Can I ask you both why you chose this route of creating a private network? As far as I can tell, by default systemd-nspawn will allow the container to use the host's interface. I would have thought that would be adequate for most use cases?
Paul
My first tests with nspawn/networkd, with a very minimal configuration (just one eth netctl profile), left me with a working network in the container, but as you said, the container was using the host interface (enp7s0 in my case). Thus, the same IP for both and no container network "isolation".
From SYSTEMD-NSPAWN(1):

    --private-network
        Disconnect networking of the container from the host. This makes all network interfaces unavailable in the container, with the exception of the loopback device and those specified with --network-interface= and configured with --network-veth.

That is exactly what I wanted. In my case, as the container is aimed at hosting various web apps with a static IP, I wanted to isolate the container network from the host one.
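As an added illustration of the setup described above (not configuration from the original post), the three unit files below express the same --private-network plus --network-veth arrangement persistently via systemd-nspawn's .nspawn file and systemd-networkd, giving the container a static IP on a veth pair. The container name "webapps", the interface name ve-webapps it produces, and the 10.20.30.0/24 addresses are assumed values chosen for the example.

```ini
# /etc/systemd/nspawn/webapps.nspawn  (host side; picked up by
# "machinectl start webapps" / systemd-nspawn@webapps.service)
[Network]
# Same effect as --private-network: the container gets its own network
# namespace; only lo is visible inside unless interfaces are added below.
Private=yes
# Same effect as --network-veth: a veth pair whose inner end is "host0"
# and whose outer end on the host is "ve-webapps" (ve-<machine name>).
VirtualEthernet=yes

# /var/lib/machines/webapps/etc/systemd/network/20-host0.network
# (inside the container; the number must sort before systemd's own
# 80-container-host0.network, which would otherwise configure host0 by DHCP)
[Match]
Name=host0
Virtualization=container

[Network]
# Static address for the web apps, independent of the host's enp7s0 address.
Address=10.20.30.2/24
Gateway=10.20.30.1
DNS=10.20.30.1

# /etc/systemd/network/20-ve-webapps.network  (host side; sorts before
# systemd's default 80-container-ve.network so this file wins)
[Match]
Name=ve-webapps
Driver=veth

[Network]
Address=10.20.30.1/24
# NAT the container's traffic out through the host; older systemd
# releases spell this IPMasquerade=yes instead of ipv4.
IPMasquerade=ipv4
IPForward=ipv4
```

Inside the running container, `ip -o link` should then list only lo and host0; the host's enp7s0 is not reachable as an interface from within the namespace.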