diff --git a/.gitignore b/.gitignore
index 8905796..83d33eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 .ssh/
 .ugit/
 .tsnet/
+*.qcow2
diff --git a/flake.nix b/flake.nix
index a9b837d..cc9a21a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,5 +54,19 @@
 }
 );
 nixosModules.default = import ./nix/module.nix;
+ nixosConfigurations.ugitVM = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./nix/vm.nix
+ {
+ virtualisation.vmVariant.virtualisation = {
+ cores = 2;
+ memorySize = 2048;
+ graphics = false;
+ };
+ system.stateVersion = "23.11";
+ }
+ ];
+ };
 };
 }
diff --git a/nix/module.nix b/nix/module.nix
index 7c39455..1dc7638 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -12,6 +12,7 @@ let
 { name, config, ... }:
 let
 inherit (lib) mkEnableOption mkOption types;
+ baseDir = "/var/lib/ugit-${name}";
 in
 {
 options = {
@@ -26,13 +27,13 @@ let
 homeDir = mkOption {
 type = types.str;
 description = "ugit home directory";
- default = "/var/lib/${name}";
+ default = baseDir;
 };
 
 repoDir = mkOption {
 type = types.str;
 description = "where ugit stores repositories";
- default = "/var/lib/${name}/repos";
+ default = "${baseDir}/repos";
 };
 
 authorizedKeys = mkOption {
@@ -44,13 +45,13 @@ let
 authorizedKeysFile = mkOption {
 type = types.str;
 description = "path to authorized_keys file ugit uses for auth";
- default = "/var/lib/${name}/authorized_keys";
+ default = "${baseDir}/authorized_keys";
 };
 
 hostKeyFile = mkOption {
 type = types.str;
 description = "path to host key file (will be created if it doesn't exist)";
- default = "/var/lib/${name}/ugit_ed25519";
+ default = "${baseDir}/ugit_ed25519";
 };
 
 config = mkOption {
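Review bot: Moving the four defaults from `/var/lib/${name}` to `/var/lib/ugit-${name}` silently changes where every existing instance that relies on the defaults looks for its repos, authorized_keys and host key: after an upgrade ugit starts with an empty repo dir and, per the hostKeyFile description, generates a fresh host key, so clients hit a host-key-changed error and any push lands in the new empty location. Nothing in the hunk documents or migrates this. At minimum add a note beside the new `baseDir` binding, e.g. `# State dir default changed from /var/lib/<name>; existing deployments must set homeDir/repoDir/authorizedKeysFile/hostKeyFile explicitly or move their data`, and consider a `warnings` entry when the old directory still exists. The enclosing option set continues outside the hunk.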
@@ -223,28 +224,5 @@ in
 } ) ) { } (builtins.attrNames cfg);
-
- systemd.tmpfiles.settings = lib.mapAttrs' (
- name: instanceCfg:
- lib.nameValuePair "ugit-${name}" (
- builtins.listToAttrs (
- map (
- hook:
- let
- script = pkgs.writeShellScript hook.name hook.content;
- path = "${instanceCfg.repoDir}/hooks/pre-receive.d/${hook.name}";
- in
- {
- name = path;
- value = {
- "L" = {
- argument = "${script}";
- };
- };
- }
- ) instanceCfg.hooks
- )
- )
- ) (lib.filterAttrs (name: instanceCfg: instanceCfg.enable) cfg);
 };
 }
diff --git a/nix/test.nix b/nix/test.nix
deleted file mode 100644
index 095c906..0000000
--- a/nix/test.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-{
- imports = [ ./module.nix ];
-
- users.users.jolheiser = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- initialPassword = "test";
- };
-
- services.ugit = {
- enable = true;
- hooks = [
- {
- name = "pre-receive";
- content = ''
- echo "Pre-receive hook executed"
- '';
- }
- ];
- };
-}
diff --git a/nix/vm.nix b/nix/vm.nix
new file mode 100644
index 0000000..087fa6b
--- /dev/null
+++ b/nix/vm.nix
@@ -0,0 +1,84 @@
+{ pkgs, ... }:
+let
+ privKey = ''
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACBIpmLtcHhECei1ls6s0kKUehjpRCP9yel/c5YCIb5DpQAAAIgAYtkzAGLZ
+ MwAAAAtzc2gtZWQyNTUxOQAAACBIpmLtcHhECei1ls6s0kKUehjpRCP9yel/c5YCIb5DpQ
+ AAAEDFY3M69VfnFbyE67r3l4lDcf5eht5qgNemE9xtMhRkBkimYu1weEQJ6LWWzqzSQpR6
+ GOlEI/3J6X9zlgIhvkOlAAAAAAECAwQF
+ -----END OPENSSH PRIVATE KEY-----
+ '';
+ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEimYu1weEQJ6LWWzqzSQpR6GOlEI/3J6X9zlgIhvkOl";
+ sshConfig = ''
+ Host ugit
+ HostName localhost
+ Port 8448
+ User ugit
+ IdentityFile ~/.ssh/vm
+ IdentitiesOnly yes
+ '';
+in
+{
+ imports = [ ./module.nix ];
+ environment.systemPackages = with pkgs; [ git ];
+ services.getty.autologinUser = "root";
+ services.openssh.enable = true;
+ services.ugit.vm = {
+ enable = true;
+ authorizedKeys = [ pubKey ];
+ hooks = [
+ {
+ name = "pre-receive";
+ content = ''
+ echo "Pre-receive hook executed"
+ '';
+ }
+ ];
+ };
+ systemd.services."setup-vm" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "ugit-vm.service" ];
+ path = with pkgs; [
+ git
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = "root";
+ Group = "root";
+ ExecStart =
+ let
+ privSSH = pkgs.writeText "vm-privkey" privKey;
+ sshConfigFile = pkgs.writeText "vm-sshconfig" sshConfig;
+ in
+ pkgs.writeShellScript "setup-vm-script" ''
+ # Hack to let ugit start up and generate its SSH keypair
+ sleep 3
+
+ # Set up git
+ git config --global user.name "NixUser"
+ git config --global user.email "nixuser@example.com"
+ git config --global init.defaultBranch main
+ git config --global push.autoSetupRemote true
+
+ # Set up SSH files
+ mkdir ~/.ssh
+ ln -sf ${sshConfigFile} ~/.ssh/config
+ cp ${privSSH} ~/.ssh/vm
+ chmod 600 ~/.ssh/vm
+ echo "[localhost]:8448 $(cat /var/lib/ugit-vm/ugit_ed25519.pub)" > ~/.ssh/known_hosts
+
+ # Stage some git activity
+ mkdir ~/repo
+ cd ~/repo
+ git init
+ git remote add origin ugit:repo.git
+ touch README.md
+ git add README.md
+ git commit -m "Test"
+ '';
+ };
+ };
+
+}
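Review bot: The VM client's private key is committed in `privKey` and, through `pkgs.writeText "vm-privkey"`, is copied world-readable into `/nix/store` on every machine that evaluates this flake; the later `chmod 600 ~/.ssh/vm` protects only the copy, not the store path or the repo. For a throwaway test VM that is tolerable, but the binding should say so, e.g. `# Throwaway keypair for the local test VM only — it is public (committed and in /nix/store); never authorize it anywhere else`, and ideally the script would `ssh-keygen` a fresh key at boot instead (whether the module lets a runtime-generated key be appended to its authorized_keys file is not visible here). Separately, `sleep 3` before reading `/var/lib/ugit-vm/ugit_ed25519.pub` is a race with the ugit service, and `after` alone does not even pull that service in, so add `requires = [ "ugit-vm.service" ];` and poll for the key file. `mkdir ~/.ssh` and `mkdir ~/repo` are not idempotent, so with the disk image persisted (`*.qcow2` is now git-ignored) the oneshot fails on the second boot; `mkdir -p -m 700 ~/.ssh` also fixes the missing directory mode.

```nix
pkgs.writeShellScript "setup-vm-script" ''
  # Wait for ugit to write its host key instead of guessing with a fixed sleep
  for _ in $(seq 1 30); do
    [ -s /var/lib/ugit-vm/ugit_ed25519.pub ] && break
    sleep 1
  done
  [ -s /var/lib/ugit-vm/ugit_ed25519.pub ] || exit 1

  # … unchanged: git config …

  # Set up SSH files (idempotent: the qcow2 disk may persist across boots)
  mkdir -p -m 700 ~/.ssh
  ln -sf ${sshConfigFile} ~/.ssh/config
  cp ${privSSH} ~/.ssh/vm
  chmod 600 ~/.ssh/vm
  echo "[localhost]:8448 $(cat /var/lib/ugit-vm/ugit_ed25519.pub)" > ~/.ssh/known_hosts

  # … unchanged: repo staging (use mkdir -p ~/repo there as well) …
''
```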