diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix index ccbdd14..71814c5 100644 --- a/nix/nixos-module/default.nix +++ b/nix/nixos-module/default.nix @@ -13,6 +13,7 @@ in { ] ++ optionals (hostConfig.role == "server") [ ./server/lxc-containers.nix + ./server/network.nix ] ++ optionals (hostConfig.role == "container") [ ./container/defaults.nix diff --git a/nix/nixos-module/server/lxc-containers.nix b/nix/nixos-module/server/lxc-containers.nix index 54ff211..748397f 100644 --- a/nix/nixos-module/server/lxc-containers.nix +++ b/nix/nixos-module/server/lxc-containers.nix @@ -27,9 +27,9 @@ let } // (lib.optionalAttrs (ifData.type == "veth") { veth.pair = "${ctName}-${netName}"; veth.mode = "bridge"; - link = "br-${netName}"; + link = "${netName}"; }) // (lib.optionalAttrs (ifData.type == "phys") { - link = "bond0.TODO"; + link = "ext-${netName}"; }) ) (builtins.attrNames interfaces); diff --git a/nix/nixos-module/server/network.nix b/nix/nixos-module/server/network.nix new file mode 100644 index 000000000..f51d03e --- /dev/null +++ b/nix/nixos-module/server/network.nix 
@@ -0,0 +1,70 @@
+{ hostName, self, config, lib, pkgs, ... }:
+
+let
+ containers =
+ lib.filterAttrs (_: { role, model, location, ... }:
+ role == "container" &&
+ model == "lxc" &&
+ location == hostName
+ ) config.site.hosts;
+
+ bridgeNets =
+ lib.lists.unique (
+ builtins.concatMap ({ interfaces, ... }:
+ builtins.attrNames (
+ lib.filterAttrs (_: { type, ... }: type == "veth") interfaces
+ )) (builtins.attrValues containers)
+ );
+
+ ctNets =
+ lib.lists.unique (
+ builtins.concatMap ({ interfaces, ... }:
+ builtins.attrNames interfaces
+ ) (builtins.attrValues containers)
+ );
+
+in
+{
+ systemd.network = {
+ enable = true;
+
+ netdevs = {
+ bond0.netdevConfig = {
+ Kind = "bond";
+ Name = "bond0";
+ };
+ } // (
+ builtins.foldl' (result: net: result // {
+ "${net}".netdevConfig = {
+ Kind = "bridge";
+ Name = "${net}";
+ };
+ }) {} bridgeNets
+ ) // (
+ builtins.foldl' (result: net: result // {
+ "ext-${net}" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "ext-${net}";
+ };
+ vlanConfig.Id = config.site.net.${net}.vlan;
+ };
+ }) {} ctNets
+ );
+
+ networks = {
+ eth = {
+ matchConfig.Name = "eth*";
+ networkConfig.Bond = "bond0";
+ };
+ en = {
+ matchConfig.Name = "en*";
+ networkConfig.Bond = "bond0";
+ };
+ bond0 = {
+ matchConfig.Name = "bond0";
+ networkConfig.VLAN = map (net: "ext-${net}") ctNets;
+ };
+ };
+ };
+}
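Review bot: The `eth` and `en` entries under `networks` match on `Name = "eth*"` / `"en*"` alone, so any host interface whose name starts with those letters is enslaved to `bond0`, the trunk that carries every `ext-${net}` VLAN. That is not limited to physical NICs: the bridges created here are named `${net}`, and lxc-containers.nix names host-side veths `${ctName}-${netName}`, so a site network or container called e.g. `entry` would presumably be matched too and pulled onto the trunk instead of staying on its own segment. Consider narrowing the match, for instance by adding `matchConfig.Path = "pci-*";` next to each `Name` glob (confirm against the hosts' udev `ID_PATH`), or by taking the bond member names from the host's site config. Interface names are also capped at 15 characters, so `"ext-${net}"` limits network names to 11; an assertion over `ctNets` would catch an over-long name at evaluation time instead of leaving it to fail when the netdev is created.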