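# NixOS host module for the "ceres" machine: microvm host with one bridge that
# joins the physical LAN port and the VM tap interfaces, nftables-backed
# firewall, mDNS advertisement and key-only SSH.
#
# Inputs (from the flake's config tree):
#   flake.config.machines.devices.ceres   - device record; only `.name` is used
#   flake.config.services.instances.wireGuard.ports.{port0,port1} - WireGuard
#     listen ports opened in the firewall below
{ flake, ... }:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services) instances;
  wireguardService = instances.wireGuard;
in
{
  microvm.host.enable = true;

  systemd.network = {
    enable = true;

    # Bridge carrying the physical uplink and the microvm "vm-*" taps.
    netdevs."10-br-vms" = {
      netdevConfig = {
        Name = "br-vms";
        Kind = "bridge";
      };
    };

    networks = {
      # Enslave the uplink and every vm-* interface to the bridge, so VMs sit on
      # the same L2 segment as the LAN. The host firewall below governs the
      # host's own sockets; frames merely bridged between VMs and the LAN are
      # presumably not filtered by it — verify if VM-to-LAN isolation is expected.
      "20-lan" = {
        matchConfig.Name = [ "enp10s0" "vm-*" ];
        networkConfig = {
          Bridge = "br-vms";
        };
      };

      # The host's own address lives on the bridge, not on enp10s0.
      "30-br-vms" = {
        matchConfig.Name = "br-vms";
        networkConfig = {
          Address = "192.168.50.240/24";
          Gateway = "192.168.50.1";
          DNS = [ "192.168.50.1" ];
        };
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };

  networking = {
    hostName = ceres.name;
    networkmanager.enable = false; # systemd-networkd owns the interfaces above
    nftables.enable = true;
    useDHCP = false;

    firewall = {
      enable = true;
      # Each entry below is open on every interface, including the LAN-facing
      # bridge; keep the list to services that actually listen on this host.
      allowedTCPPorts = [
        22 # SSH
        25 # SMTP
        139 # NetBIOS session service (SMB) — not SMTP; close it unless an SMB/Samba share is served here
        587 # SMTP submission
        2525 # SMTP (alternate port)
        9999 # NC (ad-hoc netcat listener; remove once no longer needed)
        wireguardService.ports.port0 # WireGuard (WireGuard is UDP-only; this TCP entry is not needed by it)
      ];
      allowedUDPPorts = [
        wireguardService.ports.port0 # WireGuard
        wireguardService.ports.port1 # WireGuard
      ];
      # Add port ranges for VPN dynamic port forwarding.
      # NOTE(review): this exposes anything that binds 30000-65535 on any
      # interface; scoping the ranges to the tunnel interface via
      # networking.firewall.interfaces.<name> would limit that exposure.
      allowedTCPPortRanges = [ { from = 30000; to = 65535; } ];
      allowedUDPPortRanges = [ { from = 30000; to = 65535; } ];
    };
  };

  services = {
    # mDNS advertisement of this host and its user services; openFirewall adds
    # 5353/UDP on top of the explicit list above.
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        userServices = true;
      };
    };

    # services.sshd.enable is the legacy alias of services.openssh.enable, so
    # only the canonical option is set here.
    openssh = {
      enable = true;
      # Key-based logins only. Consider KbdInteractiveAuthentication = false as
      # well, so PAM keyboard-interactive cannot act as a password fallback.
      settings.PasswordAuthentication = false;
    };
  };
}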