diff --git a/containers/data-access/config.nix b/containers/data-access/config.nix
new file mode 100644
index 00000000..f98849e6
--- /dev/null
+++ b/containers/data-access/config.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }: {
+
+ imports = [
+ ./config.secret.nix
+ ];
+
+ users.users.data = {
+ isNormalUser = true;
+ home = "/home/data";
+ description = "Data Access";
+ uid = 1000;
+ group = "users";
+ };
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ hostKeys = [
+ { bits = 4096; path = "/var/secrets/ssh_host_rsa_key"; type = "rsa"; }
+ { path = "/var/secrets/ssh_host_ed25519_key"; type = "ed25519"; }
+ ];
+ };
+}
diff --git a/containers/data-access/config.secret.nix b/containers/data-access/config.secret.nix
new file mode 100644
index 00000000..c3261cfe
Binary files /dev/null and b/containers/data-access/config.secret.nix differ
diff --git a/containers/data-access/default.nix b/containers/data-access/default.nix
new file mode 100644
index 00000000..49288bd5
--- /dev/null
+++ b/containers/data-access/default.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+{
+ imports = [ ./secret.nix ];
+
+ config = {
+ chvp.hasContainers = true;
+
+ containers.data-access = {
+ ephemeral = true;
+ autoStart = true;
+ bindMounts = {
+ "/home/data/data" = {
+ hostPath = "/srv/data";
+ isReadOnly = false;
+ };
+ "/var/secrets" = {
+ hostPath = "${config.chvp.dataPrefix}/var/secrets/data-access";
+ isReadOnly = true;
+ };
+ };
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ hostAddress6 = "fc00::1";
+ localAddress = "192.168.100.11";
+ localAddress6 = "fc00::2";
+ config = import ./config.nix;
+ };
+ };
+}
diff --git a/containers/data-access/secret.nix b/containers/data-access/secret.nix
new file mode 100644
index 00000000..b305e899
Binary files /dev/null and b/containers/data-access/secret.nix differ
diff --git a/flake.lock b/flake.lock
index 830a1413..1b4d87ff 100644
--- a/flake.lock
+++ b/flake.lock
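Review bot: `passwordAuthentication = false;` in the `services.openssh` block of config.nix does not by itself rule out password logins: unless the targeted NixOS release defaults differ, `services.openssh.challengeResponseAuthentication` stays true and sshd runs with PAM, so a keyboard-interactive prompt can still accept the `data` user's password. Add `challengeResponseAuthentication = false;` next to `permitRootLogin = "no";` so the container accepts public keys only. No `openssh.authorizedKeys` appears for `users.users.data` in this hunk; presumably it comes from `./config.secret.nix`, which the diff carries as a binary blob, so that cannot be confirmed here. The `pkgs` argument is accepted but never used; `{ ... }: {` would do.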
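Review bot: With `privateNetwork = true;` the container's sshd listens only on `localAddress = "192.168.100.11"` / `localAddress6 = "fc00::2"`, and default.nix defines no `forwardPorts`, so the service configured in config.nix is reachable from the host alone unless a port forward or firewall rule lives elsewhere (the host's secret.nix is binary in this diff and cannot be checked). If external access is intended, `forwardPorts = [ { containerPort = 22; hostPort = <host-port>; protocol = "tcp"; } ];` makes that explicit; if host-only access is the intent, a one-line comment saying so would save the next reader the same question. The split of a read-only `/var/secrets` and a writable `/home/data/data` fits an `ephemeral = true` container, but everything else under `/home/data` is discarded on every restart — worth a comment if that is deliberate.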
@@ -23,11 +23,11 @@
 ]
 },
 "locked": {
- "lastModified": 1608506894,
- "narHash": "sha256-G2TNqzJunVXcC2sQEvtLOUs5QpI6f2y4Ben//HLQkh8=",
+ "lastModified": 1608593447,
+ "narHash": "sha256-kPpoSldJMLKS8hdhxj4rnsRZb4f8ZzaiQFjYTuZm4mU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "2b1892e646f2e48591c53b3293622720e1a3bdca",
+ "rev": "2901044520fbed466eea8b91df55183297eacd47",
 "type": "github"
 },
 "original": {
diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix
index 3cec9883..161606e5 100644
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware.nix
 ./secret.nix
+ ../../containers/data-access
 ];
 
 time.timeZone = "Europe/Berlin";
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix
index 34a34a43..2d6da5f4 100644
Binary files a/machines/urithiru/secret.nix and b/machines/urithiru/secret.nix differ
diff --git a/modules/default.nix b/modules/default.nix
index c2d03c6e..eab0ffbf 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -40,6 +40,11 @@
 default = false;
 example = true;
 };
+
+ hasContainers = lib.mkOption {
+ default = false;
+ example = true;
+ };
 };
 
 config = {
@@ -61,6 +66,11 @@
 ripgrep
 ];
 
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
 i18n = {
 defaultLocale = "en_IE.UTF-8";
 extraLocaleSettings = {
@@ -68,9 +78,11 @@
 };
 };
 
- console = {
- font = "Lat2-Terminus16";
- keyMap = "us";
+ networking.nat = lib.mkIf config.chvp.hasContainers {
+ enable = true;
+ enableIPv6 = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "eno3";
 };
 
 users = {
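Review bot: `externalInterface = "eno3";` in the last hunk of modules/default.nix bakes one machine's NIC name into a shared module, so any host that sets `chvp.hasContainers = true` will NAT container traffic out an interface it may not have. Move the interface name into an option declared alongside `hasContainers` and reference it from `networking.nat`; a default of `"eno3"` keeps urithiru's behaviour unchanged. The `hasContainers` option in the first hunk also omits `type = lib.types.bool;` and a `description`, which matches the neighbouring options' style but leaves the module system unable to reject a non-boolean value. The enclosing `options` and `config` attribute sets begin and end outside these hunks.
```nix
# … unchanged: other chvp options …
containerExternalInterface = lib.mkOption {
  type = lib.types.str;
  default = "eno3";
  description = "Host interface that NATs traffic from the ve-* container interfaces.";
};
# … unchanged: config = { … console, i18n … } …
networking.nat = lib.mkIf config.chvp.hasContainers {
  enable = true;
  enableIPv6 = true;
  internalInterfaces = [ "ve-+" ];
  externalInterface = config.chvp.containerExternalInterface;
};
```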