# Dendritic feature "virtualization-libvirt": contributes a single NixOS module
# that turns the host into a libvirt/QEMU-KVM machine for the primary user.
{ ... }:
{
  config.dendritic.features.virtualization-libvirt.nixosModules = [
    (
      { config, pkgs, ... }:
      let
        primaryUser = config.dendritic.current.primaryUser;

        # Builds one pam_limits entry for the primary user's memlock limit.
        # limits.conf counts memlock in KB, so 20000000 is roughly 19 GiB.
        memlockLimit = limitType: {
          domain = primaryUser;
          type = limitType;
          item = "memlock";
          value = "20000000";
        };
      in
      {
        # NOTE(review): a trusted interface bypasses the NixOS firewall, so
        # every guest attached to virbr0 can reach every service the host is
        # listening on. If guests only need a few host ports, per-interface
        # rules (networking.firewall.interfaces.<name>.allowedTCPPorts) are
        # the narrower option.
        networking.firewall.trustedInterfaces = [ "virbr0" ];

        # AMD-specific KVM module; an Intel host would need "kvm-intel".
        boot.kernelModules = [ "kvm-amd" ];

        environment.systemPackages = [
          pkgs.virt-manager
          pkgs.virtiofsd
          pkgs.vagrant
        ];

        # NOTE(review): the libvirtd group can drive the system libvirt daemon.
        # With qemu.runAsRoot = true below, that is close to root-equivalent
        # access, so treat membership as a privileged grant.
        users.users.${primaryUser}.extraGroups = [
          "libvirtd"
          "qemu-libvirtd"
          "kvm"
        ];

        # Allow VM to run as non-root without ulimit: raise the soft and hard
        # locked-memory limits for the primary user.
        security.pam.loginLimits = map memlockLimit [
          "soft"
          "hard"
        ];

        virtualisation.libvirtd.enable = true;
        # qemu.ovmf.enable = true;
        # qemu.runAsRoot = false;

        # "ignore": only guests marked autostart come up at boot.
        virtualisation.libvirtd.onBoot = "ignore";
        # "shutdown": running guests are shut down when the host goes down.
        virtualisation.libvirtd.onShutdown = "shutdown";

        virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm;
        # NOTE(review): system-mode QEMU processes run as root here, which
        # contradicts the "non-root" intent stated at the memlock limits. A
        # guest-to-host escape would land with root privileges. Confirm that
        # root is really required before keeping this over runAsRoot = false.
        virtualisation.libvirtd.qemu.runAsRoot = true;
        # Software TPM emulation for guests.
        virtualisation.libvirtd.qemu.swtpm.enable = true;

        # Also adds the primary user to libvirtd from the group side; this
        # overlaps with the extraGroups entry above.
        users.extraGroups.libvirtd.members = [ primaryUser ];
      }
    )
  ];
}