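# NixOS module: VFIO PCI passthrough with a kvmfr shared-memory device and the
# Looking Glass client, plus a libvirt hook that confines the host's systemd
# slices to CPUs 8-15,24-31 while a guest is running.
{ pkgs, config, ... }:
{
  virtualisation.libvirtd = {
    # Text placed in libvirt's qemu.conf.
    #  - namespaces = []  : an empty list turns off the private mount namespace
    #    libvirt can create per domain, so QEMU sees the host's /dev instead of
    #    a reduced one. cgroup_device_acl is then the remaining device
    #    allow-list, so keep it as short as the guests allow.
    #  - user = "+1000"   : QEMU runs as numeric UID 1000 (the leading "+"
    #    forces numeric interpretation). A compromised QEMU process has that
    #    account's file access. NOTE(review): the UID is hard-coded; confirm it
    #    is the intended account on every host importing this module.
    #  - /dev/kvmfr0 and /dev/vfio/vfio are the entries this setup adds for the
    #    shared-memory device and for VFIO.
    qemu.verbatimConfig = ''
      namespaces = []
      user = "+1000"
      cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc","/dev/hpet", "/dev/vfio/vfio",
        "/dev/kvmfr0",
      ]
    '';

    # libvirt runs this hook with libvirtd's privileges. $2 is the operation;
    # the script never looks at $1 (the guest name), so it fires for every
    # QEMU domain. With more than one guest, the first "release" restores all
    # CPUs to the host while the others are still running.
    # `--runtime` keeps the property change from persisting across reboots.
    # pkgs.writeShellScript already emits the interpreter line, so the script
    # text carries no shebang of its own; expansions are quoted.
    hooks.qemu = {
      "isolatecpu.sh" = pkgs.writeShellScript "isolatecpu.sh" ''
        PIN="AllowedCPUs=8-15,24-31"
        ALL="AllowedCPUs=0-31"
        if [ "$2" = "started" ]; then
          systemctl set-property --runtime -- system.slice "$PIN"
          systemctl set-property --runtime -- user.slice "$PIN"
          systemctl set-property --runtime -- init.scope "$PIN"
        elif [ "$2" = "release" ]; then
          systemctl set-property --runtime -- system.slice "$ALL"
          systemctl set-property --runtime -- user.slice "$ALL"
          systemctl set-property --runtime -- init.scope "$ALL"
        fi
      '';
    };
  };

  boot = {
    # VFIO modules go into the initrd so they load in early boot.
    initrd.kernelModules = ["vfio_pci" "vfio_iommu_type1" "vfio"];
    kernelModules = ["kvmfr"];
    # NOTE(review): "on" and "pt" are not among the values the kernel documents
    # for amd_iommu=, so these two entries are probably ignored; passthrough
    # mode is normally selected with iommu=pt. Check the boot log before
    # relying on either, and decide deliberately: passthrough mode identity-maps
    # DMA for host-owned devices.
    # kvm.ignore_msrs=1 makes KVM ignore guest accesses to MSRs it does not
    # handle instead of injecting a fault. It is module-wide, so it applies to
    # every VM on this host, not only the passthrough guest.
    kernelParams = ["amd_iommu=on" "amd_iommu=pt" "kvm.ignore_msrs=1"];
    extraModulePackages = [config.boot.kernelPackages.kvmfr];
    # vfio-pci ids=...: PCI devices with these vendor:device IDs are handed to
    # vfio-pci. The IDs are specific to this machine's hardware.
    # kvmfr static_size_mb=64: size of the shared-memory device, in MiB.
    extraModprobeConfig = ''
      options vfio-pci ids=10de:2b85,10de:22e8
      options kvmfr static_size_mb=64
      options kvm_amd avic=1
    '';
  };

  # Every member of group "kvm" gets read/write access to kvmfr devices, i.e.
  # to the memory shared with the guest. Membership of that group therefore
  # implies access to whatever the guest places there.
  services.udev.extraRules = ''
    SUBSYSTEM=="kvmfr", GROUP="kvm", MODE="0660"
  '';

  environment.systemPackages = [pkgs.looking-glass-client];
}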