diff --git a/common/nixos/logrotate.nix b/common/nixos/logrotate.nix
index 17e9e22..734a340 100644
--- a/common/nixos/logrotate.nix
+++ b/common/nixos/logrotate.nix
@@ -5,9 +5,14 @@
 services.logrotate = {
 settings = {
+ header = {
+ dateext = true;
+ };
+
 "var/log/audit/audit.log" = {
 frequency = "daily";
 rotate = 3;
+ size = "100k";
 };
 };
 };
diff --git a/common/nixos/ssh/default.nix b/common/nixos/ssh/default.nix
index 27f2ca0..c6f352e 100644
--- a/common/nixos/ssh/default.nix
+++ b/common/nixos/ssh/default.nix
@@ -1,5 +1,10 @@
-{lib, ...}: {
- imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
+{ lib, ... }:
+{
+ imports = [
+ ./ssh.nix
+ ./ssh_client.nix
+ ./ssh_guard.nix
+ ];
 ssh_client.enable = lib.mkDefault true;
 ssh.enable = lib.mkDefault false;
diff --git a/common/nixos/sysctl/kernel.nix b/common/nixos/sysctl/kernel.nix
index f26ebc4..2effb04 100644
--- a/common/nixos/sysctl/kernel.nix
+++ b/common/nixos/sysctl/kernel.nix
@@ -31,7 +31,8 @@
 # - 2: only admins can use ptrace (CAP_SYS_PTRACE capability required)
 # - 3: disables ptrace completely, reboot is required to re-enable ptrace
 # If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".
- "kernel.yama.ptrace_scope" = 3;
+ # # breaks debuggers
+ # "kernel.yama.ptrace_scope" = 3;
 # restrict kernel logs to root only
 "kernel.dmesg_restrict" = 1;
diff --git a/common/virtualization/libvirt.nix b/common/virtualization/libvirt.nix
index 3db68a1..f4f22cf 100644
--- a/common/virtualization/libvirt.nix
+++ b/common/virtualization/libvirt.nix
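Review bot: `size = "100k";` overrides `frequency = "daily";` in the same stanza rather than combining with it: logrotate documents `size` as mutually exclusive with the time-interval directives, with the last one specified taking precedence, and in the rendered section `size` appears to land after `daily`, so this entry would rotate on size alone. If the intent is "daily, and earlier once the file exceeds 100k", the directive that is defined to combine with an interval is `maxsize = "100k";`. The new global `dateext = true;` interacts with size-driven rotation as well: the default `-%Y%m%d` suffix makes a second rotation on the same day fail because the destination already exists, so either give this entry a finer `dateformat` (one that includes `%H`) or leave `dateext` off for it. Separately, the attribute name `"var/log/audit/audit.log"` has no leading `/`, and auditd presumably keeps its log open across a rename, so without `copytruncate` or a `postrotate` step that signals auditd the rotated file likely keeps receiving writes — confirm against how auditd's own `max_log_file_action` is configured on this host.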
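Review bot: Commenting out `"kernel.yama.ptrace_scope" = 3;` in kernel.nix drops the host to the kernel/distribution default instead of the value the comment three lines above already recommends for exactly this situation: `"kernel.yama.ptrace_scope" = 1;` keeps launching a program under a debugger and attaching to a process's own descendants working, while still refusing attaches to unrelated processes unless the caller holds CAP_SYS_PTRACE, which is the property `3` was buying. Replace the two added lines with that assignment and a one-line why, e.g. `# 1: ancestor-only attach; 3 broke debuggers, 0/default allows any same-uid attach`, rather than carrying a commented-out assignment with a doubled `# #` prefix. If the default really is wanted, delete the line outright; git history records the old value.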
@@ -43,10 +43,24 @@
 virtualisation.libvirtd = {
 enable = true;
- qemu.ovmf.enable = true;
- qemu.runAsRoot = false;
+ # qemu.ovmf.enable = true;
+ # qemu.runAsRoot = false;
 onBoot = "ignore";
 onShutdown = "shutdown";
+ qemu = {
+ package = pkgs.qemu_kvm;
+ runAsRoot = true;
+ swtpm.enable = true;
+ ovmf = {
+ enable = true;
+ packages = [
+ (pkgs.OVMF.override {
+ secureBoot = true;
+ tpmSupport = true;
+ }).fd
+ ];
+ };
+ };
 };
 users.extraGroups.libvirtd.members = [ "${user}" ];
diff --git a/home-manager/modules/common-gui.nix b/home-manager/modules/common-gui.nix
index 932eba2..3acb0b8 100644
--- a/home-manager/modules/common-gui.nix
+++ b/home-manager/modules/common-gui.nix
@@ -5,6 +5,7 @@
 ./fuzzel.nix
 ./kitty.nix
 ./ghostty.nix
+ ./obs.nix
 ];
 fonts.fontconfig.enable = true;
diff --git a/home-manager/modules/obs.nix b/home-manager/modules/obs.nix
new file mode 100644
index 0000000..9af5d0d
--- /dev/null
+++ b/home-manager/modules/obs.nix
@@ -0,0 +1,15 @@
+# A cat clone with syntax highlighting and Git integration.
+{ pkgs, ... }:
+{
+ programs.obs-studio = {
+ enable = true;
+
+ # additional packages to add to gjs's runtime
+ # extraPackages = with pkgs; [
+ # gtksourceview
+ # webkitgtk
+ # accountsservice
+ # libdbusmenu-gtk3
+ # ];
+ };
+}
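Review bot: `runAsRoot = true;` inside the new `qemu = { ... }` block reverses the hardening the removed `qemu.runAsRoot = false;` line provided: every guest's QEMU process now runs as root on the host, so a guest-to-host escape lands directly in root rather than in the unprivileged user libvirt is otherwise configured to use. Nothing else in the block should require it — the swtpm emulator and the secure-boot/TPM-enabled OVMF firmware selected here are independent of the QEMU process's uid — so keep `runAsRoot = false;`, and if a specific device or passthrough setup genuinely needs root, say so in a comment on that line. Also delete the two commented-out `# qemu.ovmf.enable = true;` / `# qemu.runAsRoot = false;` lines rather than carrying dead config; the new `qemu` attrset supersedes both. The enclosing module continues past the end of the hunk.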
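Review bot: In the new obs.nix the header comment `# A cat clone with syntax highlighting and Git integration.` describes bat, not OBS Studio, and the commented-out `extraPackages` block with its "gjs's runtime" remark is likewise pasted from an unrelated module — home-manager's `programs.obs-studio` is extended through its `plugins` option, not `extraPackages`. Replace the header with `# OBS Studio: screen recording and streaming.` and drop the commented-out block instead of shipping a misleading template; add a `plugins = with pkgs.obs-studio-plugins; [ ... ];` stanza only once a plugin is actually wanted.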