diff --git a/flake.lock b/flake.lock
index b08213f..26f0fb9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -36,6 +36,24 @@
  "type": "github"
  }
  },
+ "flake-utils_3": {
+ "inputs": {
+ "systems": "systems_3"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
  "flakey-profile": {
  "locked": {
  "lastModified": 1712898590,
@@ -127,6 +145,28 @@
  "url": "https://git.syzygial.cc/Syzygial/EmacsConfig.git"
  }
  },
+ "microvm": {
+ "inputs": {
+ "flake-utils": "flake-utils_3",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "spectrum": "spectrum"
+ },
+ "locked": {
+ "lastModified": 1743083165,
+ "narHash": "sha256-Fz7AiCJWtoWZ2guJwO3B1h3RuJxYWaCzFIqY0Kmkyrs=",
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "rev": "773d5a04e2e10ca7b412270dea11276a496e1b61",
+ "type": "github"
+ },
+ "original": {
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "type": "github"
+ }
+ },
  "nix-darwin": {
  "inputs": {
  "nixpkgs": [
@@ -185,6 +225,7 @@
  "home-manager": "home-manager",
  "lix-module": "lix-module",
  "me-emacs": "me-emacs",
+ "microvm": "microvm",
  "nix-darwin": "nix-darwin",
  "nixpkgs": "nixpkgs",
  "sops-nix": "sops-nix"
@@ -208,6 +249,22 @@
  "type": "github"
  }
  },
+ "spectrum": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1733308308,
+ "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+ "ref": "refs/heads/main",
+ "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
+ "revCount": 792,
+ "type": "git",
+ "url": "https://spectrum-os.org/git/spectrum"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://spectrum-os.org/git/spectrum"
+ }
+ },
  "systems": {
  "locked": {
  "lastModified": 1681028828,
@@ -237,6 +294,21 @@
  "repo": "default",
  "type": "github"
  }
+ },
+ "systems_3": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
  }
  },
  "root": "root",
diff --git a/flake.nix b/flake.nix
index 5596ce4..bbb3d4b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,9 +12,11 @@
  url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
  inputs.nixpkgs.follows = "nixpkgs";
  };
+ microvm.url = "github:astro/microvm.nix";
+ microvm.inputs.nixpkgs.follows = "nixpkgs";
  };
- outputs = { self, nixpkgs, sops-nix, me-emacs, nix-darwin, home-manager, lix-module }@inputs: let
+ outputs = { self, nixpkgs, sops-nix, me-emacs, nix-darwin, home-manager, lix-module, microvm }@inputs: let
  overlays = import ./overlays/default.nix inputs;
  modules = import ./modules/default.nix inputs;
@@ -68,6 +70,7 @@
  ./machines/pericyte/configuration.nix
  modules.sops
  # lix-module.nixosModules.default
+ microvm.nixosModules.host
  ];
  };
  };
diff --git a/machines/pericyte/configuration.nix b/machines/pericyte/configuration.nix
index aca40cf..09d8cd1 100644
--- a/machines/pericyte/configuration.nix
+++ b/machines/pericyte/configuration.nix
@@ -3,6 +3,8 @@
  ./hardware-configuration.nix
  "${inputs.nixpkgs}/nixos/modules/profiles/headless.nix"
  "${inputs.nixpkgs}/nixos/modules/profiles/minimal.nix"
+
+ ./microvm-configuration.nix
  ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/machines/pericyte/microvm-configuration.nix b/machines/pericyte/microvm-configuration.nix
new file mode 100644
index 0000000..3af81ed
--- /dev/null
+++ b/machines/pericyte/microvm-configuration.nix
@@ -0,0 +1,44 @@
+{ pkgs, ... }: {
+ networking.useNetworkd = true;
+
+ systemd.network.netdevs."10-microvm".netdevConfig = {
+ Kind = "bridge";
+ Name = "microvm";
+ };
+ systemd.network.networks."10-microvm" = {
+ matchConfig.Name = "microvm";
+ networkConfig = {
+ DHCPServer = true;
+ IPv6SendRA = true;
+ };
+ addresses = [ {
+ addressConfig.Address = "10.1.0.1/24";
+ } {
+ addressConfig.Address = "fd12:3456:789a::1/64";
+ } ];
+ ipv6Prefixes = [ {
+ ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64";
+ } ];
+ };
+
+ systemd.network.networks."11-microvm" = {
+ matchConfig.Name = "vm-*";
+ # Attach to the bridge that was configured above
+ networkConfig.Bridge = "microvm";
+ };
+
+ # Allow inbound traffic for the DHCP server
+ networking.firewall.allowedUDPPorts = [ 67 ];
+
+ networking.nat = {
+ enable = true;
+ # NAT66 exists and works. But if you have a proper subnet in
+ # 2000::/3 you should route that and remove this setting:
+ enableIPv6 = true;
+
+ # Change this to the interface with upstream Internet access
+ externalInterface = "ens3";
+ # The bridge where you want to provide Internet access
+ internalInterfaces = [ "microvm" ];
+ };
+}
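Review bot: `networking.firewall.allowedUDPPorts = [ 67 ];` opens the DHCP server port on every interface of the host, including the upstream `ens3` that the NAT block below treats as external, while the comment above it says the intent is to serve the `microvm` bridge only. Scoping the rule to the bridge keeps the listener off the Internet-facing side: `networking.firewall.interfaces.microvm.allowedUDPPorts = [ 67 ];`. `externalInterface = "ens3";` still carries the template's "Change this to the interface with upstream Internet access" comment, so it is not clear the name was checked against this machine's hardware-configuration.nix; if it does not match, the masquerade rule presumably never matches any traffic and guests silently get no upstream connectivity, so the comment should either be dropped or replaced with one stating the value was confirmed. The `fd12:3456:789a::/64` prefix looks like the documentation example rather than a randomly generated ULA global ID as RFC 4193 intends, which is worth a comment if it is deliberate. The module binds `pkgs` without using it; `{ ... }: {` would do.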