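# NixOS module for the microvm host described by `flake.config.machines.devices.eris`.
#
# It enables the microvm host side, bridges the physical NIC and the VM tap
# interfaces onto one L2 segment, gives the bridge a static address, and
# exposes SSH, mail-related ports, one ad-hoc listener port and mDNS.
#
# The file must keep one list entry per line in `allowedTCPPorts`: every `#`
# comment runs to the end of its line, so collapsing the list onto a single
# line comments out the closing brackets and the rest of the module.
{ flake, ... }:
let
  inherit (flake.config.machines.devices) eris;
in
{
  microvm.host.enable = true;

  systemd.network = {
    enable = true;

    # Software bridge shared by the uplink and every guest tap device.
    netdevs."10-br-vms" = {
      netdevConfig = {
        Name = "br-vms";
        Kind = "bridge";
      };
    };

    networks = {
      # Physical uplink is enslaved to the bridge and carries no address itself.
      "20-enp3s0" = {
        matchConfig.Name = "enp3s0";
        networkConfig = {
          Bridge = "br-vms";
        };
      };

      # Any interface named vm-* joins the same bridge, so guests sit directly
      # on the 192.168.50.0/24 segment next to the host.
      # NOTE(review): `networking.firewall` below governs traffic addressed to
      # this host; it should not be relied on to filter frames bridged to the
      # guests. Confirm each guest carries its own firewall policy.
      "20-vm" = {
        matchConfig.Name = "vm-*";
        networkConfig = {
          Bridge = "br-vms";
        };
      };

      # Static addressing lives on the bridge; the host counts as online only
      # once this link is routable.
      "30-br-vms" = {
        matchConfig.Name = "br-vms";
        networkConfig = {
          Address = "192.168.50.245/24";
          Gateway = "192.168.50.1";
          DNS = [ "192.168.50.1" ];
        };
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };

  networking = {
    hostName = eris.name;
    # systemd-networkd owns the links above, so NetworkManager and the
    # scripted DHCP client are switched off.
    networkmanager.enable = false;
    nftables.enable = true;
    useDHCP = false;

    firewall = {
      enable = true;
      # These ports are opened on every interface; nothing here limits them
      # to a source network.
      allowedTCPPorts = [
        22 # SSH
        25 # SMTP
        # The original label for 139 read "SMTP", but IANA assigns 139 to the
        # NetBIOS session service (SMB over NetBIOS).
        # NOTE(review): confirm what listens here and close the port if nothing does.
        139
        587 # SMTP (submission)
        2525 # SMTP (alternate port)
        # NOTE(review): 9999 is labelled as a netcat listener. A raw,
        # unauthenticated TCP listener is reachable by anything that can route
        # to this host; drop the entry when it is not in active use.
        9999 # NC
      ];
    };
  };

  services = {
    # mDNS: resolves .local names over IPv4 via NSS, publishes this host and
    # its user services, and opens the firewall for Avahi.
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        userServices = true;
      };
    };

    # `services.sshd.enable` is an alias of `services.openssh.enable`, so the
    # daemon is enabled once, here. Password logins are refused.
    openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
    };
  };
}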