# lab.networking: host-side networking for a lab hypervisor that sits on the
# LAN and has a VLAN-backed bridge onto the DMZ segment.
#
# Layout built below (all via systemd-networkd):
#   en*  ──(DHCP)──► LAN
#    └── vlandmz (802.1Q id 30) ──enslaved──► bridgedmz
#                                              └── host address only when
#                                                  allowDMZConnectivity /
#                                                  staticDMZIpv4Address is set
{ lib, config, ... }:

let
  inherit (lib) mkIf mkOption types;

  net = config.lab.networking;

  # A required (no default) free-form address string. Nothing in this module
  # validates or consumes these four values; they exist for other modules
  # (e.g. ./dmz) to read.
  addressOption = text: mkOption {
    type = types.str;
    description = text;
  };
in
{
  imports = [ ./dmz ];

  options = {
    lab.networking = {
      allowDMZConnectivity = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to create a networking interface on the DMZ bridge.
        '';
      };

      # Empty string means "no static address"; the `!= ""` test in config
      # below is what turns it off. NOTE(review): systemd Address= is
      # presumably expected in CIDR form (address/prefix) — confirm with
      # the callers that set this.
      staticDMZIpv4Address = mkOption {
        type = types.str;
        default = "";
        description = ''
          Assign a static IPv4 on the DMZ interface.
        '';
      };

      publicIPv4 = addressOption ''
        Public IPv4 address of our home.
      '';

      dockerSwarmInternalIPv4 = addressOption ''
        Internal IPv4 address of the Docker Swarm.
      '';

      dmzRouterIPv4 = addressOption ''
        The router's IPv4 address on the DMZ network.
      '';

      dmzDHCPIPv4 = addressOption ''
        The IPv4 address of the DHCP server on the DMZ network.
      '';
    };
  };

  config = {
    networking = {
      domain = "hyp";

      # TODO: Enabling the firewall makes connectivity of LAN -> DMZ impossible...
      #
      # SECURITY: with the NixOS firewall off there is no INPUT filtering at
      # all on this host — not on the LAN NIC, and not on bridgedmz once
      # allowDMZConnectivity gives the host an address there. Every listening
      # service on the hypervisor is then reachable from the DMZ segment,
      # which by design hosts the less-trusted workloads.
      #
      # NOTE(review): the LAN -> DMZ breakage is plausibly the firewall's
      # reverse-path filter (networking.firewall.checkReversePath, strict by
      # default) dropping bridged frames whose source is routed via en* once
      # br_netfilter is loaded (Docker loads it). Worth trying
      # `firewall.enable = true; firewall.checkReversePath = "loose";`
      # before leaving the whole firewall disabled — TODO confirm.
      firewall.enable = false;

      # Scripted networking must not also run DHCP; networkd does it below.
      useDHCP = false;
    };

    systemd.network = {
      enable = true;

      netdevs = {
        # 802.1Q sub-interface carrying the DMZ VLAN (id 30) off the LAN NIC.
        "20-vlandmz" = {
          netdevConfig = {
            Kind = "vlan";
            Name = "vlandmz";
          };
          vlanConfig.Id = 30;
        };

        # Bridge that VMs/containers attach to in order to reach the DMZ.
        "20-bridgedmz" = {
          netdevConfig = {
            Kind = "bridge";
            Name = "bridgedmz";
            # TODO: This does not seem to work? Unsure what the problem is.
            # We don't necessary need this though: we simply use DNS as the host.
            # MACAddress = lib.mkIf cfg.allowDMZConnectivity "CA:FE:C0:FF:EE:0A";
            # MACAddress = "ca:fe:c0:ff:ee:0a";
          };
        };
      };

      networks = {
        # Physical uplink: DHCP (v4 and v6) on the LAN, and parent of vlandmz.
        "30-main-nic" = {
          matchConfig.Name = "en*";
          vlan = [ "vlandmz" ];
          networkConfig.DHCP = "yes";
        };

        # The VLAN leg is purely a bridge port: no addressing of any kind,
        # no router advertisements, and it counts as "online" once enslaved.
        "40-vlandmz" = {
          matchConfig.Name = "vlandmz";
          linkConfig.RequiredForOnline = "enslaved";
          networkConfig = {
            Bridge = "bridgedmz";
            IPv6AcceptRA = false;
            LinkLocalAddressing = "no";
          };
        };

        # The bridge itself gets a host address only on request. No IPv6 RA
        # and no link-local address, so the host is not reachable from the
        # DMZ unless one of the two options below is set. Both can be active
        # at once: a DHCP lease and the static address are independent.
        "40-bridgedmz" = {
          matchConfig.Name = "bridgedmz";
          linkConfig.RequiredForOnline = "carrier";
          networkConfig = {
            IPv6AcceptRA = false;
            LinkLocalAddressing = "no";
            DHCP = mkIf net.allowDMZConnectivity "yes";
            Address = mkIf (net.staticDMZIpv4Address != "") net.staticDMZIpv4Address;
          };
        };
      };
    };
  };
}