diff --git a/dotfiles/kvm/confs/win10.xml b/dotfiles/kvm/confs/win10.xml
new file mode 100644
index 0000000..cccdbc1
--- /dev/null
+++ b/dotfiles/kvm/confs/win10.xml
@@ -0,0 +1,247 @@
+
+ win10
+ b3d036ee-75ff-43fe-be76-b8c5494f5dd7
+
+
+
+
+
+ 25165824
+ 25165824
+
+
+
+ 32
+ 1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ hvm
+ /usr/share/edk2-ovmf/x64/OVMF_CODE.fd
+ /var/lib/libvirt/qemu/nvram/win10_VARS.fd
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ destroy
+ restart
+ destroy
+
+
+
+
+
+ /usr/bin/qemu-system-x86_64
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/dotfiles/kvm/libvirt/hooks/kvm.conf b/dotfiles/kvm/libvirt/hooks/kvm.conf
new file mode 100644
index 0000000..6fc590b
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/kvm.conf
@@ -0,0 +1,9 @@
+# CONFIG
+VM_MEMORY=24576
+
+# VIRSH
+VIRSH_GPU_VIDEO=pci_0000_42_00_0
+VIRSH_GPU_AUDIO=pci_0000_42_00_1
+VIRSH_USB=pci_0000_42_00_2
+VIRSH_SERIAL_BUS=pci_0000_42_00_3
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu b/dotfiles/kvm/libvirt/hooks/qemu
new file mode 100755
index 0000000..fad8db1
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Author: Sebastiaan Meijer (sebastiaan@passthroughpo.st)
+#
+
+GUEST_NAME="$1"
+HOOK_NAME="$2"
+STATE_NAME="$3"
+MISC="${@:4}"
+
+BASEDIR="$(dirname $0)"
+
+HOOKPATH="$BASEDIR/qemu.d/$GUEST_NAME/$HOOK_NAME/$STATE_NAME"
+
+set -e # If a script exits with an error, we should as well.
+
+# check if it's a non-empty executable file
+if [ -f "$HOOKPATH" ] && [ -s "$HOOKPATH"] && [ -x "$HOOKPATH" ]; then
+ eval \"$HOOKPATH\" "$@"
+elif [ -d "$HOOKPATH" ]; then
+ while read file; do
+ # check for null string
+ if [ ! -z "$file" ]; then
+ eval \"$file\" "$@"
+ fi
+ done <<< "$(find -L "$HOOKPATH" -maxdepth 1 -type f -executable -print;)"
+fi
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/alloc_hugepages.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/alloc_hugepages.sh
new file mode 100755
index 0000000..ea4b619
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/alloc_hugepages.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+## Load the config file
+source "/etc/libvirt/hooks/kvm.conf"
+
+## Calculate number of hugepages to allocate from memory (in MB)
+HUGEPAGES="$(($VM_MEMORY/$(($(grep Hugepagesize /proc/meminfo | awk '{print $2}')/1024))))"
+
+echo "Allocating hugepages..."
+echo $HUGEPAGES > /proc/sys/vm/nr_hugepages
+ALLOC_PAGES=$(cat /proc/sys/vm/nr_hugepages)
+
+TRIES=0
+while (( $ALLOC_PAGES != $HUGEPAGES && $TRIES < 1000 ))
+do
+ echo 1 > /proc/sys/vm/compact_memory ## defrag ram
+ echo $HUGEPAGES > /proc/sys/vm/nr_hugepages
+ ALLOC_PAGES=$(cat /proc/sys/vm/nr_hugepages)
+ echo "Succesfully allocated $ALLOC_PAGES / $HUGEPAGES"
+ let TRIES+=1
+done
+
+if [ "$ALLOC_PAGES" -ne "$HUGEPAGES" ]
+then
+ echo "Not able to allocate all hugepages. Reverting..."
+ echo 0 > /proc/sys/vm/nr_hugepages
+ exit 1
+fi
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/cpu_mode_performance.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/cpu_mode_performance.sh
new file mode 100755
index 0000000..db02ed7
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/cpu_mode_performance.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## Enable CPU governor performance mode
+cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do echo "performance" > $file; done
+cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/start.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/start.sh
new file mode 100755
index 0000000..aba18ca
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/prepare/begin/start.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Helpful to read output when debugging
+set -x
+
+# Load variables
+source "/etc/libvirt/hooks/kvm.conf"
+
+# Stop display manager
+systemctl stop gdm.service
+
+# Unbind VTconsoles
+echo 0 > /sys/class/vtconsole/vtcon0/bind
+echo 0 > /sys/class/vtconsole/vtcon1/bind
+
+# Unbind EFI-Framebuffer
+echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/unbind
+
+# Avoid a Race condition
+sleep 5
+
+# Unload all Nvidia drivers
+modprobe -r nvidia_drm
+modprobe -r nvidia_modeset
+modprobe -r nvidia_uvm
+modprobe -r nvidia
+
+# Unbind the GPU from display driver
+virsh nodedev-detach $VIRSH_GPU_VIDEO
+virsh nodedev-detach $VIRSH_GPU_AUDIO
+virsh nodedev-detach $VIRSH_USB
+virsh nodedev-detach $VIRSH_SERIAL_BUS
+
+# Load VFIO Kernel Module
+modprobe vfio-pci
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/cpu_mode_ondemand.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/cpu_mode_ondemand.sh
new file mode 100755
index 0000000..e85ae88
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/cpu_mode_ondemand.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## Enable CPU governor on-demand mode
+cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do echo "ondemand" > $file; done
+cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/dealloc_hugepages.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/dealloc_hugepages.sh
new file mode 100755
index 0000000..0761701
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/dealloc_hugepages.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo 0 > /proc/sys/vm/nr_hugepages
+
diff --git a/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/stop.sh b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/stop.sh
new file mode 100755
index 0000000..d5a61d3
--- /dev/null
+++ b/dotfiles/kvm/libvirt/hooks/qemu.d/win10/release/end/stop.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -x
+
+# Load variables
+source "/etc/libvirt/hooks/kvm.conf"
+
+# Unload VFIO-PCI Kernel Driver
+modprobe -r vfio-pci
+modprobe -r vfio_iommu_type1
+modprobe -r vfio
+
+# Re-Bind GPU to Nvidia Driver
+virsh nodedev-reattach $VIRSH_GPU_VIDEO
+virsh nodedev-reattach $VIRSH_GPU_AUDIO
+virsh nodedev-reattach $VIRSH_USB
+virsh nodedev-reattach $VIRSH_SERIAL_BUS
+
+# Rebind VT consoles
+echo 1 > /sys/class/vtconsole/vtcon0/bind
+echo 1 > /sys/class/vtconsole/vtcon1/bind
+
+# Bind EFI-Framebuffer
+nvidia-xconfig --query-gpu-info > /dev/null 2>&1
+echo "efi-framebuffer.0" > /sys/bus/platform/drivers/efi-framebuffer/bind
+
+# Load all Nvidia drivers
+modprobe nvidia_drm
+modprobe nvidia_modeset
+modprobe drm_kms_helper
+modprobe drm
+modprobe nvidia_uvm
+modprobe nvidia
+
+# Restart Display Manager
+systemctl start gdm.service
+
diff --git a/dotfiles/kvm/libvirt/qemu.conf b/dotfiles/kvm/libvirt/qemu.conf
new file mode 100644
index 0000000..3f16319
--- /dev/null
+++ b/dotfiles/kvm/libvirt/qemu.conf
@@ -0,0 +1,955 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# and optionally may contain
+#
+# dh-params.pem - the DH params configuration file
+#
+# If the directory does not exist, libvirtd will fail to start. If the
+# directory doesn't contain the necessary files, QEMU domains will fail
+# to start if they are configured to use TLS.
+#
+# In order to overwrite the default path alter the following. This path
+# definition will be used as the default path for other *_tls_x509_cert_dir
+# configuration settings if their default path does not exist or is not
+# specifically set.
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+# The default_tls_x509_cert_dir directory must also contain
+#
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+# If this option is supplied it provides the default for the "_verify" option
+# of specific TLS users such as vnc, backups, migration, etc. The specific
+# users of TLS may override this by setting the specific "_verify" option.
+#
+# When not supplied the specific TLS users provide their own defaults.
+#
+#default_tls_x509_verify = 1
+
+#
+# Libvirt assumes the server-key.pem file is unencrypted by default.
+# To use an encrypted server-key.pem file, the password to decrypt
+# the PEM file is required. This can be provided by creating a secret
+# object in libvirt and then to uncomment this setting to set the UUID
+# of the secret.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#vnc_listen = "0.0.0.0"
+
+# Enable this option to have VNC served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most VNC clients do not support it.
+#
+# This will only be enabled for VNC configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over vnc_listen.
+#
+#vnc_auto_unix_socket = 1
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#vnc_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vnc_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# certificate (as described in default_tls_x509_verify) signed by the
+# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "0".
+#
+#vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 bytes are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out. An empty
+# string will still enable passwords, but be rejected by QEMU,
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this.
+#
+#vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#vnc_sasl_dir = "/some/directory/sasl2"
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+#vnc_allow_host_audio = 0
+
+
+
+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#spice_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but spice_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out. An
+# empty string will still enable passwords, but be rejected by
+# QEMU, effectively preventing any use of SPICE. Obviously change
+# this example here before you set this.
+#
+#spice_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chardev_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but chardev_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# certificate (as described in default_tls_x509_verify) signed by the
+# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
+#
+#chardev_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vxhs_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a VxHS directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all NBD disk devices that don't
+# specifically disable it.
+#
+# When the NBD server is set up appropriately, x509 certificates are required
+# for authentication between the client and the remote NBD server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#nbd_tls = 1
+
+
+# In order to override the default TLS certificate location for NBD
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the NBD block device clients to the NBD
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but nbd_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# NBD block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA certificate.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a NBD directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but TLS-encrypted migration is requested, then the
+# default_tls_x509_cert_dir path will be used. Once/if a default certificate is
+# enabled/defined, migration will then be able to use the certificate via
+# migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# certificate (as described in default_tls_x509_verify) signed by the
+# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
+# either, the default is "1".
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
+# automatically. Setting 'migate_tls_force' to "1" will prevent any migration
+# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
+# deployments with TLS.
+#
+#migrate_tls_force = 0
+
+
+# In order to override the default TLS certificate location for backup NBD
+# server certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but TLS-encrypted backup is requested, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# certificate (as described in default_tls_x509_verify) signed by the
+# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
+# the default is "1".
+#
+#backup_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default, if no graphical front end is configured, libvirt will disable
+# QEMU audio output since directly talking to alsa/pulseaudio may not work
+# with various security settings. If you know what you're doing, enable
+# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+# environment variable when using nographics.
+#
+#nographics_allow_host_audio = 1
+
+
+# Override the port for creating both VNC and SPICE sessions (min).
+# This defaults to 5900 and increases for consecutive sessions
+# or when ports are occupied, until it hits the maximum.
+#
+# Minimum must be greater than or equal to 5900 as lower number would
+# result into negative vnc display number.
+#
+# Maximum must be less than 65536, because higher numbers do not make
+# sense as a port number.
+#
+#remote_display_port_min = 5900
+#remote_display_port_max = 65535
+
+# VNC WebSocket port policies, same rules apply as with remote display
+# ports. VNC WebSockets use similar display <-> port mappings, with
+# the exception being that ports start from 5700 instead of 5900.
+#
+#remote_websocket_port_min = 5700
+#remote_websocket_port_max = 65535
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable QEMU SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead. It's also possible to use more than one security
+# driver at the same time, for this use a list of names separated by
+# comma and delimited by square brackets. For example:
+#
+# security_driver = [ "selinux", "apparmor" ]
+#
+# Notes: The DAC security driver is always enabled; as a result, the
+# value of security_driver cannot contain "dac". The value "none" is
+# a special value; security_driver can be set to that value in
+# isolation, but it cannot appear in a list of drivers.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 1.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
+
+# The user for QEMU processes run by the system instance. It can be
+# specified as a user name or as a user id. The qemu driver will try to
+# parse this value first as a name and then, if the name doesn't exist,
+# as a user id.
+#
+# Since a sequence of digits is a valid user name, a leading plus sign
+# can be used to ensure that a user id will not be interpreted as a user
+# name.
+#
+# Some examples of valid values are:
+#
+# user = "qemu" # A user named "qemu"
+# user = "+0" # Super user (uid=0)
+# user = "100" # A user named "100" or a user with uid=100
+#
+user = "florian"
+
+# The group for QEMU processes run by the system instance. It can be
+# specified in a similar way to user.
+group = "kvm"
+
+# Whether libvirt should dynamically change file ownership
+# to match the configured user/group above. Defaults to 1.
+# Set to 0 to disable file ownership changes.
+#dynamic_ownership = 1
+
+# Whether libvirt should remember and restore the original
+# ownership over files it is relabeling. Defaults to 1, set
+# to 0 to disable the feature.
+#remember_owner = 1
+
+# What cgroup controllers to make use of with QEMU guests
+#
+# - 'cpu' - use for scheduler tunables
+# - 'devices' - use for device access control
+# - 'memory' - use for memory tunables
+# - 'blkio' - use for block devices I/O tunables
+# - 'cpuset' - use for CPUs and memory nodes
+# - 'cpuacct' - use for CPUs statistics.
+#
+# NB, even if configured here, they won't be used unless
+# the administrator has mounted cgroups, e.g.:
+#
+# mkdir /dev/cgroup
+# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+#
+# They can be mounted anywhere, and different controllers
+# can be mounted in different locations. libvirt will detect
+# where they are located.
+#
+#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
+# This is the basic set of devices allowed / required by
+# all virtual machines.
+#
+# As well as this, any configured block backed disks,
+# all sound device, and all PTY devices are allowed.
+#
+# This will only need setting if newer QEMU suddenly
+# wants some device we don't already know about.
+#
+cgroup_device_acl = [
+ "/dev/null", "/dev/full", "/dev/zero",
+ "/dev/random", "/dev/urandom",
+ "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
+ "/dev/rtc", "/dev/hpet", "/dev/sev"
+]
+#
+# RDMA migration requires the following extra files to be added to the list:
+# "/dev/infiniband/rdma_cm",
+# "/dev/infiniband/issm0",
+# "/dev/infiniband/issm1",
+# "/dev/infiniband/umad0",
+# "/dev/infiniband/umad1",
+# "/dev/infiniband/uverbs0"
+
+
+# The default format for QEMU/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file. If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space. If you would like to compress the images while they
+# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+# for save_image_format. Note that this means you slow down the process of
+# saving a domain in order to save disk space; the list above is in descending
+# order by performance and ascending order by compression ratio.
+#
+# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+# at scheduled saving, and it is an error if the specified save_image_format
+# is not valid, or the requested compression program can't be found.
+#
+# dump_image_format is used when you use 'virsh dump' at emergency
+# crashdump, and if the specified dump_image_format is not valid, or
+# the requested compression program can't be found, this falls
+# back to "raw" compression.
+#
+# snapshot_image_format specifies the compression algorithm of the memory save
+# image when an external snapshot of a domain is taken. This does not apply
+# on disk image format. It is an error if the specified format isn't valid,
+# or the requested compression program can't be found.
+#
+#save_image_format = "raw"
+#dump_image_format = "raw"
+#snapshot_image_format = "raw"
+
+# When a domain is configured to be auto-dumped when libvirtd receives a
+# watchdog event from qemu guest, libvirtd will save dump files in directory
+# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+#
+#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
+# When a domain is configured to be auto-dumped, enabling this flag
+# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+# virDomainCoreDump API. That is, the system will avoid using the
+# file system cache while writing the dump file, but may cause
+# slower operation.
+#
+#auto_dump_bypass_cache = 0
+
+# When a domain is configured to be auto-started, enabling this flag
+# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+# with the virDomainCreateWithFlags API. That is, the system will
+# avoid using the file system cache when restoring any managed state
+# file, but may cause slower operation.
+#
+#auto_start_bypass_cache = 0
+
+# If provided by the host and a hugetlbfs mount point is configured,
+# a guest may request huge page backing. When this mount point is
+# unspecified here, determination of a host mount point in /proc/mounts
+# will be attempted. Specifying an explicit mount overrides detection
+# of the same in /proc/mounts. Setting the mount point to "" will
+# disable guest hugepage backing. If desired, multiple mount points can
+# be specified at once, separated by comma and enclosed in square
+# brackets, for example:
+#
+# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+#
+# The size of huge page served by specific mount point is determined by
+# libvirt at the daemon startup.
+#
+# NB, within these mount points, guests will create memory backing
+# files in a location of $MOUNTPOINT/libvirt/qemu
+#
+#hugetlbfs_mount = "/dev/hugepages"
+
+
+# Path to the setuid helper for creating tap devices. This executable
+# is used to create