diff --git a/incus.nix b/incus.nix
new file mode 100644
index 0000000..3e55967
--- /dev/null
+++ b/incus.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.incus.enable = true;
+  networking = {
+    nftables.enable = true;
+    firewall.interfaces = {
+      incusbr0 = {
+        allowedTCPPorts = [ 53 67 ];
+        allowedUDPPorts = [ 53 67 ];
+      };
+    };
+  };
+}
+
diff --git a/master.nix b/master.nix
index 998a798..f74e213 100644
--- a/master.nix
+++ b/master.nix
@@ -19,6 +19,7 @@ in
     ./user/stormwind/master.nix
     ./sshd.nix
     ./tailscale.nix
+    ./incus.nix
     ./auto-upgrade.nix
   ];
 
diff --git a/user/stormwind/master.nix b/user/stormwind/master.nix
index a8e1f44..f72d14e 100644
--- a/user/stormwind/master.nix
+++ b/user/stormwind/master.nix
@@ -29,6 +29,7 @@
     extraGroups = [
       "networkmanager"
       "wheel"
+      "incus-admin"
     ];
     packages = with pkgs; [];