diff --git a/deploy.yml b/deploy.yml
index d8ec9ec..0926326 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -7,6 +7,7 @@
 - narwhal
 - snitch
 - suricata
+ - pikvm
 become: true
 roles:
 - basic
diff --git a/host_files/ssh/pikvm/ssh_host_ed25519_key b/host_files/ssh/pikvm/ssh_host_ed25519_key
new file mode 100644
index 0000000..e42be2d
--- /dev/null
+++ b/host_files/ssh/pikvm/ssh_host_ed25519_key
@@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +36623534373562653236363634643266336265393333303836353739656166366364613962616431 +6561346563666530613330633861323034313830313538640a373461383637313066353466653963 +39336331306239366665313962353333336331376163626432313931316135623061386538336163 +3537383035613438390a646131616161346539333839373131393464316130626466343931333139 +66623663376330353964376563363461346464646234663632653437623462646266393161363236 +37616461656532373565303230323035383837643534373834353732386261616562316564386337 +31636263313061343436313135336630663633363339303463636162343564616435323035343930 +39343839333935303431346430323434393563643463646363643731303230313934386436306232 +62323165393162653139636561623431303330656561623562353062313437313062663563633263 +65306262383437303139616536303333313331356564626365653533303436396266333333393165 +35613335353330396635643435353762326136353465306133623734623364323765613135646134 +66353936373361653331383761663336383262393830303462376130376638376134663539316461 +30353330303166373961633533323865346337373864623833393030666235303638333939393732 +35363662623563633734613061616431326263626462663331393063626238343030316261383732 +38353266303561626461343632663030303834393238343033316262336138363630653831353533 +35636637666134666237303334316437396637366265386636626662353539613165316562383861 +39633335633264316332303462376265303032363530643464343030356666613462313065653962 +34326463393634323738306130316464343839643064653166313165353934376431633461376538 +65633032623364383934363566323636366131623636363465336633366366383462346237643030 +30616662623430383862643930393535333965363766333966303039343636313061356131383337 +65323063656138633961646539646465613230366531323839666162376637303462623162313930 +30623862323862333139363639653833616134336230303830633231366634643466623964383064 +39646134633037646564623037303234656439333533663235363535343761333536343963366334 +39396364646666323436 
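Review bot: The pikvm host private key is committed to the repository, and vault encryption protects it only as long as the vault password does — once that password leaks, every clone's history yields the key, so rotation becomes a history rewrite rather than a key swap. For a host key the simpler model is to let the device generate it (`ssh-keygen -A` on first boot) and commit only the CA-signed certificate and the matching known_hosts / `@cert-authority` entry, which are public. If the key must live here, add a guard against an accidental plaintext commit, e.g. a pre-commit or CI step that fails unless every `host_files/ssh/*/ssh_host_*` file begins with `$ANSIBLE_VAULT;`. The task that installs this file on the host (and should set it to `mode: '0600'`) is not part of this diff, so I could not check it.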
diff --git a/host_files/ssh/pikvm/ssh_host_ed25519_key-cert.pub b/host_files/ssh/pikvm/ssh_host_ed25519_key-cert.pub
new file mode 100644
index 0000000..d82a792
--- /dev/null
+++ b/host_files/ssh/pikvm/ssh_host_ed25519_key-cert.pub
@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.1;AES256
+36653935306166363534383961663830353666376164333764623462663637343364383764346462
+6433363163313433616364396264333538323765663034630a633165316332616333633035646238
+63613736353630343164636466313461646162366465303461316135373238386462633436396261
+6234383934623964310a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
diff --git a/host_files/ssh/pikvm/ssh_host_ed25519_key.pub b/host_files/ssh/pikvm/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..1ed428c
--- /dev/null
+++ b/host_files/ssh/pikvm/ssh_host_ed25519_key.pub
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+66613761333737313530613231386130613335643737376362366339383534636631653563323131
+3131633961613663363137363861393639656633373434330a343533333139303734353836333362
+33626438313632386263386532646162613161656665633866306663356536626165336562313034
+3132613630343833390a303139633861633036313361396339626238626365396139373937363161
+65383161316666303431386436336464626562333063613765383235646465336632333361386330
+30646236386534653339366265303066633133363065646634336261343637326634653239366562
+31613734366537373164666232326232393536316537303838303331353337363962316534393930
+61346132313832396331643031393631393163343532323061313637346536623263353234363466
+3937
diff --git a/hosts.yml b/hosts.yml
index 62357db..3507e9c 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -2,6 +2,13 @@
 all:
 hosts:
+ pikvm:
+ ansible_host: pikvm
+ ansible_user: ansible
+ ansible_port: 22
+ ansible_python_interpreter: /usr/bin/python3
+ ansible_become_method: doas
+
 snitch:
 ansible_host: snitch
 ansible_user: ansible
diff --git a/roles/basic/tasks/main.yml b/roles/basic/tasks/main.yml
index 9516d8d..30d960d 100644
--- a/roles/basic/tasks/main.yml
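Review bot: `ssh_host_ed25519_key.pub` is public material, and vaulting it (as is also done for the `-cert.pub`) buys no confidentiality while making the change unreviewable: a reader cannot see which key the certificate binds, which principals and validity window it carries, or check that it matches the `ssh_known_hosts` update in the same commit. Keep only the private key vaulted and commit the `.pub` and `-cert.pub` in plaintext so `ssh-keygen -L -f ssh_host_ed25519_key-cert.pub` output is diffable in review. Whether the deploying task expects the vaulted form is not visible in this diff.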
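Review bot: `ansible_become_method: doas` for pikvm only works once opendoas is installed and `/etc/doas.conf` grants the `ansible` user, yet the thing that installs both is `roles/wheel/tasks/archlinux.yml` in this same commit — so with `become: true` at play level a fresh Arch host fails on the very first task, and the bootstrap order is implicit. Document the prerequisite next to the host entry, e.g. `# bootstrap: opendoas + doas.conf must be present before the first run (see roles/wheel)`, or provide a `-e ansible_become_method=sudo` first-run path. The trailing context of this hunk appears to be cut off in this view, so I could not see the rest of the `snitch` entry.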
+++ b/roles/basic/tasks/main.yml
@@ -18,3 +18,9 @@
 name:
 - python3
 when: ansible_distribution == "OpenBSD"
+
+- name: install python3
+ pacman:
+ name:
+ - python3
+ when: ansible_distribution == "Archlinux"
diff --git a/roles/sshd/files/ssh_known_hosts b/roles/sshd/files/ssh_known_hosts
index 8be0d33..a0c9f1d 100644
--- a/roles/sshd/files/ssh_known_hosts
+++ b/roles/sshd/files/ssh_known_hosts
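Review bot: The new `install python3` task cannot bootstrap Python on Arch, because the `pacman` module (and the `ansible_distribution` fact it is gated on) only runs once an interpreter already exists at the configured `/usr/bin/python3`, so the task is a no-op on a host that works and unreachable on one that does not. Separately, the Arch package providing Python 3 is named `python`; as far as I know there is no `python3` package in the official repos, so `- python3` should become `- python` (hedged: confirm against the mirror you use). If a real bootstrap is intended, do it with `raw: pacman -Sy --noconfirm --needed python` under `gather_facts: false`; otherwise state in a comment that Python is a manual prerequisite, as the OpenBSD branch above implicitly assumes too.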
@@ -1,15 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-36353339353134333434643436623333336164626237333933626364353932333435376637323865
-3338306465393764393463626238343033646166376533300a396465613731393362356265623761
-62386539613961316564666161613536303934373336393861613566323364353438396634373934
-3537326237386436630a376333623766376437666561363236326337333563373030643239336164
-65363936346531313034363334313361643462313364353130366639383565343837616135336165
-31393539643035633963386430383133646161393332643039316366306630336633636565653466
-62393834393633663465393233653866313239323539623565653862643531323461613830666639
-63653939363264616139333361383561656238626139313735613632663733653561643266666632
-38306332306539366539643866653762646236383534393866373137383961353161353938633963
-37306264376134336538356164393831346530333662333531663931653135613663323161393066
-32636230633364346639313237373736333562643337616564303861396131363335623564643739
-61613138373865616635313530363166333762393933373238383264646233333961393866393464
-38343833336563323034393034653433633033366533643535616334396336326330313166373361
-3035643134653035306431373834386464373731356332633630
+39383134636362323766393935316435366236656439313765303361663738386539343364356261
+6462646239313865386332376637313731633739383762620a393938663162373637333432323161
+37373965306230353264336462386261343363653963326634383964323033383366343664636533
+3130353433353963350a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
diff --git a/roles/sshd/tasks/archlinux.yml b/roles/sshd/tasks/archlinux.yml
new file mode 100644
index 0000000..0fb49d1
--- /dev/null
+++ b/roles/sshd/tasks/archlinux.yml
@@ -0,0 +1,10 @@
+---
+- name: install openssh
+ pacman:
+ name: openssh
+
+- name: enable sshd service
+ systemd:
+ name: sshd
+ enabled: true
+ state: started
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index d918abb..7099ce7 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
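Review bot: `enable sshd service` starts the daemon (`state: started`) from this per-distro include, while the role's hardened `sshd_config.j2` is applied by a task outside this hunk; if the include runs first, a fresh Arch host briefly serves SSH on the stock `/etc/ssh/sshd_config` (password authentication left at its default) until the template lands and something restarts sshd — the actual ordering is not visible here, so please confirm it. Keep `enabled: true` in this task but let the template task `notify: restart sshd` (or move `state: started` after the template) so the daemon only ever runs with the reviewed config. Minor: add `state: present` to the `pacman` task so the intent does not rely on the module default.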
@@ -12,3 +12,7 @@
 - name: setup alpine ssh
 include_tasks: alpine.yml
 when: ansible_distribution == "Alpine"
+
+- name: setup arch ssh
+ include_tasks: archlinux.yml
+ when: ansible_distribution == "Archlinux"
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index e73ef4b..fd0687d 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -113,8 +113,10 @@ Subsystem sftp /usr/libexec/sftp-server
 Subsystem sftp /usr/lib/ssh/sftp-server
 {% elif ansible_distribution == "Ubuntu" %}
 Subsystem sftp /usr/lib/openssh/sftp-server
+{% elif ansible_distribution == "Archlinux" %}
+Subsystem sftp /usr/lib/ssh/sftp-server
 {% else %}
-# I don't know what OS that is, Ansible guessed on using the same config as Alpine
+# I don't know what OS that is, Ansible guessed on using the same config as Alpine and Arch
 Subsystem sftp /usr/lib/ssh/sftp-server
 {% endif %}
diff --git a/roles/wheel/tasks/archlinux.yml b/roles/wheel/tasks/archlinux.yml
new file mode 100644
index 0000000..269105c
--- /dev/null
+++ b/roles/wheel/tasks/archlinux.yml
@@ -0,0 +1,11 @@
+---
+- name: install doas
+ pacman:
+ name: opendoas
+
+- name: copy doas config
+ copy:
+ src: doas.conf
+ dest: /etc/doas.conf
+ owner: root
+ mode: '0644'
diff --git a/roles/wheel/tasks/main.yml b/roles/wheel/tasks/main.yml
index 2af9296..4850632 100644
--- a/roles/wheel/tasks/main.yml
+++ b/roles/wheel/tasks/main.yml
@@ -23,3 +23,7 @@
 - name: 'debian-specific things'
 include_tasks: debian.yml
 when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- name: 'arch-specific things'
+ include_tasks: archlinux.yml
+ when: ansible_distribution == "Archlinux"
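Review bot: The distribution ladder for the sftp binary grows again with the Arch branch, and the `{% else %}` fallback still silently guesses a path that may not exist on an unknown OS, which only surfaces later as a failing sftp session. OpenSSH's built-in `internal-sftp` needs no external binary and is available on every platform in this file, so the whole block can collapse to a single `Subsystem sftp internal-sftp` — unless the role depends on the external server for `ChrootDirectory`/`ForceCommand` behaviour, which I cannot see from this hunk. If the ladder stays, prefer failing the play with an `assert` on `ansible_distribution` before templating rather than guessing in the `else` branch. The trailing context line of this hunk appears to be missing from this view.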
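Review bot: `copy doas config` replaces `/etc/doas.conf` without validating it first, and since `hosts.yml` sets `ansible_become_method: doas` for pikvm, a syntax error in the shared `doas.conf` locks Ansible (and every other wheel user) out of root on the next run with no automated way back in. The `copy` module supports `validate: 'doas -C %s'`, which makes opendoas parse the candidate file before it is moved into place, and `group: root` should be set explicitly alongside `owner: root` instead of relying on the connection user's default. The `doas.conf` being shared with the OpenBSD hosts is not in this diff, so I could not check its rules.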