diff --git a/hosts/12kingdoms-rakushun/default.nix b/hosts/12kingdoms-rakushun/default.nix
index 654e6d63..0132a213 100644
--- a/hosts/12kingdoms-rakushun/default.nix
+++ b/hosts/12kingdoms-rakushun/default.nix
@@ -22,7 +22,6 @@ in {
 ./gitea.nix
 ./caddy.nix
- ./tailscale.nix
 ];
 networking = {
diff --git a/hosts/12kingdoms-suzu/microvm-host.nix b/hosts/12kingdoms-suzu/microvm-host.nix
index 233615ab..2f898352 100644
--- a/hosts/12kingdoms-suzu/microvm-host.nix
+++ b/hosts/12kingdoms-suzu/microvm-host.nix
@@ -20,73 +20,16 @@
 specialArgs = {inherit myvars mylib daeuniverse agenix mysecrets nuenv;};
- config = {
- imports = [
- ./router
- ../../secrets/nixos.nix
- ../../modules/nixos/base/ssh.nix
- ../../modules/nixos/base/user-group.nix
- ../../modules/base.nix
- ];
+ config.imports = [./suzi];
+ };
- modules.secrets.server.network.enable = true;
+ mitsuha = {
+ autostart = true;
+ restartIfChanged = true;
- microvm = {
- mem = 1024; # RAM allocation in MB
- vcpu = 1; # Number of Virtual CPU cores
+ specialArgs = {inherit myvars mylib nuenv;};
- interfaces = [
- {
- type = "tap";
- id = "vm-suzi"; # should be prefixed with "vm-"
- mac = "02:00:00:00:00:01";
- }
- ];
-
- # Block device images for persistent storage
- # microvm use tmpfs for root(/), so everything else
- # is ephemeral and will be lost on reboot.
- #
- # you can check this by running `df -Th` & `lsblk` in the VM.
- volumes = [
- {
- mountPoint = "/var";
- image = "var.img";
- size = 512;
- }
- {
- mountPoint = "/etc";
- image = "etc.img";
- size = 50;
- }
- ];
-
- # shares can not be set to `neededForBoot = true;`
- # so if you try to use a share in boot script(such as system.activationScripts), it will fail!
- shares = [
- {
- # It is highly recommended to share the host's nix-store
- # with the VMs to prevent building huge images.
- # a host's /nix/store will be picked up so that no
- # squashfs/erofs will be built for it.
- #
- # by this way, /nix/store is readonly in the VM,
- # and thus the VM can't run any command that modifies
- # the store. such as nix build, nix shell, etc...
- # if you want to run nix commands in the VM, see
- # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
- tag = "ro-store"; # Unique virtiofs daemon tag
- proto = "virtiofs"; # virtiofs is faster than 9p
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- }
- ];
-
- hypervisor = "qemu";
- # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
- socket = "control.socket";
- };
- };
+ config.imports = [./mitsuha];
 };
 };
 }
diff --git a/hosts/12kingdoms-suzu/microvm.md b/hosts/12kingdoms-suzu/microvm.md
index b13beffe..6458499b 100644
--- a/hosts/12kingdoms-suzu/microvm.md
+++ b/hosts/12kingdoms-suzu/microvm.md
@@ -30,6 +30,14 @@ microvm -r my-microvm
 ## 2. run `systemctl stop microvm@my-microvm` in the host
 ```
+## VM's pros compared to container
+
+1. VM has its own kernel, so it can use a fullfeatured kernel or customise the kernel's
+ configuration, without affecting the host.
+1. VM use a fullfeatured init system, so it can run services like a real machine.
+1. VM can use a fullfeatured network stack, so it can run network services like a real machine. it's
+ very useful for hosting some network services(such as tailscale, dae, etc).
+
 ## FAQ
 ### 1. enter the vm without ssh
diff --git a/hosts/12kingdoms-suzu/mitsuha/default.nix b/hosts/12kingdoms-suzu/mitsuha/default.nix
new file mode 100644
index 00000000..005549f1
--- /dev/null
+++ b/hosts/12kingdoms-suzu/mitsuha/default.nix
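Review bot: The new `mitsuha = {` definition passes `specialArgs = {inherit myvars mylib nuenv;}` and its `./mitsuha` module (added in this commit) imports neither `../../secrets/nixos.nix` nor enables `modules.secrets.server.network`, while `suzi` keeps `daeuniverse agenix mysecrets` and the secrets module; since `tailscale.nix` is moved into `./mitsuha` by this same commit and presumably picked up by `mylib.scanPaths ./.`, anything in it that references an agenix-managed secret will fail to evaluate inside that VM, and if it references none the node presumably has to be authenticated by hand after every fresh boot. Whichever is intended deserves a line next to `specialArgs`, e.g. `# no secrets module here: tailscale auth is provisioned manually inside the VM`, or the secrets import added to mirror `suzi`. Note also that `restartIfChanged = true;` on the VM carrying the tailnet node means every host rebuild that changes its closure drops the tunnel for the restart window. The enclosing attribute set starts before the hunk.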
@@ -0,0 +1,65 @@
+{mylib, ...}: {
+ imports =
+ (mylib.scanPaths ./.)
+ ++ [
+ ../../../modules/nixos/base/ssh.nix
+ ../../../modules/nixos/base/user-group.nix
+ ../../../modules/base.nix
+ ];
+
+ microvm = {
+ mem = 1024; # RAM allocation in MB
+ vcpu = 1; # Number of Virtual CPU cores
+
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-mitsuha"; # should be prefixed with "vm-"
+ mac = "02:00:00:00:00:02"; # Unique MAC address
+ }
+ ];
+
+ # Block device images for persistent storage
+ # microvm use tmpfs for root(/), so everything else
+ # is ephemeral and will be lost on reboot.
+ #
+ # you can check this by running `df -Th` & `lsblk` in the VM.
+ volumes = [
+ {
+ mountPoint = "/var";
+ image = "var.img";
+ size = 512;
+ }
+ {
+ mountPoint = "/etc";
+ image = "etc.img";
+ size = 50;
+ }
+ ];
+
+ # shares can not be set to `neededForBoot = true;`
+ # so if you try to use a share in boot script(such as system.activationScripts), it will fail!
+ shares = [
+ {
+ # It is highly recommended to share the host's nix-store
+ # with the VMs to prevent building huge images.
+ # a host's /nix/store will be picked up so that no
+ # squashfs/erofs will be built for it.
+ #
+ # by this way, /nix/store is readonly in the VM,
+ # and thus the VM can't run any command that modifies
+ # the store. such as nix build, nix shell, etc...
+ # if you want to run nix commands in the VM, see
+ # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
+ tag = "ro-store"; # Unique virtiofs daemon tag
+ proto = "virtiofs"; # virtiofs is faster than 9p
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+
+ hypervisor = "qemu";
+ # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
+ socket = "control.socket";
+ };
+}
diff --git a/hosts/12kingdoms-suzu/mitsuha/networking.nix b/hosts/12kingdoms-suzu/mitsuha/networking.nix
new file mode 100644
index 00000000..b0e21862
--- /dev/null
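Review bot: This file repeats the `microvm = { … }` body of `hosts/12kingdoms-suzu/suzi/default.nix` (also added in this commit) almost verbatim — of 65 lines only `id = "vm-mitsuha"` and `mac = "02:00:00:00:00:02"` differ, plus suzi's extra secrets import and `modules.secrets.server.network.enable = true;` — so the next VM will copy the block a third time and any fix to the volume or ro-store share layout must be applied in every copy. Moving the shared body into one sibling module that takes the per-VM `id` and `mac` reduces both files to their real differences; a sketch of what would remain here follows. The imports list is also worth a comment, since `mylib.scanPaths ./.` presumably pulls in every `.nix` file placed in this directory, including the relocated `tailscale.nix`, e.g. `# every *.nix in this dir is auto-imported; base modules are added explicitly below`.
```nix
{mylib, ...}: {
  imports =
    (mylib.scanPaths ./.)
    ++ [
      # … unchanged: base modules …
    ];

  # Shared VM body (mem/vcpu, volumes, ro-store share, qemu + control socket)
  # lives in one module; only the per-VM identity stays here.
  # ../microvm-common.nix is a constructed name for that shared module.
  microvm = import ../microvm-common.nix {
    id = "vm-mitsuha"; # should be prefixed with "vm-"
    mac = "02:00:00:00:00:02"; # Unique MAC address
  };
}
```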
+++ b/hosts/12kingdoms-suzu/mitsuha/networking.nix
@@ -0,0 +1,19 @@
+{myvars, ...}: let
+ hostName = "mitsuha";
+ inherit (myvars.networking) mainGateway nameservers;
+ inherit (myvars.networking.hostsAddr.${hostName}) ipv4;
+
+ ipv4WithMask = "${ipv4}/24";
+in {
+ systemd.network.enable = true;
+
+ systemd.network.networks."20-lan" = {
+ matchConfig.Type = "ether";
+ networkConfig = {
+ Address = [ipv4WithMask];
+ Gateway = mainGateway;
+ DNS = nameservers;
+ DHCP = "no";
+ };
+ };
+}
diff --git a/hosts/12kingdoms-rakushun/tailscale.nix b/hosts/12kingdoms-suzu/mitsuha/tailscale.nix
similarity index 95%
rename from hosts/12kingdoms-rakushun/tailscale.nix
rename to hosts/12kingdoms-suzu/mitsuha/tailscale.nix
index 28f97f99..0156e442 100644
--- a/hosts/12kingdoms-rakushun/tailscale.nix
+++ b/hosts/12kingdoms-suzu/mitsuha/tailscale.nix
@@ -1,13 +1,9 @@
-{
- config,
- pkgs,
- ...
-}:
+{pkgs, ...}:
 # =============================================================
 #
 # Tailscale - your own private network(VPN) that uses WireGuard
 #
-# It's open souce and free for personal use,
+# It's open source and free for personal use,
 # and it's really easy to setup and use.
 # Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
 # Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
diff --git a/hosts/12kingdoms-suzu/router/default.nix b/hosts/12kingdoms-suzu/router/default.nix
deleted file mode 100644
index eeb48a40..00000000
--- a/hosts/12kingdoms-suzu/router/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{mylib, ...}: {
- imports = mylib.scanPaths ./.;
-}
diff --git a/hosts/12kingdoms-suzu/router/README.md b/hosts/12kingdoms-suzu/suzi/README.md
similarity index 100%
rename from hosts/12kingdoms-suzu/router/README.md
rename to hosts/12kingdoms-suzu/suzi/README.md
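Review bot: `ipv4WithMask = "${ipv4}/24";` hard-codes the prefix length while the address, `mainGateway` and `nameservers` all come from `myvars.networking`, so a later subnet change in `vars/networking.nix` would leave this VM with a stale mask and no evaluation error; if that attrset carries a prefix length it should be inherited alongside `mainGateway`, otherwise a comment such as `# /24 is assumed to match the LAN described in myvars.networking; keep in sync` marks the coupling. `matchConfig.Type = "ether";` also claims every Ethernet link in the guest, which is fine for the single `vm-mitsuha` tap defined in `default.nix`, but a second interface added later would receive the same static address, whereas `matchConfig.MACAddress = "02:00:00:00:00:02";` would pin the unit to the tap the VM definition creates. The suzi variant of this file is renamed unchanged in this commit, so the same points likely apply there, though its contents are not in the diff.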
diff --git a/hosts/12kingdoms-suzu/router/config.dae b/hosts/12kingdoms-suzu/suzi/config.dae
similarity index 100%
rename from hosts/12kingdoms-suzu/router/config.dae
rename to hosts/12kingdoms-suzu/suzi/config.dae
diff --git a/hosts/12kingdoms-suzu/router/dae.nix b/hosts/12kingdoms-suzu/suzi/dae.nix
similarity index 100%
rename from hosts/12kingdoms-suzu/router/dae.nix
rename to hosts/12kingdoms-suzu/suzi/dae.nix
diff --git a/hosts/12kingdoms-suzu/suzi/default.nix b/hosts/12kingdoms-suzu/suzi/default.nix
new file mode 100644
index 00000000..fc73f775
--- /dev/null
+++ b/hosts/12kingdoms-suzu/suzi/default.nix
@@ -0,0 +1,68 @@
+{mylib, ...}: {
+ imports =
+ (mylib.scanPaths ./.)
+ ++ [
+ ../../../secrets/nixos.nix
+ ../../../modules/nixos/base/ssh.nix
+ ../../../modules/nixos/base/user-group.nix
+ ../../../modules/base.nix
+ ];
+
+ modules.secrets.server.network.enable = true;
+
+ microvm = {
+ mem = 1024; # RAM allocation in MB
+ vcpu = 1; # Number of Virtual CPU cores
+
+ interfaces = [
+ {
+ type = "tap";
+ id = "vm-suzi"; # should be prefixed with "vm-"
+ mac = "02:00:00:00:00:01"; # unique MAC address
+ }
+ ];
+
+ # Block device images for persistent storage
+ # microvm use tmpfs for root(/), so everything else
+ # is ephemeral and will be lost on reboot.
+ #
+ # you can check this by running `df -Th` & `lsblk` in the VM.
+ volumes = [
+ {
+ mountPoint = "/var";
+ image = "var.img";
+ size = 512;
+ }
+ {
+ mountPoint = "/etc";
+ image = "etc.img";
+ size = 50;
+ }
+ ];
+
+ # shares can not be set to `neededForBoot = true;`
+ # so if you try to use a share in boot script(such as system.activationScripts), it will fail!
+ shares = [
+ {
+ # It is highly recommended to share the host's nix-store
+ # with the VMs to prevent building huge images.
+ # a host's /nix/store will be picked up so that no
+ # squashfs/erofs will be built for it.
+ #
+ # by this way, /nix/store is readonly in the VM,
+ # and thus the VM can't run any command that modifies
+ # the store. such as nix build, nix shell, etc...
+ # if you want to run nix commands in the VM, see
+ # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
+ tag = "ro-store"; # Unique virtiofs daemon tag
+ proto = "virtiofs"; # virtiofs is faster than 9p
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+
+ hypervisor = "qemu";
+ # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
+ socket = "control.socket";
+ };
+}
diff --git a/hosts/12kingdoms-suzu/router/networking.nix b/hosts/12kingdoms-suzu/suzi/networking.nix
similarity index 100%
rename from hosts/12kingdoms-suzu/router/networking.nix
rename to hosts/12kingdoms-suzu/suzi/networking.nix
diff --git a/vars/networking.nix b/vars/networking.nix
index 7fa1b325..91585c2c 100644
--- a/vars/networking.nix
+++ b/vars/networking.nix
@@ -75,9 +75,13 @@
 ipv4 = "192.168.5.179";
 };
 suzi = {
- iface = "eth1";
+ iface = "eth1"; # fake iface, it's not used by the host
 ipv4 = "192.168.5.178";
 };
+ mitsuha = {
+ iface = "eth1"; # fake iface, it's not used by the host
+ ipv4 = "192.168.5.177";
+ };
 # ============================================
 # Kubernetes Clusters
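Review bot: Both `iface = "eth1"; # fake iface, it's not used by the host` entries keep a plausible device name that the comment itself declares wrong, so any reader of this set other than the host (a firewall rule or a systemd-network match keyed on the interface name, if one exists) would silently act on `eth1`; `mitsuha/networking.nix` in this commit reads only `ipv4` from what is presumably this `hostsAddr` entry, but other consumers are not visible here. If the attrset is not type-checked elsewhere, `iface = null;` with a one-line comment pointing at the VM's own `networking.nix` as the place the guest interface is configured makes the absence explicit and lets a consumer fail on `null` instead of matching the wrong NIC. The enclosing attrset starts before the hunk.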