{
  pkgs,
  lib,
  config,
  ...
}:
{

  options = {
    vm-guest = {
      enable = lib.mkEnableOption "VM guest configuration";
    };
  };

  config = lib.mkIf config.vm-guest.enable {
    services.qemuGuest.enable = true;
    services.spice-vdagentd.enable = true;

    # 9p for host file mounting
    boot.initrd.availableKernelModules = [
      "9p"
      "9pnet_virtio"
    ];
    boot.kernelModules = [
      "9p"
      "9pnet_virtio"
    ];

    # ssh with agent forwarding for git and hot-mount
    services.openssh = {
      enable = true;
      ports = [ 22 ];
      settings = {
        PasswordAuthentication = true;
        PermitRootLogin = "no";
        AllowAgentForwarding = true;
        StreamLocalBindUnlink = "yes";
      };
    };

    networking = {
      useDHCP = true;
      firewall.allowedTCPPorts = [ 22 ];
    };

    security.sudo.wheelNeedsPassword = false;

    environment.systemPackages = with pkgs; [
      curl
      wget
      htop
      sshfs
    ];
  };
}