diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 83b8db1..13baa96 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -36,7 +36,7 @@
     "transparent_hugepage=always" # because mucho ram
   ];
   # 2. Load the specific drivers found by sensors-detect
-  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ];
+  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" "kvm-intel" "kvm" ];
   # 3. Force the nct6775 driver to recognize the chip if it's stubborn
   boot.extraModprobeConfig = ''
     options nct6775 force_id=0xd280
@@ -328,20 +328,21 @@
   # Mi50 config
   hardware.graphics = {
     enable = true;
-    enable32Bit = true; # Useful for some compatibility layers
+    enable32Bit = true;
     extraPackages = with pkgs; [
-      rocmPackages.clr.icd # OpenCL/HIP runtime
+      rocmPackages.clr.icd
     ];
   };
   nixpkgs.config.rocmTargets = [ "gfx906" ];
   environment.variables = {
-    # This "tricks" ROCm into supporting the MI50 if using newer versions
     HSA_OVERRIDE_GFX_VERSION = "9.0.6";
-    # Ensures the system sees both GPUs
     HIP_VISIBLE_DEVICES = "0,1";
   };
 
- # Open ports in the firewall.
+  # KVM/libvirt for staging VM
+  virtualisation.libvirtd.enable = true;
+
+# Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
diff --git a/users/ai-worker.nix b/users/ai-worker.nix
index 6308151..b7a534d 100644
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -4,7 +4,7 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    extraGroups = [ "docker" ];
+    extraGroups = [ "docker" "libvirtd" ];
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main