{ config
, lib
, ...
}: {
  # use networkd
  networking.dhcpcd.enable = false;
  systemd.network.enable = true;

  # add an entry to /etc/hosts for each host
  networking.extraHosts = lib.concatStringsSep "\n" (lib.mapAttrsToList
    (name: host: ''
      ${lib.optionalString (host.ipv4 != null) "${host.ipv4} ${name}"}
      ${lib.optionalString (host.ipv6 != null) "${host.ipv6} ${name}"}
    '')
    config.networking.newtype.hosts);

  # leave container interfaces alone unless otherwise specified
  systemd.network.networks."95-veth".extraConfig = ''
    [Match]
    Driver = veth

    [Link]
    Unmanaged = yes
    '';

  systemd.network.networks."10-nat-lan" = {
    matchConfig.Name = "nat-lan";
    linkConfig.RequiredForOnline = true;
    DHCP = "yes";
  };

  systemd.network.links."10-nat-lan" = {
    matchConfig.MACAddress = "3c:ec:ef:7e:bd:c8";
    linkConfig.Name = "nat-lan";
  };

  systemd.network.netdevs."10-wan-br" = {
    netdevConfig.Name = "wan-br";
    netdevConfig.Kind = "bridge";
    netdevConfig.MACAddress = "none";
    bridgeConfig.MulticastSnooping = false;
  };

  systemd.network.links."10-wan-br" = {
    matchConfig.Name = "wan-br";
    linkConfig.MACAddressPolicy = "none";
  };

  systemd.network.networks."10-wan-br" = {
    matchConfig.Name = "wan-br";
    linkConfig.RequiredForOnline = true;
    networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
  };

  systemd.network.networks."10-wan" = {
    matchConfig.Name = "wan";
    networkConfig.Bridge = "wan-br";
  };

  systemd.network.links."10-wan" = {
    matchConfig.MACAddress = "3c:ec:ef:7e:bd:c9";
    linkConfig.Name = "wan";
  };

  deployment.targetHost = "${config.networking.hostName}.infra.newtype.fr";
}