diff --git a/modules/vms/home-assistant.nix b/modules/vms/home-assistant.nix
new file mode 100644
index 0000000..ad95519
--- /dev/null
+++ b/modules/vms/home-assistant.nix
@@ -0,0 +1,21 @@
+# ./modules/vms/home-assistant.nix
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ options.services.homeAssistantVM = {
+ enable = mkEnableOption "Home Assistant VM specific configurations";
+ };
+ config = mkIf config.services.homeAssistantVM.enable {
+ networking.firewall.allowedTCPPorts = [
+ 8123 # Home Assistant Web UI default port
+ ];
+
+ environment.systemPackages = with pkgs; [
+ wget # For downloading the Home Assistant OS image
+ xz # For decompressing the Home Assistant OS image
+ ];
+ };
+}
+
diff --git a/modules/vms/incus-base.nix b/modules/vms/incus-base.nix
new file mode 100644
index 0000000..1707831
--- /dev/null
+++ b/modules/vms/incus-base.nix
@@ -0,0 +1,50 @@
+{ lib, ... }:
+
+with lib;
+
+let
+ storagePoolSource = "/var/lib/incus/storage-pools/default";
+ defaultDiskSize = "50GiB";
+ hostBridgeName = "br0"; # This must match the bridge name created in homelab.nix
+in
+{
+ config = {
+ virtualisation.incus.preseed = {
+ profiles = [
+ {
+ name = "default";
+ config = {
+ "boot.autostart" = "true"; # VMs using this profile will auto-start
+ };
+ devices = {
+ eth0 = {
+ name = "eth0";
+ nictype = "bridged"; # Use 'bridged' nictype
+ parent = hostBridgeName; # Connect to the host-managed bridge 'br0'
+ type = "nic";
+ };
+ root = {
+ path = "/";
+ pool = "default"; # Use the default storage pool
+ size = defaultDiskSize;
+ type = "disk";
+ };
+ };
+ }
+ ];
+
+ storage_pools = [
+ {
+ name = "default";
+ driver = "dir"; # Use directory-backed storage
+ config = {
+ source = storagePoolSource;
+ };
+ }
+ ];
+ };
+ # If using NixOS firewall & VMs have DHCP issues (unlikely with host bridge but possible):
+ # consider adding to homelab.nix: networking.firewall.trustedInterfaces = [ "br0" ];
+ };
+}
+
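Review bot: `networking.firewall.allowedTCPPorts = [ 8123 ]` opens the port on the host's firewall, yet nothing in this module runs Home Assistant on the host; with the VM bridged onto br0 and taking its own DHCP lease (incus-base.nix and the homelab.nix bridge hunk), connections to the VM's 8123 are not host-bound traffic, so the rule either exposes an unused host port or hides an unstated assumption such as a reverse proxy on the host. Either drop the entry or state the reason next to it, e.g. `8123 # only needed if the host itself terminates/proxies this port; the bridged VM has its own address`. The `wget`/`xz` entries also make one-off image-download tooling a permanent part of the host closure; if that is their only use, a `nix-shell -p wget xz` at fetch time keeps the host's package set smaller.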
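Review bot: The trailing comment recommends `networking.firewall.trustedInterfaces = [ "br0" ]` as a DHCP workaround, but in this layout br0 carries the host's own LAN uplink (enp41s0 is enslaved to it and the host's address lives on br0), so trusting br0 would disable the host firewall for every device on the LAN, not just for VM traffic. Reword the hint so it cannot be misapplied, e.g. `# Do NOT add br0 to trustedInterfaces: br0 is the host's LAN uplink, so that would bypass the host firewall for the whole LAN.` and, if VM connectivity problems do appear, point at br_netfilter/Docker forwarding rules as the first thing to check (the `docker` group in homelab.nix suggests Docker is present, and it is a common reason bridged frames get filtered). The module sets `virtualisation.incus.preseed` but nothing in this diff sets `virtualisation.incus.enable`; if that is not set elsewhere the preseed is inert. Finally, `hostBridgeName = "br0"` is coupled to homelab.nix only by a literal and the module does not take `config`, so it cannot assert that `networking.bridges.br0` exists — consider exposing the bridge name as an option or reading it from `config.networking.bridges`.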
diff --git a/nixos/homelab.nix b/nixos/homelab.nix
index 20e789c..de04a9a 100644
--- a/nixos/homelab.nix
+++ b/nixos/homelab.nix
@@ -7,9 +7,9 @@
 ../modules/media/qbittorrent.nix
 ../modules/media/arr-suite.nix
 # ../modules/home-assistant.nix
-# ../modules/home-assistant-vm.nix
- # Import any shared modules from your ./modules directory if applicable
- # e.g., (../modules/common-settings.nix)
+ ../modules/home-assistant-vm.nix
+ ../modules/vms/incus-base.nix
+
 ];
 arrSuite.enable = true;
 # nixpkgs.config.allowUnfree = true;
@@ -55,6 +55,18 @@
 networking.firewall.allowedUDPPorts = [
 53 # AdGuard Home DNS over UDP
 ];
+
+#bridge settings for vms
+
+ networking.bridges.br0.interfaces = [ "enp41s0" ];
+ networking.interfaces.enp41s0 = { # Replace "enp41s0"
+ useDHCP = false;
+ };
+
+ networking.interfaces.br0 = {
+ useDHCP = true; # br0 will get an IP from your LAN router (e.g., 192.168.0.1)
+ };
+ # Allow SSH
 networking.firewall.trustedInterfaces = [ "tailscale0" ]; # <--- ADDED for Tailscale access
 # SSH Server configuration
@@ -76,7 +88,7 @@
 users.users.death916 = {
 isNormalUser = true;
 shell = pkgs.bash;
- extraGroups = [ "wheel" "media_services" "nextcloud" "docker" "qbittorent"]; # For sudo access
+ extraGroups = [ "wheel" "media_services" "nextcloud" "docker" "qbittorent" "incus-admin"]; # For sudo access
 openssh.authorizedKeys.keys = [
 "ssh-rsa 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 tavn1992@gmail.com" # <<-- REPLACE THIS WITH YOUR SSH PUBLIC KEY for death916
 # Add more keys if needed
@@ -234,6 +246,8 @@ users.users.death916 = {
 users.groups.adguardhome = {};
+ services.homeAssistantVM.enable = true;
+ # Sudo access for the wheel group (which death916 is part of)
 security.sudo.wheelNeedsPassword = true; # Or false if you prefer passwordless sudo for wheel
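Review bot: The imports hunk re-enables `../modules/home-assistant-vm.nix`, but the file this commit actually adds is `modules/vms/home-assistant.nix`, and the option that file defines, `services.homeAssistantVM`, is switched on in the last hunk (`services.homeAssistantVM.enable = true;`). Unless `../modules/home-assistant-vm.nix` (not in the diff) also declares that option, evaluation will fail because `services.homeAssistantVM` does not exist; the import should presumably read `../modules/vms/home-assistant.nix`, or the new file is dead code. The `imports` list begins before this hunk.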
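Review bot: The template note `# Replace "enp41s0"` is still attached to the committed bridge config, and on a remote host a wrong interface name in `networking.bridges.br0.interfaces` leaves the machine with no LAN address after activation, with the tailscale0 path surviving only while Tailscale can still reach the internet through some other route. Confirm the name against the actual NIC before deploying and replace the placeholder with the real intent, e.g. `# physical LAN uplink, enslaved to br0 so Incus VMs share the LAN`. Note also that once the host's address moves to br0 the host firewall applies to br0 itself, while bridged VM frames are only filtered if br_netfilter is active — something Docker (implied by the `docker` group below) typically turns on — so VM reachability problems are more likely to stem from that than from DHCP. The `#bridge settings for vms` comment sits at column 0 while the option lines around it are indented; align it with them.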
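Review bot: Adding `"incus-admin"` to `extraGroups` gives this account unrestricted access to the Incus socket, which is root-equivalent on the host (it can attach host disks and paths into instances), so the trailing `# For sudo access` comment now understates what the line grants. Make that explicit, e.g. `"incus-admin" # full control of Incus == root on the host; keep this list minimal`, and if routine VM management does not need it, prefer invoking incus through sudo or a restricted client certificate over permanent group membership. The `users.users.death916` attribute set continues outside the hunk.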