# NixOS module: baseline networking for lab machines in the "dmz" domain.
#
# Declares the `lab.networking` options and applies the shared settings:
# an nftables-backed firewall, the global DHCP default switched off,
# systemd-networkd switched on, and a DHCP profile for the main NIC chosen by
# `machine.isHypervisor` / `machine.isRaspberryPi`.
{ lib, config, machine, ... }:

let
  # Shorthand for this module's option values. Nothing in the visible part of
  # this module reads it.
  cfg = config.lab.networking;

  inherit (lib) mkOption optionalAttrs types;

  # networkd profile for hypervisors. "en*" is a glob, so every interface whose
  # name starts with "en" is matched and configured via DHCP (IPv4 and IPv6).
  # NOTE(review): on a host with several NICs this covers all of them; confirm
  # that each one is meant to take its address and routes from DHCP.
  hypervisorNic = {
    "30-main-nic" = {
      matchConfig.Name = "en*";
      networkConfig = {
        DHCP = "yes";
      };
    };
  };

  # networkd profile for Raspberry Pis: narrower "end*" match, DHCP plus
  # acceptance of IPv6 router advertisements.
  raspberryPiNic = {
    "30-main-nic" = {
      matchConfig.Name = "end*";
      networkConfig = {
        DHCP = "yes";
        IPv6AcceptRA = true;
      };
    };
  };
in
{
  # None of these options is consumed in this module; presumably other modules
  # read them. Verify against the consumers.
  options.lab.networking = {
    dmz = {
      allowConnectivity = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to allow networking on the DMZ bridge interface.
        '';
      };

      bridgeName = mkOption {
        type = types.str;
        default = "bridgedmz";
        description = ''
          The name of the DMZ bridge.
        '';
      };
    };

    staticNetworking = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether this machine has static networking configuration applied.
        Routing is prepopulated, but IP addresses have to be set.
      '';
    };

    # The two address options have no default, so a consumer that reads one
    # while it is unset fails at evaluation time. `types.str` accepts any
    # string; the address syntax is not validated here.
    staticIPv4 = mkOption {
      type = types.str;
      description = ''
        Static IPv4 address for the machine.
      '';
    };

    staticIPv6 = mkOption {
      type = types.str;
      description = ''
        Static IPv6 address for the machine.
      '';
    };
  };

  config = {
    networking = {
      domain = "dmz";

      # Global DHCP default off; the networkd profiles below request DHCP per
      # interface instead.
      useDHCP = false;

      # Firewall rules are rendered with nftables.
      nftables.enable = true;

      firewall = {
        enable = true;

        # Turns off the firewall's reverse-path filter, so packets are no
        # longer dropped for arriving on an interface that has no route back
        # to their source address (an anti-spoofing check).
        # NOTE(review): presumably required by the bridged DMZ setup; confirm,
        # and check whether "loose" would be sufficient.
        checkReversePath = false;
      };
    };

    systemd.network = {
      enable = true;

      # Both profiles use the key "30-main-nic"; `//` is right-biased, so if a
      # machine sets both flags the Raspberry Pi definition wins. With neither
      # flag set, no network unit is defined here.
      networks =
        optionalAttrs machine.isHypervisor hypervisorNic
        // optionalAttrs machine.isRaspberryPi raspberryPiNic;
    };
  };
}