First off, thank you for this wonderful guide. I successfully used it to guide me through setting up a dedicated VM on Debian, only had to ignore the netplan bits.
Just wanted to offer up one alternative solution for section 2.1 regarding Docker breaking the libvirt bridge. The solution provided absolutely does work, but I also had success with simply telling Docker that the bridge exists rather than forcing my own iptables rule into the service override.
You can do this by creating /etc/docker/daemon.json and simply adding the name of the bridge to the file.
{
"bridge": "br0"
}
Then a quick systemctl restart docker and Docker will itself acknowledge the bridge and permit the traffic.
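
An added example, not part of the comment above: on a host that already has an /etc/docker/daemon.json, the "bridge" key has to be merged into the existing object rather than overwriting the file. The helper name set_docker_bridge is hypothetical, and the "bip" check assumes dockerd's rule that a custom bridge and "bip" are mutually exclusive.

```python
import json
import os
import tempfile


def set_docker_bridge(path, bridge):
    """Merge {"bridge": bridge} into the daemon.json at `path`, keeping other keys."""
    config = {}
    if os.path.exists(path) and os.path.getsize(path) > 0:
        with open(path, encoding="utf-8") as fh:
            # Malformed JSON raises ValueError here, before anything is written;
            # dockerd would refuse to start on a broken daemon.json.
            config = json.load(fh)
        if not isinstance(config, dict):
            raise ValueError(f"{path}: top level must be a JSON object")
    # Assumption stated in the lead-in: "bridge" and "bip" cannot be combined.
    if "bip" in config:
        raise ValueError('"bip" is set; remove it before setting "bridge"')
    config["bridge"] = bridge

    # Write to a temp file in the same directory, then rename over the target,
    # so a crash never leaves a half-written config. mkstemp creates it 0600.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return config


if __name__ == "__main__":
    # Constructed sample: an existing config with an unrelated setting.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "daemon.json")
        with open(sample, "w", encoding="utf-8") as fh:
            json.dump({"log-driver": "journald"}, fh)
        print(set_docker_bridge(sample, "br0"))
```

Run it as root against the real path, then restart Docker as described in the comment.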