{ lib, config, ... }:
let
  inherit (lib) mkOption mkIf types;

  cfg = config.lab.networking;

  # Required string option: no default, so the host's configuration must set it.
  mkAddrOption = description: mkOption {
    type = types.str;
    inherit description;
  };

  # Optional string option; the empty string is the "not set" sentinel that the
  # DMZ bridge network below tests against.
  mkOptionalAddrOption = description: mkOption {
    default = "";
    type = types.str;
    inherit description;
  };

  hasStaticDMZv4 = cfg.staticDMZIPv4Address != "";
in
{
  imports = [ ./dmz ];

  options.lab.networking = {
    allowDMZConnectivity = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Whether to allow networking on the DMZ bridge interface.
      '';
    };

    staticDMZIPv4Address = mkOptionalAddrOption ''
      Assign a static IPv4 address on the DMZ interface.
    '';

    staticDMZIPv6Address = mkOptionalAddrOption ''
      Assign a static IPv6 address on the DMZ interface.
    '';

    # The following addresses are declared here but not referenced by this file;
    # presumably consumed by ./dmz or other modules — verify before removing.
    publicIPv4 = mkAddrOption ''
      Public IPv4 address of our home.
    '';

    dockerSwarmInternalIPv4 = mkAddrOption ''
      Internal IPv4 address of the Docker Swarm.
    '';

    dockerSwarmIPv6 = mkAddrOption ''
      Globally routable IPv6 address of the Docker Swarm.
    '';

    dmzRouterIPv4 = mkAddrOption ''
      The router's IPv4 address on the DMZ network.
    '';

    dmzServicesIPv4 = mkAddrOption ''
      The IPv4 address of the interface serving DHCP and DNS on the DMZ network.
    '';

    dmzServicesIPv6 = mkAddrOption ''
      The IPv6 address of the interface serving DHCP and DNS on the DMZ network.
    '';

    dmzBridgeName = mkOption {
      default = "bridgedmz";
      type = types.str;
      description = ''
        The name of the DMZ bridge.
      '';
    };

    mainNicNamePattern = mkOption {
      default = "en*";
      type = types.str;
      description = ''
        Pattern to match the name of this machine's main NIC.
      '';
    };
  };

  config = {
    networking = {
      domain = "hyp";
      firewall = {
        enable = true;
        # NOTE(review): this disables the firewall's reverse-path (rp_filter)
        # check, so packets arriving with a source address that is not routable
        # back over the ingress interface are no longer dropped by that check.
        # Presumably required by the VLAN/bridge layout below — confirm.
        checkReversePath = false;
      };
      nftables.enable = true;
      # Addressing is configured per interface by systemd-networkd below.
      useDHCP = false;
    };

    systemd.network = {
      enable = true;

      netdevs = {
        # Tagged DMZ VLAN on the main NIC.
        "20-vlandmz" = {
          vlanConfig.Id = 30;
          netdevConfig = {
            Kind = "vlan";
            Name = "vlandmz";
          };
        };
        # Bridge that the DMZ VLAN is enslaved to.
        "20-bridgedmz" = {
          netdevConfig = {
            Kind = "bridge";
            Name = cfg.dmzBridgeName;
          };
        };
      };

      networks = {
        "30-main-nic" = {
          matchConfig.Name = cfg.mainNicNamePattern;
          vlan = [ "vlandmz" ];
          networkConfig.DHCP = "yes";
        };

        "40-vlandmz" = {
          matchConfig.Name = "vlandmz";
          linkConfig.RequiredForOnline = "enslaved";
          # The VLAN link itself carries no addresses; it only feeds the bridge.
          networkConfig = {
            IPv6AcceptRA = false;
            LinkLocalAddressing = "no";
            Bridge = cfg.dmzBridgeName;
          };
        };

        "40-bridgedmz" = {
          matchConfig.Name = cfg.dmzBridgeName;
          linkConfig.RequiredForOnline = "carrier";
          networkConfig = {
            # With allowDMZConnectivity = false the bridge still exists but the
            # host processes no router advertisements, gets no link-local
            # address and runs no DHCP client on it. When it is true, the host
            # accepts RAs and (absent a static IPv4) DHCP leases from the DMZ
            # segment, so routes and DNS settings can be learned from there.
            IPv6AcceptRA = cfg.allowDMZConnectivity;
            LinkLocalAddressing = if cfg.allowDMZConnectivity then "ipv6" else "no";
            DHCP = mkIf (cfg.allowDMZConnectivity && !hasStaticDMZv4) "yes";
            # Static addresses are applied whenever set, independently of
            # allowDMZConnectivity; unset ("") entries are dropped.
            Address = lib.filter (addr: addr != "") [
              cfg.staticDMZIPv4Address
              cfg.staticDMZIPv6Address
            ];
          };
        };
      };
    };
  };
}