diff --git a/SwarselSystems.org b/SwarselSystems.org
index 993de0d..ae40010 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -3068,7 +3068,7 @@ This ensures that all user-configuration happens here in the config file.
 isNormalUser = true;
 description = "Leon S";
 hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
- extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
+ extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
 packages = with pkgs; [ ];
 };
 };
@@ -6063,17 +6063,21 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
 };
 };
+ networking.firewall.trustedInterfaces = [ "virbr0" ];
+
 virtualisation = {
 docker.enable = true;
+ spiceUSBRedirection.enable = true;
 libvirtd = {
 enable = true;
 qemu = {
 package = pkgs.qemu_kvm;
 runAsRoot = true;
 swtpm.enable = true;
+ vhostUserPackages = with pkgs; [ virtiofsd ];
 ovmf = {
 enable = true;
- packages = [(pkgs.OVMF.override {
+ packages = [(pkgs.OVMFFull.override {
 secureBoot = true;
 tpmSupport = true;
 }).fd];
@@ -6094,10 +6098,21 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
 libisoburn
 govc
 terraform
+
+ # vm
+ virt-manager
+ virt-viewer
+ virtiofsd
+ spice
+ spice-gtk
+ spice-protocol
+ win-virtio
+ win-spice
 ];
 services = {
+ spice-vdagentd.enable = true;
 openssh = {
 enable = true;
 extraConfig = ''
diff --git a/profiles/common/nixos/users.nix b/profiles/common/nixos/users.nix
index 2aef8a8..d99e5de 100644
--- a/profiles/common/nixos/users.nix
+++ b/profiles/common/nixos/users.nix
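Review bot: The new `"libvirtd"` entry in `extraGroups` (hunk `@@ -3068,7 +3068,7 @@`) lets this account manage the system libvirt daemon without further authentication, and with `runAsRoot = true` in the work profile's qemu settings that is close to root on the host, so it deserves a comment where it is granted. Something like `# libvirtd: password-less control of qemu:///system (root-equivalent while qemu.runAsRoot = true)` above the list would record that this is intentional. The membership is added in the common user definition, while libvirtd itself is enabled only in the optional work profile; setting the group next to `virtualisation.libvirtd` would keep the grant limited to hosts that actually run it. The same applies to the mirrored hunk in profiles/common/nixos/users.nix; the enclosing user block starts outside the hunk.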
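Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ];` in hunk `@@ -6063,17 +6063,21 @@` makes the host firewall accept every packet arriving from the libvirt bridge, so any guest can reach every host listener, including the sshd enabled further down in this profile. If the aim is only to let guests obtain DHCP and DNS from the host, a narrower rule would do: `networking.firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 ];` and `networking.firewall.interfaces.virbr0.allowedTCPPorts = [ 53 ];`. The win-virtio and win-spice packages added in the next hunk suggest Windows guests, which is a reason to keep guest-to-host traffic filtered. The same line appears in profiles/optional/nixos/work.nix, hunk `@@ -42,18 +42,22 @@`.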
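Review bot: `spice-vdagentd.enable = true;` in hunk `@@ -6094,10 +6098,21 @@` starts the SPICE guest agent, which serves a machine that is itself running as a SPICE guest; on the hypervisor host configured in the previous hunk it appears to have no role and only adds another system daemon. I cannot see from the hunk whether this profile is also applied inside VMs; if it is host-only, drop the line or gate it behind an option. Separately, `virtiofsd` in the package list duplicates `qemu.vhostUserPackages`, and a short comment under `# vm` saying which entries are needed at runtime would help the next reader. The package list and the `services` block both start outside the hunk, and the same change is mirrored in profiles/optional/nixos/work.nix, hunk `@@ -75,10 +79,21 @@`.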
@@ -8,7 +8,7 @@
 isNormalUser = true;
 description = "Leon S";
 hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
- extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
+ extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
 packages = with pkgs; [ ];
 };
 };
diff --git a/profiles/optional/nixos/work.nix b/profiles/optional/nixos/work.nix
index a83717b..76f08b3 100644
--- a/profiles/optional/nixos/work.nix
+++ b/profiles/optional/nixos/work.nix
@@ -42,18 +42,22 @@ in
 };
 };
+ networking.firewall.trustedInterfaces = [ "virbr0" ];
+
 virtualisation = {
 docker.enable = true;
+ spiceUSBRedirection.enable = true;
 libvirtd = {
 enable = true;
 qemu = {
 package = pkgs.qemu_kvm;
 runAsRoot = true;
 swtpm.enable = true;
+ vhostUserPackages = with pkgs; [ virtiofsd ];
 ovmf = {
 enable = true;
 packages = [
- (pkgs.OVMF.override {
+ (pkgs.OVMFFull.override {
 secureBoot = true;
 tpmSupport = true;
 }).fd
@@ -75,10 +79,21 @@ in
 libisoburn
 govc
 terraform
+
+ # vm
+ virt-manager
+ virt-viewer
+ virtiofsd
+ spice
+ spice-gtk
+ spice-protocol
+ win-virtio
+ win-spice
 ];
 services = {
+ spice-vdagentd.enable = true;
 openssh = {
 enable = true;
 extraConfig = ''