{ lib, config, ... }@inputs:

let
  inherit (lib) mkIf mkOption types;

  # Short-hand for this module's own option subtree.
  cfg = config.lab.networking.dmz.services;
in
{
  # Single on/off switch for the DMZ DNS/DHCP role; everything under `config`
  # below is only applied when it is set.
  options.lab.networking.dmz.services.enable = mkOption {
    default = false;
    type = types.bool;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = mkIf cfg.enable {
    # TODO Remove this; make this explicit in the machine config.
    lab.networking.dmz.allowConnectivity = true;

    # TODO: listen only on dmz interface, make this portable between physical and VM.
    # NOTE(review): the top-level allowed*Ports lists open these ports on every
    # interface of the host, not only the DMZ one. NixOS also offers
    # networking.firewall.interfaces.<name>.allowedTCPPorts / allowedUDPPorts,
    # which would scope them once the DMZ interface name is available here.
    # 53 is DNS and 67 is the DHCP server port; 5353 is presumably mDNS, and the
    # TCP 5353 entry is only useful if dnsmasq.nix actually binds a listener
    # there - verify against that file.
    networking.firewall = {
      allowedTCPPorts = [ 53 5353 ];
      allowedUDPPorts = [ 53 67 5353 ];
    };

    # The dnsmasq configuration lives in ./dnsmasq.nix and is handed this
    # module's full argument set so it can read the same `config`/`lib`.
    services.dnsmasq = {
      enable = true;
      settings = import ./dnsmasq.nix inputs;
    };
  };
}