{ config, lib, ... }:
let
  containersWithNet = lib.filterAttrs (_: v: v.privateNetwork or false) config.containers;
  containerIfaces = map (name: "ve-${name}") (lib.attrNames containersWithNet);
in {
  networking.nat = {
    enable = true;
    internalInterfaces = containerIfaces;
    externalInterface = "enp3s0";
  };
}