diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix
index e661127..ae859a9 100644
--- a/hosts/thinkpad/modules/virtualisation/default.nix
+++ b/hosts/thinkpad/modules/virtualisation/default.nix
@@ -1,96 +1,26 @@
 { config, pkgs, ... }:
-# Virtualisation with gpu passthrough
-# Following https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/
-# let
-#   gpuHook = pkgs.writeShellScript "gpuhook.sh" ''
-#     export PATH=$PATH:${lib.makeBinPath [pkgs.pciutils pkgs.kmod pkgs.psmisc pkgs.systemd pkgs.coreutils]}
-#     gpu_domains=(
-#         win11
-#     )
-#     function gpu_begin {
-#         set -x
-#         device=$(lspci -nnD | grep "VGA compatible controller" | grep Intel)
-#         # Stop display manager
-#         systemctl stop greetd.service
-#         # Unbind vtconsole
-#         for i in /sys/class/vtconsole/*/bind; do
-#             echo 0 > "$i"
-#         done
-#         # Kill pulseaudio
-#         killall pipewire
-#         killall pipewire-pulse
-#         # Unbind GPU
-#         echo "$device" | cut -d' ' -f1 > /sys/module/i915/drivers/pci:i915/unbind
-#         # Unload modules
-#         rmmod snd_hda_intel
-#         rmmod i915
-#         # Load vfio
-#         modprobe vfio-pci ids="$(echo "$device" | grep -o 8086:....)"
-#     }
-#     function gpu_end {
-#         set -x
-#         # Unload vfio
-#         rmmod vfio_pci
-#         # Load modules
-#         modprobe snd_hda_intel
-#         modprobe i915
-#         # Rebind vtconsole
-#         for i in /sys/class/vtconsole/*/bind; do
-#             echo 1 > "$i"
-#         done
-#         # Start display manager
-#         systemctl start greetd.service
-#     }
-#     # Run only for gpu_domains
-#     for d in "''${gpu_domains[@]}"; do
-#         [ "$d" = "$1" ] && gpu_domain=true
-#     done
-#     if [ "$gpu_domain" = true ]; then
-#         [ "$2" = prepare ] && [ "$3" = begin ] && gpu_begin
-#         [ "$2" = release ] && [ "$3" = end ] && gpu_end
-#     fi
-#     true
-#   '';
-# in
 {
-
-  # boot.kernelParams = [ "intel_iommu=on" ];
   virtualisation = {
     libvirtd = {
       enable = true;
       qemu = {
         runAsRoot = false;
+        swtpm.enable = true;
+        ovmf.packages = [
+          (pkgs.OVMF.override ({
+            tpmSupport = true;
+            secureBoot =
+              true;
+          })).fd
+        ];
       };
     };
     spiceUSBRedirection.enable = true;
   };
-
-  # fix to enable secure boot in vms
-  environment.etc = {
-    "ovmf/edk2-x86_64-secure-code.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
-    };
-
-    "ovmf/edk2-i386-vars.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
-      mode = "0644";
-      user = "libvirtd";
-    };
-
-  };
+  # allow libvirts internal network stuff
+  networking.firewall.trustedInterfaces = [ "virbr0" ];
+  programs.virt-manager.enable = true;
   environment.systemPackages = with pkgs; [
     virt-viewer
   ];
-  # systemd.services.libvirtd.preStart =
-  #   ''
-  #     mkdir -p /var/lib/libvirt/hooks
-  #     chmod 755 /var/lib/libvirt/hooks
-
-  #     # Copy hook files
-  #     cp -f ${gpuHook} /var/lib/libvirt/hooks/qemu
-
-  #     # Make them executable
-  #     chmod +x /var/lib/libvirt/hooks/qemu
-  #   '';
-
 }