# NixOS module: "dmz" host preset.
#
# Declares `local.preset.dmz.{enable,container}` and, when enabled, sets a
# bundle of `local.*`, `services.resolved` and `users` values. The `local.*`
# options are declared in other modules; comments on them below describe only
# what this file assigns, not what those modules do with the values.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkDefault mkEnableOption mkIf mkOption types;

  preset = config.local.preset.dmz;

  # Several boot defaults are the exact inverse of the container flag.
  notContainer = !preset.container;
in
{
  options.local.preset.dmz = {
    enable = mkEnableOption "dmz preset";

    # When true: EFI and the LUKS/ext4/fscrypt/impermanence stack default to
    # off, `local.boot.namespaced` is switched on, and the password-login
    # assertion is relaxed (see `users` below).
    container = mkOption {
      type = types.bool;
      default = false;
    };
  };

  config = mkIf preset.enable {
    # --- Boot -------------------------------------------------------------
    # mkDefault values are low priority, so a host module can override them
    # without mkForce.
    local.boot.kernel = mkDefault pkgs.linuxPackages_hardened;
    local.boot.loader = mkDefault "grub";
    local.boot.efi.enable = mkDefault notContainer;
    local.boot.firmware.mode = mkDefault "none";
    # Not wrapped in mkDefault: always tracks the container flag.
    local.boot.namespaced.enable = preset.container;
    # Disk-encryption stack defaults to on for non-container hosts only.
    # NOTE(review): a host that overrides this to false loses whatever
    # at-rest protection the stack provides; confirm that is intended
    # wherever it is overridden.
    local.boot.stack.luksExt4FscryptImpermanence.enable = mkDefault notContainer;

    # --- Mail and PKI -----------------------------------------------------
    local.mta.enable = mkDefault true;
    # Assigned at normal priority (no mkDefault), unlike `enable` above.
    local.mta.mode = "primary";
    # Defaults to whatever the MTA toggle resolves to, so turning the MTA
    # off also turns this job off unless a host sets it explicitly.
    local.jobs.pkiExpiry.enable = mkDefault config.local.mta.enable;

    # --- Network and web --------------------------------------------------
    # All assigned at normal priority: the preset pins these rather than
    # offering them as defaults.
    local.net.enable = true;
    local.net.hostname = "dmz";
    local.net.fail2ban.enable = true;
    local.web.sites.portal.enable = true;

    # --- Name resolution --------------------------------------------------
    services.resolved = {
      # systemd-resolved takes the string "false" here. With LLMNR off the
      # host neither answers nor relies on link-local multicast name
      # queries, which removes one name-spoofing surface on the segment.
      llmnr = "false";
      # Empty list drops the built-in systemd-resolved fallback servers, so
      # only explicitly configured resolvers are ever contacted.
      fallbackDns = [ ];
    };

    # --- Users ------------------------------------------------------------
    users = {
      # Accounts come only from the NixOS configuration; runtime changes via
      # passwd/useradd do not persist.
      mutableUsers = false;
      # With immutable users NixOS normally asserts that root or a wheel
      # user can log in with a password or SSH key. This disables that
      # assertion, and only when the container flag is set.
      # NOTE(review): confirm container deployments have another
      # administrative access path, since the build will no longer catch a
      # configuration with no usable login.
      allowNoPasswordLogin = preset.container;
    };
  };
}