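{ config, lib, pkgs, vmsilo, ... }:
# Host-side vmsilo configuration: one local administrator user and four
# NixOS guests. Network attachment is chained through dedicated net VMs:
#   untrusted -> netvm -> host
#   trusted   -> vpnvm -> netvm -> host
# (The previously unused `sshKeys` binding and `stdenv` argument were dropped;
# neither was referenced anywhere in this module.)
{
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # User needs to have uid explicitly specified; the gid is pinned to the
  # same value so the primary group is stable too.
  users.users.david = {
    uid = 1000;
    group = "david";
    isNormalUser = true;
    # `wheel` grants sudo under NixOS defaults -- this is the host-side
    # administrator account, not a guest account.
    extraGroups = [ "wheel" ];
  };
  users.groups.david.gid = 1000;

  programs.vmsilo =
    let
      # Resolver handed to every guest. Note that nothing below tunnels
      # 8.8.8.8 (the only WireGuard route is 192.168.0.0/24), so DNS from all
      # VMs -- including `trusted` -- leaves via netvm as plain-text UDP/53.
      # Use a resolver reachable inside the tunnel (and add it to
      # `allowedIPs`) if DNS must not be visible to the upstream network.
      commonNameservers = [ "8.8.8.8" ];

      # Baseline toolset installed in the two interactive guests.
      commonGuestPrograms = with pkgs; [
        firefox
        kdePackages.konsole
        vim
        git
        screen
        strace
        tcpdump
        curl
        jq
        dig
        bc
        net-tools
      ];
    in {
      enable = true;
      user = "david";

      # Set this to "full" to fully isolate each vCPU or "off" for no scheduling
      # protection. The default is "vm", which protects VMs from each other but
      # does not protect the different vCPUs of the same VM from each other.
      # Note that "full" has a significant performance cost.
      schedulerIsolation = "vm";

      nixosVms = {
        # Guest for untrusted content. gpu, sound and sharedHome are left at
        # vmsilo's defaults here -- NOTE(review): confirm those defaults are
        # acceptable for the least-trusted VM (compare netvm below, which
        # disables all three explicitly).
        untrusted = {
          color = "darkred";
          memory = 4096;
          cpus = 4;
          network = {
            netvm = "netvm";
            nameservers = commonNameservers;
          };
          guestConfig = [ vmsilo.nixosModules.optionalGuestSettings ];
          guestPrograms = commonGuestPrograms;
        };

        # Guest that reaches the 192.168.0.0/24 management network through
        # vpnvm. Only that subnet is tunnelled (see wg-mgmt allowedIPs), so its
        # ordinary internet traffic still goes vpnvm -> netvm in the clear;
        # "trusted" refers to access to the management network, not to a
        # full-tunnel VPN.
        trusted = {
          color = "darkgreen";
          memory = 4096;
          cpus = 4;
          network = {
            netvm = "vpnvm";
            nameservers = commonNameservers;
          };
          guestConfig = [ vmsilo.nixosModules.optionalGuestSettings ];
          guestPrograms = commonGuestPrograms;
        };

        # VPN VM: other VMs with netvm="vpnvm" get trusted access to the
        # management subnet. It is itself a netvm, forwarding guest traffic
        # upstream to netvm.
        vpnvm = {
          color = "darkgreen";
          memory = 768;
          cpus = 2;
          gpu = false;
          sound.playback = false;
          network = {
            isNetvm = true;
            netvm = "netvm";
            nameservers = commonNameservers;
          };
          guestConfig = [
            vmsilo.nixosModules.optionalGuestSettings
            {
              networking.wireguard = {
                enable = true;
                interfaces.wg-mgmt = {
                  # Path inside the guest. Using `privateKeyFile` rather than
                  # `privateKey` keeps the key out of the world-readable
                  # /nix/store; keep the file itself readable only by root.
                  # The original note said to place it at /shared/netvm/wg.key
                  # -- NOTE(review): this guest is vpnvm, not netvm; verify
                  # which shared directory is mounted at /home/user here.
                  privateKeyFile = "/home/user/wg.key";
                  ips = [ "192.168.0.5/32" ];
                  peers = [
                    {
                      name = "router";
                      # Placeholder -- replace with the router's real public
                      # key before deploying.
                      publicKey = "xxxpeerpubkey==";
                      # Resolved inside this guest via commonNameservers.
                      endpoint = "wireguard.example.org:51820";
                      # Only the management subnet is routed through the
                      # tunnel; everything else bypasses it.
                      allowedIPs = [ "192.168.0.0/24" ];
                    }
                  ];
                };
              };
            }
          ];
        };

        # Holds the upstream (host) network attachment; every other guest
        # reaches the internet through it. Starts with the host, has no GPU
        # or audio, and sets sharedHome = false so that -- assuming sharedHome
        # exposes the host user's home, as the name suggests -- a compromise
        # of the VM facing the raw network does not reach host files.
        netvm = {
          color = "red";
          autoStart = true;
          memory = 768;
          cpus = 2;
          gpu = false;
          sound.playback = false;
          sharedHome = false;
          network = {
            isNetvm = true;
            netvm = "host";
            nameservers = commonNameservers;
          };
          guestConfig = [ vmsilo.nixosModules.optionalGuestSettings ];
        };
      };
    };
}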