diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4f657d7..9f3cd00 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,3 +36,4 @@ repos:
 - id: sops-encryption
 # Uncomment to exclude all markdown files from encryption
 # exclude: *.\.md
+ files: .*secrets.*
diff --git a/nixos/modules/nixos/system/incus/default.nix b/nixos/modules/nixos/system/incus/default.nix
new file mode 100644
index 0000000..ceef2a7
--- /dev/null
+++ b/nixos/modules/nixos/system/incus/default.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+{
+ sops.secrets.secret-domain-0 = {
+ sopsFile = ./secret.sops.yaml;
+ };
+
+ users.users.jahanson.extraGroups = [ "incus-admin" ];
+
+ virtualisation.incus = {
+ enable = true;
+ ui.enable = true;
+ };
+
+
+ # systemd.services.incus-preseed.postStart = "${oidcSetup}";
+
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ allowedTCPPorts = [
+ 8443
+ 53
+ 67
+ ];
+ allowedUDPPorts = [
+ 53
+ 67
+ ];
+ };
+ };
+}
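Review bot: The added `files: .*secrets.*` in `.pre-commit-config.yaml` does not match `secret.sops.yaml`, the file the Incus module in this same diff sets as `sopsFile`, because that name contains `secret` without the trailing `s`. Since pre-commit only runs a hook on paths matching `files`, that file could be committed unencrypted without the `sops-encryption` check firing. Keying the filter on the sops suffix, for example `files: \.sops\.ya?ml$`, would cover it however the file is named. A comment above the key stating which naming convention the hook relies on would also help. The hook entry begins above the hunk, so its other keys are not visible here.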
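Review bot: The `networking.firewall` block in `default.nix` opens 8443, 53 and 67 on every interface, so the Incus HTTPS listener (presumably 8443, with `ui.enable = true`) and the host's DNS/DHCP ports are reachable from any network the machine is attached to. DNS and DHCP are only needed by instances on the Incus bridge, and DHCP uses UDP only, so the TCP `67` entry can be dropped. Scoping them per interface would narrow the exposure, e.g. `networking.firewall.interfaces."<incus-bridge>" = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 ]; };`, with 8443 allowed only on the management interface. Because membership in `incus-admin` is effectively root-equivalent on the host, a short comment on each port saying who is expected to reach it would make the intended exposure reviewable.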