# NixOS module: libvirt/QEMU virtualisation host, controlled by
# `global.libvirt.enable` (enabled by default).
{ pkgs
, lib
, config
, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.global.libvirt;
in
{
  options.global.libvirt.enable =
    mkEnableOption "libvirt virtualisation daemon" // { default = true; };

  config = mkIf cfg.enable {
    virtualisation = {
      libvirtd = {
        enable = true;

        qemu = {
          # Guests run under an unprivileged QEMU account instead of root, which
          # limits what a compromised QEMU process can reach on the host.
          runAsRoot = false;
          # Software TPM emulation (swtpm) for guests.
          swtpm.enable = true;
        };

        # Disable as much implicit state as possible: guests that were running
        # are not restarted at boot, and at host shutdown they are shut down
        # (up to 5 in parallel) rather than suspended, so no saved
        # guest-memory image is left on disk.
        # NOTE(review): domains explicitly marked "autostart" are still started
        # by libvirtd itself; audit those separately.
        onBoot = "ignore";
        onShutdown = "shutdown";
        parallelShutdown = 5;
      };

      # USB redirection requires a setuid wrapper. The helper lets unprivileged
      # local users hand host USB devices to guests, i.e. it grants them
      # arbitrary access to USB devices; keep this off on multi-user hosts that
      # do not need it.
      spiceUSBRedirection.enable = true;
    };

    # /var/lib/libvirt is kept across reboots.
    # NOTE(review): presumably this holds domain definitions, disk images and
    # swtpm state; confirm ownership/permissions on the persisted copy.
    environment.persistence."/nix/persist/fhs".directories = [
      "/var/lib/libvirt"
    ];

    # Project-local option mapping a mount path to a ZFS dataset name.
    # NOTE(review): this path is under /nix/persist/service while the
    # persistence root above is /nix/persist/fhs; confirm how the two relate.
    global.fs.zfs.mountpoints."/nix/persist/service/libvirt" = "service/libvirt";

    # Allow management by admin users (project-local option).
    # Read-write access to the system libvirt daemon is effectively
    # root-equivalent on the host, so treat "libvirtd" membership like any
    # other privileged group.
    users.adminGroups = [ "libvirtd" ];
  };
}