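# Arion (docker-compose via Nix) definition of the "infrastructure" project:
# Traefik v3 as reverse proxy, Scrutiny (disk S.M.A.R.T. monitoring), a
# FRITZ!Box -> Cloudflare dynamic-DNS updater and Diun (image update
# notifications). Secrets are never inlined here; each service reads them
# from the *.env file referenced in its env_file list.
{pkgs, ...}: {
  project.name = "infrastructure";

  # "dmz" is created outside this project (external = true) and shared with
  # other compose projects -- e.g. whatever provides the "ntfy" host that
  # diun notifies below.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Named volumes. NOTE(review): none of these is referenced by a service in
  # this file -- every service uses host bind mounts -- so they are currently
  # unused declarations; drop them or switch the bind mounts over to them.
  docker-compose.volumes = {
    traefik_letsencrypt = null;
    scrutiny_data = null;
    scrutiny_db = null;
  };

  services = {
    traefik.service = {
      image = "traefik:v3.0";
      container_name = "traefik";
      useHostStore = true;
      ports = [
        "80:80"
        "81:81"
        "443:443"
        "444:444"
        # Container port 8080 is Traefik's API/dashboard. Publishing it here
        # exposes it on every host interface, in plain HTTP and bypassing the
        # TLS router defined in `labels` below. NOTE(review): whether this is
        # the unauthenticated API depends on `api.insecure` in traefik.yml
        # (not visible here); if it is, prefer "127.0.0.1:8421:8080" or drop
        # the mapping and reach the dashboard through the TLS router only.
        "8421:8080"
      ];
      labels = {
        "traefik.enable" = "true";
        # Dashboard router, served over TLS on the `websecure` entrypoint.
        # NOTE(review): no authentication middleware (basicauth / forwardauth)
        # is attached to this router, so the dashboard and API are reachable
        # by anyone who can resolve traefik.ghoscht.com -- confirm intended.
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.ghoscht.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "websecure";
        "traefik.http.services.dashboard.loadbalancer.server.port" = "8080";
        "traefik.http.routers.dashboard.tls" = "true";
        "traefik.http.routers.dashboard.tls.certresolver" = "letsencrypt";

        # Wildcard certificate for the whole zone; a "*.ghoscht.com" SAN can
        # only be issued via the DNS-01 challenge, so the `letsencrypt`
        # resolver in traefik.yml presumably holds DNS-provider credentials
        # (likely supplied through traefik.env below).
        "traefik.http.routers.dashboard.tls.domains[0].main" = "ghoscht.com";
        "traefik.http.routers.dashboard.tls.domains[0].sans" = "*.ghoscht.com";

        # Middlewares defined here but not attached to any router in this
        # file; they only take effect once referenced via
        # `traefik.http.routers.<name>.middlewares`.
        "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme" = "https";
        "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto" = "https";
      };
      volumes = [
        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
        # ACME account key + issued certificates; must stay writable. Traefik
        # expects this file to be mode 0600 on the host.
        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
        # Docker socket for the docker provider. ":ro" only makes the socket
        # inode read-only; the Docker API reached through it remains fully
        # privileged (root-equivalent on the host). A filtering socket proxy
        # is the only way to actually restrict it.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      env_file = [
        "/home/ghoscht/.docker/infrastructure/traefik.env"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    scrutiny.service = {
      image = "ghcr.io/analogj/scrutiny:v0.8.0-omnibus";
      container_name = "scrutiny";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.scrutiny.entrypoints" = "websecure";
        # NOTE(review): like the dashboard router, this has no auth
        # middleware; the Scrutiny UI is exposed to anyone reaching the host.
        "traefik.http.routers.scrutiny.rule" = "Host(`scrutiny.ghoscht.com`)";
        "traefik.http.services.scrutiny.loadbalancer.server.port" = "8080";
        "traefik.http.routers.scrutiny.tls" = "true";
        "traefik.http.routers.scrutiny.tls.certresolver" = "letsencrypt";
      };
      # Raw block-device access is required for smartctl; SYS_ADMIN is a very
      # broad capability and, combined with the device list below, makes this
      # container effectively trusted with the host's disks.
      capabilities = {
        SYS_RAWIO = true;
        SYS_ADMIN = true; # enables NVMe support
      };
      volumes = [
        "/run/udev:/run/udev:ro"
        "/storage/dataset/docker/infrastructure/scrutiny_data:/opt/scrutiny/config"
        "/storage/dataset/docker/infrastructure/scrutiny_influxdb_data:/opt/scrutiny/influxdb"
      ];
      # Host disks passed through for S.M.A.R.T. collection; extend this list
      # when a drive is added, since unlisted devices are not monitored.
      devices = [
        "/dev/nvme0"
        "/dev/sda"
        "/dev/sdb"
        "/dev/sdc"
        "/dev/sdd"
        "/dev/sde"
        "/dev/sdf"
      ];
      networks = [
        "dmz"
      ];
    };
    dyndns.service = {
      image = "ghcr.io/cromefire/fritzbox-cloudflare-dyndns:1.2.1";
      container_name = "dyndns";
      restart = "always";
      # No `networks` entry, so this service lands on the project's default
      # network rather than "dmz". The port is published on all host
      # interfaces; NOTE(review): if only the FRITZ!Box on the LAN needs to
      # reach it, binding to that interface's address would narrow exposure.
      ports = ["8888:8080"];
      environment = {
        CLOUDFLARE_ZONES_IPV4 = "ghoscht.com";
      };
      # Cloudflare API token and FRITZ!Box settings live in this file.
      env_file = [
        "/home/ghoscht/.docker/infrastructure/dyndns.env"
      ];
    };
    diun.service = {
      image = "crazymax/diun:4.28";
      container_name = "diun";
      restart = "always";
      command = "serve";
      volumes = [
        "/storage/dataset/docker/infrastructure/diun_data:/data"
        # Mounted ":ro" for consistency with the traefik service; Diun only
        # reads container/image metadata through the docker provider. As
        # with traefik, ":ro" does not limit what the Docker API can do.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
      ];
      environment = {
        TZ = "Europe/Berlin";
        LOG_LEVEL = "info";
        # Sorted notification output is only observable with workers = 1;
        # with 20 workers the checks run concurrently and arrive unordered.
        DIUN_WATCH_WORKERS = "20";
        DIUN_WATCH_SCHEDULE = "0 */6 * * *";
        DIUN_WATCH_JITTER = "30s";
        DIUN_WATCH_RUNONSTARTUP = "true";
        DIUN_PROVIDERS_DOCKER = "true";

        DIUN_DEFAULTS_MAXTAGS = 1;
        DIUN_DEFAULTS_NOTIFYON = "new";

        # Plain-HTTP endpoint resolved over the "dmz" network; the "ntfy"
        # service is defined outside this file.
        DIUN_NOTIF_NTFY_ENDPOINT = "http://ntfy";
        DIUN_NOTIF_NTFY_TOPIC = "docker-updates";
      };
      env_file = [
        "/home/ghoscht/.docker/infrastructure/diun.env"
      ];
      networks = [
        "dmz"
      ];
    };
  };
}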