diff --git a/configuration-desktop.nix b/configuration-desktop.nix
index 875c343..3c16fd7 100644
--- a/configuration-desktop.nix
+++ b/configuration-desktop.nix
@@ -45,13 +45,19 @@
     kdePackages.plasma-thunderbolt
   ];
 
-  systemd.services.clear-downloads = {
-    description = "Wipe downloads on boot";
+  systemd.tmpfiles.settings.usersetup."e!"."/home/audrey/Downloads" = {
+    user = "audrey";
+    group = "users";
+    mode = "0700";
+    age = "1d";
+  };
+  systemd.services.sysfs-settings = {
+    description = "Set desktop sysfs tunables";
     script = ''
-      rm -rf /home/audrey/Downloads
-      mkdir /home/audrey/Downloads
-      chown audrey:users /home/audrey/Downloads
+      # https://bugzilla.kernel.org/show_bug.cgi?id=219112
+      test "$(cat /sys/module/kvm/parameters/nx_huge_pages)" = "never" && exit 0 || true
+      echo "never" | tee /sys/module/kvm/parameters/nx_huge_pages
     '';
-    wantedBy = [ "multi-user.target" ];
+    before = [ "boot-complete.target" ];
   };
 }
diff --git a/configuration.nix b/configuration.nix
index 6dadcef..bd4e00e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-
-{
+let nixKey = "/var/lib/nix/binary-cache-key";
+in {
   imports = [ ./overlays/packages.nix ];
   nixpkgs.config.allowUnfree = true;
 
@@ -11,6 +11,20 @@
   boot.loader.efi.efiSysMountPoint = "/boot";
 
   nix.settings.extra-experimental-features = "nix-command flakes";
+  nix.settings.trusted-users = [ "audrey" ];
+  nix.settings.max-jobs = 1;
+  nix.settings.cores = 0;
+  #nix.settings.secret-key-files = [ nixKey ];
+
+  systemd.services.nix-key-setup = {
+    description = "Generate a nix build signing key";
+    script = ''
+      test -f ${nixKey} && test -f ${nixKey}.pub && exit 0 || true
+      mkdir -p "$(dirname "${nixKey}")"
+      ${config.nix.package}/bin/nix-store --generate-binary-cache-key ${config.networking.hostName} ${nixKey} ${nixKey}.pub
+    '';
+    wantedBy = [ "multi-user.target" ];
+  };
 
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
@@ -31,7 +45,6 @@
     description = "Audrey Dutcher";
     isNormalUser = true;
     extraGroups = [ "wheel" "docker" ];
-    packages = with pkgs; [ ];
   };
 
   environment.systemPackages = with pkgs; [
@@ -44,6 +57,7 @@
     file
     stdenv.cc
     patchelf
+    meld
 
     # language servers
     nil
diff --git a/sites/daisy/configuration.nix b/sites/daisy/configuration.nix
index 67e4599..3c40898 100644
--- a/sites/daisy/configuration.nix
+++ b/sites/daisy/configuration.nix
@@ -10,6 +10,8 @@
   # fstrim is also enabled by nixos-hardware, but only runs for /boot
 
   services.fprintd.enable = true;
+  # fix hang on initial login
+  security.pam.services.login.fprintAuth = false;
 
   networking.hostName = "daisy";
   networking.hostId = "293a1290";
@@ -26,5 +28,11 @@
 
   environment.systemPackages = [
     pkgs.idapro9
+    pkgs.qemu_kvm
+    (pkgs.runCommand "OVMF-fd" {} ''
+      mkdir -p $out/share/FV
+      ln -s ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd $out/share/FV/OVMF_CODE.fd
+    '')
+    pkgs.OVMF.fd
   ];
 }