diff --git a/roles/common/files/50-virtio-kernel-names.link b/roles/common/files/50-virtio-kernel-names.link
new file mode 100644
index 0000000..f39f26b
--- /dev/null
+++ b/roles/common/files/50-virtio-kernel-names.link
@@ -0,0 +1,10 @@
+# udev 226 introduced predictable interface names for virtio;
+# disable this for upgrades. You can remove this file if you update your
+# network configuration to move to the ens* names instead.
+# See /usr/share/doc/udev/README.Debian.gz for details about predictable
+# network interface names.
+[Match]
+Driver=virtio_net
+
+[Link]
+NamePolicy=onboard kernel
diff --git a/roles/common/files/99-default.link b/roles/common/files/99-default.link
new file mode 100644
index 0000000..e156606
--- /dev/null
+++ b/roles/common/files/99-default.link
@@ -0,0 +1,6 @@
+# This machine is most likely a virtualized guest, where the old persistent
+# network interface mechanism (75-persistent-net-generator.rules) did not work.
+# This file disables /lib/systemd/network/99-default.link to avoid
+# changing network interface names on upgrade. Please read
+# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
+# supported mechanism.
diff --git a/roles/common/files/resume b/roles/common/files/resume
new file mode 100644
index 0000000..213a0e2
--- /dev/null
+++ b/roles/common/files/resume
@@ -0,0 +1 @@
+RESUME=none
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..41faca2
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: update-initramfs
+  command: update-initramfs -u -k all
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index eae4d52..49cbb55 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,6 +15,10 @@
   - vim-nox
   - zsh
 
+- name: Install qemu-agent on KVM VMs
+  apt: name=qemu-guest-agent
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
+
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
   with_items:
@@ -26,3 +30,13 @@
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
+
+- name: Disable hibernation/resume
+  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
+  notify: update-initramfs
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: '^.*auth\s+required\s+pam_wheel.so$'
+    line: 'auth       required   pam_wheel.so'