{pkgs, ...}: {
  project.name = "infrastructure";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  docker-compose.volumes = {
    traefik_letsencrypt = null;
    scrutiny_data = null;
    scrutiny_db = null;
  };

  services = {
    traefik.service = {
      image = "traefik:v3.0";
      container_name = "traefik";
      useHostStore = true;
      ports = [
        "80:80"
        "81:81"
        "443:443"
        "444:444"
        "8421:8080"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "traefik_letsencrypt:/letsencrypt"
        "/home/ghoscht/.docker/infrastructure/traefik_data:/etc/traefik"
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik.env"
      ];
      dns = ["1.1.1.1"];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    cloudflared.service = {
      image = "cloudflare/cloudflared:2024.2.1";
      container_name = "cloudflared";
      env_file = [
        "/home/ghoscht/.docker/infrastructure/cloudflared.env"
      ];
      restart = "always";
      dns = ["1.1.1.1"];
      command = "tunnel --no-autoupdate --protocol http2 run";
      networks = [
        "dmz"
      ];
    };
    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; #enables nvme support
      };
      volumes = [
        "/run/udev:/run/udev:ro"
        "scrutiny_data:/opt/scrutiny/config"
        "scrutiny_db:/opt/scrutiny/influxdb"
      ];
      devices = [
        "/dev/nvme0n1"
        "/dev/sda"
        "/dev/sdb"
        "/dev/sdc"
        "/dev/sdd"
        "/dev/sde"
        "/dev/sdf"
      ];
      networks = [
        "dmz"
      ];
    };
    dyndns.service = {
      image = "ghcr.io/cromefire/fritzbox-cloudflare-dyndns:1.2.1";
      container_name = "dyndns";
      restart = "always";
      ports = ["8888:8080"];
      dns = ["1.1.1.1"];
      environment = {
        CLOUDFLARE_ZONES_IPV4 = "ghoscht.com";
      };
      env_file = [
        "/home/ghoscht/.docker/infrastructure/dyndns.env"
      ];
    };
  };
}