# NixOS module: Podman containers plus libvirt/QEMU virtual machines,
# with the desktop tools (virt-manager, virt-viewer, podman-compose) to drive them.
{ pkgs, ... }:
let
  # UEFI guest firmware built with both Secure Boot and TPM support compiled in.
  # NOTE(review): this only makes the features available to guests; whether a
  # given VM actually enforces Secure Boot depends on its own firmware/NVRAM
  # configuration, which is not set in this file.
  guestFirmware = pkgs.OVMF.override {
    tpmSupport = true;
    secureBoot = true;
  };
in
{
  # --- Containers -----------------------------------------------------------
  virtualisation.podman.enable = true;
  # Turn on DNS for Podman's default network.
  virtualisation.podman.defaultNetwork.settings.dns_enabled = true;

  # --- Virtual machines -----------------------------------------------------
  virtualisation.libvirtd.enable = true;
  # Run QEMU guest processes as an unprivileged user instead of root, so a
  # guest-to-host escape in QEMU does not immediately land with root privileges.
  virtualisation.libvirtd.qemu.runAsRoot = false;
  # Software TPM emulator, so guests can be given a virtual TPM device.
  virtualisation.libvirtd.qemu.swtpm.enable = true;
  virtualisation.libvirtd.qemu.ovmf.packages = [ guestFirmware.fd ];

  # Installs the SPICE USB redirection helper with elevated privileges so that
  # unprivileged users can hand host USB devices to guests. Security trade-off:
  # any local user able to invoke the helper effectively gets access to USB
  # devices attached to this machine.
  virtualisation.spiceUSBRedirection.enable = true;

  # Let libvirt's default bridge through the host firewall.
  # Security trade-off: a trusted interface bypasses the firewall entirely, so
  # every guest attached to virbr0 can reach every service listening on the
  # host, not only the DHCP/DNS that libvirt's networking needs.
  # NOTE(review): if guests are not fully trusted, consider replacing this with
  # per-interface rules (networking.firewall.interfaces.virbr0.allowedUDPPorts /
  # allowedTCPPorts) limited to the ports actually required. Verify guest
  # networking still works after narrowing.
  networking.firewall.trustedInterfaces = [ "virbr0" ];

  # --- User-facing tools ----------------------------------------------------
  programs.virt-manager.enable = true;
  environment.systemPackages = [
    pkgs.virt-viewer
    pkgs.podman-compose
  ];
}