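# Network configuration for host "jeeves": static addressing on enp97s0,
# host firewall enabled, and an address-less bridge (br-nix-builder) that is
# fed by VLAN 100 on the primary NIC.
{
  # The net.bridge.* sysctl keys only exist while br_netfilter is loaded.
  # Loading it via boot.kernelModules (modules-load.d) makes the keys present
  # when systemd-sysctl runs at boot; if the module is only pulled in later by
  # Docker, the writes below find no key and the kernel defaults (1) apply.
  boot.kernelModules = [ "br_netfilter" ];

  # Docker loads br_netfilter on jeeves. Disable bridge netfilter so
  # br-nix-builder behaves like a pure L2 bridge and bridged traffic
  # does not hit the host firewall/rpfilter path.
  #
  # NOTE(review): these three switches are host-wide, not per-bridge. With
  # them at 0 the host's iptables/ip6tables/arptables rules no longer see
  # frames forwarded between ports of ANY bridge, Docker's included, so:
  #   - anything attached to br-nix-builder is not filtered by this host and
  #     must be protected in the guest or upstream on VLAN 100;
  #   - Docker features that rely on bridge netfilter (e.g. disabling
  #     inter-container communication) may stop being enforced, or Docker may
  #     set the values back to 1 - confirm the daemon configuration and check
  #     the live values with `sysctl net.bridge` after dockerd has started.
  boot.kernel.sysctl = {
    "net.bridge.bridge-nf-call-arptables" = 0;
    "net.bridge.bridge-nf-call-ip6tables" = 0;
    "net.bridge.bridge-nf-call-iptables" = 0;
  };

  networking = {
    hostName = "jeeves";
    hostId = "0e15ce35";
    firewall = {
      enable = true;
      # Explicitly empty: no TCP/UDP port is opened for traffic arriving on
      # the bridge interface itself.
      interfaces.br-nix-builder = {
        allowedTCPPorts = [ ];
        allowedUDPPorts = [ ];
      };
    };
    useNetworkd = true;
  };

  systemd.network = {
    enable = true;
    # wait-online is disabled; anyInterface presumably only matters if it is
    # switched back on.
    wait-online = {
      enable = false;
      anyInterface = true;
    };

    netdevs = {
      "20-br-nix-builder" = {
        netdevConfig = {
          Kind = "bridge";
          Name = "br-nix-builder";
        };
      };
      # Tagged sub-interface (VLAN ID 100); it is attached to enp97s0 by the
      # `vlan` entry in "10-Primary" below.
      "30-internet-vlan" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "internet-vlan";
        };
        vlanConfig.Id = 100;
      };
    };

    networks = {
      # Primary NIC: static IPv4 address and gateway, carries VLAN 100.
      "10-Primary" = {
        matchConfig.Name = "enp97s0";
        address = [ "192.168.99.14/24" ];
        dns = [
          "192.168.99.1"
          "2600:4040:abfb:d700::1"
        ];
        routes = [ { Gateway = "192.168.99.1"; } ];
        vlan = [ "internet-vlan" ];
        # Resolvers are pinned to the `dns` list above: servers offered via
        # DHCPv4, DHCPv6 or router advertisements are ignored.
        dhcpV4Config.UseDNS = false;
        dhcpV6Config.UseDNS = false;
        ipv6AcceptRAConfig.UseDNS = false;
        linkConfig.RequiredForOnline = "routable";
      };
      # VLAN 100 is enslaved to the bridge and gets no address of its own here.
      "50-internet-vlan" = {
        matchConfig.Name = "internet-vlan";
        bridge = [ "br-nix-builder" ];
        linkConfig.RequiredForOnline = "no";
      };
      # The bridge carries no L3 configuration in this file: no address is
      # assigned, link-local addressing is off and router advertisements are
      # not accepted, so the host does not join the VLAN 100 segment over it.
      "60-br-nix-builder" = {
        matchConfig.Name = "br-nix-builder";
        bridgeConfig = { };
        networkConfig = {
          IPv6AcceptRA = false;
          LinkLocalAddressing = "no";
        };
        linkConfig.RequiredForOnline = "no";
      };
    };
  };
}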