27 changed files with 361 additions and 1238 deletions
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -42,7 +42,6 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hyprland.url = "github:hyprwm/Hyprland";
    impermanence.url = "github:nix-community/impermanence";
    lix = {
      url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
@ -53,10 +52,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.lix.follows = "lix";
    };
    lsfg-vk = {
      url = "github:pabloaul/lsfg-vk-flake/main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
@ -65,7 +60,6 @@
      url = "github:nix-community/nix-vscode-extensions";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    prismlauncher.url = "github:AtaraxiaSjel/PrismLauncher";
    quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
    sops-nix = {
      url = "github:Mic92/sops-nix";
@ -255,7 +249,7 @@
                  hostname = "10.10.10.101";
                };
                redshift = {
-                  hostname = "217.147.15.227";
+                  hostname = "104.164.54.197";
                  fastConnection = false;
                  sshOpts = [
                    "-p"
--- a/hosts/andromedae/default.nix
+++ b/hosts/andromedae/default.nix
@ -8,16 +8,13 @@
 let
  inherit (lib) mkForce;
  defaultUser = config.ataraxia.defaults.users.defaultUser;
  hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
 in
 {
  imports = [
    ./hardware-configuration.nix
    ./boot.nix
    ./samba.nix
    inputs.catppuccin.nixosModules.catppuccin
    inputs.lsfg-vk.nixosModules.default
  ];
  catppuccin.enable = true;
  catppuccin.accent = "mauve";
@ -70,19 +67,17 @@ in
    ataraxia.defaults.role = "desktop";
    ataraxia.programs.lutris.enable = true;
    ataraxia.programs.mangohud.enable = true;
    ataraxia.programs.umu-launcher.enable = true;
    ataraxia.services.modprobed-db.enable = true;
    ataraxia.theme.catppuccin.enable = true;
    wayland.windowManager.hyprland.settings = {
      # TODO: Remove after flickering is fixed
      # misc.vrr = lib.mkForce 0;
      monitor = mkForce [
        "DP-3,2560x1440@164.998993,0x0,1"
        "HDMI-A-1,1920x1080@60,-1920x360,1"
        ",highres,auto,1"
      ];
      env = {
        WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
      };
      exec-once = [
        "${pkgs.xorg.xrandr}/bin/xrandr --output DP-3 --primary"
      ];
@ -90,7 +85,6 @@ in
    home.packages = with pkgs; [
      devenv
      freerdp
      llama-cpp
      nh
      nix-diff
@ -115,7 +109,7 @@ in
      modprobed-db
      # packwiz
      # piper
-      prismlauncher
+      # prismlauncher
      # radeontop
      # streamrip
      # wayvnc
@ -123,16 +117,10 @@ in
      # yt-archivist
    ];
    home.sessionVariables = {
      WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
    };
    persist.state.directories = [
      ".config/image-updater"
      ".config/lsfg-vk"
      ".config/sops/age"
      ".config/WarThunder"
      ".local/share/PrismLauncher"
      "nixos-config"
      "projects"
    ];
@ -147,7 +135,7 @@ in
    wal_recycle = "off";
  };
-  ataraxia.virtualisation.docker = true;
+  # ataraxia.virtualisation.docker = true;
  ataraxia.virtualisation.libvirt = true;
  ataraxia.virtualisation.podman = true;
@ -167,14 +155,10 @@ in
  ];
  # Mesa from unstable channel
-  # hardware.graphics.package = pkgs.mesaUnstable;
+  hardware.graphics.package = pkgs.mesaUnstable;
-  # hardware.graphics.package32 = pkgs.mesaUnstablei686;
+  hardware.graphics.package32 = pkgs.mesaUnstablei686;
-  # programs.hyprland.package = pkgs.hyprlandUnstable;
+  programs.hyprland.package = pkgs.hyprlandUnstable;
-  # programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
  programs.hyprland.package = hyprPkgs.hyprland;
  programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
  services.lsfg-vk.enable = true;
  services.lsfg-vk.ui.enable = true;
  # Auto-mount lan nfs share
  fileSystems = {
--- a/hosts/andromedae/samba.nix
+++ b/hosts/andromedae/samba.nix
@ -1,42 +0,0 @@
 { ... }:
 {
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
        "security" = "user";
        #"use sendfile" = "yes";
        #"max protocol" = "smb2";
        # note: localhost is the ipv6 localhost ::1
        "hosts allow" = "10.10.10. 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "ataraxia";
        "map to guest" = "bad user";
      };
      "extra" = {
        "path" = "/run/media/ataraxia/Extra/Anomaly";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "ataraxia";
        "force group" = "users";
      };
      "gamma" = {
        "path" = "/media/games/Anomaly-Gamma";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "ataraxia";
        "force group" = "users";
      };
    };
  };
 }
--- a/hosts/blueshift/default.nix
+++ b/hosts/blueshift/default.nix
@ -154,8 +154,6 @@
      };
    };
  };
  ataraxia.services.tor.enableRelay = true;
  ataraxia.services.tor.relayPort = 32910;
  system.stateVersion = "24.11";
 }
--- a/hosts/blueshift/services.nix
+++ b/hosts/blueshift/services.nix
@ -37,12 +37,12 @@ in
    let
      nginx = {
        sopsFile = secretsDir + /blueshift/nginx.yaml;
-        restartUnits = [ "nginx.service" ];
+        restartUnits = [ "podman-nginx.service" ];
      };
      marzban = {
        format = "dotenv";
        sopsFile = secretsDir + /blueshift/marzban.env;
-        restartUnits = [ "marzban.service" ];
+        restartUnits = [ "podman-marzban.service" ];
      };
    in
    {
@ -52,31 +52,27 @@ in
      inherit marzban;
    };
-  virtualisation.quadlet.containers = {
+  virtualisation.oci-containers.containers = {
    marzban = {
      autoStart = true;
-      containerConfig = {
+      # Tags: v0.8.4
-        # Tags: v0.8.4
+      image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
-        image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
+      environmentFiles = [ marzban-env ];
-        environmentFiles = [ marzban-env ];
+      extraOptions = [ "--network=host" ];
-        networks = [ "host" ];
+      volumes = [
-        volumes = [
+        "/srv/marzban:/var/lib/marzban"
-          "/srv/marzban:/var/lib/marzban"
+      ];
        ];
      };
    };
    nginx = {
      autoStart = true;
-      containerConfig = {
+      # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
-        # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
+      image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
-        image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
+      extraOptions = [ "--network=host" ];
-        networks = [ "host" ];
+      volumes = [
-        volumes = [
+        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
-          "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
+        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
-          "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
+        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
-          "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+      ];
        ];
      };
    };
  };
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -1,13 +1,11 @@
 {
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 let
-  inherit (lib) concatLists unique recursiveUpdate;
+  inherit (lib) concatLists unique;
  nginx = config.ataraxia.services.nginx;
 in
 {
  imports = [
@ -115,9 +113,7 @@ in
  ataraxia.containers.filestash.enable = true;
  ataraxia.containers.media-stack.enable = true;
  ataraxia.containers.sing-box-filter.enable = true;
  ataraxia.containers.tinyproxy.enable = true;
  ataraxia.containers.tor.enable = true;
  ataraxia.security.acme.enable = true;
  ataraxia.services.authentik.enable = true;
  ataraxia.services.gitea.enable = true;
@ -170,15 +166,6 @@ in
    )
  );
  services.nginx.virtualHosts = {
    "incus.ataraxiadev.com" = recursiveUpdate nginx.defaultSettings {
      locations."/" = {
        proxyPass = "https://10.10.10.5:8443";
        proxyWebsockets = true;
      };
    };
  };
  ataraxia.virtualisation.guests = {
    omv = {
      autoStart = true;
@ -188,7 +175,5 @@ in
    };
  };
  networking.firewall.allowedTCPPorts = [ 9050 ];
  system.stateVersion = "25.05";
 }
--- a/hosts/redshift/default.nix
+++ b/hosts/redshift/default.nix
@ -48,12 +48,12 @@
    disableIPv6 = true;
    domain = "wg.ataraxiadev.com";
    ifname = "enp0s18";
-    mac = "bc:24:11:33:ea:74";
+    mac = "bc:24:11:99:d5:2f";
    bridge.enable = true;
    ipv4 = [
      {
-        address = "217.147.15.227/24";
+        address = "104.164.54.197/24";
-        gateway = "217.147.15.1";
+        gateway = "104.164.54.1";
        dns = [
          "9.9.9.9"
          "149.112.112.112"
@ -154,8 +154,6 @@
      };
    };
  };
  ataraxia.services.tor.enableRelay = true;
  ataraxia.services.tor.relayPort = 18342;
-  system.stateVersion = "25.05";
+  system.stateVersion = "24.11";
 }
--- a/hosts/redshift/services.nix
+++ b/hosts/redshift/services.nix
@ -38,12 +38,12 @@ in
    let
      nginx = {
        sopsFile = secretsDir + /redshift/nginx.yaml;
-        restartUnits = [ "nginx.service" ];
+        restartUnits = [ "podman-nginx.service" ];
      };
      marzban = {
        format = "dotenv";
        sopsFile = secretsDir + /redshift/marzban.env;
-        restartUnits = [ "marzban.service" ];
+        restartUnits = [ "podman-marzban.service" ];
      };
    in
    {
@ -53,31 +53,27 @@ in
      inherit marzban;
    };
-  virtualisation.quadlet.containers = {
+  virtualisation.oci-containers.containers = {
    marzban = {
      autoStart = true;
-      containerConfig = {
+      # Tags: v0.8.4
-        # Tags: v0.8.4
+      image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
-        image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
+      environmentFiles = [ marzban-env ];
-        environmentFiles = [ marzban-env ];
+      extraOptions = [ "--network=host" ];
-        networks = [ "host" ];
+      volumes = [
-        volumes = [
+        "/srv/marzban:/var/lib/marzban"
-          "/srv/marzban:/var/lib/marzban"
+      ];
        ];
      };
    };
    nginx = {
      autoStart = true;
-      containerConfig = {
+      # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
-        # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
+      image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
-        image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
+      extraOptions = [ "--network=host" ];
-        networks = [ "host" ];
+      volumes = [
-        volumes = [
+        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
-          "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
+        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
-          "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
+        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
-          "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+      ];
        ];
      };
    };
  };
--- a/hosts/vega/default.nix
+++ b/hosts/vega/default.nix
@ -6,7 +6,6 @@
 }:
 let
  defaultUser = config.ataraxia.defaults.users.defaultUser;
  hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
 in
 {
  imports = [
@ -88,12 +87,10 @@ in
  };
  # Mesa from unstable channel
-  # hardware.graphics.package = pkgs.mesaUnstable;
+  hardware.graphics.package = pkgs.mesaUnstable;
-  # hardware.graphics.package32 = pkgs.mesaUnstablei686;
+  hardware.graphics.package32 = pkgs.mesaUnstablei686;
-  # programs.hyprland.package = pkgs.hyprlandUnstable;
+  programs.hyprland.package = pkgs.hyprlandUnstable;
-  # programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
+  programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
  programs.hyprland.package = hyprPkgs.hyprland;
  programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
  # Auto-mount lan nfs share
  fileSystems = {
--- a/modules/home/applications/games/umu-launcher.nix
+++ b/modules/home/applications/games/umu-launcher.nix
@ -1,20 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.programs.umu-launcher;
 in
 {
  options.ataraxia.programs.umu-launcher = {
    enable = mkEnableOption "Enable umu-launcher program";
  };
  config = mkIf cfg.enable {
    home.packages = with pkgs; [ umu-launcher ];
    persist.state.directories = [ ".local/share/umu" ];
  };
 }
--- a/modules/home/applications/vesktop.nix
+++ b/modules/home/applications/vesktop.nix
@ -1,34 +0,0 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.programs.vesktop;
 in
 {
  options.ataraxia.programs.vesktop = {
    enable = mkEnableOption "Enable vesktop program";
  };
  config = mkIf cfg.enable {
    programs.vesktop.enable = true;
    programs.vesktop.settings = {
      # appBadge = false;
      # arRPC = true;
      # checkUpdates = false;
      # customTitleBar = false;
      # disableMinSize = true;
      minimizeToTray = true;
      # tray = false;
      # splashBackground = "#000000";
      # splashColor = "#ffffff";
      # splashTheming = true;
      # staticTitle = true;
      hardwareAcceleration = true;
      discordBranch = "canary";
    };
    # programs.vesktop.vencord.settings = {};
    # programs.vesktop.vencord.themes = {};
    # programs.vesktop.vencord.useSystem = false;
    persist.state.directories = [ ".config/vesktop" ];
  };
 }
--- a/modules/home/applications/vscode.nix
+++ b/modules/home/applications/vscode.nix
@ -49,7 +49,7 @@ in
          with ext-market;
          [
            aaron-bond.better-comments
-            # catppuccin.catppuccin-vsc-icons
+            catppuccin.catppuccin-vsc-icons
            christian-kohler.path-intellisense
            codezombiech.gitignore
            eamodio.gitlens
--- a/modules/home/applications/walker.nix
+++ b/modules/home/applications/walker.nix
@ -1,6 +1,7 @@
 {
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
@ -23,11 +24,14 @@ in
    programs.walker = {
      enable = true;
-      runAsService = true;
+      package = pkgs.walker;
      runAsService = false;
      config = {
        websearch.prefix = "?";
        switcher.prefix = "/";
      };
    };
    startupApplications = [ "${getExe config.programs.walker.package} --gapplication-service" ];
  };
 }
--- a/modules/home/roles/default.nix
+++ b/modules/home/roles/default.nix
@ -92,7 +92,6 @@ in
        ataraxia.programs.spotify.enable = mkDefault true;
        ataraxia.programs.telegram.enable = mkDefault true;
        ataraxia.programs.thunderbird.enable = mkDefault true;
        ataraxia.programs.vesktop.enable = mkDefault true;
        ataraxia.programs.vscode.enable = mkDefault true;
        ataraxia.programs.walker.enable = mkDefault true;
        ataraxia.programs.zathura.enable = mkDefault true;
--- a/modules/home/theme/catppuccin.nix
+++ b/modules/home/theme/catppuccin.nix
@ -8,7 +8,6 @@
 let
  inherit (lib)
    mkEnableOption
    mkForce
    mkIf
    mkMerge
    mkOption
@ -116,7 +115,7 @@ in
        };
        iconTheme = {
          name = "Papirus-Dark";
-          package = mkForce (pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; });
+          package = pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; };
        };
        font = {
          package = config.theme.fonts.sans.package;
--- a/modules/home/workspace/wayland/waybar.nix
+++ b/modules/home/workspace/wayland/waybar.nix
@ -25,14 +25,15 @@ in
          layer = "top";
          position = "top";
          # margin = "8 8 0 8";
-          modules-left = [
+          modules-left =
-            "hyprland/workspaces"
+            [
-            "wireplumber"
+              "hyprland/workspaces"
-          ]
+              "wireplumber"
-          ++ lib.optionals cfg.laptopWidgets [
+            ]
-            "battery"
+            ++ lib.optionals cfg.laptopWidgets [
-            "backlight"
+              "battery"
-          ];
+              "backlight"
            ];
          modules-center = [ "hyprland/window" ];
          modules-right = [
            "tray"
--- a/modules/nixos/applications/steam.nix
+++ b/modules/nixos/applications/steam.nix
@ -16,8 +16,6 @@ in
  };
  config = mkIf cfg.enable {
    boot.kernelModules = [ "ntsync" ];
    programs.gamemode.enable = true;
    programs.gamescope.enable = true;
    programs.gamescope.capSysNice = false;
--- a/modules/nixos/containers/sing-box-filter.nix
+++ b/modules/nixos/containers/sing-box-filter.nix
@ -1,157 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  inherit (config.virtualisation.quadlet) networks;
  cfg = config.ataraxia.containers.sing-box-filter;
  # Exclude almost all european countries (and some more)
  filter-countries = "!EU,!AL,!AD,!BY,!BA,!GB,!CH,!IS,!LI,!MD,!MC,!ME,!MK,!NO,!RU,!SM,!RS,!UA,!VA,!XK,!US,!CN,!IR,!PK";
  filter-protocols = "vless,ss";
  geoip-db = "https://git.io/GeoLite2-Country.mmdb";
  proxy-list = "https://raw.githubusercontent.com/ebrasha/free-v2ray-public-list/refs/heads/main/V2Ray-Config-By-EbraSha.txt";
  dockerfile = pkgs.writeText "Dockerfile.sing-box" ''
    ARG sing_box_ver="1.12.1"
    ARG alpine_ver="3.22"
    ARG processor_ver="0.1.1"
    FROM ghcr.io/sagernet/sing-box:v''${sing_box_ver} AS sing-box
    FROM ataraxiadev/proxy-processor:''${processor_ver} as proxy-filter
    FROM alpine:''${alpine_ver}
    COPY --from=sing-box /usr/local/bin/sing-box /bin/sing-box
    COPY --from=proxy-filter /bin/proxy-filter-cli /bin/proxy-filter-cli
    WORKDIR /app
    ENTRYPOINT ["/app/entrypoint.sh"]
  '';
  entrypoint = pkgs.writeScript "singbox-entrypoint" ''
    #!/bin/ash
    set -euo pipefail
    mkdir -p /etc/sing-box
    mkdir -p /var/lib/sing-box
    cp /app/sing-box.json /etc/sing-box/config.json
    echo "0 * * * * /app/update.sh" > /var/spool/cron/crontabs/root
    /app/update.sh &
    crond -f
  '';
  sing-box-update = pkgs.writeScript "singbox-update" ''
    #!/bin/ash
    set -euo pipefail
    if [ $(pgrep "update.sh" | wc -l) -gt 2 ]; then
        exit 0
    fi
    echo "Update proxy list..."
    proxy-filter-cli -i ${proxy-list} -o outbounds.json --geoip ${geoip-db} -t ${filter-protocols} -c '${filter-countries}' -f sing-box
    cp outbounds.json /etc/sing-box/outbound.json
    echo "Update proxy list finished..."
    if pgrep "sing-box"; then
        echo "Stopping sing-box process..."
        pkill -f sing-box
    fi
    echo "Starting sing-box process..."
    sing-box -D /var/lib/sing-box -C /etc/sing-box run &
  '';
  singbox-config = pkgs.writeText "singbox-entrypoint" ''
    {
      "log": {
        "level": "warn",
        "timestamp": true
      },
      "dns": {
        "strategy": "ipv4_only",
        "disable_cache": true,
        "disable_expire": true,
        "servers": [{
          "tag": "local-dns",
          "type": "udp",
          "server": "10.10.10.1"
        }]
      },
      "inbounds": [{
        "type": "mixed",
        "tag": "mixed-in",
        "domain_strategy": "ipv4_only",
        "listen": "0.0.0.0",
        "listen_port": 2080,
        "tcp_fast_open": false
      }],
      "outbounds": [{
        "type": "direct",
        "tag": "direct-out"
      }],
      "route": {
        "rules": [{
          "action": "resolve",
          "strategy": "prefer_ipv4"
        }, {
          "action": "sniff"
        }, {
          "protocol": "dns",
          "action": "hijack-dns"
        }, {
          "outbound": "direct-out",
          "ip_is_private": true
        }],
        "final": "urltest-out",
        "auto_detect_interface": true
      },
      "experimental": {
        "clash_api": {
          "external_controller": "0.0.0.0:9090",
          "external_ui": "ui",
          "external_ui_download_url": "https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip",
          "external_ui_download_detour": "direct-out"
        },
        "cache_file": {
          "enabled": true
        }
      }
    }
  '';
 in
 {
  options.ataraxia.containers.sing-box-filter = {
    enable = mkEnableOption "Enable sing-box-filter container";
  };
  config = mkIf cfg.enable {
    virtualisation.quadlet = {
      builds.sing-box-filter = {
        autoStart = true;
        buildConfig = {
          file = toString dockerfile;
          tag = "sing-box-filter:latest";
          # globalArgs = [ "--build-args=" ];
        };
      };
      containers.sing-box-filter = {
        autoStart = true;
        containerConfig = {
          image = config.virtualisation.quadlet.builds.sing-box-filter.ref;
          networks = [ networks.br-services.ref ];
          publishPorts = [
            "0.0.0.0:2080:2080/tcp"
            "0.0.0.0:2081:9090/tcp"
          ];
          volumes = [
            "${entrypoint}:/app/entrypoint.sh:ro"
            "${sing-box-update}:/app/update.sh:ro"
            "${singbox-config}:/app/sing-box.json:ro"
          ];
        };
      };
    };
    networking.firewall.allowedTCPPorts = [
      2080
      2081
    ];
  };
 }
--- a/modules/nixos/containers/tinyproxy.nix
+++ b/modules/nixos/containers/tinyproxy.nix
@ -2,7 +2,6 @@
  config,
  lib,
  secretsDir,
  inputs,
  ...
 }:
 let
@ -32,11 +31,6 @@ in
      config =
        { pkgs, ... }:
        {
          nixpkgs.overlays = [
            (_final: _prev: {
              sing-box = inputs.ataraxiasjel-nur.packages.${pkgs.hostPlatform.system}.sing-box-extended;
            })
          ];
          environment.systemPackages = with pkgs; [
            dnsutils
            kitty.terminfo
--- a/modules/nixos/containers/tor.nix
+++ b/modules/nixos/containers/tor.nix
@ -1,74 +0,0 @@
 {
  config,
  lib,
  pkgs,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  inherit (config.virtualisation.quadlet) networks;
  cfg = config.ataraxia.containers.tor;
  dockerfile = pkgs.writeText "Dockerfile.tor" ''
    FROM alpine:3
    LABEL name="tor-socks-proxy"
    LABEL version="latest"
    RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
        echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing'   >> /etc/apk/repositories && \
        apk -U upgrade && \
        apk -v add tor@edge lyrebird@edge curl && \
        chmod 700 /var/lib/tor && \
        rm -rf /var/cache/apk/* && \
        tor --version
    RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \
        chown tor:root /etc/tor/torrc
    HEALTHCHECK --timeout=30s --start-period=60s \
        CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' || exit 1
    USER tor
    EXPOSE 8853/udp 9150/tcp
    CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]
  '';
 in
 {
  options.ataraxia.containers.tor = {
    enable = mkEnableOption "Enable tor client container";
  };
  config = mkIf cfg.enable {
    sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;
    sops.secrets.tor-container.mode = "0444";
    virtualisation.quadlet = {
      builds.tor-proxy = {
        autoStart = true;
        buildConfig = {
          file = toString dockerfile;
          tag = "tor-socks-proxy:latest";
        };
      };
      containers.tor-proxy = {
        autoStart = true;
        containerConfig = {
          exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";
          image = config.virtualisation.quadlet.builds.tor-proxy.ref;
          networks = [ networks.br-services.ref ];
          publishPorts = [
            "0.0.0.0:9150:9150/tcp"
            "0.0.0.0:8853:8853/udp"
          ];
          volumes = [
            "${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"
          ];
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 9150 ];
    networking.firewall.allowedUDPPorts = [ 8853 ];
  };
 }
--- a/modules/nixos/persist/default.nix
+++ b/modules/nixos/persist/default.nix
@ -109,16 +109,17 @@ in
        "/var/cache"
      ];
      persist.state = {
-        directories = [
+        directories =
-          "/var/lib/nixos"
+          [
-          "/var/lib/systemd"
+            "/var/lib/nixos"
-        ]
+            "/var/lib/systemd"
-        ++ lib.optionals config.services.mysql.enable [
+          ]
-          config.services.mysql.dataDir
+          ++ lib.optionals config.services.mysql.enable [
-        ]
+            config.services.mysql.dataDir
-        ++ lib.optionals config.services.postgresql.enable [
+          ]
-          "/var/lib/postgresql"
+          ++ lib.optionals config.services.postgresql.enable [
-        ];
+            "/var/lib/postgresql"
          ];
        files = [
          "/etc/machine-id"
          "/etc/ssh/ssh_host_ed25519_key"
--- a/modules/nixos/services/tor.nix
+++ b/modules/nixos/services/tor.nix
@ -1,36 +0,0 @@
 { config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) int;
  cfg = config.ataraxia.services.tor;
 in
 {
  options.ataraxia.services.tor = {
    enable = mkEnableOption "Enable tor service client";
    enableRelay = mkEnableOption "Enable tor service bridge";
    relayPort = mkOption {
      type = int;
      description = "Bridge listen port";
    };
  };
  config = mkIf (cfg.enable || cfg.enableRelay) {
    services.tor = {
      enable = true;
      client.enable = cfg.enable;
      relay.enable = cfg.enableRelay;
      relay.role = "private-bridge";
      settings = mkIf cfg.enableRelay {
        ContactInfo = "admin@ataraxiadev.com";
        Nickname = config.networking.hostName;
        ORPort = 42891;
        ServerTransportListenAddr = "obfs4 0.0.0.0:${toString cfg.relayPort}";
      };
    };
    networking.firewall.allowedTCPPorts = [ cfg.relayPort ];
    persist.state.directories = [ "/var/lib/tor" ];
  };
 }
--- a/modules/nixos/virtualisation/virtualisation.nix
+++ b/modules/nixos/virtualisation/virtualisation.nix
@ -24,8 +24,6 @@ in
  };
  config = mkIf (cfg.docker || cfg.libvirt || cfg.podman) {
    boot.enableContainers = true;
    virtualisation = {
      oci-containers.backend = if (!cfg.podman && cfg.docker) then "docker" else "podman";
      docker = {
@ -40,7 +38,6 @@ in
      podman = {
        enable = cfg.podman;
        defaultNetwork.settings.dns_enabled = true;
        dockerCompat = !config.virtualisation.docker.enable;
        dockerSocket.enable = !config.virtualisation.docker.enable;
      };
      containers.containersConf.settings = {
@ -101,6 +98,8 @@ in
      };
    };
    boot.enableContainers = true;
    environment.systemPackages =
      [ ]
      ++ optionals cfg.docker [ pkgs.docker-compose ]
@ -117,18 +116,19 @@ in
    networking.firewall = {
      trustedInterfaces = mkIf cfg.libvirt [ "virbr0" ];
-      interfaces = {
+      interfaces =
-        "podman*".allowedUDPPorts = mkIf cfg.podman [
+        {
-          53
+          "podman*".allowedUDPPorts = mkIf cfg.podman [
-          5353
+            53
-        ];
+            5353
-      }
+          ];
-      // mapAttrs (_: _: {
+        }
-        allowedUDPPorts = [
+        // mapAttrs (_: _: {
-          53
+          allowedUDPPorts = [
-          5353
+            53
-        ];
+            5353
-      }) config.virtualisation.quadlet.networks;
+          ];
        }) config.virtualisation.quadlet.networks;
    };
    security.unprivilegedUsernsClone = true;
@ -138,26 +138,18 @@ in
      "/var/lib/libvirt"
      "/var/lib/containers"
    ];
    persist.state.files = [
      "/etc/subuid"
      "/etc/subgid"
    ];
    home-manager = mkIf useHomeManager {
      users.${defaultUser} = {
-        home.file.".config/containers/storage.conf".text = mkIf cfg.podman ''
+        home.file.".config/containers/storage.conf".text = ''
          [storage]
          driver = "overlay"
        '';
-        home.file.".config/libvirt/libvirt.conf".text = mkIf cfg.libvirt ''
+        home.file.".config/libvirt/libvirt.conf".text = ''
          uri_default = "qemu:///system"
        '';
-        persist.state.directories = mkIf cfg.podman [
+        persist.state.directories = [
          ".config/containers"
          {
            directory = ".local/share/containers";
            method = "symlink";
          }
        ];
      };
    };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -34,13 +34,9 @@ in
  # nix-index-update = inputs.nix-alien.packages.${system}.nix-index-update;
  osu-lazer = unstable.osu-lazer;
  osu-lazer-bin = unstable.osu-lazer-bin;
-  prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
+  # prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
-    jdks = [
+  #   jdks = [ final.temurin-bin ];
-      final.temurin-jre-bin
+  # };
      final.temurin-jre-bin-17
    ];
    textToSpeechSupport = false;
  };
  proton-ge-bin = unstable.proton-ge-bin;
  xray = unstable.xray;
  # youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
@ -49,29 +45,64 @@ in
  sing-box = final.sing-box-extended;
  wine = prev.wineWow64Packages.stagingFull;
  # Patch spotify with spotx
  spotify = prev.spotify.overrideAttrs (
    oa:
    let
      spotx = prev.fetchurl {
        url = "https://raw.githubusercontent.com/SpotX-Official/SpotX-Bash/b1de24ec4c23c45da373dcb64a44e372253a0c16/spotx.sh";
        hash = "sha256-/p6cJKzaZzjcLJISFudstQjs+lPXnXx4f0vxKbF9Sqw=";
      };
    in
    {
      nativeBuildInputs =
        oa.nativeBuildInputs
        ++ (with prev; [
          perl
          unzip
          util-linux
          zip
        ]);
      postUnpack =
        oa.postUnpack or ""
        + ''
          patchShebangs --build ${spotx}
        '';
      postInstall =
        oa.postInstall or ""
        + ''
          bash ${spotx} -f -h -P "$out/share/spotify"
        '';
    }
  );
  # Move modprobed config to subdir. Easier to use with impermanence
  modprobed-db = prev.modprobed-db.overrideAttrs (oa: {
    nativeBuildInputs = [ prev.makeWrapper ] ++ oa.nativeBuildInputs or [ ];
-    postPatch = (oa.postPatch or "") + ''
+    postPatch =
-      substituteInPlace ./common/modprobed-db.in \
+      (oa.postPatch or "")
-        --replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
+      + ''
-      substituteInPlace ./common/modprobed-db.skel \
+        substituteInPlace ./common/modprobed-db.in \
-        --replace-fail "/.config" "/.config/modprobed-db"
+          --replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
-    '';
+        substituteInPlace ./common/modprobed-db.skel \
-    postInstall = (oa.postInstall or "") + ''
+          --replace-fail "/.config" "/.config/modprobed-db"
-      wrapProgram $out/bin/modprobed-db \
+      '';
-      --set PATH ${
+    postInstall =
-        with final;
+      (oa.postInstall or "")
-        lib.makeBinPath [
+      + ''
-          gawk
+        wrapProgram $out/bin/modprobed-db \
-          getent
+        --set PATH ${
-          coreutils
+          with final;
-          gnugrep
+          lib.makeBinPath [
-          gnused
+            gawk
-          kmod
+            getent
-        ]
+            coreutils
-      }
+            gnugrep
-    '';
+            gnused
            kmod
          ]
        }
      '';
  });
  pass-secret-service = prev.pass-secret-service.overrideAttrs (_: {
--- a/secrets/blueshift/nginx.yaml
+++ b/secrets/blueshift/nginx.yaml
--- a/secrets/proxy.yaml
+++ b/secrets/proxy.yaml