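# NixOS module: libvirt/QEMU-KVM host with virt-manager and Spice client tooling.
#
# Everything is gated behind `azos.virtualization.enable`. Opening the guest
# display ports on the host firewall is gated separately behind
# `azos.virtualization.openDisplayPorts`.
{ lib, config, pkgs, ... }:
let
  cfg = config.azos.virtualization;
in
{
  options.azos.virtualization = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = false;
      description = ''
        Whether to run libvirtd and install the QEMU/KVM and virt-manager
        tooling on this host.
      '';
    };

    openDisplayPorts = lib.mkOption {
      type = lib.types.bool;
      # Defaults to true only to preserve the behaviour this module always had.
      default = true;
      example = false;
      description = ''
        Whether to open TCP 5900-5901 (guest VNC/Spice consoles) in the host
        firewall. The rule is not interface-scoped, so it applies on every
        interface the firewall covers. Local virt-manager / virt-viewer
        sessions do not need it. Guest consoles are frequently configured
        without a password or TLS, so set this to false unless remote console
        access is required, and prefer reaching consoles over an SSH tunnel.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.libvirtd = {
      enable = true; # run libvirtd as a system service

      # libvirtd manages the default NAT network (virbr0) itself; this module
      # adds no firewall rules for that bridge.
      qemu = {
        swtpm.enable = true; # software TPM available to guests
      };
    };

    environment.systemPackages = with pkgs; [
      # QEMU restricted to host-architecture (KVM-accelerated) emulation
      qemu_kvm

      # CLI utilities
      libvirt # provides virsh and the other libvirt client tools

      # GUI front-end
      virt-manager # graphical manager (also ships virt-install)
      virt-viewer # Spice/VNC console client
    ];

    # NOTE(review): spice-vdagentd is the Spice *guest* agent (clipboard
    # sharing, display auto-resize). It is normally needed inside the VM, not
    # on the hypervisor host -- confirm whether it is wanted here.
    services.spice-vdagentd.enable = true;

    # Guest display ports. The original rule also opened UDP 5900/5901, but
    # VNC and Spice both run over TCP, so the UDP rule only widened the exposed
    # surface and is dropped.
    # NOTE(review): libvirt graphics devices listen on 127.0.0.1 unless a guest
    # or qemu.conf overrides the listen address; with that default this rule
    # exposes nothing, and with an override it exposes the console to the
    # network. Verify per guest.
    networking.firewall.allowedTCPPorts =
      lib.optionals cfg.openDisplayPorts [ 5900 5901 ];
  };
}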