{pkgs, ...}: {
  # Enables the libvirt daemon on this host. The vm-ubuntu unit defined in this
  # file launches qemu-system-x86_64 directly and does not go through libvirt.
  # NOTE(review): if no libvirt-managed guests exist, confirm libvirtd is still
  # needed; it is an additional privileged daemon.
  virtualisation.libvirtd = {
    enable = true;
  };

  # TCP ports accepted on the WireGuard interface wg0. This rule set applies to
  # wg0 only, so every wg0 peer can reach these ports.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    # vnc by QEMU.
    # NOTE(review): the start-vm command in this file passes no -vnc or
    # -display option; confirm what listens on 5900 and on which address, and
    # that VNC authentication is configured, before keeping this port open.
    5900

    # NOTE(review): nothing in this file listens on or forwards 2233; confirm
    # the owning service or drop the rule.
    2233

    # Forwarded by QEMU to guest port 22 (presumably the guest's sshd).
    60022

    # Forwarded by QEMU to guest port 8545.
    # NOTE(review): 8545 is commonly an Ethereum JSON-RPC port, which is often
    # served without authentication; confirm the guest service is safe to
    # expose to all wg0 peers.
    8545
  ];

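  # Runs the Ubuntu guest under QEMU/KVM as a systemd service that is started
  # with multi-user.target, after network.target.
  #
  # Security notes:
  #  - serviceConfig sets no User=, so systemd runs QEMU as root.
  #    NOTE(review): consider a dedicated user with access to /dev/kvm and the
  #    disk image, plus systemd sandboxing, so a QEMU escape does not yield
  #    host root. Not changed here because image ownership is not visible.
  #  - Both hostfwd rules leave the host address empty, so QEMU listens on all
  #    host addresses for 60022 and 8545; only the host firewall restricts who
  #    can connect. NOTE(review): consider binding the forwards to the wg0
  #    address (hostfwd=tcp:<wg0-address>:60022-:22) as defense in depth.
  #  - No -vnc or -display option is passed, so the display backend is whatever
  #    this QEMU build selects by default.
  systemd.services.vm-ubuntu = let
    start-vm = pkgs.writeShellApplication {
      name = "start-vm";
      runtimeInputs = [pkgs.qemu];
      # Guest: 4 vCPUs, 8192 MiB RAM, host CPU model via KVM, user-mode
      # networking with a virtio NIC.
      # Host port 60022 -> guest 22, host port 8545 -> guest 8545.
      # The drive format is pinned to qcow2 rather than probed from the image
      # contents, so the image header can never change how QEMU opens the file.
      # Assumes ubuntu.qcow2 really is a qcow2 image, as its name indicates.
      text = ''
        qemu-system-x86_64 \
          -enable-kvm \
          -cpu host,kvm=on,hv-vendor_id="GenuineIntel" \
          -smp 4 \
          -m 8192 \
          -nic user,model=virtio-net-pci,hostfwd=tcp::60022-:22,hostfwd=tcp::8545-:8545 \
          -drive file=/var/lib/vm-ubuntu/ubuntu.qcow2,format=qcow2
      '';
    };
  in {
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    serviceConfig = {
      ExecStart = "${start-vm}/bin/start-vm";
    };
  };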
}