# NixOS module: layer-2 bridging carried over a GRE-TAP tunnel bound to WireGuard.
#
# Topology as declared below:
#   br0 <- enp2s0, gretap1    (vlan-apro, VLAN id 2000, is stacked on br0)
#   br1 <- enp3s0, vlan-apro
#   gretap1: 10.10.17.2 -> 10.10.17.1, attached to wg0 via Tunnel=. Both GRE
#            endpoints lie inside wg0's 10.10.17.0/30, so the GRE packets are
#            carried inside the WireGuard tunnel.
{ config, ... }:

let
  # Settings shared by every pure layer-2 link: no link-local addressing,
  # no LLDP receive/transmit, no IPv6 router advertisements accepted or sent.
  # None of these links is given an address, so the host stays off the
  # bridged segments at layer 3.
  l2Only = {
    LinkLocalAddressing = false;
    LLDP = false;
    EmitLLDP = false;
    IPv6AcceptRA = false;
    IPv6SendRA = false;
  };

  # networkConfig for a link that is a member port of `bridge`.
  bridgePort = bridge: l2Only // { Bridge = bridge; };

  # netdev definition for a bridge with VLAN filtering and STP both off.
  # NOTE(review): with VLANFiltering off the bridge does not filter on VLAN
  # tags, so tagged frames arriving on one port (including the tunnel) are
  # forwarded to the other ports. With STP off the bridge will not break a
  # layer-2 loop; confirm the physical and tunnel topology is loop-free.
  plainBridge = name: {
    netdevConfig = {
      Name = name;
      Kind = "bridge";
    };
    bridgeConfig = {
      VLANFiltering = false;
      STP = false;
    };
  };
in
{
  # All inbound traffic on wg0 is accepted unconditionally by the NixOS
  # firewall. The only configured peer is restricted to 10.10.17.0/30 by
  # AllowedIPs, but every service listening on this host is reachable from
  # that peer. NOTE(review): confirm this blanket trust is intended rather
  # than allowing only GRE on wg0.
  networking.firewall.trustedInterfaces = [ "wg0" ];

  systemd.network = {
    networks = {
      # Physical ports, one per bridge.
      "10-enp2s0" = {
        name = "enp2s0";
        networkConfig = bridgePort "br0";
      };
      "10-enp3s0" = {
        name = "enp3s0";
        networkConfig = bridgePort "br1";
      };

      # VLAN 2000 taken off br0 and handed to br1 as a member port.
      "20-vlan-apro" = {
        name = "vlan-apro";
        networkConfig = bridgePort "br1";
      };

      # Tunnel end of br0.
      "50-gretap1" = {
        name = "gretap1";
        networkConfig = bridgePort "br0";
      };

      "50-br0" = {
        name = "br0";
        networkConfig = l2Only // { VLAN = [ "vlan-apro" ]; };
      };
      "50-br1" = {
        name = "br1";
        networkConfig = l2Only;
      };

      # The only interface on this page that carries an IP address.
      "50-wg0" = {
        name = "wg0";
        address = [ "10.10.17.2/30" ];
        networkConfig.Tunnel = "gretap1";
      };
    };

    netdevs = {
      "20-vlan-apro" = {
        netdevConfig = {
          Name = "vlan-apro";
          Kind = "vlan";
        };
        vlanConfig.Id = 2000;
      };

      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        # The private key is referenced by file path from the age secret
        # declared elsewhere in the configuration; the key material itself
        # does not appear in this module.
        wireguardConfig.PrivateKeyFile = config.age.secrets."systemd-network-wg_vault01_key".path;
        wireguardPeers = [
          {
            wireguardPeerConfig = {
              # Only the /30 tunnel subnet is accepted from, and routed to, this peer.
              AllowedIPs = [ "10.10.17.0/30" ];
              PublicKey = "ijgcPnWWZ0njUJjsDNSGhlhVO40aUDD+zFLtw/1nfBY=";
              Endpoint = "vault01.hyp01.infra.dgnum.eu:1194";
              PersistentKeepalive = 25;
            };
          }
        ];
      };

      "50-br0" = plainBridge "br0";
      "50-br1" = plainBridge "br1";

      "50-gretap1" = {
        netdevConfig = {
          Name = "gretap1";
          Kind = "gretap";
        };
        # Local is wg0's own address and Remote is the peer's address in the
        # same /30.
        tunnelConfig = {
          Local = "10.10.17.2";
          Remote = "10.10.17.1";
        };
      };
    };
  };
}