diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
new file mode 100644
index 0000000..a0c8ecb
--- /dev/null
+++ b/hieradata/roles/infra/incus/node.yaml
@@ -0,0 +1,33 @@
+---
+profiles::pki::vault::alt_names:
+  - incus.service.consul
+  - incus.query.consul
+  - "incus.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - incus.service.consul
+  - incus.query.consul
+  - "incus.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+  incus:
+    service_name: 'incus'
+    tags:
+      - 'incus'
+      - 'container'
+      - 'lxd'
+    address: "%{facts.networking.ip}"
+    port: 8443
+    checks:
+      - id: 'incus_https_check'
+        name: 'incus HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: incus
+    disposition: write
diff --git a/site/roles/manifests/infra/incus/node.pp b/site/roles/manifests/infra/incus/node.pp
new file mode 100644
index 0000000..070bbf1
--- /dev/null
+++ b/site/roles/manifests/infra/incus/node.pp
@@ -0,0 +1,10 @@
+# a role to deploy a incus node
+class roles::infra::incus::node {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+  }
+}