diff --git a/system/machines/desktop/default.nix b/system/machines/desktop/default.nix
index c7f50e0..539aa63 100644
--- a/system/machines/desktop/default.nix
+++ b/system/machines/desktop/default.nix
@@ -10,6 +10,7 @@
 ../../../user
 ../../keys
 ../../modules/sops
+ ../../modules/docker
 ./hardware.nix
 ./system.nix
 ];
diff --git a/system/machines/desktop/hardware.nix b/system/machines/desktop/hardware.nix
index a4183c8..052bdfa 100644
--- a/system/machines/desktop/hardware.nix
+++ b/system/machines/desktop/hardware.nix
@@ -66,6 +66,7 @@ with lib;
 nvidiaSettings = true;
 package = config.boot.kernelPackages.nvidiaPackages.stable;
 };
+ nvidia-container-toolkit.enable = true;
 graphics = {
 enable = true;
 enable32Bit = true;
diff --git a/system/machines/desktop/system.nix b/system/machines/desktop/system.nix
index d734365..86d1aa5 100644
--- a/system/machines/desktop/system.nix
+++ b/system/machines/desktop/system.nix
@@ -5,10 +5,13 @@ let
 (user: user.modules.user.security.gpg.enable or false) (lib.attrValues config.home-manager.users);
+ sysModules = config.modules.system;
+
 in {
 system.stateVersion = "23.11";
 modules.system.sops.enable = true;
+ modules.system.docker.enable = true;
 # WiFi secrets
 sops.secrets = let wifi = { sopsFile = ../../../secrets/system/wifi.yaml; }; in {
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index 69bcf99..5905c4d 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@@ -108,9 +108,16 @@
 console.font = "Lat2-Terminus16";
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
 networking = {
 hostName = "server";
 useDHCP = false;
+ nat = {
+ enable = true;
+ internalInterfaces = [ "enp2s0f1" ];
+ externalInterface = "enp2s0f0";
+ };
 interfaces.enp2s0f0 = {
 ipv4.addresses = [{
 address = "192.168.0.154";
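Review bot: `sysModules = config.modules.system;` is added to the let block of desktop/system.nix but nothing in this hunk reads it; the new line a few lines below writes `modules.system.docker.enable = true;` directly, and a let-bound alias cannot be assigned through anyway. The `in { … }` body continues past the hunk, so if the binding is not read further down either, drop it rather than leaving an unused name in the let block; if it is intended for later reads such as `sysModules.docker.enable`, a one-line comment saying so would make that clear.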
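Review bot: Enabling `networking.nat` with `internalInterfaces = [ "enp2s0f1" ]` makes the server forward and masquerade traffic for every host on that interface, while the next hunk of the same file comments out the FORWARD DROP rules that kept the camera MACs from being forwarded — so devices that previously had no path beyond the LAN now get egress via enp2s0f0, which looks like an unintended regression unless the commit means to open them up. If the cameras are still meant to be isolated, keep the drop rules (they sit in `networking.firewall.extraCommands`, which still applies with NAT enabled), or block by source address or interface instead, since a MAC match is trivially bypassed by a device that spoofs its address. Separately, `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` appears redundant: as far as I recall the NixOS nat module turns on IPv4 forwarding itself when `nat.enable = true`, so the explicit sysctl duplicates that and can be dropped, or given a comment explaining why it is set by hand.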
@@ -130,17 +137,17 @@
 enable = true;
 allowedTCPPorts = [ 22 ];
 allowedUDPPorts = [ 53 67 ]; # DNS + DHCP
- extraCommands = ''
- # Block camera MACs from forwarding (instant DROP, no timeouts)
- iptables -A FORWARD -m mac --mac-source 00:1f:54:c2:d1:b1 -j DROP # cam4
- iptables -A FORWARD -m mac --mac-source 00:1f:54:b2:9b:1d -j DROP # cam2/cam3
- iptables -A FORWARD -m mac --mac-source 00:1f:54:a9:81:d1 -j DROP # cam1
- '';
- extraStopCommands = ''
- iptables -D FORWARD -m mac --mac-source 00:1f:54:c2:d1:b1 -j DROP || true
- iptables -D FORWARD -m mac --mac-source 00:1f:54:b2:9b:1d -j DROP || true
- iptables -D FORWARD -m mac --mac-source 00:1f:54:a9:81:d1 -j DROP || true
- '';
+ # extraCommands = ''
+ # # Block camera MACs from forwarding (instant DROP, no timeouts)
+ # iptables -A FORWARD -m mac --mac-source 00:1f:54:c2:d1:b1 -j DROP # cam4
+ # iptables -A FORWARD -m mac --mac-source 00:1f:54:b2:9b:1d -j DROP # cam2/cam3
+ # iptables -A FORWARD -m mac --mac-source 00:1f:54:a9:81:d1 -j DROP # cam1
+ # '';
+ # extraStopCommands = ''
+ # iptables -D FORWARD -m mac --mac-source 00:1f:54:c2:d1:b1 -j DROP || true
+ # iptables -D FORWARD -m mac --mac-source 00:1f:54:b2:9b:1d -j DROP || true
+ # iptables -D FORWARD -m mac --mac-source 00:1f:54:a9:81:d1 -j DROP || true
+ # '';
 };
 };
diff --git a/system/modules/docker/default.nix b/system/modules/docker/default.nix
new file mode 100644
index 0000000..31b537f
--- /dev/null
+++ b/system/modules/docker/default.nix
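Review bot: The camera FORWARD rules are commented out rather than deleted, leaving eleven dead lines (MAC addresses included) in the firewall block with nothing saying why they were disabled or whether they are coming back; git history already preserves the previous version. Either remove the block outright, or if the disablement is temporary, replace it with a single status comment such as `# camera MAC drops disabled while NAT forwarding is set up; re-enable or replace with interface/address rules before relying on LAN isolation` so the next reader does not have to guess. The enclosing `networking.firewall` attribute set starts above this hunk.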
@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+ cfg = config.modules.system.docker;
+
+in
+{
+ options.modules.system.docker = { enable = mkEnableOption "Enable Docker"; };
+ config = mkIf cfg.enable {
+ virtualisation.docker = {
+ enable = true;
+
+ # Explicit storage driver for ext4/xfs filesystems
+ storageDriver = "overlay2";
+ };
+
+ # Add docker package to system packages
+ environment.systemPackages = with pkgs; [
+ docker
+ docker-compose
+ ];
+
+ # Add user to docker group
+ users.users.${config.user.name}.extraGroups = [ "docker" ];
+ };
+}
diff --git a/system/modules/sops/default.nix b/system/modules/sops/default.nix
index e7c2240..e1b8610 100644
--- a/system/modules/sops/default.nix
+++ b/system/modules/sops/default.nix
@@ -7,7 +7,6 @@ let
 in {
 options.modules.system.sops = { enable = mkEnableOption "Enable sops-nix"; };
- config = mkIf cfg.enable {
 # Smartcard daemon for Yubikey (GPG, etc.)
 services.pcscd.enable = true;
diff --git a/user/modules/utils/dev/default.nix b/user/modules/utils/dev/default.nix
index 102807c..cde42f2 100644
--- a/user/modules/utils/dev/default.nix
+++ b/user/modules/utils/dev/default.nix
@@ -17,8 +17,6 @@ in
 pkg-config
 qrencode
- docker
- # Network/system tools
 fping
 wireguard-tools
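Review bot: `users.users.${config.user.name}.extraGroups = [ "docker" ];` hands the user control of the root-owned Docker daemon socket, which is effectively root on the host, yet the comment above it only says "Add user to docker group". State the trade-off where the group is granted, e.g. `# NOTE: the docker group is root-equivalent (full control of the root daemon socket)`, and consider `virtualisation.docker.rootless.enable = true;` with `setSocketVariable = true;` instead if the desktop workload does not need the root daemon. Minor: `mkEnableOption "Enable Docker"` renders as "Whether to enable Enable Docker." because mkEnableOption prepends "Whether to enable"; `mkEnableOption "Docker"` reads correctly.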