diff --git a/containers/hercules.nix b/containers/hercules.nix
new file mode 100644
index 0000000..b1fb45f
--- /dev/null
+++ b/containers/hercules.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+# A separate container to run Hercules effects
+# https://docs.hercules-ci.com/hercules-ci/effects/
+{
+  containers.hercules = {
+    ephemeral = false;
+    autoStart = true;
+    config = { config, pkgs, ... }: {
+      networking.firewall.allowedTCPPorts = [ ];
+    };
+  };
+}
diff --git a/hosts/thick.nix b/hosts/thick.nix
index b129cf4..651f046 100644
--- a/hosts/thick.nix
+++ b/hosts/thick.nix
@@ -4,6 +4,7 @@
   imports =
     [
       (modulesPath + "/installer/scan/not-detected.nix")
+      (../containers/hercules.nix)
     ];
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];