diff --git a/modules/default.nix b/modules/default.nix
index 430d3df..edcb1d5 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -106,6 +106,10 @@
         allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
       };
 
+      # Use nftables by default,
+      # but allow it to be easily disabled on by-machine basis.
+      networking.nftables.enable = lib.mkDefault true;
+
       # Globally set Let’s Encrypt requirements
       security.acme = {
         acceptTerms = true;