diff --git a/flake.nix b/flake.nix
index c68b823..9cfe41a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,6 +63,7 @@
 hosts = import ./nix/hosts.nix inputs;
 colmena = import ./nix/colmena.nix inputs;
 homeConfigurations = import ./nix/home-manager.nix inputs;
+ microVms = import ./nix/microvms.nix inputs;
 inherit ((colmena.lib.makeHive self.colmena).introspect (x: x)) nodes;
 }
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index dc2cec5..ad82f67 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -1,7 +1,9 @@
 {
+ inputs,
 lib,
 pkgs,
 config,
+ nodeName,
 nodeSecrets,
 ...
 }: let
@@ -20,6 +22,16 @@ in {
 ./xdg.nix
 ];
+ # Setup secret rekeying parameters
+ rekey.forceRekeyOnSystem = "x86_64-linux";
+ rekey.hostPubkey = let
+ pubkeyPath = ../.. + "/${nodeName}/secrets/host.pub";
+ in
+ lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
+ pubkeyPath;
+ rekey.masterIdentities = inputs.self.secrets.masterIdentities;
+ rekey.extraEncryptionPubkeys = inputs.self.secrets.extraEncryptionPubkeys;
+
 boot = {
 kernelParams = ["log_buf_len=10M"];
 tmpOnTmpfs = true;
@@ -40,6 +52,7 @@ in {
 };
 networking = {
+ hostName = lib.mkDefault nodeName;
 # FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that.
 useDHCP = true;
 useNetworkd = true;
diff --git a/hosts/common/core/nix.nix b/hosts/common/core/nix.nix
index c006aa0..3342874 100644
--- a/hosts/common/core/nix.nix
+++ b/hosts/common/core/nix.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ inputs,
+ pkgs,
+ ...
+}: {
 nix = {
 settings = {
 auto-optimise-store = true;
@@ -28,5 +32,12 @@
 '';
 optimise.automatic = true;
 gc.automatic = true;
+ # Define global flakes for this system
+ registry = {
+ nixpkgs.flake = inputs.nixpkgs;
+ p.flake = inputs.nixpkgs;
+ pkgs.flake = inputs.nixpkgs;
+ templates.flake = inputs.templates;
+ };
 };
 }
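Review bot: The fallback in the new `rekey.hostPubkey` expression in hosts/common/core/default.nix only reports a missing `hosts/<node>/secrets/host.pub` through `lib.trace` and then leaves the option unset, which — per the message text itself — makes agenix-rekey fall back to a dummy replacement key. A trace line is easy to lose in colmena's build output, so a node that was never bootstrapped with its real host key can be deployed with its secrets rekeyed to a placeholder key rather than the host's own; `lib.warn` instead of `lib.trace` would at least flag it as a warning, and an `assertions` entry keyed on the same `lib.pathExists pubkeyPath` test could make it fatal for nodes that are past bootstrap. Because this now lives in the shared core module rather than in colmena.nix, it presumably also applies to microvm guests evaluated through nix/microvms.nix — TODO confirm they import hosts/common/core. The enclosing `in { ... }` attrset starts and ends outside the hunk.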
diff --git a/hosts/common/sound.nix b/hosts/common/sound.nix
index 6ca0c1e..a7b4e37 100644
--- a/hosts/common/sound.nix
+++ b/hosts/common/sound.nix
@@ -3,9 +3,8 @@
 pkgs,
 ...
 }: {
- sound.enable = true;
 environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
-
+ sound.enable = false; # ALSA
 hardware.pulseaudio.enable = lib.mkForce false;
 security.rtkit.enable = true;
 services.pipewire = {
diff --git a/hosts/nom/meta.nix b/hosts/nom/meta.nix
index 4e0cb6a..c575f4d 100644
--- a/hosts/nom/meta.nix
+++ b/hosts/nom/meta.nix
@@ -1,7 +1,7 @@
 {
 type = "nixos";
 system = "x86_64-linux";
- physical_connections = {
+ physicalConnections = {
 "10-lan1" = "LAN 1";
 "10-wlan1" = "WiFi";
 };
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 169aa82..9e7d81a 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -10,7 +10,7 @@
 ../common/core
 ../common/hardware/intel.nix
- ../common/initrd-ssh.nix
+ #../common/initrd-ssh.nix
 ../common/efi.nix
 ../common/zfs.nix
@@ -22,22 +22,9 @@
 boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
- services.home-assistant = {
- enable = true;
- extraComponents = ["default_config" "met" "zha"];
- openFirewall = true;
- config = {
- default_config = {};
- met = {};
- };
+ microvm.vms.agag = {
+ flake = self;
+ updateFlake = microvm;
 };
- #networking.firewall.allowedTCPPorts = [1883];
- #services.zigbee2mqtt.enable = true;
- #services.zigbee2mqtt.settings = {
- # homeassistant = config.services.home-assistant.enable;
- # permit_join = true;
- # serial = {
- # port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
- # };
- #};
+ autostart = ["guest"];
 }
diff --git a/hosts/ward/meta.nix b/hosts/ward/meta.nix
index 238009b..4aeb0af 100644
--- a/hosts/ward/meta.nix
+++ b/hosts/ward/meta.nix
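Review bot: `autostart = ["guest"];` in the hosts/ward/default.nix `@@ -22,22` hunk sits at the top level of the module attrset, beside `boot.initrd.availableKernelModules` and outside the `microvm.vms.agag = { ... };` block that the context `};` closes, and it names a VM `guest` while the only VM this hunk defines is `agag`; as far as the collapsed layout shows, this looks like it should read `microvm.autostart = ["agag"];`, and as written NixOS would reject `autostart` as an undefined option. The new lines also use `self` and `microvm` as bare module arguments, but nix/generate-node.nix in this same commit passes only `inputs` (plus `lib`, `nodeName`, `nodeMeta` and the secrets sets) through `specialArgs`, so unless this file's function header — which is outside the hunk — binds them from `inputs`, evaluation fails on an undefined variable; `inputs.self` and `inputs.microvm` would match what the rest of the commit does. `updateFlake = microvm;` is also worth a second look: if that is the microvm.nix option holding the flake reference used for guest updates, it should point at this repository's flake rather than the `microvm` input — verify against the option's declared type. The module's function header and closing are outside the hunk.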
@@ -1,7 +1,8 @@
 {
 type = "nixos";
 system = "x86_64-linux";
- physical_connections = {
+ microVmHost = true;
+ physicalConnections = {
 "10-lan1" = "LAN 1";
 "10-lan2" = "LAN 2";
 };
diff --git a/hosts/zackbiene/meta.nix b/hosts/zackbiene/meta.nix
index 817f8d4..19520c9 100644
--- a/hosts/zackbiene/meta.nix
+++ b/hosts/zackbiene/meta.nix
@@ -1,7 +1,7 @@
 {
 type = "nixos";
 system = "aarch64-linux";
- physical_connections = {
+ physicalConnections = {
 "10-lan1" = "LAN 1";
 };
 }
diff --git a/nix/colmena.nix b/nix/colmena.nix
index 11d431c..200a8c0 100644
--- a/nix/colmena.nix
+++ b/nix/colmena.nix
@@ -1,45 +1,18 @@
 {
 self,
- colmena,
- home-manager,
- #impermanence,
- nixos-hardware,
 nixpkgs,
- agenix,
- agenix-rekey,
- templates,
 ...
-}:
-with nixpkgs.lib; let
- nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts;
- generateColmenaNode = hostName: _: {
- imports = [
- ({config, ...}: {
- # By default, set networking.hostName to the hostName
- networking.hostName = mkDefault hostName;
- # Define global flakes for this system
- nix.registry = {
- nixpkgs.flake = nixpkgs;
- p.flake = nixpkgs;
- pkgs.flake = nixpkgs;
- templates.flake = templates;
- };
- # Setup parameters for Secrets
- rekey.forceRekeyOnSystem = "x86_64-linux";
- rekey.hostPubkey = let
- pubkeyPath = ../hosts + "/${hostName}/secrets/host.pub";
- in
- mkIf (pathExists pubkeyPath || trace "Missing pubkey for ${hostName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
- pubkeyPath;
- rekey.masterIdentities = self.secrets.masterIdentities;
- rekey.extraEncryptionPubkeys = self.secrets.extraEncryptionPubkeys;
- })
- (../hosts + "/${hostName}")
- home-manager.nixosModules.default
- #impermanence.nixosModules.default
- agenix.nixosModules.default
- agenix-rekey.nixosModules.default
- ];
+} @ inputs: let
+ inherit
+ (nixpkgs.lib)
+ filterAttrs
+ mapAttrs
+ ;
+
+ nixosNodes = filterAttrs (_: x: x.type == "nixos") self.hosts;
+ nodes = mapAttrs (import ./generate-node.nix inputs) nixosNodes;
+ generateColmenaNode = nodeName: _: {
+ inherit (nodes.${nodeName}) imports;
 };
 in {
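Review bot: `generateColmenaNode = nodeName: _: { inherit (nodes.${nodeName}) imports; }` discards the value `mapAttrs` hands it and re-indexes `nodes` by name, while the next hunk of the same file already uses the `_: node: node.pkgs` form over the same table; `generateColmenaNode = _: node: { inherit (node) imports; };` does the same work with one lookup and keeps the two hunks consistent. A one-line comment above `nodes`, such as `# node name -> { system, pkgs, specialArgs, imports }, shared with nodeNixpkgs/nodeSpecialArgs below`, would also help, since the table is built in this hunk but consumed in the next. The `let` opened here is closed by the `in {` on the last hunk line, and the attrset it introduces continues past the hunk.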
@@ -47,18 +20,8 @@ in
 description = "oddlama's colmena configuration";
 # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
 nixpkgs = self.pkgs.x86_64-linux;
- nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
- nodeSpecialArgs =
- mapAttrs (hostName: _: {
- nodeSecrets = self.secrets.content.nodes.${hostName};
- })
- nixosHosts;
- specialArgs = {
- inherit (nixpkgs) lib;
- secrets = self.secrets.content;
- nixos-hardware = nixos-hardware.nixosModules;
- #impermanence = impermanence.nixosModules;
- };
+ nodeNixpkgs = mapAttrs (_: node: node.pkgs) nodes;
+ nodeSpecialArgs = mapAttrs (_: node: node.specialArgs) nodes;
 };
 }
- // mapAttrs generateColmenaNode nixosHosts
+ // mapAttrs generateColmenaNode nodes
diff --git a/nix/generate-node.nix b/nix/generate-node.nix
new file mode 100644
index 0000000..87ec74c
--- /dev/null
+++ b/nix/generate-node.nix
@@ -0,0 +1,45 @@
+{
+ self,
+ colmena,
+ home-manager,
+ #impermanence,
+ nixos-hardware,
+ nixpkgs,
+ microvm,
+ agenix,
+ agenix-rekey,
+ ...
+} @ inputs: let
+ inherit
+ (nixpkgs.lib)
+ optionals
+ ;
+in
+ nodeName: nodeMeta: {
+ inherit (nodeMeta) system;
+ pkgs = self.pkgs.${nodeMeta.system};
+ specialArgs = {
+ inherit (nixpkgs) lib;
+ inherit inputs;
+ inherit nodeName;
+ inherit nodeMeta;
+ secrets = self.secrets.content;
+ nodeSecrets = self.secrets.content.nodes.${nodeName};
+ nixos-hardware = nixos-hardware.nixosModules;
+ #impermanence = impermanence.nixosModules;
+ };
+ imports =
+ [
+ (../hosts + "/${nodeName}")
+ home-manager.nixosModules.default
+ #impermanence.nixosModules.default
+ agenix.nixosModules.default
+ agenix-rekey.nixosModules.default
+ ]
+ ++ optionals nodeMeta.microVmHost [
+ microvm.nixosModules.host
+ ]
+ ++ optionals (nodeMeta.type == "microvm") [
+ microvm.nixosModules.microvm
+ ];
+ }
diff --git a/nix/hosts.nix b/nix/hosts.nix
index fafc1dd..a97a512 100644
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
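Review bot: `colmena` is destructured in the argument set of the new nix/generate-node.nix but never referenced in the body, so it can be dropped from the pattern (the trailing `...` already admits it, and `inputs` keeps it reachable). Separately, `specialArgs` hands every evaluated node the complete `secrets = self.secrets.content` in addition to its own `nodeSecrets = self.secrets.content.nodes.${nodeName}`; the old colmena.nix did the same, but this helper is now also the path for microvm guests built in nix/microvms.nix, so if `secrets.content` carries anything per-node beyond public metadata it is worth narrowing guests to `nodeSecrets` — I cannot tell from here what `secrets.content` holds. A short header comment stating the contract, e.g. `# inputs -> nodeName -> nodeMeta -> { system, pkgs, specialArgs, imports }; consumed by colmena.nix and microvms.nix`, would make the shared shape explicit for the two callers.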
@@ -1,5 +1,10 @@
-{nixpkgs, ...}:
-nixpkgs.lib.concatMapAttrs (nodeName: fileType:
+{nixpkgs, ...}: let
+ hostDefaults = {
+ physicalConnections = {};
+ microVmHost = false;
+ };
+in
+ nixpkgs.lib.concatMapAttrs (nodeName: fileType:
 if fileType == "directory" && nodeName != "common"
- then {${nodeName} = import (../hosts + "/${nodeName}/meta.nix");}
+ then {${nodeName} = hostDefaults // import (../hosts + "/${nodeName}/meta.nix");}
 else {}) (builtins.readDir ../hosts)
diff --git a/nix/microvms.nix b/nix/microvms.nix
new file mode 100644
index 0000000..d085b77
--- /dev/null
+++ b/nix/microvms.nix
@@ -0,0 +1,21 @@
+{
+ self,
+ nixpkgs,
+ ...
+} @ inputs: let
+ inherit
+ (nixpkgs.lib)
+ filterAttrs
+ mapAttrs
+ nixosSystem
+ ;
+
+ microvmNodes = filterAttrs (_: x: x.type == "microvm") self.hosts;
+ nodes = mapAttrs (import ./generate-node.nix inputs) microvmNodes;
+ generateMicrovmNode = nodeName: _:
+ nixosSystem {
+ inherit (nodes.${nodeName}) system pkgs specialArgs;
+ modules = nodes.${nodeName}.imports;
+ };
+in
+ mapAttrs generateMicrovmNode nodes
diff --git a/users/common/nushell.nix b/users/common/nushell.nix
index 093bd1d..c314fa3 100644
--- a/users/common/nushell.nix
+++ b/users/common/nushell.nix
@@ -1,8 +1,4 @@
 {
- lib,
- pkgs,
- ...
-}: {
 programs.nushell = {
 enable = true;
 };
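Review bot: `hostDefaults // import (../hosts + "/${nodeName}/meta.nix")` in nix/hosts.nix fills in `physicalConnections` and `microVmHost` for any meta.nix that omits them, but nothing checks the keys a meta.nix does provide, so a misspelt or stale key silently keeps the default instead of failing. This commit's own rename of `physical_connections` to `physicalConnections` across the meta.nix files shows the failure mode: a host whose meta.nix still used the old name would evaluate with `physicalConnections = {}` and no error. A guard that asserts `builtins.attrNames` of the imported set is a subset of the known keys (`type`, `system`, `physicalConnections`, `microVmHost`) before the merge, with an `abort` naming the node and the unknown key, would turn that into an evaluation error; a one-line comment above `hostDefaults` stating that these are the optional per-host keys would also help readers of generate-node.nix, which consumes `microVmHost` and `type`.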