diff --git a/nixos/boxes/castle/default.nix b/nixos/boxes/castle/default.nix
index 483e54b..0ac9fd1 100644
--- a/nixos/boxes/castle/default.nix
+++ b/nixos/boxes/castle/default.nix
@@ -108,6 +108,9 @@ in
           blueman.enable = true;
         };
 
+        programs.virt-manager.enable = true;
+        virtualisation.libvirtd.enable = true;
+
         networking = {
           domain = "h.${lib.my.c.pubDomain}";
           firewall.enable = false;
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 7d71b59..19cc0c6 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -463,6 +463,9 @@ in
           }
         ];
       })
+      (mkIf config.virtualisation.libvirtd.enable {
+        my.tmproot.persistence.config.directories = [ "/var/lib/libvirt" ];
+      })
     ]))
   ]);
 
diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix
index a0b0c0a..9198d05 100644
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -35,8 +35,9 @@ in
             isNormalUser = true;
             uid = mkDefault 1000;
             extraGroups =
-              [ "wheel" "kvm" ] ++
-              (optional config.networking.networkmanager.enable "networkmanager");
+              [ "wheel" "kvm" "dialout" ] ++
+              (optional config.networking.networkmanager.enable "networkmanager") ++
+              (optional config.virtualisation.libvirtd.enable "libvirtd");
             password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2");
             shell =
               let shell = cfg.homeConfig.my.shell;