{ lib, ... }:

let
  # Interface names shared by the bridge netdev, its own network unit and the
  # units that attach ports to it.
  bridgeName = "br-vms";
  uplinkName = "enp10s0";
in
{
  # Bridge, uplink and VM tap are owned by systemd-networkd; NetworkManager is
  # told further down to leave them alone so the two never fight over them.
  systemd.network.enable = true;

  systemd.network.netdevs."20-${bridgeName}" = {
    netdevConfig = {
      Kind = "bridge";
      Name = bridgeName;
    };
    # Single bridge with no redundant links; spanning tree would only delay
    # ports becoming forwarding.
    bridgeConfig.STP = false;
  };

  systemd.network.networks = {
    # Physical uplink is a plain bridge port: it carries no address of its own
    # and network-online.target does not wait for it.
    "30-${uplinkName}" = {
      matchConfig = { Name = uplinkName; };
      networkConfig = {
        Bridge = bridgeName;
        ConfigureWithoutCarrier = true;
        KeepConfiguration = "yes";
      };
      linkConfig = { RequiredForOnline = false; };
    };

    # The host's LAN address lives on the bridge itself, obtained via DHCPv4;
    # this is the one link that must be routable for the host to count as online.
    "40-${bridgeName}" = {
      matchConfig = { Name = bridgeName; };
      networkConfig = {
        DHCP = "ipv4";
        KeepConfiguration = "yes";
      };
      linkConfig = { RequiredForOnline = "routable"; };
    };

    # Tap device of the forgejo VM, attached as a further bridge port so the
    # guest shares the same L2 segment as the uplink.
    "50-vm-forgejo" = {
      matchConfig = { Name = "vm-forgejo"; };
      networkConfig = {
        Bridge = bridgeName;
        ConfigureWithoutCarrier = true;
      };
      linkConfig = { RequiredForOnline = false; };
    };
  };

  # Keep NetworkManager away from everything networkd owns in this module.
  networking.networkmanager.unmanaged = [
    "interface-name:${bridgeName}"
    "interface-name:vm-*"
    "interface-name:${uplinkName}"
  ];

  # IPv4 forwarding, needed for both bridge networking and WireGuard NAT.
  # This sysctl is host-wide (every interface, not only the bridge); any
  # filtering between segments has to come from firewall rules defined elsewhere.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
}