# Virtualisation feature module: libvirt/QEMU with UEFI firmware and an
# emulated TPM, the virt-manager GUI, and Vagrant with an NFS server for
# synced folders. Everything below is applied only when "virt-manager" is
# listed in config.machine.services (an option declared outside this file).
{ config, lib, pkgs, ... }:

lib.mkIf (lib.elem "virt-manager" config.machine.services) {
  # libvirt daemon; guests get OVMF (UEFI) firmware and swtpm (software TPM).
  virtualisation.libvirtd = {
    enable = true;
    qemu.ovmf.enable = true;
    qemu.swtpm.enable = true;
  };

  # NOTE(review): these settings sit beside `libvirtd`, not under
  # `libvirtd.qemu`. libvirtd's QEMU settings normally live under
  # `virtualisation.libvirtd.qemu`; confirm these option paths are declared
  # in the NixOS release in use and that the KVM-only QEMU package and the
  # OVMFFull firmware are actually picked up by libvirt.
  virtualisation.qemu.package = pkgs.qemu_kvm;
  virtualisation.qemu.ovmf.enable = true;
  virtualisation.qemu.ovmf.packages = [ pkgs.OVMFFull.fd ];
  virtualisation.swtpm.enable = true;

  programs.virt-manager.enable = true;

  # NFS server used for Vagrant synced folders. It is switched on for the
  # whole host; this module declares no exports, and reachability is limited
  # only by the firewall rules below.
  services.nfs.server.enable = true;

  networking.firewall = {
    # Rule for the Vagrant VirtualBox provider, emitted only when the
    # VirtualBox host module is enabled. `vboxnet+` is an iptables wildcard
    # matching every interface whose name starts with "vboxnet", and the rule
    # is inserted at position 1 of INPUT, ahead of the other rules.
    # NOTE(review): extraCommands is a hook for the iptables-based firewall;
    # verify it still takes effect if the nftables backend is enabled.
    extraCommands = lib.optionalString config.virtualisation.virtualbox.host.enable ''
      ip46tables -I INPUT 1 -i vboxnet+ -p tcp -m tcp --dport 2049 -j ACCEPT
    '';

    # Firewall exception for the libvirt provider when using NFSv4.
    # The exception is scoped to one bridge, so NFS is not opened on other
    # interfaces by this rule.
    # NOTE(review): the bridge name is hard-coded; confirm "virbr1" is the
    # libvirt network Vagrant guests attach to on this host, since the rule
    # follows the interface name, not the network.
    # NOTE(review): NFSv4 runs over TCP; confirm whether the UDP exception is
    # still needed (for example by NFSv3 clients) and drop it if not.
    interfaces.virbr1 = {
      allowedTCPPorts = [ 2049 ];
      allowedUDPPorts = [ 2049 ];
    };
  };

  # Vagrant CLI, defaulting to the libvirt provider.
  environment.systemPackages = [ pkgs.vagrant ];
  environment.variables.VAGRANT_DEFAULT_PROVIDER = "libvirt";
}