diff --git a/salt/libvirt/configbad b/salt/libvirt/configbad
new file mode 100644
index 000000000..0cf5f9ef5
--- /dev/null
+++ b/salt/libvirt/configbad
@@ -0,0 +1,51 @@
+listen_tls = 0
+listen_tcp = 0
+tls_port = "16514"
+tcp_port = "16509"
+listen_addr = "0.0.0.0"
+unix_sock_group = "root"
+unix_sock_ro_perms = "0777"
+unix_sock_rw_perms = "0770"
+unix_sock_admin_perms = "0700"
+unix_sock_dir = "/run/libvirt"
+auth_unix_ro = "none"
+auth_unix_rw = "none"
+auth_tcp = "none"
+auth_tls = "none"
+tcp_min_ssf = 112
+access_drivers = ["nop"]
+key_file = "/etc/pki/libvirt/private/serverkey.pem"
+cert_file = "/etc/pki/libvirt/servercert.pem"
+ca_file = "/etc/pki/CA/cacert.pem"
+crl_file = "/etc/pki/CA/crl.pem"
+tls_no_sanity_certificate = 0
+tls_no_verify_certificate = 0
+tls_allowed_dn_list = ["DN1", "DN2"]
+tls_priority = "NORMAL"
+sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM"]
+max_clients = 5000
+max_queued_clients = 1000
+max_anonymous_clients = 20
+min_workers = 5
+max_workers = 20
+prio_workers = 5
+max_client_requests = 5
+admin_min_workers = 1
+admin_max_workers = 5
+admin_max_clients = 5
+admin_max_queued_clients = 5
+admin_max_client_requests = 5
+log_level = 3
+log_filters = "1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+log_outputs = "3:syslog:libvirtd"
+audit_level = 2
+audit_logging = 1
+host_uuid = "00000000-0000-0000-0000-000000000000"
+host_uuid_source = "smbios"
+keepalive_interval = 5
+keepalive_count = 5
+keepalive_required = 1
+admin_keepalive_required = 1
+admin_keepalive_interval = 5
+admin_keepalive_count = 5
+ovs_timeout = 5
diff --git a/salt/libvirt/configgood b/salt/libvirt/configgood
new file mode 100644
index 000000000..72369709d
--- /dev/null
+++ b/salt/libvirt/configgood
@@ -0,0 +1,50 @@
+#listen_tls = "0"
+#listen_tcp = "0"
+#tls_port = "16514"
+#tcp_port = "16509"
+#listen_addr = "0.0.0.0"
+#unix_sock_group = "root"
+#unix_sock_ro_perms = "0777"
+#unix_sock_rw_perms = "0770"
+#unix_sock_admin_perms = "0700"
+#unix_sock_dir = "/run/libvirt"
+#auth_unix_ro = "none"
+#auth_unix_rw = "none"
+#auth_tcp = "none"
+#auth_tls = "none"
+#access_drivers = "[ \"nop\" ]"
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+#ca_file = "/etc/pki/CA/cacert.pem"
+#crl_file = "/etc/pki/CA/crl.pem"
+#tls_no_sanity_certificate = "0"
+#tls_no_verify_certificate = "0"
+#tls_allowed_dn_list = "[\"DN1\", \"DN2\"]"
+#tls_priority = "NORMAL"
+#sasl_allowed_username_list = "[\"joe@example.com\", \"fred@example.com\"]"
+#max_clients = "5000"
+#max_queued_clients = "20"
+#max_anonymous_clients = "20"
+#min_workers = "5"
+#max_workers = "20"
+#prio_workers = "5"
+#max_client_requests = "5"
+#admin_min_workers = "1"
+#admin_max_workers = "5"
+#admin_max_clients = "5"
+#admin_max_queued_clients = "5"
+#admin_max_client_requests = "5"
+#log_level = "3"
+#log_filters = "\"1:qemu 1:libvirt 4:object 4:json 4:event 1:util\""
+#log_outputs = "\"3:syslog:libvirtd\""
+#audit_level = "1"
+#audit_logging = "0"
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+#keepalive_interval = "5"
+#keepalive_count = "5"
+#keepalive_required = "0"
+#admin_keepalive_required = "0"
+#admin_keepalive_interval = "5"
+#admin_keepalive_count = "5"
+#ovs_timeout = "5"
diff --git a/salt/libvirt/configstock b/salt/libvirt/configstock
new file mode 100644
index 000000000..ac1174cfb
--- /dev/null
+++ b/salt/libvirt/configstock
@@ -0,0 +1,51 @@
+#listen_tls = 0
+#listen_tcp = 1
+#tls_port = "16514"
+#tcp_port = "16509"
+#listen_addr = "192.168.0.1"
+#unix_sock_group = "libvirt"
+#unix_sock_ro_perms = "0777"
+#unix_sock_rw_perms = "0770"
+#unix_sock_admin_perms = "0700"
+#unix_sock_dir = "/run/libvirt"
+#auth_unix_ro = "polkit"
+#auth_unix_rw = "polkit"
+#auth_tcp = "sasl"
+#auth_tls = "none"
+#tcp_min_ssf = 112
+#access_drivers = [ "polkit" ]
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+#ca_file = "/etc/pki/CA/cacert.pem"
+#crl_file = "/etc/pki/CA/crl.pem"
+#tls_no_sanity_certificate = 1
+#tls_no_verify_certificate = 1
+#tls_allowed_dn_list = ["DN1", "DN2"]
+#tls_priority="NORMAL"
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+#max_clients = 5000
+#max_queued_clients = 1000
+#max_anonymous_clients = 20
+#min_workers = 5
+#max_workers = 20
+#prio_workers = 5
+#max_client_requests = 5
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+#log_level = 3
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+#log_outputs="3:syslog:libvirtd"
+#audit_level = 2
+#audit_logging = 1
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+#keepalive_interval = 5
+#keepalive_count = 5
+#keepalive_required = 1
+#admin_keepalive_required = 1
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+#ovs_timeout = 5
diff --git a/salt/libvirt/configstockstock b/salt/libvirt/configstockstock
new file mode 100644
index 000000000..d8bb42b6b
--- /dev/null
+++ b/salt/libvirt/configstockstock
@@ -0,0 +1,536 @@
+# Master libvirt daemon configuration file
+#
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+#
+# To enable listening sockets with the 'libvirtd' daemon it's also required to
+# pass the '--listen' flag on the commandline of the daemon.
+# This is not needed with 'virtproxyd'.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+#
+# To enable listening sockets with the 'libvirtd' daemon it's also required to
+# pass the '--listen' flag on the commandline of the daemon.
+# This is not needed with 'virtproxyd'.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+#unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+#unix_sock_dir = "/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# There are the following choices available:
+#
+#  - none: do not perform auth checks. If you can connect to the
+#          socket you are allowed. This is suitable if there are
+#          restrictions on connecting to the socket (eg, UNIX
+#          socket permissions), or if there is a lower layer in
+#          the network providing auth (eg, TLS/x509 certificates)
+#
+#  - sasl: use SASL infrastructure. The actual auth scheme is then
+#          controlled from /etc/sasl2/libvirt.conf. For the TCP
+#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+#          For non-TCP or TLS sockets, any scheme is allowed.
+#
+#  - polkit: use PolicyKit to authenticate. This is only suitable
+#            for use on the UNIX sockets. The default policy will
+#            require a user to supply their own password to gain
+#            full read/write access (aka sudo like), while anyone
+#            is allowed read/only access.
+#
+
+# Set an authentication scheme for UNIX read-only sockets
+#
+# By default socket permissions allow anyone to connect
+#
+# If libvirt was compiled without support for 'polkit', then
+# no access control checks are done, but libvirt still only
+# allows execution of APIs which don't change state.
+#
+# If libvirt was compiled with support for 'polkit', then
+# the libvirt socket will perform a check with polkit after
+# connections. The default policy still allows any local
+# user access.
+#
+# To restrict monitoring of domains you may wish to either
+# enable 'sasl' here, or change the polkit policy definition.
+#auth_unix_ro = "polkit"
+
+# Set an authentication scheme for UNIX read-write sockets.
+#
+# If libvirt was compiled without support for 'polkit', then
+# the systemd .socket files will use SocketMode=0600 by default
+# thus only allowing root user to connect, and 'auth_unix_rw'
+# will default to 'none'.
+#
+# If libvirt was compiled with support for 'polkit', then
+# the systemd .socket files will use SocketMode=0666 which
+# allows any user to connect and 'auth_unix_rw' will default
+# to 'polkit'. If you disable use of 'polkit' here, then it
+# is essential to change the systemd SocketMode parameter
+# back to 0600, to avoid an insecure configuration.
+#
+#auth_unix_rw = "polkit"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+# Enforce a minimum SSF value for TCP sockets
+#
+# The default minimum is currently 56 (single-DES) which will
+# be raised to 112 in the future.
+#
+# This option can be used to set values higher than 112
+#tcp_min_ssf = 112
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+#   /etc/pki/CA/cacert.pem - The CA master certificate
+#   /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem
+#   /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification.
+#tls_no_verify_certificate = 1
+
+
+# An access control list of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# Any * matches any number of consecutive spaces, like a simplified glob(7).
+#
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+#    virt-pki-query-dn clientcert.pem
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+# An access control list of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+#    "*@EXAMPLE.COM"
+#
+# See the g_pattern_match function for the format of the wildcards.
+#
+# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+# Setting this too low may cause keepalive timeouts.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is:
+#
+#    level:match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# 'level' is the minimal level where matching messages should
+#  be logged:
+#
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# A typical need is to capture information from a hypervisor driver,
+# public API entrypoints and some of the utility code. Some utility
+# code is very verbose and is generally not desired. Taking the QEMU
+# hypervisor as an example, a suitable filter string for debugging
+# might be to turn off object, json & event logging, but enable the
+# rest of the util code:
+#
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+#    level:stderr
+#      output goes to stderr
+#    level:syslog:name
+#      use syslog for the output and use the given name as the ident
+#    level:file:file_path
+#      output to a file, with the given filepath
+#    level:journald
+#      output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+#   audit_level == 0  -> disable all auditing
+#   audit_level == 1  -> enable auditing, only if enabled on host (default)
+#   audit_level == 2  -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients.  A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken.  In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client.  If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses.  When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used.  There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5
diff --git a/salt/libvirt/defaults.yaml b/salt/libvirt/defaults.yaml
new file mode 100644
index 000000000..1905b2e8f
--- /dev/null
+++ b/salt/libvirt/defaults.yaml
@@ -0,0 +1,53 @@
+libvirt:
+  config:
+    listen_tls: 1
+    listen_tcp: 0
+    tls_port: "16514"
+    tcp_port: "16509"
+    listen_addr: "0.0.0.0"
+    unix_sock_group: "root"
+    unix_sock_ro_perms: "0777"
+    unix_sock_rw_perms: "0770"
+    unix_sock_admin_perms: "0700"
+    unix_sock_dir: "/run/libvirt"
+    auth_unix_ro: "none"
+    auth_unix_rw: "none"
+    auth_tcp: "none"
+    auth_tls: "none"
+    tcp_min_ssf: 112
+    access_drivers: ["polkit"]
+    key_file: "/etc/pki/libvirt/private/serverkey.pem"
+    cert_file: "/etc/pki/libvirt/servercert.pem"
+    ca_file: "/etc/pki/CA/cacert.pem"
+    #crl_file: "/etc/pki/CA/crl.pem"
+    tls_no_sanity_certificate: 0
+    tls_no_verify_certificate: 0
+    tls_allowed_dn_list: ["DN1", "DN2"]
+    tls_priority: "NORMAL"
+    sasl_allowed_username_list: ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM"]
+    max_clients: 5000
+    max_queued_clients: 1000
+    max_anonymous_clients: 20
+    min_workers: 5
+    max_workers: 20
+    prio_workers: 5
+    max_client_requests: 5
+    admin_min_workers: 1
+    admin_max_workers: 5
+    admin_max_clients: 5
+    admin_max_queued_clients: 5
+    admin_max_client_requests: 5
+    log_level: 3
+    log_filters: "1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+    log_outputs: "3:syslog:libvirtd"
+    audit_level: 2
+    audit_logging: 1
+    #host_uuid: "00000000-0000-0000-0000-000000000000"
+    host_uuid_source: "smbios"
+    keepalive_interval: 5
+    keepalive_count: 5
+    keepalive_required: 1
+    admin_keepalive_required: 1
+    admin_keepalive_interval: 5
+    admin_keepalive_count: 5
+    ovs_timeout: 5
diff --git a/salt/libvirt/etc/libvirtd.conf.jinja b/salt/libvirt/etc/libvirtd.conf.jinja
new file mode 100644
index 000000000..12406e1d2
--- /dev/null
+++ b/salt/libvirt/etc/libvirtd.conf.jinja
@@ -0,0 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. -#}
+
+{%- for k, v in LIBVIRTMERGED.config.items() %}
+{{ k }} = {{ v | json }}
+{%- endfor %}
diff --git a/salt/libvirt/init.sls b/salt/libvirt/init.sls
new file mode 100644
index 000000000..4b1fd6969
--- /dev/null
+++ b/salt/libvirt/init.sls
@@ -0,0 +1,80 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'libvirt/map.jinja' import LIBVIRTMERGED %}
+
+install_libvirt:
+  pkg.installed:
+    - name: libvirt
+
+libvirt_config:
+  file.managed:
+    - name: /etc/libvirt/libvirtd.conf
+    - source: salt://libvirt/etc/libvirtd.conf.jinja
+    - template: jinja
+    - defaults:
+        LIBVIRTMERGED: {{ LIBVIRTMERGED }}
+
+libvirt_service:
+  service.running:
+    - name: libvirtd
+
+libvirt_conf_dir:
+  file.directory:
+    - name: /opt/so/conf/libvirt
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+libvirt_source-packages_dir:
+  file.directory:
+    - name: /opt/so/conf/libvirt/source-packages
+
+libvirt_python_wheel:
+  file.recurse:
+    - name: /opt/so/conf/libvirt/source-packages/libvirt-python
+    - source: salt://libvirt/source-packages/libvirt-python
+    - clean: True
+
+libvirt_python_module:
+  cmd.run:
+    - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
+    - onchanges:
+      - file: libvirt_python_wheel
+
+# places cacert, clientcert, clientkey, servercert and serverkey
+# /etc/pki/CA/cacert.pem
+# /etc/pki/libvirt/clientcert.pem and /etc/pki/libvirt/servercert.pem
+# /etc/pki/libvirt/private/clientkey.pem and /etc/pki/libvirt/private/serverkey.pem
+libvirt_keys:
+  virt.keys:
+    - name: libvirt_keys
+
+install_qemu:
+  pkg.installed:
+    - name: qemu-kvm
+
+install_libguestfs:
+  pkg.installed:
+    - name: libguestfs
+
+# required for the network states below
+install_NetworkManager-updown:
+  pkg.installed:
+    - name: NetworkManager-initscripts-updown
+
+ens18:
+  network.managed:
+    - enabled: True
+    - type: eth
+    - bridge: virbr0
+
+virbr0:
+  network.managed:
+    - enabled: True
+    - type: bridge
+    - proto: dhcp
+    - require:
+      - network: ens18
diff --git a/salt/libvirt/map.jinja b/salt/libvirt/map.jinja
new file mode 100644
index 000000000..eebb50062
--- /dev/null
+++ b/salt/libvirt/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+   
+{% import_yaml 'libvirt/defaults.yaml' as LIBVIRTDEFAULTS %}
+{% set LIBVIRTMERGED = salt['pillar.get']('libvirt', LIBVIRTDEFAULTS.libvirt, merge=True) %}
diff --git a/salt/libvirt/source-packages/libvirt-python/libvirt_python-10.5.0-cp310-cp310-linux_x86_64.whl b/salt/libvirt/source-packages/libvirt-python/libvirt_python-10.5.0-cp310-cp310-linux_x86_64.whl
new file mode 100644
index 000000000..5687a2862
Binary files /dev/null and b/salt/libvirt/source-packages/libvirt-python/libvirt_python-10.5.0-cp310-cp310-linux_x86_64.whl differ