{
  inputs,
  pkgs,
  config,
  ...
}: {
  imports = [inputs.arion.nixosModules.arion];

  environment.systemPackages = with pkgs; [arion];

  networking.firewall = {
    allowedUDPPorts = [137 138];
    allowedTCPPorts = [139 445];
  };

  virtualisation.arion = {
    backend = "docker";
    projects = {
      infrastructure.settings = {
        imports = [./infrastructure/arion-compose.nix];
      };
      dns.settings = {
        imports = [./dns/arion-compose.nix];
      };
      push.settings = {
        imports = [./push/arion-compose.nix];
      };
      nas.settings = {
        imports = [./nas/arion-compose.nix];
      };
    };
  };

  systemd.services.init-dmz-bridge-network = {
    description = "Create the network bridge dmz for the Docker stack.";
    after = ["network.target"];
    wantedBy = ["multi-user.target"];

    serviceConfig.Type = "oneshot";
    script = let
      dockercli = "${config.virtualisation.docker.package}/bin/docker";
    in ''
      # Put a true at the end to prevent getting non-zero return code, which will
      # crash the whole service.
      check=$(${dockercli} network ls | grep "dmz" || true)
      if [ -z "$check" ]; then
        ${dockercli} network create dmz
      else
        echo "dmz already exists in docker"
      fi
    '';
  };
}