diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix
index 6737840..07e1281 100644
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@@ -182,7 +182,7 @@
 users.users = {
 ${config.mainuser} = {
 isNormalUser = true;
- extraGroups = [ "disk" "systemd-journal" "wheel" ];
+ extraGroups = [ "disk" "systemd-journal" "wheel" "qemu-libvirtd" "libvirtd" ];
 uid = 1000;
 hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
@@ -231,7 +231,19 @@
 runroot = "/run/containers/storage";
 };
 };
+ libvirtd = {
+ enable = true;
+ qemu = {
+ ovmf.enable = true;
+ ovmf.packages = [ pkgs.OVMFFull.fd ];
+ runAsRoot = false;
+ };
+ onBoot = "ignore";
+ onShutdown = "shutdown";
+ };
 };
+ programs.virt-manager.enable = true;
+ networking.firewall.trustedInterfaces = [ "podman+" "vnet+" "virbr+" ];
 networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
 security.unprivilegedUsernsClone = true;
diff --git a/machines/NixOS-VPS/hardware/networks.nix b/machines/NixOS-VPS/hardware/networks.nix
index 46bff74..2e41d26 100644
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ b/machines/NixOS-VPS/hardware/networks.nix
@@ -6,6 +6,7 @@ rec {
 # This is the public-facing interface. Any interface name with a prime
 # symbol means it's a public-facing interface.
 main' = {
+ mac = "72:df:16:d2:1b:d7";
 bridgeName = "br0";
 ifname = "enp0s18";
 IPv4 = {
diff --git a/machines/NixOS-VPS/network.nix b/machines/NixOS-VPS/network.nix
index 4090ad6..3f1d464 100644
--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@@ -33,9 +33,9 @@ in {
 ];
 linkConfig.RequiredForOnline = "routable";
 networkConfig = {
- DHCP = "no";
+ DHCPServer = true;
 IPForward = true;
- IPv6PrivacyExtensions = "kernel";
+ # IPv6PrivacyExtensions = "kernel";
 DNS = IPv4.dns ++ IPv6.dns;
 };
 routes = [{
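Review bot: The `extraGroups` change in machines/NixOS-VPS/default.nix adds the login account to `qemu-libvirtd` as well as `libvirtd`, and only the second looks necessary for managing guests. Membership in `libvirtd` grants control of the system libvirt daemon and should be treated as root-equivalent on the host, so it deserves a comment next to the line. As far as I know `qemu-libvirtd` is the account the guests run under once `runAsRoot = false` is set, so putting an interactive user in that group gives it group access to guest disks and runtime files. I would use `extraGroups = [ "disk" "systemd-journal" "wheel" "libvirtd" ];` unless something concrete needs the extra group. The `users.users` block starts and ends outside this hunk.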
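Review bot: With libvirtd enabled in the second default.nix hunk, the `networking.firewall.trustedInterfaces` line there makes the host accept every packet arriving on `vnet+` and `virbr+`, so any guest can reach every service the host listens on, not only DNS and DHCP. The line after it opens just UDP 53 for `podman+`, which is redundant once `podman+` is trusted and suggests the intent was narrower. Consider leaving the guest interfaces out of the trusted list and opening only what guests need, for example `networking.firewall.interfaces."virbr+".allowedUDPPorts = [ 53 67 ];`, with a comment saying why each port is open.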
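Review bot: `DHCPServer = true` in the first machines/NixOS-VPS/network.nix hunk is set on the network that also carries the public default routes, and hardware/networks.nix describes `main'` (bridge `br0`, NIC `enp0s18`) as the public-facing interface. If `enp0s18` is a port of that bridge, which is not visible here, the host would answer DHCP requests on the provider's segment as well as from guests. A separate internal bridge carrying the DHCP server and the 192.168.0.x addressing would avoid that. I would also keep `DHCP = "no";` so the client side stays explicitly off, and either delete `# IPv6PrivacyExtensions = "kernel";` or give it a reason such as `# disabled: <reason>`. The enclosing network definition starts outside the hunk.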
@@ -44,6 +44,19 @@ in {
 } {
 routeConfig.Gateway = IPv6.gateway;
 routeConfig.GatewayOnLink = true;
+ } {
+ routeConfig.Destination = "192.168.0.1/24";
+ }];
+ dhcpServerConfig = {
+ ServerAddress = "192.168.0.1/24";
+ PoolOffset = 100;
+ PoolSize = 100;
+ };
+ dhcpServerStaticLeases = [{
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = "52:54:00:5b:49:bf";
+ Address = "192.168.0.11";
+ };
 }];
 };
 };
@@ -52,7 +65,7 @@ in {
 netdevConfig = {
 Kind = "bridge";
 Name = bridgeName;
- MACAddress = "72:df:16:d2:1b:d7";
+ MACAddress = mac;
 };
 };
 };
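Review bot: `routeConfig.Destination = "192.168.0.1/24"` in the `-44,6 +44,19` hunk names a host address rather than the network. For a /24 route the destination would normally be `"192.168.0.0/24"`, and a prefix with host bits set may be rejected or silently masked when the route is installed. `ServerAddress = "192.168.0.1/24"` presumably needs that same address configured on the interface; the address list is outside this hunk, so confirm it is there. The static lease hard-codes `52:54:00:5b:49:bf` and `192.168.0.11` inline, while this commit moves the bridge MAC into hardware/networks.nix. Putting the guest's MAC and address there too would keep the addressing in one place.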
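Review bot: `MACAddress = mac;` in the `-52,7 +65,7` hunk depends on `mac` being in scope in network.nix, and no hunk in this diff touches the bindings above line 33 of that file. If `bridgeName` arrives through an explicit `inherit` list rather than a `with`, `mac` has to be added to that list or evaluation fails on an undefined variable. The enclosing netdev definition starts outside the hunk.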