diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index 934fe2e..08342c1 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -39,6 +39,7 @@ nixosModule.lab = {
 disko.osDiskDevice = "/dev/sda";
 backups.enable = true;
+ networking.allowDMZConnectivity = true;
 dataDisk = {
 enable = true;
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index aba4311..dade716 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -6,5 +6,6 @@
 ./k3s
 ./disko.nix
 ./backups.nix
+ ./networking.nix
 ];
 }
diff --git a/nixos/modules/networking.nix b/nixos/modules/networking.nix
index 63f51a0..47dd296 100644
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/networking.nix
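Review bot: The added `networking.allowDMZConnectivity = true;` line is undocumented at the point where it matters most: per the new networking.nix in this same diff, the flag only toggles `DHCP = "yes"` on the `40-bridgedmz` network, while the `vlandmz` (VLAN 30) and `bridgedmz` netdevs are defined unconditionally on every host, so what this line actually does is give this machine an address on the DMZ segment and make it reachable from there, subject only to the global `networking.firewall.enable = true` (no interface-specific rules appear in this diff). The option description in networking.nix ("Whether to create a networking interface on the DMZ bridge") understates that, so a comment on this line would make the exposure explicit for the next reader, e.g. `# Host takes a DHCP lease on bridgedmz (VLAN 30): reachable from the DMZ, covered only by the host firewall.`. If the intent is a leaner DMZ footprint, the netdev definitions in networking.nix could be gated on the same flag, but that is a choice for that module rather than this host entry. The enclosing `nixosModule.lab` attribute set starts before and ends after this hunk.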
@@ -1,59 +1,72 @@ -{ - networking = { - domain = "hyp"; - firewall.enable = true; - useDHCP = false; +{ lib, config, ... }: +let cfg = config.lab.networking; +in { + options.lab.networking.allowDMZConnectivity = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Whether to create a networking interface on the DMZ bridge. + ''; }; - systemd.network = { - enable = true; - - netdevs = { - "20-vlandmz" = { - vlanConfig.Id = 30; - - netdevConfig = { - Kind = "vlan"; - Name = "vlandmz"; - }; - }; - - "20-bridgedmz" = { - netdevConfig = { - Kind = "bridge"; - Name = "bridgedmz"; - }; - }; + config = { + networking = { + domain = "hyp"; + firewall.enable = true; + useDHCP = false; }; - networks = { - "30-main-nic" = { - matchConfig.Name = "en*"; - vlan = [ "vlandmz" ]; + systemd.network = { + enable = true; - networkConfig = { - DHCP = "yes"; + netdevs = { + "20-vlandmz" = { + vlanConfig.Id = 30; + + netdevConfig = { + Kind = "vlan"; + Name = "vlandmz"; + }; + }; + + "20-bridgedmz" = { + netdevConfig = { + Kind = "bridge"; + Name = "bridgedmz"; + }; }; }; - "40-vlandmz" = { - matchConfig.Name = "vlandmz"; - linkConfig.RequiredForOnline = "enslaved"; + networks = { + "30-main-nic" = { + matchConfig.Name = "en*"; + vlan = [ "vlandmz" ]; - networkConfig = { - IPv6AcceptRA = false; - LinkLocalAddressing = "no"; - Bridge = "bridgedmz"; + networkConfig = { + DHCP = "yes"; + }; }; - }; - "40-bridgedmz" = { - matchConfig.Name = "bridgedmz"; - linkConfig.RequiredForOnline = "carrier"; + "40-vlandmz" = { + matchConfig.Name = "vlandmz"; + linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - IPv6AcceptRA = false; - LinkLocalAddressing = "no"; + networkConfig = { + IPv6AcceptRA = false; + LinkLocalAddressing = "no"; + Bridge = "bridgedmz"; + }; + }; + + "40-bridgedmz" = { + matchConfig.Name = "bridgedmz"; + linkConfig.RequiredForOnline = "carrier"; + + networkConfig = { + IPv6AcceptRA = false; + LinkLocalAddressing = "no"; + DHCP = lib.mkIf 
cfg.allowDMZConnectivity "yes"; + }; }; }; };