diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index e20a8cb7..f6855781 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -115,3 +115,4 @@ resources:
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
+ - ../../../deploy/vm/jj/
diff --git a/kube/deploy/vm/jj/_deps/netpol.yaml b/kube/deploy/vm/jj/_deps/netpol.yaml
new file mode 100644
index 00000000..2d0c4b7f
--- /dev/null
+++ b/kube/deploy/vm/jj/_deps/netpol.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app vm-jj
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # Tailscale default port
+ - fromEntities:
+ - all
+ toPorts:
+ - ports:
+ - port: "41641"
+ protocol: UDP
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # WireGuard to router
+ - toCIDRSet:
+ - cidr: "${IP_ROUTER_LAN}/32"
+ toPorts:
+ - ports:
+ - port: "45678"
+ protocol: UDP
+ # egress to Tailscale default port
+ - toEntities:
+ - all
+ toPorts:
+ - ports:
+ - port: "41641"
+ protocol: UDP
+ # internet
+ - toCIDRSet:
+ - cidr: "0.0.0.0/0"
+ except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"] # private IP ranges should go through WireGuard with OPNsense rules or Tailscale's ACLs, but internet egress should still go through Cilium for DNS netpols and whatnot
diff --git a/kube/deploy/vm/jj/_deps/ns.yaml b/kube/deploy/vm/jj/_deps/ns.yaml
new file mode 100644
index 00000000..e3c9da7b
--- /dev/null
+++ b/kube/deploy/vm/jj/_deps/ns.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vm-jj
\ No newline at end of file
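Review bot: The `except` list on the final `toCIDRSet` rule (`cidr: "0.0.0.0/0"`) omits `169.254.0.0/16`, so link-local addresses — where node-local and metadata-style services commonly sit — stay reachable from the VM under the "internet" allowance even though the comment says non-internet ranges are meant to be excluded. Suggest `except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]`. Separately, nothing in this policy allows port 53 towards kube-dns, so the VM's name resolution depends entirely on a cluster-wide DNS policy that is not part of this diff; I'd say so in the comment, e.g. `# DNS (53/udp,tcp) to kube-dns is expected from a cluster-wide policy, not granted here`. The ingress rule accepting UDP 41641 from `all` entities is consistent with the single forwarded port in template/vm.yaml, so that part looks deliberate.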
diff --git a/kube/deploy/vm/jj/_deps/preference.yaml b/kube/deploy/vm/jj/_deps/preference.yaml
new file mode 100644
index 00000000..a03e9dde
--- /dev/null
+++ b/kube/deploy/vm/jj/_deps/preference.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: instancetype.kubevirt.io/v1beta1
+kind: VirtualMachinePreference
+metadata:
+ name: "jj" # Windows Server 2022 & Windows 11
+# from https://github.com/kubevirt/kubevirt/blob/2c5e56f2cd0fcde341f47a7da0b94bc812c2f43f/examples/windows.yaml
+spec:
+ preferredSubdomain: "jj"
+ requirements:
+ cpu:
+ guest: 2
+ memory:
+ guest: 8192Mi
+ clock:
+ preferredClockOffset:
+ timezone: "${CONFIG_TZ}"
+ devices:
+ preferredDiskBus: virtio
+ preferredInterfaceModel: virtio
+ preferredTPM:
+ persistent: true
+ preferredAutoattachMemBalloon: false
+ preferredAutoattachGraphicsDevice: true
+ preferredAutoattachSerialConsole: true
+ preferredAutoattachPodInterface: true
+ preferredAutoattachInputDevice: true
+ preferredInputType: "tablet"
+ firmware:
+ preferredUseEfi: true
+ volumes:
+ preferredStorageClassName: "file"
+ preferredTerminationGracePeriodSeconds: 180
+ machine:
+ preferredMachineType: "pc-q35-rhel9.2.0"
diff --git a/kube/deploy/vm/jj/_deps/svc.yaml b/kube/deploy/vm/jj/_deps/svc.yaml
new file mode 100644
index 00000000..6ca20b5a
--- /dev/null
+++ b/kube/deploy/vm/jj/_deps/svc.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "vm-jj"
+spec:
+ type: ClusterIP
+ clusterIP: None
+ selector:
+ vm.home.arpa: "jj"
diff --git a/kube/deploy/vm/jj/_deps/type.yaml b/kube/deploy/vm/jj/_deps/type.yaml
new file mode 100644
index 00000000..f7ed76e6
--- /dev/null
+++ b/kube/deploy/vm/jj/_deps/type.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: instancetype.kubevirt.io/v1beta1
+kind: VirtualMachineInstancetype
+metadata:
+ name: "jj"
+spec:
+ cpu:
+ guest: 2
+ memory:
+ guest: 8192Mi
diff --git a/kube/deploy/vm/jj/ks.yaml b/kube/deploy/vm/jj/ks.yaml
new file mode 100644
index 00000000..e1edaee7
--- /dev/null
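Review bot: The header comment `name: "jj" # Windows Server 2022 & Windows 11` describes a guest this preference is not used for — template/vm.yaml labels the guest `vm.home.arpa/os: "linux"` and ks.yaml substitutes `VM: "debian"` — so a later reader may "correct" the Linux VM to match it. I'd change it to `name: "jj" # Debian guest; settings derived from the upstream KubeVirt windows.yaml example linked below`. The Windows-derived `preferredTPM.persistent: true` together with `preferredUseEfi: true` asks for persistent TPM/EFI state, which as far as I recall KubeVirt only honours when its persistent VM state feature and a VM-state storage class are configured, and nothing in this diff shows that — worth confirming, since the failure mode is the VM not starting rather than a quietly non-persistent TPM. The `requirements` cpu/memory duplicate type.yaml, which is allowed but is a second place to keep in sync.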
+++ b/kube/deploy/vm/jj/ks.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: zz-vm-jj-1-deps
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/vm/ad/_deps
+ targetNamespace: "vm-ad"
+ dependsOn:
+ - name: zz-vm-1-kubevirt-app
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: zz-vm-jj-debian-pvc
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/storage/volsync/template
+ targetNamespace: "vm-jj"
+ dependsOn:
+ - name: 1-core-storage-volsync-app
+ - name: 1-core-storage-rook-ceph-cluster
+ - name: zz-vm-jj-1-deps
+ postBuild:
+ substitute:
+ PVC: "vm-jj-debian-root"
+ SIZE: "55Gi"
+ VOLUMEMODE: "Filesystem"
+ RUID: &uid "107"
+ RGID: *uid
+ RFSG: *uid
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: zz-vm-jj-debian
+ namespace: flux-system
+ labels:
+ wait.flux.home.arpa/disabled: "true"
+spec:
+ path: ./kube/deploy/vm/jj/template
+ targetNamespace: "vm-jj"
+ dependsOn:
+ - name: zz-vm-1-kubevirt-app
+ - name: zz-vm-jj-1-deps
+ - name: zz-vm-jj-debian-pvc
+ postBuild:
+ substitute:
+ VM: "debian"
diff --git a/kube/deploy/vm/jj/kustomization.yaml b/kube/deploy/vm/jj/kustomization.yaml
new file mode 100644
index 00000000..45bc3673
--- /dev/null
+++ b/kube/deploy/vm/jj/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/vm/jj/template/svc.yaml b/kube/deploy/vm/jj/template/svc.yaml
new file mode 100644
index 00000000..c7830104
--- /dev/null
+++ b/kube/deploy/vm/jj/template/svc.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "jj-${VM}"
+spec:
+ type: ClusterIP
+ clusterIP: None
+ selector:
+ vm.home.arpa/jj: "${VM}"
\ No newline at end of file
diff --git a/kube/deploy/vm/jj/template/vm.yaml b/kube/deploy/vm/jj/template/vm.yaml
new file mode 100644
index 00000000..7f6431df
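Review bot: `zz-vm-jj-1-deps` points at the wrong directory: `path: ./kube/deploy/vm/ad/_deps` with `targetNamespace: "vm-ad"` re-applies the `ad` VM's deps instead of the `jj/_deps` added in this commit, so the `vm-jj` Namespace, the CiliumNetworkPolicy, the `jj` VirtualMachinePreference/Instancetype and the headless Service are never reconciled, while `zz-vm-jj-debian-pvc` and `zz-vm-jj-debian` still target `vm-jj` and depend on this (successfully reconciling) Kustomization. In practice the later Kustomizations should fail on the missing namespace and preference, but if `vm-jj` already exists from an earlier manual apply the VM lands there with no CiliumNetworkPolicy at all, which is the only ingress/egress restriction this VM gets. Fix the two lines to `path: ./kube/deploy/vm/jj/_deps` and `targetNamespace: "vm-jj"`. Because `dependsOn` only checks that a dependency reconciled, not what it contained, this kind of copy-paste is silent in Flux; a comment naming the intent, `# deps for the vm-jj namespace (ns, netpol, preference, instancetype, svc)`, makes the next one easier to spot.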
--- /dev/null
+++ b/kube/deploy/vm/jj/template/vm.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+ name: "jj-${VM}"
+spec:
+ preference:
+ kind: "VirtualMachinePreference"
+ name: "jj"
+ instancetype:
+ kind: "VirtualMachineInstancetype"
+ name: "jj"
+ runStrategy: "Always"
+ template:
+ metadata:
+ labels:
+ vm.home.arpa: "jj"
+ vm.home.arpa/os: "linux"
+ vm.home.arpa/jj: "${VM}"
+ spec:
+ hostname: "jj-${VM}"
+ networks:
+ - name: "main"
+ pod:
+ vmNetworkCIDR: "${IP_KUBEVIRT_JJ_CIDR_V4}"
+ volumes:
+ - name: "root"
+ persistentVolumeClaim:
+ claimName: "vm-jj-${VM}-root"
+ domain:
+ devices:
+ disks:
+ - name: "root"
+ disk: {}
+ interfaces:
+ - name: "main"
+ masquerade: {}
+ ports:
+ - name: "tailscale"
+ port: 41641
+ protocol: "UDP"
+ autoattachInputDevice: true
+ inputs:
+ - name: "tablet1"
+ type: "tablet"
+ bus: "virtio"
+ firmware:
+ bootloader:
+ efi:
+ persistent: true
\ No newline at end of file
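Review bot: The `efi:` block sets only `persistent: true` and leaves `secureBoot` unset; as far as I recall the KubeVirt API defaults that field to true for EFI, so Secure Boot is silently enabled for this guest. Make the intent explicit with `secureBoot: true` beside `persistent: true`, so a future image without a signed shim fails for a visible reason and a reviewer can see the boot chain is meant to be verified. The `ports:` list on the masquerade interface deserves a comment, since per the KubeVirt interface docs it is what limits pod-to-VM forwarding to 41641/UDP and it must stay aligned with `_deps/netpol.yaml`: `# only listed ports are forwarded into the VM; keep in sync with the netpol ingress rule`. `autoattachInputDevice: true` and the tablet input repeat what the preference already sets, so one of the two copies can go.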