diff --git a/hosts/12kingdoms-suzu/networking.nix b/hosts/12kingdoms-suzu/networking.nix
index ac2c7dd2..dbe07fa5 100644
--- a/hosts/12kingdoms-suzu/networking.nix
+++ b/hosts/12kingdoms-suzu/networking.nix
@@ -5,14 +5,10 @@
 ipv4WithMask = "${ipv4}/24";
 in {
- boot = {
- kernel = {
- sysctl = {
- # forward network packets that are not destined for the interface on which they were received
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
- };
+ boot.kernel.sysctl = {
+ # forward network packets that are not destined for the interface on which they were received
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
 };
 networking.useNetworkd = true;
diff --git a/hosts/12kingdoms-suzu/suzi/networking.nix b/hosts/12kingdoms-suzu/suzi/networking.nix
index afdcd4c4..a7ff90e9 100644
--- a/hosts/12kingdoms-suzu/suzi/networking.nix
+++ b/hosts/12kingdoms-suzu/suzi/networking.nix
@@ -13,18 +13,14 @@
 end = "192.168.5.99";
 };
 in {
- # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
- boot = {
- kernel = {
- # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
- sysctl = {
- # forward network packets that are not destined for the interface on which they were received
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.conf.br-lan.rp_filter" = 1;
- "net.ipv4.conf.br-lan.send_redirects" = 0;
- };
- };
+ boot.kernel.sysctl = {
+ # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
+ # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
+ # forward network packets that are not destined for the interface on which they were received
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv4.conf.br-lan.rp_filter" = 1;
+ "net.ipv4.conf.br-lan.send_redirects" = 0;
 };
 # Docker uses iptables internally to setup NAT for containers.
diff --git a/lib/genKubeVirtCoreModule.nix b/lib/genKubeVirtCoreModule.nix
index feed2c0f..c43ead39 100644
--- a/lib/genKubeVirtCoreModule.nix
+++ b/lib/genKubeVirtCoreModule.nix
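Review bot: The per-interface keys `net.ipv4.conf.br-lan.rp_filter` and `net.ipv4.conf.br-lan.send_redirects` only exist once the `br-lan` bridge has been created, while `boot.kernel.sysctl` is applied by systemd-sysctl early in boot; on a networkd-managed host this write may therefore fail with a logged "no such file" error and the values are never applied, so the hardening the two reference comments describe would be silently absent. A more robust form also sets the `default` variants, which are inherited by interfaces created later: `"net.ipv4.conf.default.rp_filter" = 1;` and `"net.ipv4.conf.default.send_redirects" = 0;`, and checks the live value after boot with `sysctl net.ipv4.conf.br-lan.rp_filter`. The sysctl attribute set is complete within the hunk; the enclosing `in {` body continues outside it.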
@@ -23,6 +23,27 @@
 in {
 boot.kernelModules = ["kvm-amd" "vfio-pci"];
 boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
+ boot.kernel.sysctl = {
+ # --- filesystem --- #
+ # increase the limits to avoid running out of inotify watches
+ "fs.inotify.max_user_watches" = 524288;
+ "fs.inotify.max_user_instances" = 1024;
+
+ # --- network --- #
+ "net.bridge.bridge-nf-call-iptables" = 1;
+ "net.core.somaxconn" = 32768;
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.forwarding" = 1;
+ "net.ipv4.neigh.default.gc_thresh1" = 4096;
+ "net.ipv4.neigh.default.gc_thresh2" = 6144;
+ "net.ipv4.neigh.default.gc_thresh3" = 8192;
+ "net.ipv4.neigh.default.gc_interval" = 60;
+ "net.ipv4.neigh.default.gc_stale_time" = 120;
+
+ # --- memory --- #
+ "vm.swappiness" = 0; # don't swap unless absolutely necessary
+ };
+
 environment.systemPackages = with pkgs; [
 # Validate Hardware Virtualization Support via:
 # virt-host-validate qemu
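Review bot: `net.bridge.bridge-nf-call-iptables` is only present once the `br_netfilter` module is loaded, and the context line `boot.kernelModules = ["kvm-amd" "vfio-pci"];` does not load it, so unless something else on the host pulls it in, systemd-sysctl will fail to write the key at boot and bridged VM/pod traffic will bypass the iptables FORWARD rules this setting is meant to enforce; `boot.kernelModules = ["kvm-amd" "vfio-pci" "br_netfilter"];` closes that gap. `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` toggle the same kernel switch, so one of the two lines is redundant. This block also spells the forwarding value as `1` where the two host hunks write `true`; if a host ever imports this module and defines the same key itself, NixOS rejects the differing definitions as conflicting, so the repository should settle on one spelling. A one-line comment above `net.bridge.bridge-nf-call-iptables`, e.g. `# make bridged pod/VM traffic traverse the iptables FORWARD chain`, would match the documentation the filesystem and memory groups already have. The sysctl attribute set is complete within the hunk; the enclosing `in {` body continues outside it.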