From 0998e016cda4f0c59425345b00b8391691ced772 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 15:35:13 +0300
Subject: [PATCH] kyra(hardening): using nixos-containers for mihomo core
Signed-off-by: s0me1newithhand7s
---
 kyra/containers/mihomo.nix | 126 +++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 kyra/containers/mihomo.nix
diff --git a/kyra/containers/mihomo.nix b/kyra/containers/mihomo.nix
new file mode 100644
index 0000000..f31a32c
--- /dev/null
+++ b/kyra/containers/mihomo.nix
@@ -0,0 +1,126 @@
+_: {
+ containers = {
+ "mihomo" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.2";
+
+ bindMounts = {
+ "acme" = {
+ isReadOnly = true;
+ hostPath = "/var/lib/acme/hand7s.org";
+ mountPoint = "/var/lib/acme/hand7s.org";
+ };
+ };
+
+ config = {
+ pkgs,
+ name,
+ lib,
+ ...
+ }: {
+ services = {
+ mihomo = {
+ enable = true;
+ configFile = (pkgs.formats.yaml {}).generate "config.yaml" {
+ dns = {
+ enable = true;
+ enhanced-mode = "fake-ip";
+ respect-rules = true;
+ nameserver = [
+ "tcp://192.168.101.1:8853"
+ ];
+ };
+
+ sniffer = {
+ enable = true;
+ sniff = {
+ quic = {
+ ports = [
+ 443
+ ];
+ };
+
+ tls = {
+ override-destination = true;
+ ports = [
+ 443
+ 8443
+ ];
+ };
+ };
+ };
+
+ rules = [
+ "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve"
+ "IP-CIDR,127.0.0.0/8,DIRECT,no-resolve"
+
+ "MATCH,direct"
+ ];
+
+ experimental = {
+ udp-base-routing = true;
+ };
+
+ profile = {
+ store-selected = false;
+ store-fake-ip = false;
+ };
+
+ listeners = [
+ {
+ name = "hy2-in";
+ type = "hysteria2";
+ listen = "[::]";
+ port = 443;
+ masquerade = "https://hand7s.org";
+ up = "100 Mbps";
+ down = "100 Mpbs";
+ obfs = "salamander";
+ obfs-password = lib.hashString "md5" "password";
+
+ certificate = "/var/lib/acme/hand7s.org/cert.pem";
+ private-key = "/var/lib/acme/hand7s.org/key.pem";
+
+ users = [
+ "hand7s:"
+ ];
+ }
+
+ {
+ name = "vless-in";
+ type = "vless";
+ listen = "[::]";
+ port = 8443;
+ udp = true;
+
+ reality-config = {
+ dest = "192.168.101.1:444";
+ private-key = lib.hasString "md5" "pkb";
+
+ short-id = [
+ "shortie"
+ ];
+
+ server-names = [
+ "${name}.hand7s.org"
+ ];
+ };
+
+ users = [
+ {
+ username = "hand7s";
+ flow = "xtls-rprx-vision";
+ uuid = "very-real-uuid-btws";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
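Review bot: The listener credentials in this hunk are placeholders that get baked, world-readable, into the Nix store, because `configFile` is rendered by `pkgs.formats.yaml` at evaluation time: `obfs-password = lib.hashString "md5" "password"` is a deterministic digest of a known string, the vless `uuid` is `"very-real-uuid-btws"`, and the Hysteria2 user `"hand7s:"` carries an empty password (mihomo documents hysteria2 `users` as a name-to-password map, so also confirm this list form authenticates at all). Real secrets should be generated out of band and injected at runtime through a file outside `/nix/store` rather than evaluated into the YAML. Independently, `private-key = lib.hasString "md5" "pkb"` fails evaluation since the function is `lib.hashString`, and even once fixed an MD5 hex digest is not a usable REALITY key — REALITY expects a base64-encoded X25519 private key, and `short-id` entries are hex strings of up to 8 bytes, so `"shortie"` is unlikely to be accepted. `down = "100 Mpbs"` is also a unit typo that the bandwidth parser may reject. If the placeholders are deliberate for this commit, a `# TODO(security): replace placeholder credentials with runtime-injected secrets before exposing :443/:8443` comment above `listeners` would make that explicit.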