# Hypervisor networking module.
#
# Addressing is handled by systemd-networkd. The physical NIC takes DHCP, and
# VLAN 30 is stacked on it and enslaved to a dedicated DMZ bridge. By default
# the host holds no L3 configuration on the VLAN port or the bridge: router
# advertisements and link-local addressing are both disabled there. The host
# only requests an address on the DMZ segment when
# `lab.networking.allowDMZConnectivity` is set.
{ lib, config, ... }:
let
  labNet = config.lab.networking;

  # Interface names and the VLAN tag are defined once, so the netdev
  # definitions and the .network match rules cannot drift apart.
  dmzVlanName = "vlandmz";
  dmzBridgeName = "bridgedmz";
  dmzVlanId = 30;

  # Shared by both DMZ links: accept no router advertisements and assign no
  # link-local address, which keeps the host addressless on the DMZ by default.
  noHostAddressing = {
    IPv6AcceptRA = false;
    LinkLocalAddressing = "no";
  };
in
{
  options.lab.networking.allowDMZConnectivity = lib.mkOption {
    type = lib.types.bool;
    # Off by default: enabling it gives the hypervisor itself an address on
    # the DMZ segment (see the "40-bridgedmz" network below).
    default = false;
    description = '' Whether to create a networking interface on the DMZ bridge. '';
  };

  config = {
    networking.domain = "hyp";
    networking.useDHCP = false; # per-link DHCP is configured through networkd below
    networking.firewall.enable = true;
    # NOTE(review): only `firewall.enable` is visible here. Frames switched
    # between ports of the DMZ bridge are presumably not filtered by the host
    # firewall unless bridge netfilter is set up elsewhere; confirm whether
    # that is intended.

    systemd.network.enable = true;

    systemd.network.netdevs = {
      "20-bridgedmz".netdevConfig = {
        Name = dmzBridgeName;
        Kind = "bridge";
      };

      "20-vlandmz" = {
        netdevConfig = {
          Name = dmzVlanName;
          Kind = "vlan";
        };
        vlanConfig.Id = dmzVlanId;
      };
    };

    systemd.network.networks = {
      # Uplink: DHCP on the untagged network, with the DMZ VLAN stacked on top.
      # NOTE(review): "en*" matches every interface whose name starts with
      # "en", so on a multi-NIC host the DMZ VLAN and DHCP apply to all of
      # them. Consider a narrower match if only one uplink should carry VLAN 30.
      "30-main-nic" = {
        matchConfig.Name = "en*";
        networkConfig.DHCP = "yes";
        vlan = [ dmzVlanName ];
      };

      # The VLAN interface is a plain bridge port with no addressing of its own.
      "40-vlandmz" = {
        matchConfig.Name = dmzVlanName;
        networkConfig = noHostAddressing // { Bridge = dmzBridgeName; };
        linkConfig.RequiredForOnline = "enslaved";
      };

      # The bridge stays addressless unless allowDMZConnectivity is set.
      # With mkIf false, the DHCP key is not defined at all.
      # NOTE(review): LinkLocalAddressing stays "no" even when DHCP is
      # enabled, so this presumably yields an IPv4 lease only; confirm that
      # is intended.
      "40-bridgedmz" = {
        matchConfig.Name = dmzBridgeName;
        networkConfig = noHostAddressing // {
          DHCP = lib.mkIf labNet.allowDMZConnectivity "yes";
        };
        linkConfig.RequiredForOnline = "carrier";
      };
    };
  };
}