diff --git a/modules/desktop.nix b/modules/desktop.nix
index 355965e4..4ad7591e 100644
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -11,6 +11,7 @@
       self.nixosModules.dualsensePatch
       self.nixosModules.gnome
       self.nixosModules.french
+      self.nixosModules.vpn
     ];
 
     options.stars.desktop = {
@@ -27,7 +28,6 @@
         ncspot # spotify
         obsidian
         pfetch
-        protonvpn-gui
         qFlipper
         qbittorrent
         ranger
@@ -76,11 +76,6 @@
 
       services = {
         resolved.enable = true;
-        mullvad-vpn = {
-          enable = true;
-          package = pkgs.mullvad-vpn;
-          enableEarlyBootBlocking = true;
-        };
 
         pipewire = {
           enable = true;
diff --git a/modules/hosts/cassiopeia/configuration.nix b/modules/hosts/cassiopeia/configuration.nix
index 7a32d236..d2d45a7e 100644
--- a/modules/hosts/cassiopeia/configuration.nix
+++ b/modules/hosts/cassiopeia/configuration.nix
@@ -40,6 +40,7 @@
         niri.enable = true;
         noctalia.enable = true;
         wallpapers.enable = true;
+        vpn.enable = true;
       };
       frenchPatch = true;
       asusPatch = true;
diff --git a/modules/hosts/cetus/configuration.nix b/modules/hosts/cetus/configuration.nix
index 3bd6884f..772664d2 100644
--- a/modules/hosts/cetus/configuration.nix
+++ b/modules/hosts/cetus/configuration.nix
@@ -11,6 +11,7 @@
       self.nixosModules.core
       self.nixosModules.userEnv
       self.nixosModules.server-services
+      self.nixosModules.virt
 
       self.nixosModules.hostCetusHardware
     ];
@@ -39,6 +40,7 @@
         traefik.enable = true;
         mcheads.enable = true;
       };
+      virt = true;
     };
 
     systemd.services.nix-daemon.serviceConfig = {
diff --git a/modules/hosts/lyra/configuration.nix b/modules/hosts/lyra/configuration.nix
index 563e4af1..28d488dd 100644
--- a/modules/hosts/lyra/configuration.nix
+++ b/modules/hosts/lyra/configuration.nix
@@ -35,6 +35,7 @@
         noctalia.enable = true;
         ratePatch = true;
         wallpapers.enable = true;
+        vpn.enable = true;
       };
       dev = true;
       dualsensePatch = true;
diff --git a/modules/virt.nix b/modules/virt.nix
index 41406d36..77b26e23 100644
--- a/modules/virt.nix
+++ b/modules/virt.nix
@@ -36,12 +36,12 @@ _: {
 
       services.spice-vdagentd.enable = true;
 
-      # module options to get OSX-KVM working
-      boot.extraModprobeConfig = ''
-        options kvm_intel nested=1
-        options kvm_intel emulate_invalid_guest_state=0
-        options kvm ignore_msrs=1
-      '';
+      # # module options to get OSX-KVM working
+      # boot.extraModprobeConfig = ''
+      #   options kvm_intel nested=1
+      #   options kvm_intel emulate_invalid_guest_state=0
+      #   options kvm ignore_msrs=1
+      # '';
 
       users.users.${config.stars.mainUser}.extraGroups = ["docker" "libvirtd"];
     };
diff --git a/modules/vpn.nix b/modules/vpn.nix
new file mode 100644
index 00000000..cc20fbf0
--- /dev/null
+++ b/modules/vpn.nix
@@ -0,0 +1,27 @@
+# feature: unified desktop environment
+_: {
+  flake.nixosModules.vpn = {
+    lib,
+    pkgs,
+    config,
+    ...
+  }: {
+    options.stars.desktop.vpn.enable = lib.mkEnableOption "VPNs and anonymity";
+
+    config = lib.mkIf config.stars.desktop.vpn.enable {
+      environment.systemPackages = with pkgs; [
+        mullvad-browser
+        protonvpn-gui
+        tor
+        tor-browser
+      ];
+
+      services.
+        mullvad-vpn = {
+        enable = true;
+        package = pkgs.mullvad-vpn;
+        enableEarlyBootBlocking = true;
+      };
+    };
+  };
+}