nix-configs/instances/nemesis/configuration.nix

# Host configuration for `nemesis`. On top of the base presets it runs the
# previous `ds9` system (built from the `oldConf` flake input) as a declarative
# NixOS container and, going by the option names of the project-local
# `xyno.services.traefik` module, proxies `*.hailsatan.eu` to that container.
{ config, pkgs, lib, inputs, ... }:
{
  nixpkgs.system = "x86_64-linux";
  time.timeZone = "Europe/Berlin";
  system.stateVersion = "25.11";

  imports = [
    ./hardware-configuration.nix
    # Service modules that are currently switched off:
    # ./services/attic.nix
    # ./services/immich.nix
    # ./services/jellyfin.nix
    # ./services/paperless.nix
    # ./services/ytdl-sub.nix
  ];

  networking = {
    hostId = "7b4c2932";

    # Outbound NAT for the container veth links. "ve-+" is a wildcard, so every
    # container interface named ve-* is masqueraded, not only the one for ds9.
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp1s0f1"; # TODO: changeme
    };
  };

  containers.ds9 = {
    autoStart = true;

    # Root filesystem of the container is the complete old ds9 system closure.
    path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;

    # Own network namespace, reachable from the host over a point-to-point link.
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    enableTun = true;

    # SECURITY: this capability set leaves very little isolation between the
    # container and the host. CAP_SYS_ADMIN alone is close to unrestricted
    # root, and CAP_MKNOD, CAP_BPF and CAP_DAC_READ_SEARCH widen that further.
    # Treat root inside ds9 as equivalent to root on nemesis.
    # NOTE(review): confirm which capabilities the migrated services actually
    # need and drop the rest; enableTun is documented to grant NET_ADMIN
    # already, so the explicit CAP_NET_ADMIN entry may be redundant - verify.
    additionalCapabilities = [
      "CAP_NET_ADMIN"
      "CAP_MKNOD"
      "CAP_BPF"
      "CAP_DAC_READ_SEARCH"
      "CAP_SYS_RESOURCE"
      "CAP_SYS_ADMIN"
    ];

    # SECURITY: all three host paths are writable from inside the container,
    # so a compromise of any service in ds9 can alter or delete the host's
    # /backup as well as the live data.
    # NOTE(review): consider isReadOnly = true for anything the container only
    # reads, and keep a copy of the backups that ds9 cannot reach.
    bindMounts = {
      "/data" = { hostPath = "/data"; isReadOnly = false; };
      "/backup" = { hostPath = "/backup"; isReadOnly = false; };
      "/persistent" = { hostPath = "/oldds9/persistent"; isReadOnly = false; };
    };
  };

  xyno = {
    presets = {
      cli.enable = true;
      server.enable = true;
      home-manager.enable = true;
    };
    system.user.enable = true;
    networking.networkd.enable = true;

    # NOTE(review): the module behind these options is not shown here.
    # Presumably every hostname under the wildcard is forwarded to the
    # container over plain HTTP on the private link - confirm that TLS
    # termination and any access control happen in Traefik or inside ds9,
    # since the authentik service below is disabled.
    services.traefik = {
      enable = true;
      simpleProxy.oldds9 = {
        host = "*.hailsatan.eu";
        internal = "http://192.168.100.11";
      };
    };

    # Currently disabled:
    # services.wireguard.enable = true;
    # services.caddy.enable = true;
    # services.monitoring.enable = true;
    # services.authentik.enable = true;
  };
}