diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index adf2e1a..952e741 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -16,6 +16,7 @@
 ./services/docker.nix
 ./services/gitlab-runner.nix
 ./services/lantifa.nix
+ ./services/hasenloch.nix
 ./services/syncthing.nix
 ./services/monitoring.nix
 ];
diff --git a/hosts/hainich/services/hasenloch.nix b/hosts/hainich/services/hasenloch.nix
new file mode 100644
index 0000000..a2d4c21
--- /dev/null
+++ b/hosts/hainich/services/hasenloch.nix
@@ -0,0 +1,81 @@
+{ pkgs, config, ...}:
+
+{
+ containers.hasenloch = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.5";
+ localAddress = "192.168.100.7";
+
+ config = { pkgs, config2, ...}: {
+ services.engelsystem = {
+ enable = true;
+ domain = "himmel.hacc.earth";
+
+ config = {
+ url = "https://himmel.hacc.earth";
+ trusted_proxies = [ "${config.containers.hasenloch.hostAddress}/31" ];
+ rewrite_urls = true;
+
+ app_name = "Hasenloch";
+
+ footer_items = {
+ FAQ = "TODO";
+ Contact = "TODO";
+ };
+
+ signup_requires_arrival = true;
+ enable_dect = false;
+
+ theme = 10;
+
+ database = {
+ database = "engelsystem";
+ host = "localhost";
+ username = "engelsystem";
+ };
+
+
+ email = {
+ driver = "smtp";
+ encryption = "tls";
+ from = {
+ address = "noreply@infra4future.de";
+ name = "divoc Hasenloch";
+ };
+ host = "mail.hacc.space";
+ password = {
+ _secret = "/var/keys/engelsystem/mail";
+ };
+ port = 587;
+ username = "noreply@infra4future.de";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.enable = false;
+ services.coredns = {
+ enable = true;
+ config = ''
+ .:53 {
+ forward . 1.1.1.1
+ }
+ '';
+ };
+ };
+ };
+
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts."himmel.hacc.earth" = {
+ locations."/".proxyPass = "http://" + config.containers.hasenloch.localAddress;
+ forceSSL = true;
+ enableACME = true;
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-hasenloch"];
+ networking.nat.externalInterface = "enp6s0";
+
+}
+
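Review bot: `networking.firewall.enable = false;` inside the container's `config` makes the preceding `networking.firewall.allowedTCPPorts = [ 80 ];` a no-op, so every listener in the container is reachable on 192.168.100.7 instead of only the web port that the host's nginx proxies to. That includes the CoreDNS forwarder on `.:53` and anything else the engelsystem module starts. I would delete the `enable = false` line and keep the firewall on with port 80 open; nothing visible in this file needs port 53 reachable from outside the container, though that should be confirmed. Separately, `trusted_proxies` uses `/31`, which also trusts 192.168.100.4; `"${config.containers.hasenloch.hostAddress}/32"` would limit forwarded-header trust to the host's nginx alone. The mail `_secret` path `/var/keys/engelsystem/mail` is resolved inside the container and no bind mount for it appears in this file, so it is worth a comment saying how that file is provisioned and with which permissions.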