diff --git a/Makefile b/Makefile
index fcb0948..97eedef 100644
--- a/Makefile
+++ b/Makefile
@@ -91,6 +91,8 @@ $(DIRS):
 export SUFFIX=$(SUFFIX) && \
 export GIT_COMMIT=$(GIT_COMMIT) && \
 export GIT_BRANCH=$(GIT_BRANCH) && \
+ export VAULT_ADDR=https://vault.query.consul:8200
+ export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
 /usr/bin/packer init . && \
 /usr/bin/packer build . )
diff --git a/builds/docker.pkr.hcl b/builds/docker.pkr.hcl
index 8657a5e..3a3f79e 100644
--- a/builds/docker.pkr.hcl
+++ b/builds/docker.pkr.hcl
@@ -21,6 +21,18 @@ build {
 destination = "/"
 }
 
+ # manage deploying incus client certficates
+ # this isnt super-secure, as the key ends up baked into the docker image
+ provisioner "shell" {
+ inline = [
+ "if [ ${var.include_incus_client_certs} = true ]; then",
+ " mkdir -p /root/.config/incus",
+ " echo '${replace(local.incus_crt, "'", "'\\''")}' > /root/.config/incus/client.crt",
+ " echo '${replace(local.incus_key, "'", "'\\''")}' > /root/.config/incus/client.key",
+ "fi"
+ ]
+ }
+
 # post-file-copy scripts
 provisioner "shell" {
 inline = var.scripts_post_file_copy
diff --git a/files/almalinux/actionsdind/root/.config/incus/config.yml b/files/almalinux/actionsdind/root/.config/incus/config.yml
new file mode 100644
index 0000000..1733821
--- /dev/null
+++ b/files/almalinux/actionsdind/root/.config/incus/config.yml
@@ -0,0 +1,13 @@
+default-remote: incus-images
+remotes:
+ images:
+ addr: https://images.linuxcontainers.org
+ protocol: simplestreams
+ public: true
+ incus-images:
+ addr: https://incus-images.service.consul:8443
+ auth_type: tls
+ project: default
+ protocol: incus
+ public: false
+aliases: {}
diff --git a/files/almalinux/actionsdind/root/.config/incus/servercerts/incus-images.crt b/files/almalinux/actionsdind/root/.config/incus/servercerts/incus-images.crt
new file mode 100644
index 0000000..e690c7b
--- /dev/null
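Review bot: The added `export VAULT_ADDR=https://vault.query.consul:8200` line has no trailing `&& \`, unlike every other line of this recipe, so the backslash-continued shell command ends there: the subshell opened with `(` above the hunk is left unterminated, and the following recipe line runs in a fresh shell with an unmatched `)`, so the build fails before `packer` is reached. Separately, `export VAULT_TOKEN=$$(vault write …)` hides a failed AppRole login, because the exit status is `export`'s rather than `vault`'s, and an empty token then flows on to packer where the error surfaces far from its cause. Suggested replacement for the two added lines: `export VAULT_ADDR=https://vault.query.consul:8200 && \` / `VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && export VAULT_TOKEN && \`. If the Vault address should be overridable per environment, a `VAULT_ADDR ?= https://vault.query.consul:8200` variable near the top of the file is the usual pattern. The `$(DIRS)` recipe begins above this hunk; its opening `(` is not visible here.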
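Review bot: The private key written by the `echo … > /root/.config/incus/client.key` line is created with the shell's default umask, so it will most likely be readable by every user in the resulting image; add `"  chmod 600 /root/.config/incus/client.key",` after that line (and consider `chmod 700` on the directory) so the key is at least root-only. The comment above the provisioner already admits the key is baked into the image layer; it would help to state the consequence explicitly, e.g. `# any image built with include_incus_client_certs=true must be treated as containing a secret and must not be published to a public registry`. Minor: the comment has two typos (`certficates`, `isnt`). The enclosing `build {` block starts above this hunk.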
+++ b/files/almalinux/actionsdind/root/.config/incus/servercerts/incus-images.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQzCCAcmgAwIBAgIRAP69BjDEj7qKxP8PJ1LhPcEwCgYIKoZIzj0EAwMwSDEZ
+MBcGA1UEChMQTGludXggQ29udGFpbmVyczErMCkGA1UEAwwicm9vdEBhdXN5ZDFu
+eHZtMTA3Mi5tYWluLnVua2luLm5ldDAeFw0yNTA0MjEwNTI3MDZaFw0zNTA0MTkw
+NTI3MDZaMEgxGTAXBgNVBAoTEExpbnV4IENvbnRhaW5lcnMxKzApBgNVBAMMInJv
+b3RAYXVzeWQxbnh2bTEwNzIubWFpbi51bmtpbi5uZXQwdjAQBgcqhkjOPQIBBgUr
+gQQAIgNiAAT+BWB3mVdTG6kIy5XY5z0t7QqudNMIqA7cXt+mT7sV74gVJeVjWi1P
+poXp6OPXaGJUP937aisdAfRyvSd5qWu/WJ+i6vu7jNrGrTMsM9HDFqUzhNK5wcd4
+v0BxRAT70fGjdzB1MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcD
+ATAMBgNVHRMBAf8EAjAAMEAGA1UdEQQ5MDeCHWF1c3lkMW54dm0xMDcyLm1haW4u
+dW5raW4ubmV0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2gA
+MGUCMBcKlKF05Nd1NDxRDzji45O5O18EvvHkwGCAQHMw1V6Q6RNIbajSKEPwch5q
+qIciAQIxAIWpYJkELMpX2yJi6uzsN5KKo5LB3p5q8VGirgs3VDpma36oo99yw9nk
+YBQ2dT1GqA==
+-----END CERTIFICATE-----
diff --git a/images/almalinux/8.10/actionsdind/variables.auto.pkrvars.hcl b/images/almalinux/8.10/actionsdind/variables.auto.pkrvars.hcl
index d8a6ed9..4d54aec 100644
--- a/images/almalinux/8.10/actionsdind/variables.auto.pkrvars.hcl
+++ b/images/almalinux/8.10/actionsdind/variables.auto.pkrvars.hcl
@@ -1,9 +1,13 @@
 # almalinux/8.10/actionsdind
+deploy_files_from_common = true
+include_incus_client_certs = true
 docker_source = "git.query.consul/unkin/almalinux8-base:latest"
 packages = [
 "bash",
 "consul",
 "docker-ce-cli",
+ "incus-client",
+ "incus-tools",
 "nodejs",
 "packer",
 "terraform",
diff --git a/images/almalinux/9.5/actionsdind/variables.auto.pkrvars.hcl b/images/almalinux/9.5/actionsdind/variables.auto.pkrvars.hcl
index 9d9ca73..7ea26d8 100644
--- a/images/almalinux/9.5/actionsdind/variables.auto.pkrvars.hcl
+++ b/images/almalinux/9.5/actionsdind/variables.auto.pkrvars.hcl
@@ -1,9 +1,13 @@
 # almalinux/9.5/actionsdind
+deploy_files_from_common = true
+include_incus_client_certs = true
 docker_source = "git.query.consul/unkin/almalinux9-base:latest"
 packages = [
 "bash",
 "consul",
 "docker-ce-cli",
+ "incus-client",
+ "incus-tools",
 "nodejs",
 "packer",
 "terraform",
diff --git a/library/locals.pkr.hcl b/library/locals.pkr.hcl
index 3a306cb..e66fa54 100644
--- a/library/locals.pkr.hcl
+++ b/library/locals.pkr.hcl
@@ -7,4 +7,6 @@ locals {
 incus_base_name = "${var.os_name}${var.os_version_major}/${var.os_image}"
 incus_output_image = "${local.incus_base_name}/${var.suffix}"
 is_master = "${var.git_branch}" == "master"
+ incus_key = vault("kv/data/service/packer/builder/docker-incus-client", "private_key")
+ incus_crt = vault("kv/data/service/packer/builder/docker-incus-client", "public_key")
 }
diff --git a/library/variables.pkr.hcl b/library/variables.pkr.hcl
index 9845aa9..2839fad 100644
--- a/library/variables.pkr.hcl
+++ b/library/variables.pkr.hcl
@@ -121,3 +121,8 @@ variable "git_branch" {
 type = string
 default = env("GIT_BRANCH")
 }
+
+variable "include_incus_client_certs" {
+ type = bool
+ default = false
+}
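Review bot: Both `vault(...)` lookups in the two added `locals` lines are evaluated for every build, including images that leave `include_incus_client_certs` at its default of `false`, so every build now needs a `VAULT_TOKEN` with read access to `kv/data/service/packer/builder/docker-incus-client` and will fail at template evaluation without one; the new flag controls only whether the material is written into the image, not whether it is fetched. If that is the intent, say so above the two lines, e.g. `# fetched on every build: builds without Vault access fail here even when include_incus_client_certs is false`. I do not believe wrapping the calls in a `? :` expression avoids the lookup, since HCL evaluates both branches, so the alternatives are to accept the requirement and document it or to restructure so the secret is only read when the flag is set. The `locals {` block begins above this hunk.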
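Review bot: The new `include_incus_client_certs` variable has no `description`, yet its effect — writing a Vault-sourced private key into the image under `/root/.config/incus` — is exactly what someone flipping it to `true` in an `*.auto.pkrvars.hcl` file needs to know; add `description = "Write the Incus client certificate and private key from Vault into /root/.config/incus; the key is baked into the image."`. The only neighbouring variable visible here (`git_branch`) lacks one too, but a variable that gates secret material is the one that most needs it.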