:1ffd:5213:26b"; - }; + deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b"; services = { tty-ips.enable = true; uptime-kuma = { @@ -29,6 +27,7 @@ in }; }; networking = { + firewall.enable = false; yggdrasil = { enable = true; AllowedPublicKeys = [ diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix index 35de13c..18efd18 100644 --- a/configurations/nixos/tofu/default.nix +++ b/configurations/nixos/tofu/default.nix @@ -1,3 +1,5 @@ +# See /modules/nixos/* for actual settings +# This file is just *top-level* configuration. { flake, modulesPath, @@ -39,6 +41,7 @@ in }; }; networking = { + firewall.enable = false; yggdrasil = { enable = true; AllowedPublicKeys = [ diff --git a/modules/flake/deploy.nix b/modules/flake/deploy.nix index d5f1f3e..0af10de 100644 
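Review bot: `firewall.enable = false;` in the observer-tofu `networking` block switches packet filtering off for the whole host, and the same line is added in the tofu hunk that follows. The same commit deletes the shared rules in modules/nixos/common/incus.nix that denied by default and opened only TCP 22 on `ygg0`. After this change every listening service on these hosts is reachable on every interface; that includes uptime-kuma here and the OpenSSH enabled in ssh.nix. If a service needed an extra port, keep the filter on and open that port, starting from `firewall = { enable = true; interfaces.ygg0.allowedTCPPorts = [ 22 ]; };`, or at least add a comment saying why the firewall is off. The `networking` block continues outside the hunk.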
--- a/modules/flake/deploy.nix +++ b/modules/flake/deploy.nix @@ -6,25 +6,21 @@ let nixpkgs nixos-anywhere ; - inherit (nixpkgs) lib; genNode = hostName: nixosCfg: let - deploy = nixosCfg.config.deploy; - system = nixosCfg.pkgs.system; + # inherit (self.hosts.${hostName}) address hostPlatform remoteBuild; + # inherit (deploy-rs.lib.${hostPlatform}) activate; + system = self.nixosConfigurations."${hostName}".pkgs.system; + address = self.nixosConfigurations."${hostName}".config.deploy.address; in { - hostname = deploy.address; - profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg; + # inherit address; + hostname = address; + profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName}; }; - - # Filter out nodes where deploy.enable != true - deployableNodes = lib.filterAttrs (hostName: nixosCfg: nixosCfg.config.deploy.enable or false) ( - self.nixosConfigurations or { } - ); - in { perSystem = @@ -48,12 +44,13 @@ in deploy = deploy-rs.apps.${system}.deploy-rs; }; }; - - flake.deploy = { - autoRollback = false; - magicRollback = true; - user = "root"; - remoteBuild = true; - nodes = lib.mapAttrs genNode deployableNodes; + flake = { + deploy = { + autoRollback = false; + magicRollback = true; + user = "root"; + remoteBuild = true; + nodes = lib.mapAttrs genNode (self.nixosConfigurations or { }); + }; }; } diff --git a/modules/nixos/common/deployrs.nix b/modules/nixos/common/deployrs.nix deleted file mode 100644 index b179f7e..0000000 --- a/modules/nixos/common/deployrs.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ lib, config, ... }: -{ - options.deploy = { - enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module"; - address = lib.mkOption { - type = lib.types.str; - default = config.networking.hostName; - }; - }; -} diff --git a/modules/nixos/common/incus.nix b/modules/nixos/common/incus.nix index 3e2963f..00d4741 100644 --- a/modules/nixos/common/incus.nix +++ b/modules/nixos/common/incus.nix 
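Review bot: `genNode` still takes `nixosCfg` from `mapAttrs`, but the new body ignores it and indexes `self.nixosConfigurations` by `hostName` three times to reach the same value. Using the argument is shorter and cannot drift from the set being mapped: `system = nixosCfg.pkgs.system;`, `address = nixosCfg.config.deploy.address;` and `profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg;`. The three commented-out `# inherit …` lines refer to `self.hosts` and `hostPlatform`, which appear nowhere else in this diff, so they should be dropped rather than committed.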
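Review bot: `lib.mapAttrs` in the new `nodes` line still needs `lib`, but the first hunk of this file removes `inherit (nixpkgs) lib;`. Unless `lib` is bound in the lines above the hunk, which are not visible here, evaluation fails with an undefined variable, so that line should be restored. Removing the `deployableNodes` filter also makes every entry of `self.nixosConfigurations` a deploy node for `user = "root"`. A host that sets no `deploy.address` is then addressed by its `networking.hostName`, that is, by whatever that name resolves to on the deploying machine. An explicit per-host opt-in, or an address option with no default, would keep a new configuration from becoming a root deploy target by accident.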
@@ -14,20 +14,6 @@ }; networking = { - firewall = { - enable = true; - interfaces = { - ygg0 = { - allowedTCPPorts = [ 22 ]; - allowedUDPPorts = [ ]; - }; - }; - - # Default deny policy for all interfaces (including ygg0) - allowPing = false; - allowedTCPPorts = [ ]; - allowedUDPPorts = [ ]; - }; dhcpcd.enable = false; useDHCP = false; useHostResolvConf = false; diff --git a/modules/nixos/common/ssh.nix b/modules/nixos/common/ssh.nix index d2de754..8d7f703 100644 --- a/modules/nixos/common/ssh.nix +++ b/modules/nixos/common/ssh.nix @@ -1,6 +1,9 @@ { lib, config, ... }: { - + options.deploy.address = lib.mkOption { + type = lib.types.str; + default = config.networking.hostName; + }; config = { services.openssh.enable = true; security = {
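Review bot: The new `options.deploy.address` in ssh.nix has no `description`, and it is declared in the SSH module even though modules/flake/deploy.nix is what reads it. Someone looking for deploy-rs settings will not look here now that deployrs.nix is deleted. Add something like `description = "Address deploy-rs connects to for this host; defaults to networking.hostName.";` and a short comment above the option naming its consumer. The `config = {` block continues outside the hunk.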