diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b38c6a6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,76 @@
+# hyprland-infra
+
+
+
+Hyprland Nix infrastructure. Contains non-critical services, which include but
+is not limited to:
+
+- Typhon (Nix build service)
+
+## Networking setup
+
+### Creating a bridge on the host
+
+A bridge is needed to preserve bidirectional connectivity between the host and
+the guest.
+
+Get the current connection's link name. We'll use `` throughout this file.
+
+```bash
+$ nmcli con show
+```
+
+```bash
+$ nmcli con add ifname br0 type bridge con-name br0
+$ nmcli con add type bridge-slave ifname master br0
+```
+
+If using DHCP:
+
+```bash
+$ nmcli con mod br0 ipv4.method auto
+```
+
+If using static IPs:
+
+```bash
+$ nmcli con mod br0 ipv4.method manual
+$ nmcli con mod br0 ipv4.addresses 10.1.1.16/24
+$ nmcli con mod br0 ipv4.gateway 10.1.1.1
+$ nmcli con mod br0 ipv4.dns '10.1.1.1,1.1.1.1'
+```
+
+We do not need Spanning Tree Protocol, disable it:
+
+```bash
+$ nmcli con mod br0 bridge.stp no
+```
+
+Turn up the bridge:
+
+```bash
+$ nmcli con down
+$ nmcli con up br0
+```
+
+To disable `` autoconnect and let the bridge do the connection instead:
+
+```bash
+$ nmcli con mod connection.autoconnect no
+```
+
+
+
+### Setting up QEMU to allow bridges
+
+In `/etc/qemu/bridge.conf` write `allow br0`.
diff --git a/hosts/caesar/virt.nix b/hosts/caesar/virt.nix
index b9594e2..26ac384 100644
--- a/hosts/caesar/virt.nix
+++ b/hosts/caesar/virt.nix
@@ -25,10 +25,11 @@ vm0.vlan = 1;
 };
+ # mac addr can be anything, especially the last 3 bytes
+ # the OUI is specific to QEMU
 qemu.networkingOptions = [
- "-net nic,netdev=user.0,model=virtio"
- "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
- "hostfwd=tcp::2222-:2222"
+ "-device virtio-net-pci,netdev=user0,mac=52:54:00:00:00:00"
+ "-netdev bridge,id=user0,br=br0"
 ];
 };
 }
diff --git a/hosts/default.nix b/hosts/default.nix
index 8496bfd..5159ff7 100644
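Review bot: The fixed `mac=52:54:00:00:00:00` on the new `-device virtio-net-pci` line will collide as soon as a second guest built from the same module is attached to br0, and the comment above it says the address "can be anything" without saying it must be unique per guest on that segment. I'd replace the two comment lines with `# mac must be unique among guests on br0; 52:54:00 is the QEMU OUI, the last 3 bytes are free to choose` and give this VM a non-zero host part. Worth recording in the same comment that moving from `-netdev user` with `hostfwd=tcp::2222-:2222` to `-netdev bridge` gives the guest its own presence on the host's LAN, so the guest's sshd on 2222 (modules/openssh.nix) is now reachable from every host on that segment rather than only through the host's forwarded port — confirm the guest firewall is meant to allow that. The enclosing attribute set starts before the hunk.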
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -27,6 +27,7 @@ sharedModules = [
 inputs.agenix.nixosModules.default
+ ../modules/users.nix
 ];
 in {
 flake.nixosConfigurations = {
diff --git a/modules/openssh.nix b/modules/openssh.nix
index b9edded..ac8abca 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -4,12 +4,19 @@ in {
 services.openssh = {
 enable = true;
- # since this is a VM, use a separate port than the host's
+ # since this is a VM, use a different port than the host's
 ports = [2222];
 settings = {
 PasswordAuthentication = mkForce false;
- KexAlgorithms = mkForce ["sntrup761x25519-sha512@openssh.com"];
+ KexAlgorithms = mkForce [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "diffie-hellman-group-exchange-sha256"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
 KbdInteractiveAuthentication = mkForce false;
 };
 };
diff --git a/modules/users.nix b/modules/users.nix
new file mode 100644
index 0000000..a3af79b
--- /dev/null
+++ b/modules/users.nix
@@ -0,0 +1,6 @@
+{self, ...}: {
+ imports = [
+ "${self}/users/mihai.nix"
+ "${self}/users/raf.nix"
+ ];
+}
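Review bot: The widened `KexAlgorithms` list carries no comment saying why the previous sntrup761x25519-only policy was relaxed, so the next reader cannot tell whether the classical-only entries (`curve25519-sha256` and the `diffie-hellman-group*` ones) are a deliberate compatibility concession or an oversight; a line above the list such as `# sntrup761x25519 kept for PQ-capable clients; the classical kex below exist for clients that lack it` would record that. The client's ordering, not this list's, decides which kex is negotiated, so listing `sntrup761x25519-sha512@openssh.com` last does not demote it, but a short comment saying so prevents someone "fixing" the order later. The reworded port comment still gives "this is a VM" as the reason for 2222; with the bridged NIC in hosts/caesar/virt.nix the guest has its own address, so the comment could state what the distinct port is now for. The `services.openssh` block closes inside the hunk but the `let` head it sits under starts before it.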
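Review bot: `self` on the first line is a module argument that exists only if the flake passes it through `specialArgs` (or `_module.args`); the hosts/default.nix hunk adds this module to `sharedModules` but does not show that wiring, so if it is missing every host fails to evaluate with an undefined-argument error. Paths relative to this file, `../users/mihai.nix` and `../users/raf.nix`, would import the same files without depending on the injected argument. Because `sharedModules` applies to every host, a header comment such as `# accounts provisioned on every host; add a user here only if it belongs on all of them` would make the scope of this file explicit.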