diff --git a/README.rst b/README.rst
index ebc248a3d64fb0c565263750db906da4cac3e508..33f50f65fe8d462939c05264046ad0f0bc64d436 100644
--- a/README.rst
+++ b/README.rst
@@ -43,5 +43,7 @@ TODO
 - If root mount is NOT btrfs, then create a sparse file, format with btrfs and
   mount under /var/lib/machines.
 - Disable the networking service, use systemd-networkd.
+- Create a bridge with NAT using systemd-networkd, use dnsmasq for dns
+  resolving.
 - Create a Debian Jessie base image to clone.
 - Test mac-vlan on Vagrant.
diff --git a/files/nspawnbr0.netdev b/files/nspawnbr0.netdev
new file mode 100644
index 0000000000000000000000000000000000000000..26f360970b7baaf938c0b4b7013368a61f6fd2d5
--- /dev/null
+++ b/files/nspawnbr0.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=nspawnbr0
+Kind=bridge
diff --git a/files/nspawnbr0.network b/files/nspawnbr0.network
new file mode 100644
index 0000000000000000000000000000000000000000..456324ed1fb18dd21513ecabd977026efaaaf610
--- /dev/null
+++ b/files/nspawnbr0.network
@@ -0,0 +1,7 @@
+[Match]
+Name=nspawnbr0
+
+[Network]
+Address=192.168.123.1/24
+DHCPServer=yes
+IPMasquerade=yes
diff --git a/tasks/main.yml b/tasks/main.yml
index fc2bb79d4a2e036b0f32576020be9de48ca341cd..0c0efa721a7e69186d16f54a574e90ae54b6082b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,7 +10,51 @@
   with_items:
     - systemd-sysv
     - systemd-container
+    - libnss-myhostname
+    - libnss-mymachines
+    - libnss-resolve
     - ufw
     - btrfs-tools
     - debootstrap
     - yum
+    - dnsmasq
+
+- name: Create npawn configuration directory
+  file:
+    path: /etc/systemd/nspawn
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+
+- name: Allow IP forwarding in UFW
+  ufw:
+    direction: routed
+    policy: allow
+
+- name: Configure systemd-networkd
+  with_fileglob:
+  - '*.netdev'
+  - '*.network'
+  - '*.link'
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/systemd/network/{{ item|basename }}'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable networking service, enable systemd-networkd
+  with_items:
+  - name: systemd-resolved
+    state: started
+    enabled: yes
+  - name: systemd-networkd
+    state: started
+    enabled: yes
+  - name: networking
+    enabled: no
+  service:
+    name: '{{ item.name }}'
+    state: '{{ item.state|default(omit) }}'
+    enabled: '{{ item.enabled }}'