diff --git a/configs/common.nix b/configs/common.nix index d5d1c31..b8120f1 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -36,6 +36,8 @@ in { boot = { kernelPackages = pkgs.linuxPackages; # use lts kernelParams = ["quiet" "loglevel=3"]; + + tmp.cleanOnBoot = true; }; console.keyMap = "fr"; diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix index 6b6b421..1f6e48c 100644 --- a/systems/vesuvio/default.nix +++ b/systems/vesuvio/default.nix @@ -8,7 +8,6 @@ in { imports = [secrets.generate]; - boot.tmp.cleanOnBoot = true; zramSwap.enable = true; environment.systemPackages = with pkgs; [dig traceroute]; @@ -16,6 +15,9 @@ in { services = { openssh.ports = [4269]; + # Needed by the Hetzner Cloud password reset feature. + qemuGuest.enable = true; + frp = { enable = true; role = "server"; @@ -29,7 +31,12 @@ in { }; }; - systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken"; + systemd.services = { + frp.serviceConfig.EnvironmentFile = secrets.get "frpToken"; + + # https://discourse.nixos.org/t/qemu-guest-agent-on-hetzner-cloud-doesnt-work/8864/2 + qemu-guest-agent.path = [pkgs.shadow]; + }; networking.firewall = { allowedTCPPorts = [22]; # forgejo-ssh diff --git a/systems/vesuvio/hardware-configuration.nix b/systems/vesuvio/hardware-configuration.nix index 82aafb9..c0a2379 100644 --- a/systems/vesuvio/hardware-configuration.nix +++ b/systems/vesuvio/hardware-configuration.nix 
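Review bot: `qemuGuest.enable = true;` in the `services` block of systems/vesuvio/default.nix widens what the hosting control plane can do inside the guest, and the comment records only the convenience side. The guest agent is a privileged channel from the hypervisor, and the password-reset feature it is enabled for means that whoever controls the Hetzner account can set a login password on this machine. I would state that trade-off next to the option, e.g. `# Trust note: lets the Hetzner control plane set user passwords in the guest via qemu-ga; keep the cloud account behind MFA.` If the reset is only needed occasionally, enabling the agent just for that operation, or restricting the RPCs it accepts where the agent version supports that, would narrow the exposure. The `services` attribute set starts and ends outside this hunk.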
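Review bot: The comment above `qemu-guest-agent.path = [pkgs.shadow];` in systems/vesuvio/default.nix is a bare URL, so the reason for the extra PATH entry is lost if the thread moves or is deleted. Presumably the agent needs `chpasswd` from shadow to apply the password reset. A line such as `# qemu-ga needs chpasswd (from shadow) on its PATH to apply password resets; see:` placed before the existing link would record that. The `frp.serviceConfig.EnvironmentFile` line is only regrouped here and needs no change.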
@@ -1,16 +1,21 @@ {modulesPath, ...}: { - imports = [(modulesPath + "/profiles/qemu-guest.nix")]; + imports = ["${modulesPath}/profiles/qemu-guest.nix"]; boot = { - loader.grub = { - efiSupport = true; - efiInstallAsRemovable = true; - device = "nodev"; + # arm so we can use systemd-boot + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; + # set console because the console defaults to serial and + # initialize the display early to get a complete log. + # this is required for typing in LUKS passwords on boot too. + kernelParams = ["console=tty"]; + initrd = { availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"]; - kernelModules = ["nvme"]; + kernelModules = ["nvme" "virtio_gpu"]; }; };
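Review bot: The new `loader` block in systems/vesuvio/hardware-configuration.nix enables systemd-boot without setting `systemd-boot.editor`, which NixOS leaves enabled by default for backwards compatibility. With the editor on, anyone who reaches the boot menu can change the kernel command line, and this commit deliberately makes the console interactive (`console=tty`, `virtio_gpu`), so the provider's web console is one such route. I would add `systemd-boot.editor = false;` inside `loader`. Separately, the comment says the display is initialised early "to get a complete log", but configs/common.nix in this same diff shows `quiet` and `loglevel=3`, so it is worth saying which of the two is intended on this host. The top-level attribute set closes outside the hunk.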