diff --git a/hieradata/roles/infra/incus/imagehost.yaml b/hieradata/roles/infra/incus/imagehost.yaml
index ef0ca71..930b0c7 100644
--- a/hieradata/roles/infra/incus/imagehost.yaml
+++ b/hieradata/roles/infra/incus/imagehost.yaml
@@ -1,11 +1,12 @@
 ---
 hiera_include:
 - incus
- - zfs
 profiles::packages::include:
 bridge-utils: {}
 dnsmasq: {}
+ squashfs-tools: {}
+ iptables-nft: {}
 profiles::pki::vault::alt_names:
 - incus-images.service.consul
@@ -41,44 +42,9 @@ profiles::consul::client::node_rules:
 segment: incus-images
 disposition: write
-# additional repos
-profiles::yum::global::repos:
- zfs-kmod:
- name: zfs-kmod
- descr: zfs-kmod repository
- target: /etc/yum.repos.d/zfs-kmod.repo
- baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
- gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
- mirrorlist: absent
-
-# zfs settings
-zfs::manage_repo: false
-zfs::zfs_arc_min: ~
-zfs::zfs_arc_max: 429496729 # 400MB
-zfs::zpools:
- fastpool:
- ensure: present
- disk: /dev/vdb
- ashift: 12
-zfs::datasets:
- fastpool:
- canmount: 'off'
- acltype: posix
- atime: 'off'
- relatime: 'off'
- compression: 'zstd'
- xattr: 'sa'
- fastpool/data:
- canmount: 'on'
- mountpoint: '/data'
- fastpool/data/incus:
- canmount: 'on'
- mountpoint: '/data/incus'
-
 # manage incus
 incus::init: true
 incus::server_port: 8443
-incus::storage_images_volume: fastpool/imagestore
 # add sysadmin to incus-admin group
 profiles::accounts::sysadmin::extra_groups:
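Review bot: The two packages added under `profiles::packages::include` have no comment saying why this role needs them, while the other stanzas in the file are labelled (`# manage incus`, `# sysctl recommendations`). A line such as `# squashfs-tools: image rootfs packing; iptables-nft: rules for the incus bridge (presumed, confirm)` above them would record the intent. Installing `iptables-nft` provides only the tooling, and this file still sets `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` to `'1'`, so it is worth stating which profile owns the forward-chain policy on this host; nothing in the visible hunks manages a ruleset.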
@@ -86,28 +52,6 @@ profiles::accounts::sysadmin::extra_groups:
 # sysctl recommendations
 sysctl::base::values:
- fs.aio-max-nr:
- value: '524288'
- fs.inotify.max_queued_events:
- value: '1048576'
- fs.inotify.max_user_instances:
- value: '1048576'
- fs.inotify.max_user_watches:
- value: '1048576'
- kernel.dmesg_restrict:
- value: '1'
- kernel.keys.maxbytes:
- value: '2000000'
- kernel.keys.maxkeys:
- value: '2000'
- net.core.bpf_jit_limit:
- value: '1000000000'
- net.ipv4.neigh.default.gc_thresh3:
- value: '8192'
- net.ipv6.neigh.default.gc_thresh3:
- value: '8192'
- vm.max_map_count:
- value: '262144'
 net.ipv4.conf.all.forwarding:
 value: '1'
 net.ipv6.conf.all.forwarding:
@@ -119,7 +63,3 @@ limits::entries:
 both: 1048576
 'root/nofile':
 both: 1048576
- '*/memlock':
- both: unlimited
- 'root/memlock':
- both: unlimited
diff --git a/modules/incus/manifests/init.pp b/modules/incus/manifests/init.pp
index 077de8f..4bb862a 100644
--- a/modules/incus/manifests/init.pp
+++ b/modules/incus/manifests/init.pp
@@ -48,11 +48,10 @@ class incus (
 }
 exec { 'initiate_incus':
- path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
- command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
- refreshonly => true,
- creates => '/root/.incus_initialized',
- subscribe => File['/root/incus.preseed.yaml'],
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
+ creates => '/root/.incus_initialized',
+ require => File['/root/incus.preseed.yaml'],
 }
 }
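Review bot: The only guard left on `initiate_incus` is the `creates` marker `/root/.incus_initialized`, so a host initialised before this commit keeps its marker and never re-applies `/root/incus.preseed.yaml`. If the preseed template consumes the hieradata changed here (for example the removed `incus::storage_images_volume`), existing hosts will silently drift from the declared state; that template is not visible in this diff. A comment above the exec would make the contract explicit: `# Runs once per host; later edits to incus.preseed.yaml are not re-applied while the marker file exists.` The `File['/root/incus.preseed.yaml']` resource sits outside the hunk; if the preseed can carry tokens or other credentials, it should be declared with `mode => '0600'` and owner `root`.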