diff --git a/modules/nixos/guests/zookeeper/default.nix b/modules/nixos/guests/zookeeper/default.nix
new file mode 100755
index 0000000..6da2a07
--- /dev/null
+++ b/modules/nixos/guests/zookeeper/default.nix
@@ -0,0 +1,128 @@
+{
+  flake,
+  ...
+}:
+let
+  inherit (flake.config.people) user0;
+  inherit (flake.config.services) instances;
+  serviceCfg = instances.zookeeper;
+  hostCfg = instances.web;
+in
+{
+  microvm.vms = {
+    zookeeper = {
+      autostart = true;
+      restartIfChanged = true;
+      config = {
+        system.stateVersion = "24.05";
+        time.timeZone = "America/Winnipeg";
+        imports = [
+          flake.inputs.zookeeper.nixosModules.default
+        ];
+        users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+        services = {
+          zookeeperbot.enable = true;
+          openssh = {
+            enable = true;
+            settings = {
+              PasswordAuthentication = false;
+              PermitRootLogin = "prohibit-password";
+            };
+          };
+        };
+
+        networking.firewall.allowedTCPPorts = [
+          22
+        ];
+
+        systemd = {
+          network = {
+            enable = true;
+            networks."20-lan" = {
+              matchConfig.Name = "enp0s5";
+              addresses = [
+                { Address = "${serviceCfg.interface.ip}/24"; }
+              ];
+              routes = [
+                {
+                  Destination = "${hostCfg.localhost.address1}/0";
+                  Gateway = serviceCfg.interface.gate;
+                }
+              ];
+              dns = [
+                "1.1.1.1"
+                "8.8.8.8"
+              ];
+            };
+          };
+
+          tmpfiles.rules = [
+            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+          ];
+
+        };
+
+        systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
+
+        microvm = {
+          vcpu = 2;
+          mem = 3072;
+          hypervisor = "qemu";
+          interfaces = [
+            {
+              type = "tap";
+              id = serviceCfg.interface.id;
+              mac = serviceCfg.interface.mac;
+            }
+            {
+              type = "user";
+              id = serviceCfg.interface.idUser;
+              mac = serviceCfg.interface.macUser;
+            }
+          ];
+          forwardPorts = [
+            {
+              from = "host";
+              host.port = serviceCfg.interface.ssh;
+              guest.port = 22;
+            }
+          ];
+          shares = [
+            {
+              mountPoint = "/nix/.ro-store";
+              proto = "virtiofs";
+              source = "/nix/store";
+              tag = "read_only_nix_store";
+            }
+            {
+              mountPoint = "/var/lib/${serviceCfg.name}";
+              proto = "virtiofs";
+              source = serviceCfg.mntPaths.path0;
+              tag = "${serviceCfg.name}_data";
+            }
+            {
+              mountPoint = "/run/secrets";
+              proto = "virtiofs";
+              source = "/run/secrets/${serviceCfg.name}";
+              tag = "host_secrets";
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  systemd = {
+    tmpfiles.rules = [
+      "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
+    ];
+  };
+
+  sops.secrets = {
+    "${serviceCfg.name}/env" = {
+      owner = "root";
+      mode = "0600";
+    };
+  };
+
+}