feat: add env to fix in game resolution problems

flake.nix

@@ -42,6 +42,7 @@
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    hyprland.url = "github:hyprwm/Hyprland";
     impermanence.url = "github:nix-community/impermanence";
     lix = {
       url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
@@ -52,6 +53,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.lix.follows = "lix";
     };
+    lsfg-vk = {
+      url = "github:pabloaul/lsfg-vk-flake/main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nix-index-database = {
       url = "github:nix-community/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -60,6 +65,7 @@
       url = "github:nix-community/nix-vscode-extensions";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    prismlauncher.url = "github:AtaraxiaSjel/PrismLauncher";
     quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
     sops-nix = {
       url = "github:Mic92/sops-nix";
@@ -249,7 +255,7 @@
                   hostname = "10.10.10.101";
                 };
                 redshift = {
-                  hostname = "104.164.54.197";
+                  hostname = "217.147.15.227";
                   fastConnection = false;
                   sshOpts = [
                     "-p"

hosts/andromedae/default.nix

@@ -8,13 +8,16 @@
 let
   inherit (lib) mkForce;
   defaultUser = config.ataraxia.defaults.users.defaultUser;
+  hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
 in
 {
   imports = [
     ./hardware-configuration.nix
     ./boot.nix
+    ./samba.nix
 
     inputs.catppuccin.nixosModules.catppuccin
+    inputs.lsfg-vk.nixosModules.default
   ];
   catppuccin.enable = true;
   catppuccin.accent = "mauve";
@@ -67,17 +70,19 @@ in
     ataraxia.defaults.role = "desktop";
     ataraxia.programs.lutris.enable = true;
     ataraxia.programs.mangohud.enable = true;
+    ataraxia.programs.umu-launcher.enable = true;
     ataraxia.services.modprobed-db.enable = true;
     ataraxia.theme.catppuccin.enable = true;
 
     wayland.windowManager.hyprland.settings = {
-      # TODO: Remove after flickering is fixed
-      # misc.vrr = lib.mkForce 0;
       monitor = mkForce [
         "DP-3,2560x1440@164.998993,0x0,1"
         "HDMI-A-1,1920x1080@60,-1920x360,1"
         ",highres,auto,1"
       ];
+      env = {
+        WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
+      };
       exec-once = [
         "${pkgs.xorg.xrandr}/bin/xrandr --output DP-3 --primary"
       ];
@@ -85,6 +90,7 @@ in
 
     home.packages = with pkgs; [
       devenv
+      freerdp
       llama-cpp
       nh
       nix-diff
@@ -109,7 +115,7 @@ in
       modprobed-db
       # packwiz
       # piper
-      # prismlauncher
+      prismlauncher
       # radeontop
       # streamrip
       # wayvnc
@@ -117,10 +123,16 @@ in
       # yt-archivist
     ];
 
+    home.sessionVariables = {
+      WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
+    };
+
     persist.state.directories = [
       ".config/image-updater"
+      ".config/lsfg-vk"
       ".config/sops/age"
       ".config/WarThunder"
+      ".local/share/PrismLauncher"
       "nixos-config"
       "projects"
     ];
@@ -135,7 +147,7 @@ in
     wal_recycle = "off";
   };
 
-  # ataraxia.virtualisation.docker = true;
+  ataraxia.virtualisation.docker = true;
   ataraxia.virtualisation.libvirt = true;
   ataraxia.virtualisation.podman = true;
 
@@ -155,10 +167,14 @@ in
   ];
 
   # Mesa from unstable channel
-  hardware.graphics.package = pkgs.mesaUnstable;
+  # hardware.graphics.package = pkgs.mesaUnstable;
-  hardware.graphics.package32 = pkgs.mesaUnstablei686;
+  # hardware.graphics.package32 = pkgs.mesaUnstablei686;
-  programs.hyprland.package = pkgs.hyprlandUnstable;
+  # programs.hyprland.package = pkgs.hyprlandUnstable;
-  programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  # programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  programs.hyprland.package = hyprPkgs.hyprland;
+  programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
+  services.lsfg-vk.enable = true;
+  services.lsfg-vk.ui.enable = true;
 
   # Auto-mount lan nfs share
   fileSystems = {

hosts/andromedae/samba.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "security" = "user";
+        #"use sendfile" = "yes";
+        #"max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "10.10.10. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "ataraxia";
+        "map to guest" = "bad user";
+      };
+      "extra" = {
+        "path" = "/run/media/ataraxia/Extra/Anomaly";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "ataraxia";
+        "force group" = "users";
+      };
+      "gamma" = {
+        "path" = "/media/games/Anomaly-Gamma";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "ataraxia";
+        "force group" = "users";
+      };
+    };
+  };
+}

hosts/blueshift/default.nix

@@ -154,6 +154,8 @@
       };
     };
   };
+  ataraxia.services.tor.enableRelay = true;
+  ataraxia.services.tor.relayPort = 32910;
 
   system.stateVersion = "24.11";
 }

hosts/blueshift/services.nix

@@ -37,12 +37,12 @@ in
     let
       nginx = {
         sopsFile = secretsDir + /blueshift/nginx.yaml;
-        restartUnits = [ "podman-nginx.service" ];
+        restartUnits = [ "nginx.service" ];
       };
       marzban = {
         format = "dotenv";
         sopsFile = secretsDir + /blueshift/marzban.env;
-        restartUnits = [ "podman-marzban.service" ];
+        restartUnits = [ "marzban.service" ];
       };
     in
     {
@@ -52,27 +52,31 @@ in
       inherit marzban;
     };
 
-  virtualisation.oci-containers.containers = {
+  virtualisation.quadlet.containers = {
     marzban = {
       autoStart = true;
-      # Tags: v0.8.4
+      containerConfig = {
-      image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
+        # Tags: v0.8.4
-      environmentFiles = [ marzban-env ];
+        image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
-      extraOptions = [ "--network=host" ];
+        environmentFiles = [ marzban-env ];
-      volumes = [
+        networks = [ "host" ];
-        "/srv/marzban:/var/lib/marzban"
+        volumes = [
-      ];
+          "/srv/marzban:/var/lib/marzban"
+        ];
+      };
     };
     nginx = {
       autoStart = true;
-      # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
+      containerConfig = {
-      image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
+        # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
-      extraOptions = [ "--network=host" ];
+        image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
-      volumes = [
+        networks = [ "host" ];
-        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
+        volumes = [
-        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
+          "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
-        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+          "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
-      ];
+          "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+        ];
+      };
     };
   };
 

hosts/orion/default.nix

@@ -1,11 +1,13 @@
 {
+  config,
   lib,
   pkgs,
   inputs,
   ...
 }:
 let
-  inherit (lib) concatLists unique;
+  inherit (lib) concatLists unique recursiveUpdate;
+  nginx = config.ataraxia.services.nginx;
 in
 {
   imports = [
@@ -113,7 +115,9 @@ in
 
   ataraxia.containers.filestash.enable = true;
   ataraxia.containers.media-stack.enable = true;
+  ataraxia.containers.sing-box-filter.enable = true;
   ataraxia.containers.tinyproxy.enable = true;
+  ataraxia.containers.tor.enable = true;
   ataraxia.security.acme.enable = true;
   ataraxia.services.authentik.enable = true;
   ataraxia.services.gitea.enable = true;
@@ -166,6 +170,15 @@ in
     )
   );
 
+  services.nginx.virtualHosts = {
+    "incus.ataraxiadev.com" = recursiveUpdate nginx.defaultSettings {
+      locations."/" = {
+        proxyPass = "https://10.10.10.5:8443";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
   ataraxia.virtualisation.guests = {
     omv = {
       autoStart = true;
@@ -175,5 +188,7 @@ in
     };
   };
 
+  networking.firewall.allowedTCPPorts = [ 9050 ];
+
   system.stateVersion = "25.05";
 }

hosts/redshift/default.nix

@@ -48,12 +48,12 @@
     disableIPv6 = true;
     domain = "wg.ataraxiadev.com";
     ifname = "enp0s18";
-    mac = "bc:24:11:99:d5:2f";
+    mac = "bc:24:11:33:ea:74";
     bridge.enable = true;
     ipv4 = [
       {
-        address = "104.164.54.197/24";
+        address = "217.147.15.227/24";
-        gateway = "104.164.54.1";
+        gateway = "217.147.15.1";
         dns = [
           "9.9.9.9"
           "149.112.112.112"
@@ -154,6 +154,8 @@
       };
     };
   };
+  ataraxia.services.tor.enableRelay = true;
+  ataraxia.services.tor.relayPort = 18342;
 
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
 }

hosts/redshift/services.nix

@@ -38,12 +38,12 @@ in
     let
       nginx = {
         sopsFile = secretsDir + /redshift/nginx.yaml;
-        restartUnits = [ "podman-nginx.service" ];
+        restartUnits = [ "nginx.service" ];
       };
       marzban = {
         format = "dotenv";
         sopsFile = secretsDir + /redshift/marzban.env;
-        restartUnits = [ "podman-marzban.service" ];
+        restartUnits = [ "marzban.service" ];
       };
     in
     {
@@ -53,27 +53,31 @@ in
       inherit marzban;
     };
 
-  virtualisation.oci-containers.containers = {
+  virtualisation.quadlet.containers = {
     marzban = {
       autoStart = true;
-      # Tags: v0.8.4
+      containerConfig = {
-      image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
+        # Tags: v0.8.4
-      environmentFiles = [ marzban-env ];
+        image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
-      extraOptions = [ "--network=host" ];
+        environmentFiles = [ marzban-env ];
-      volumes = [
+        networks = [ "host" ];
-        "/srv/marzban:/var/lib/marzban"
+        volumes = [
-      ];
+          "/srv/marzban:/var/lib/marzban"
+        ];
+      };
     };
     nginx = {
       autoStart = true;
-      # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
+      containerConfig = {
-      image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
+        # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
-      extraOptions = [ "--network=host" ];
+        image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
-      volumes = [
+        networks = [ "host" ];
-        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
+        volumes = [
-        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
+          "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
-        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+          "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
-      ];
+          "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+        ];
+      };
     };
   };
 

hosts/vega/default.nix

@@ -6,6 +6,7 @@
 }:
 let
   defaultUser = config.ataraxia.defaults.users.defaultUser;
+  hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
 in
 {
   imports = [
@@ -87,10 +88,12 @@ in
   };
 
   # Mesa from unstable channel
-  hardware.graphics.package = pkgs.mesaUnstable;
+  # hardware.graphics.package = pkgs.mesaUnstable;
-  hardware.graphics.package32 = pkgs.mesaUnstablei686;
+  # hardware.graphics.package32 = pkgs.mesaUnstablei686;
-  programs.hyprland.package = pkgs.hyprlandUnstable;
+  # programs.hyprland.package = pkgs.hyprlandUnstable;
-  programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  # programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  programs.hyprland.package = hyprPkgs.hyprland;
+  programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
 
   # Auto-mount lan nfs share
   fileSystems = {

modules/home/applications/games/umu-launcher.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.ataraxia.programs.umu-launcher;
+in
+{
+  options.ataraxia.programs.umu-launcher = {
+    enable = mkEnableOption "Enable umu-launcher program";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [ umu-launcher ];
+    persist.state.directories = [ ".local/share/umu" ];
+  };
+}

modules/home/applications/vesktop.nix

@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.ataraxia.programs.vesktop;
+in
+{
+  options.ataraxia.programs.vesktop = {
+    enable = mkEnableOption "Enable vesktop program";
+  };
+
+  config = mkIf cfg.enable {
+    programs.vesktop.enable = true;
+    programs.vesktop.settings = {
+      # appBadge = false;
+      # arRPC = true;
+      # checkUpdates = false;
+      # customTitleBar = false;
+      # disableMinSize = true;
+      minimizeToTray = true;
+      # tray = false;
+      # splashBackground = "#000000";
+      # splashColor = "#ffffff";
+      # splashTheming = true;
+      # staticTitle = true;
+      hardwareAcceleration = true;
+      discordBranch = "canary";
+    };
+    # programs.vesktop.vencord.settings = {};
+    # programs.vesktop.vencord.themes = {};
+    # programs.vesktop.vencord.useSystem = false;
+
+    persist.state.directories = [ ".config/vesktop" ];
+  };
+}

modules/home/applications/vscode.nix

@@ -49,7 +49,7 @@ in
           with ext-market;
           [
             aaron-bond.better-comments
-            catppuccin.catppuccin-vsc-icons
+            # catppuccin.catppuccin-vsc-icons
             christian-kohler.path-intellisense
             codezombiech.gitignore
             eamodio.gitlens

modules/home/applications/walker.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   inputs,
   ...
 }:
@@ -24,14 +23,11 @@ in
 
     programs.walker = {
       enable = true;
-      package = pkgs.walker;
+      runAsService = true;
-      runAsService = false;
       config = {
         websearch.prefix = "?";
         switcher.prefix = "/";
       };
     };
-
-    startupApplications = [ "${getExe config.programs.walker.package} --gapplication-service" ];
   };
 }

modules/home/roles/default.nix

@@ -92,6 +92,7 @@ in
         ataraxia.programs.spotify.enable = mkDefault true;
         ataraxia.programs.telegram.enable = mkDefault true;
         ataraxia.programs.thunderbird.enable = mkDefault true;
+        ataraxia.programs.vesktop.enable = mkDefault true;
         ataraxia.programs.vscode.enable = mkDefault true;
         ataraxia.programs.walker.enable = mkDefault true;
         ataraxia.programs.zathura.enable = mkDefault true;

modules/home/theme/catppuccin.nix

@@ -8,6 +8,7 @@
 let
   inherit (lib)
     mkEnableOption
+    mkForce
     mkIf
     mkMerge
     mkOption
@@ -115,7 +116,7 @@ in
         };
         iconTheme = {
           name = "Papirus-Dark";
-          package = pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; };
+          package = mkForce (pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; });
         };
         font = {
           package = config.theme.fonts.sans.package;

modules/home/workspace/wayland/waybar.nix

@@ -25,15 +25,14 @@ in
           layer = "top";
           position = "top";
           # margin = "8 8 0 8";
-          modules-left =
+          modules-left = [
-            [
+            "hyprland/workspaces"
-              "hyprland/workspaces"
+            "wireplumber"
-              "wireplumber"
+          ]
-            ]
+          ++ lib.optionals cfg.laptopWidgets [
-            ++ lib.optionals cfg.laptopWidgets [
+            "battery"
-              "battery"
+            "backlight"
-              "backlight"
+          ];
-            ];
           modules-center = [ "hyprland/window" ];
           modules-right = [
             "tray"

modules/nixos/applications/steam.nix

@@ -16,6 +16,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    boot.kernelModules = [ "ntsync" ];
+
     programs.gamemode.enable = true;
     programs.gamescope.enable = true;
     programs.gamescope.capSysNice = false;

modules/nixos/containers/sing-box-filter.nix

@@ -0,0 +1,157 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  inherit (config.virtualisation.quadlet) networks;
+
+  cfg = config.ataraxia.containers.sing-box-filter;
+
+  # Exclude almost all european countries (and some more)
+  filter-countries = "!EU,!AL,!AD,!BY,!BA,!GB,!CH,!IS,!LI,!MD,!MC,!ME,!MK,!NO,!RU,!SM,!RS,!UA,!VA,!XK,!US,!CN,!IR,!PK";
+  filter-protocols = "vless,ss";
+  geoip-db = "https://git.io/GeoLite2-Country.mmdb";
+  proxy-list = "https://raw.githubusercontent.com/ebrasha/free-v2ray-public-list/refs/heads/main/V2Ray-Config-By-EbraSha.txt";
+  dockerfile = pkgs.writeText "Dockerfile.sing-box" ''
+    ARG sing_box_ver="1.12.1"
+    ARG alpine_ver="3.22"
+    ARG processor_ver="0.1.1"
+
+    FROM ghcr.io/sagernet/sing-box:v''${sing_box_ver} AS sing-box
+    FROM ataraxiadev/proxy-processor:''${processor_ver} as proxy-filter
+
+    FROM alpine:''${alpine_ver}
+    COPY --from=sing-box /usr/local/bin/sing-box /bin/sing-box
+    COPY --from=proxy-filter /bin/proxy-filter-cli /bin/proxy-filter-cli
+    WORKDIR /app
+    ENTRYPOINT ["/app/entrypoint.sh"]
+  '';
+  entrypoint = pkgs.writeScript "singbox-entrypoint" ''
+    #!/bin/ash
+    set -euo pipefail
+
+    mkdir -p /etc/sing-box
+    mkdir -p /var/lib/sing-box
+    cp /app/sing-box.json /etc/sing-box/config.json
+
+    echo "0 * * * * /app/update.sh" > /var/spool/cron/crontabs/root
+    /app/update.sh &
+    crond -f
+  '';
+  sing-box-update = pkgs.writeScript "singbox-update" ''
+    #!/bin/ash
+    set -euo pipefail
+
+    if [ $(pgrep "update.sh" | wc -l) -gt 2 ]; then
+        exit 0
+    fi
+    echo "Update proxy list..."
+    proxy-filter-cli -i ${proxy-list} -o outbounds.json --geoip ${geoip-db} -t ${filter-protocols} -c '${filter-countries}' -f sing-box
+    cp outbounds.json /etc/sing-box/outbound.json
+    echo "Update proxy list finished..."
+    if pgrep "sing-box"; then
+        echo "Stopping sing-box process..."
+        pkill -f sing-box
+    fi
+    echo "Starting sing-box process..."
+    sing-box -D /var/lib/sing-box -C /etc/sing-box run &
+  '';
+  singbox-config = pkgs.writeText "singbox-entrypoint" ''
+    {
+      "log": {
+        "level": "warn",
+        "timestamp": true
+      },
+      "dns": {
+        "strategy": "ipv4_only",
+        "disable_cache": true,
+        "disable_expire": true,
+        "servers": [{
+          "tag": "local-dns",
+          "type": "udp",
+          "server": "10.10.10.1"
+        }]
+      },
+      "inbounds": [{
+        "type": "mixed",
+        "tag": "mixed-in",
+        "domain_strategy": "ipv4_only",
+        "listen": "0.0.0.0",
+        "listen_port": 2080,
+        "tcp_fast_open": false
+      }],
+      "outbounds": [{
+        "type": "direct",
+        "tag": "direct-out"
+      }],
+      "route": {
+        "rules": [{
+          "action": "resolve",
+          "strategy": "prefer_ipv4"
+        }, {
+          "action": "sniff"
+        }, {
+          "protocol": "dns",
+          "action": "hijack-dns"
+        }, {
+          "outbound": "direct-out",
+          "ip_is_private": true
+        }],
+        "final": "urltest-out",
+        "auto_detect_interface": true
+      },
+      "experimental": {
+        "clash_api": {
+          "external_controller": "0.0.0.0:9090",
+          "external_ui": "ui",
+          "external_ui_download_url": "https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip",
+          "external_ui_download_detour": "direct-out"
+        },
+        "cache_file": {
+          "enabled": true
+        }
+      }
+    }
+  '';
+in
+{
+  options.ataraxia.containers.sing-box-filter = {
+    enable = mkEnableOption "Enable sing-box-filter container";
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.quadlet = {
+      builds.sing-box-filter = {
+        autoStart = true;
+        buildConfig = {
+          file = toString dockerfile;
+          tag = "sing-box-filter:latest";
+          # globalArgs = [ "--build-args=" ];
+        };
+      };
+      containers.sing-box-filter = {
+        autoStart = true;
+        containerConfig = {
+          image = config.virtualisation.quadlet.builds.sing-box-filter.ref;
+          networks = [ networks.br-services.ref ];
+          publishPorts = [
+            "0.0.0.0:2080:2080/tcp"
+            "0.0.0.0:2081:9090/tcp"
+          ];
+          volumes = [
+            "${entrypoint}:/app/entrypoint.sh:ro"
+            "${sing-box-update}:/app/update.sh:ro"
+            "${singbox-config}:/app/sing-box.json:ro"
+          ];
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [
+      2080
+      2081
+    ];
+  };
+}

modules/nixos/containers/tinyproxy.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   secretsDir,
+  inputs,
   ...
 }:
 let
@@ -31,6 +32,11 @@ in
       config =
         { pkgs, ... }:
         {
+          nixpkgs.overlays = [
+            (_final: _prev: {
+              sing-box = inputs.ataraxiasjel-nur.packages.${pkgs.hostPlatform.system}.sing-box-extended;
+            })
+          ];
           environment.systemPackages = with pkgs; [
             dnsutils
             kitty.terminfo

modules/nixos/containers/tor.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  pkgs,
+  secretsDir,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  inherit (config.virtualisation.quadlet) networks;
+
+  cfg = config.ataraxia.containers.tor;
+  dockerfile = pkgs.writeText "Dockerfile.tor" ''
+    FROM alpine:3
+
+    LABEL name="tor-socks-proxy"
+    LABEL version="latest"
+
+    RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
+        echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing'   >> /etc/apk/repositories && \
+        apk -U upgrade && \
+        apk -v add tor@edge lyrebird@edge curl && \
+        chmod 700 /var/lib/tor && \
+        rm -rf /var/cache/apk/* && \
+        tor --version
+
+    RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \
+        chown tor:root /etc/tor/torrc
+
+    HEALTHCHECK --timeout=30s --start-period=60s \
+        CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' || exit 1
+
+    USER tor
+    EXPOSE 8853/udp 9150/tcp
+
+    CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]
+  '';
+in
+{
+  options.ataraxia.containers.tor = {
+    enable = mkEnableOption "Enable tor client container";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;
+    sops.secrets.tor-container.mode = "0444";
+    virtualisation.quadlet = {
+      builds.tor-proxy = {
+        autoStart = true;
+        buildConfig = {
+          file = toString dockerfile;
+          tag = "tor-socks-proxy:latest";
+        };
+      };
+      containers.tor-proxy = {
+        autoStart = true;
+        containerConfig = {
+          exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";
+          image = config.virtualisation.quadlet.builds.tor-proxy.ref;
+          networks = [ networks.br-services.ref ];
+          publishPorts = [
+            "0.0.0.0:9150:9150/tcp"
+            "0.0.0.0:8853:8853/udp"
+          ];
+          volumes = [
+            "${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"
+          ];
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 9150 ];
+    networking.firewall.allowedUDPPorts = [ 8853 ];
+  };
+}

modules/nixos/persist/default.nix

@@ -109,17 +109,16 @@ in
         "/var/cache"
       ];
       persist.state = {
-        directories =
+        directories = [
-          [
+          "/var/lib/nixos"
-            "/var/lib/nixos"
+          "/var/lib/systemd"
-            "/var/lib/systemd"
+        ]
-          ]
+        ++ lib.optionals config.services.mysql.enable [
-          ++ lib.optionals config.services.mysql.enable [
+          config.services.mysql.dataDir
-            config.services.mysql.dataDir
+        ]
-          ]
+        ++ lib.optionals config.services.postgresql.enable [
-          ++ lib.optionals config.services.postgresql.enable [
+          "/var/lib/postgresql"
-            "/var/lib/postgresql"
+        ];
-          ];
         files = [
           "/etc/machine-id"
           "/etc/ssh/ssh_host_ed25519_key"

modules/nixos/services/tor.nix

@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) int;
+
+  cfg = config.ataraxia.services.tor;
+in
+{
+  options.ataraxia.services.tor = {
+    enable = mkEnableOption "Enable tor service client";
+    enableRelay = mkEnableOption "Enable tor service bridge";
+    relayPort = mkOption {
+      type = int;
+      description = "Bridge listen port";
+    };
+  };
+
+  config = mkIf (cfg.enable || cfg.enableRelay) {
+    services.tor = {
+      enable = true;
+      client.enable = cfg.enable;
+      relay.enable = cfg.enableRelay;
+      relay.role = "private-bridge";
+      settings = mkIf cfg.enableRelay {
+        ContactInfo = "admin@ataraxiadev.com";
+        Nickname = config.networking.hostName;
+        ORPort = 42891;
+        ServerTransportListenAddr = "obfs4 0.0.0.0:${toString cfg.relayPort}";
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ cfg.relayPort ];
+
+    persist.state.directories = [ "/var/lib/tor" ];
+  };
+}

modules/nixos/virtualisation/virtualisation.nix

@@ -24,6 +24,8 @@ in
   };
 
   config = mkIf (cfg.docker || cfg.libvirt || cfg.podman) {
+    boot.enableContainers = true;
+
     virtualisation = {
       oci-containers.backend = if (!cfg.podman && cfg.docker) then "docker" else "podman";
       docker = {
@@ -38,6 +40,7 @@ in
       podman = {
         enable = cfg.podman;
         defaultNetwork.settings.dns_enabled = true;
+        dockerCompat = !config.virtualisation.docker.enable;
         dockerSocket.enable = !config.virtualisation.docker.enable;
       };
       containers.containersConf.settings = {
@@ -98,8 +101,6 @@ in
       };
     };
 
-    boot.enableContainers = true;
-
     environment.systemPackages =
       [ ]
       ++ optionals cfg.docker [ pkgs.docker-compose ]
@@ -116,19 +117,18 @@ in
 
     networking.firewall = {
       trustedInterfaces = mkIf cfg.libvirt [ "virbr0" ];
-      interfaces =
+      interfaces = {
-        {
+        "podman*".allowedUDPPorts = mkIf cfg.podman [
-          "podman*".allowedUDPPorts = mkIf cfg.podman [
+          53
-            53
+          5353
-            5353
+        ];
-          ];
+      }
-        }
+      // mapAttrs (_: _: {
-        // mapAttrs (_: _: {
+        allowedUDPPorts = [
-          allowedUDPPorts = [
+          53
-            53
+          5353
-            5353
+        ];
-          ];
+      }) config.virtualisation.quadlet.networks;
-        }) config.virtualisation.quadlet.networks;
     };
 
     security.unprivilegedUsernsClone = true;
@@ -138,18 +138,26 @@ in
       "/var/lib/libvirt"
       "/var/lib/containers"
     ];
+    persist.state.files = [
+      "/etc/subuid"
+      "/etc/subgid"
+    ];
 
     home-manager = mkIf useHomeManager {
       users.${defaultUser} = {
-        home.file.".config/containers/storage.conf".text = ''
+        home.file.".config/containers/storage.conf".text = mkIf cfg.podman ''
           [storage]
           driver = "overlay"
         '';
-        home.file.".config/libvirt/libvirt.conf".text = ''
+        home.file.".config/libvirt/libvirt.conf".text = mkIf cfg.libvirt ''
           uri_default = "qemu:///system"
         '';
-        persist.state.directories = [
+        persist.state.directories = mkIf cfg.podman [
           ".config/containers"
+          {
+            directory = ".local/share/containers";
+            method = "symlink";
+          }
         ];
       };
     };

overlays/default.nix

@@ -34,9 +34,13 @@ in
   # nix-index-update = inputs.nix-alien.packages.${system}.nix-index-update;
   osu-lazer = unstable.osu-lazer;
   osu-lazer-bin = unstable.osu-lazer-bin;
-  # prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
+  prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
-  #   jdks = [ final.temurin-bin ];
+    jdks = [
-  # };
+      final.temurin-jre-bin
+      final.temurin-jre-bin-17
+    ];
+    textToSpeechSupport = false;
+  };
   proton-ge-bin = unstable.proton-ge-bin;
   xray = unstable.xray;
   # youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
@@ -45,64 +49,29 @@ in
   sing-box = final.sing-box-extended;
   wine = prev.wineWow64Packages.stagingFull;
 
-  # Patch spotify with spotx
-  spotify = prev.spotify.overrideAttrs (
-    oa:
-    let
-      spotx = prev.fetchurl {
-        url = "https://raw.githubusercontent.com/SpotX-Official/SpotX-Bash/b1de24ec4c23c45da373dcb64a44e372253a0c16/spotx.sh";
-        hash = "sha256-/p6cJKzaZzjcLJISFudstQjs+lPXnXx4f0vxKbF9Sqw=";
-      };
-    in
-    {
-      nativeBuildInputs =
-        oa.nativeBuildInputs
-        ++ (with prev; [
-          perl
-          unzip
-          util-linux
-          zip
-        ]);
-      postUnpack =
-        oa.postUnpack or ""
-        + ''
-          patchShebangs --build ${spotx}
-        '';
-      postInstall =
-        oa.postInstall or ""
-        + ''
-          bash ${spotx} -f -h -P "$out/share/spotify"
-        '';
-    }
-  );
-
   # Move modprobed config to subdir. Easier to use with impermanence
   modprobed-db = prev.modprobed-db.overrideAttrs (oa: {
     nativeBuildInputs = [ prev.makeWrapper ] ++ oa.nativeBuildInputs or [ ];
-    postPatch =
+    postPatch = (oa.postPatch or "") + ''
-      (oa.postPatch or "")
+      substituteInPlace ./common/modprobed-db.in \
-      + ''
+        --replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
-        substituteInPlace ./common/modprobed-db.in \
+      substituteInPlace ./common/modprobed-db.skel \
-          --replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
+        --replace-fail "/.config" "/.config/modprobed-db"
-        substituteInPlace ./common/modprobed-db.skel \
+    '';
-          --replace-fail "/.config" "/.config/modprobed-db"
+    postInstall = (oa.postInstall or "") + ''
-      '';
+      wrapProgram $out/bin/modprobed-db \
-    postInstall =
+      --set PATH ${
-      (oa.postInstall or "")
+        with final;
-      + ''
+        lib.makeBinPath [
-        wrapProgram $out/bin/modprobed-db \
+          gawk
-        --set PATH ${
+          getent
-          with final;
+          coreutils
-          lib.makeBinPath [
+          gnugrep
-            gawk
+          gnused
-            getent
+          kmod
-            coreutils
+        ]
-            gnugrep
+      }
-            gnused
+    '';
-            kmod
-          ]
-        }
-      '';
   });
 
   pass-secret-service = prev.pass-secret-service.overrideAttrs (_: {