diff --git a/configurations/nixos/base-image/default.nix b/configurations/nixos/base-image/default.nix
new file mode 100644
index 0000000..fb80fbe
--- /dev/null
+++ b/configurations/nixos/base-image/default.nix
@@ -0,0 +1,36 @@
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ ];
+ deploy = {
+ enable = false;
+ };
+
+ services = {
+ tty-ips.enable = true;
+ };
+ networking = {
+ yggdrasil = {
+ enable = true;
+ AllowedPublicKeys = [
+ "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+ ];
+ };
+ hostName = "tofu";
+ };
+ environment.systemPackages = [
+ ];
+ system.stateVersion = "25.05";
+}
diff --git a/configurations/nixos/observer-tofu/default.nix b/configurations/nixos/observer-tofu/default.nix
index 76c6201..312a252 100644
--- a/configurations/nixos/observer-tofu/default.nix
+++ b/configurations/nixos/observer-tofu/default.nix
@@ -14,7 +14,9 @@ in
 self.nixosModules.default
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
- deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ deploy = {
+ address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ };
 services = {
 tty-ips.enable = true;
 uptime-kuma = {
@@ -27,7 +29,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 18efd18..35de13c 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -1,5 +1,3 @@
-# See /modules/nixos/* for actual settings
-# This file is just *top-level* configuration.
 {
 flake,
 modulesPath,
@@ -41,7 +39,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
diff --git a/modules/flake/deploy.nix b/modules/flake/deploy.nix
index 0af10de..d5f1f3e 100644
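Review bot: `hostName = "tofu";` in the new base-image configuration reuses the hostname of the existing `tofu` host (configurations/nixos/tofu is modified in this same commit). With `deploy.enable = false` the image is excluded from the deploy-rs node set, but `deploy.address` defaults to `config.networking.hostName` (deployrs.nix in this commit), so flipping `enable` back on later would point deploy-rs at the real tofu host. Suggest `hostName = "base-image";` or a header comment such as `# Template image: set networking.hostName and deploy.* before enabling deploy` so the intent is explicit; the empty `environment.systemPackages = [ ];` can also be dropped.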
--- a/modules/flake/deploy.nix
+++ b/modules/flake/deploy.nix
@@ -6,21 +6,25 @@ let
 nixpkgs
 nixos-anywhere
 ;
+ inherit (nixpkgs) lib;
 genNode =
 hostName: nixosCfg:
 let
- # inherit (self.hosts.${hostName}) address hostPlatform remoteBuild;
- # inherit (deploy-rs.lib.${hostPlatform}) activate;
- system = self.nixosConfigurations."${hostName}".pkgs.system;
- address = self.nixosConfigurations."${hostName}".config.deploy.address;
+ deploy = nixosCfg.config.deploy;
+ system = nixosCfg.pkgs.system;
 in
 {
- # inherit address;
- hostname = address;
- profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName};
+ hostname = deploy.address;
+ profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg;
 };
+
+ # Filter out nodes where deploy.enable != true
+ deployableNodes = lib.filterAttrs (hostName: nixosCfg: nixosCfg.config.deploy.enable or false) (
+ self.nixosConfigurations or { }
+ );
+
+
 in
 {
 perSystem =
@@ -44,13 +48,12 @@ in
 deploy = deploy-rs.apps.${system}.deploy-rs;
 };
 };
- flake = {
- deploy = {
- autoRollback = false;
- magicRollback = true;
- user = "root";
- remoteBuild = true;
- nodes = lib.mapAttrs genNode (self.nixosConfigurations or { });
- };
+
+ flake.deploy = {
+ autoRollback = false;
+ magicRollback = true;
+ user = "root";
+ remoteBuild = true;
+ nodes = lib.mapAttrs genNode deployableNodes;
 };
 }
diff --git a/modules/nixos/common/deployrs.nix b/modules/nixos/common/deployrs.nix
new file mode 100644
index 0000000..b179f7e
--- /dev/null
+++ b/modules/nixos/common/deployrs.nix
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ options.deploy = {
+ enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module";
+ address = lib.mkOption {
+ type = lib.types.str;
+ default = config.networking.hostName;
+ };
+ };
+}
diff --git a/modules/nixos/common/incus.nix b/modules/nixos/common/incus.nix
index 00d4741..3e2963f 100644
--- a/modules/nixos/common/incus.nix
+++ b/modules/nixos/common/incus.nix
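Review bot: The `deployableNodes` filter silently drops any configuration that does not import the deployrs module, because `nixosCfg.config.deploy.enable or false` treats a missing `config.deploy` the same as an explicit opt-out; that is probably intended but the comment above it should say so, e.g. `# Nodes without the deployrs module (no config.deploy) are skipped as well`. The `hostName` parameter of the filter lambda is unused and could be written `_: nixosCfg:` to make that visible. `hostname = deploy.address` in `genNode` now falls back to the bare hostname when a host sets no `deploy.address` (the option default lives in deployrs.nix), which deserves a one-line comment on `genNode` so a reader does not have to trace the default across files; the `let` enclosing these bindings starts before this hunk.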
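Review bot: `enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module";` in the new deployrs.nix will not evaluate: `lib.mkEnableOption` is a function and `//` requires attribute sets on both sides, so evaluating the module's options (and with it `deployableNodes` in modules/flake/deploy.nix) fails. Apply the update to the option set the call returns instead: `enable = lib.mkEnableOption "deploying this host with deploy-rs" // { default = true; };` (function application binds tighter than `//`). The `address` option should also carry a description, e.g. `description = "Host name or address deploy-rs connects to; defaults to networking.hostName.";`, since with the default the deploy target is a DNS lookup of the bare hostname.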
@@ -14,6 +14,20 @@
 };
 networking = {
+ firewall = {
+ enable = true;
+ interfaces = {
+ ygg0 = {
+ allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ # Default deny policy for all interfaces (including ygg0)
+ allowPing = false;
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
 dhcpcd.enable = false;
 useDHCP = false;
 useHostResolvConf = false;
diff --git a/modules/nixos/common/ssh.nix b/modules/nixos/common/ssh.nix
index 8d7f703..d2de754 100644
--- a/modules/nixos/common/ssh.nix
+++ b/modules/nixos/common/ssh.nix
@@ -1,9 +1,6 @@
 { lib, config, ... }:
 {
- options.deploy.address = lib.mkOption {
- type = lib.types.str;
- default = config.networking.hostName;
- };
+ config = {
 services.openssh.enable = true;
 security = {
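Review bot: `allowedTCPPorts = [ 22 ]` is scoped to `interfaces.ygg0`, so SSH and therefore deploy-rs are reachable only over the yggdrasil interface; since `deploy.address` defaults to `config.networking.hostName` (deployrs.nix in this commit), a host whose hostname resolves to an address on another interface would be locked out of deploys once this common module lands, and the name `ygg0` is assumed to match the interface the yggdrasil module creates — worth confirming before merging. The hosts that drop `firewall.enable = false` in this commit (observer-tofu, tofu) now inherit this policy, and observer-tofu's uptime-kuma listener (configured outside this hunk) needs its own `interfaces.ygg0.allowedTCPPorts` entry if it is meant to stay reachable. The empty global `allowedTCPPorts`/`allowedUDPPorts` lists and `enable = true` restate NixOS defaults, so the comment above them slightly misleads: inbound is denied by default with or without them, and only `allowPing = false` and the ygg0 rule change behaviour; suggest `# NixOS firewall is default-deny inbound; ICMP echo is additionally blocked, only ssh on ygg0 is opened above`.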