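# NixOS module: KVM/QEMU virtualisation host with VFIO PCI passthrough,
# a PulseAudio socket for guest audio, and libvirt with software TPM and
# Secure Boot capable OVMF firmware.
#
# Several settings below trade isolation for convenience. They are kept as
# written, since changing them can break existing guests, and each carries a
# review note so the risk is visible to whoever maintains this host.
{ pkgs, ... }:

{
  environment.systemPackages = with pkgs; [
    qemu_kvm
    qemu
  ];

  # Opens a PulseAudio native-protocol socket for the VM's audio backend.
  # NOTE(review): the socket lives at a fixed name in /tmp, a world-writable
  # directory, so any local user can try to create that path first. A path
  # under a directory only the audio user and the VM can reach is safer;
  # the guest's audio configuration must then be changed to match.
  # NOTE(review): access is granted to group qemu-libvirtd, but runAsRoot
  # below makes QEMU run as root. Confirm this auth-group still matches the
  # process that actually connects.
  hardware.pulseaudio.extraConfig = ''
    load-module module-native-protocol-unix auth-group=qemu-libvirtd socket=/tmp/pulse-socket
  '';

  # Load the VFIO PCI driver at boot so devices can be handed to guests.
  boot.kernelModules = [ "vfio-pci" ];

  # The firewall accepts ALL traffic arriving on a trusted interface.
  # NOTE(review): "virbr0" is normally libvirt's NAT bridge, so that entry
  # trusts the guests. "br0" presumably bridges a physical NIC. If so, every
  # host service is reachable unfiltered from that LAN. Verify, and prefer
  # per-port rules on that interface if the bridge faces an untrusted network.
  networking.firewall.trustedInterfaces = [
    "virbr0"
    "br0"
  ];

  # Give the kvm group ownership of the /dev/vfio device nodes.
  # No MODE is set here, so the effective permissions come from the default
  # rules. Membership of kvm then decides who can drive passthrough devices.
  services.udev.extraRules = ''
    SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
  '';

  virtualisation.libvirtd.qemu = {
    package = pkgs.qemu_kvm;

    # QEMU processes run as root instead of the unprivileged qemu-libvirtd
    # user. Combined with the verbatimConfig below, a flaw in QEMU's device
    # emulation would be exercised with full root privileges on the host.
    # NOTE(review): check whether passthrough works here with
    # runAsRoot = false plus the kvm group rule above before keeping this.
    runAsRoot = true;

    # Software TPM emulator, so guests can be given a virtual TPM.
    swtpm.enable = true;

    ovmf = {
      enable = true;
      # UEFI firmware built with Secure Boot and TPM support for the guests.
      packages = [
        (pkgs.OVMFFull.override {
          secureBoot = true;
          tpmSupport = true;
        }).fd
      ];
    };

    # Appended verbatim to qemu.conf. One setting per line: the two
    # assignments must not share a line.
    #   namespaces = []       - turns off the private mount namespace libvirt
    #                           otherwise gives each QEMU process, so guests'
    #                           QEMU processes see the host's /dev.
    #   dynamic_ownership = 0 - libvirt no longer adjusts ownership of disk
    #                           images and devices when starting a guest.
    # Both remove layers of libvirt's per-guest confinement. Keep them only
    # if a specific passthrough device requires it, and record which one.
    verbatimConfig = ''
      namespaces = []
      dynamic_ownership = 0
    '';
  };
}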