{ lib, config, ... }:
with lib; let
  cfg = config.local.nspawn;
in
{
  options.local.nspawn.dmz.enable = mkEnableOption "DMZ services in a container";

  config.systemd.nspawn.dmz = mkIf cfg.dmz.enable {
    execConfig.PrivateUsers = true;
  };
}