treewide: upstreaming changes

Signed-off-by: s0me1newithhand7s <117505144+s0me1newithhand7s@users.noreply.github.com>
2025-10-24 20:48:35 +03:00 · 2025-10-24 20:48:35 +03:00 · e4e1b03c7e
commit e4e1b03c7e
parent d159232b37
160 changed files with 3408 additions and 5474 deletions
--- a/s0mev1rtn0de-nix/boot/initrd/availableKernelModules.nix
+++ b/s0mev1rtn0de-nix/boot/initrd/availableKernelModules.nix
@ -0,0 +1,19 @@
+{...}: {
+    boot = {
+        initrd = {
+            availableKernelModules = [
+                "ata_piix"
+                "uhci_hcd"
+                "xen_blkfront"
+                "vmw_pvscsi"
+                "virtio_net"
+                "virtio_pci"
+                "virtio_mmio"
+                "virtio_blk"
+                "virtio_scsi"
+                "9p"
+                "9pnet_virtio"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/boot/initrd/kernelModules.nix
+++ b/s0mev1rtn0de-nix/boot/initrd/kernelModules.nix
@ -0,0 +1,14 @@
+{...}: {
+    boot = {
+        initrd = {
+            kernelModules = [
+                "virtio_balloon"
+                "virtio_console"
+                "virtio_rng"
+                "virtio_gpu"
+                "nvme"
+                "kvm-amd"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/boot/kernel.nix
+++ b/s0mev1rtn0de-nix/boot/kernel.nix
@ -0,0 +1,10 @@
+{...}: {
+    boot = {
+        kernel = {
+            sysctl = {
+                "net.ipv4.ip_forward" = 1;
+                "net.ipv6.conf.all.forwarding" = 1;
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/boot/loader/grub.nix
+++ b/s0mev1rtn0de-nix/boot/loader/grub.nix
@ -0,0 +1,11 @@
+{...}: {
+    boot = {
+        loader = {
+            grub = {
+                enable = true;
+                efiSupport = true;
+                efiInstallAsRemovable = true;
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/boot/tmp.nix
+++ b/s0mev1rtn0de-nix/boot/tmp.nix
@ -0,0 +1,7 @@
+{...}: {
+    boot = {
+        tmp = {
+            cleanOnBoot = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/default.nix
+++ b/s0mev1rtn0de-nix/default.nix
@ -0,0 +1,58 @@
+{...}: {
+    imports = [
+        ./disko/disk.nix
+        ./disko/lvm_vg.nix
+
+        ./boot/initrd/availableKernelModules.nix
+        ./boot/initrd/kernelModules.nix
+        ./boot/loader/grub.nix
+        ./boot/kernel.nix
+        ./boot/tmp.nix
+
+        ./environment/systemPackages.nix
+
+        ./hardware/zram.nix
+
+        ./networking/firewall/ens3.nix
+        ./networking/firewall/wt0.nix
+        ./networking/firewall.nix
+        ./networking/hostname.nix
+        ./networking/dns.nix
+        ./networking/nftables.nix
+        ./networking/wireguard.nix
+        ./networking/wg-quick.nix
+        ./networking/nat.nix
+
+        ./nix/settings/allowed-users.nix
+        ./nix/settings/experimental-features.nix
+        ./nix/settings/substituters.nix
+        ./nix/settings/trusted-public-keys.nix
+        ./nix/settings/trusted-users.nix
+        ./nix/settings/auto-optimise-store.nix
+
+        ./nixpkgs/config.nix
+        ./nixpkgs/platform.nix
+
+        ./programs/nh.nix
+
+        ./services/openssh.nix
+        ./services/fail2ban.nix
+        ./services/netbird.nix
+        ./services/qemuGuest.nix
+        ./services/caddy.nix
+        ./services/sing-box.nix
+
+        ./sops/age.nix
+        ./sops/defaults.nix
+        ./sops/secrets.nix
+
+        ./system/stateVersion.nix
+
+        ./users/users.nix
+        ./users/users/askhat.nix
+        ./users/users/hand7s.nix
+        ./users/users/root.nix
+
+        ./virtualisation/docker.nix
+    ];
+}
--- a/s0mev1rtn0de-nix/disko/disk.nix
+++ b/s0mev1rtn0de-nix/disko/disk.nix
@ -0,0 +1,44 @@
+{
+    disko = {
+        devices = {
+            disk = {
+                virt_main = {
+                    device = "/dev/sda";
+                    type = "disk";
+                    content = {
+                        type = "gpt";
+                        partitions = {
+                            boot = {
+                                name = "boot";
+                                size = "1M";
+                                type = "EF02";
+                            };
+
+                            ESP = {
+                                name = "ESP";
+                                size = "1024M";
+                                type = "EF00";
+                                content = {
+                                    type = "filesystem";
+                                    format = "vfat";
+                                    mountpoint = "/boot";
+                                    mountOptions = [
+                                        "umask=0077"
+                                    ];
+                                };
+                            };
+
+                            root = {
+                                size = "100%";
+                                content = {
+                                    type = "lvm_pv";
+                                    vg = "pool";
+                                };
+                            };
+                        };
+                    };
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/disko/lvm_vg.nix
+++ b/s0mev1rtn0de-nix/disko/lvm_vg.nix
@ -0,0 +1,27 @@
+{
+    disko = {
+        devices = {
+            lvm_vg = {
+                pool = {
+                    type = "lvm_vg";
+                    lvs = {
+                        root = {
+                            size = "100%FREE";
+                            content = {
+                                type = "btrfs";
+                                mountpoint = "/";
+                                extraArgs = [
+                                    "-f"
+                                ];
+
+                                mountOptions = [
+                                    "compress=zstd"
+                                ];
+                            };
+                        };
+                    };
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/environment/systemPackages.nix
+++ b/s0mev1rtn0de-nix/environment/systemPackages.nix
@ -0,0 +1,10 @@
+{pkgs, ...}: {
+    environment = {
+        systemPackages = [
+            pkgs.helix
+            pkgs.comma
+        ];
+
+        enableAllTerminfo = true;
+    };
+}
--- a/s0mev1rtn0de-nix/hardware/zram.nix
+++ b/s0mev1rtn0de-nix/hardware/zram.nix
@ -0,0 +1,8 @@
+{...}: {
+    zramSwap = {
+        enable = true;
+        algorithm = "zstd";
+        priority = 100;
+        memoryPercent = 100;
+    };
+}
--- a/s0mev1rtn0de-nix/networking/dns.nix
+++ b/s0mev1rtn0de-nix/networking/dns.nix
@ -0,0 +1,16 @@
+{...}: {
+    networking = {
+        nameservers = [
+            "1.1.1.1"
+            "1.0.0.1"
+            "8.8.8.8"
+            "8.8.4.4"
+            "2606:4700:4700::1111"
+            "2606:4700:4700::1001"
+            "2001:4860:4860::8888"
+            "2001:4860:4860::8844"
+            "2620:119:35::35"
+            "2620:119:53::53"
+        ];
+    };
+}
--- a/s0mev1rtn0de-nix/networking/firewall.nix
+++ b/s0mev1rtn0de-nix/networking/firewall.nix
@ -0,0 +1,11 @@
+{...}: {
+    networking = {
+        firewall = {
+            enable = true;
+            allowPing = true;
+            checkReversePath = false;
+        };
+
+        useNetworkd = true;
+    };
+}
--- a/s0mev1rtn0de-nix/networking/firewall/ens3.nix
+++ b/s0mev1rtn0de-nix/networking/firewall/ens3.nix
@ -0,0 +1,21 @@
+{...}: {
+    networking = {
+        firewall = {
+            interfaces = {
+                ens3 = {
+                    allowedUDPPorts = [
+                        443
+                        53590
+                        53570
+                    ];
+
+                    allowedTCPPorts = [
+                        443
+                        53590
+                        53570
+                    ];
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/firewall/wt0.nix
+++ b/s0mev1rtn0de-nix/networking/firewall/wt0.nix
@ -0,0 +1,17 @@
+{...}: {
+    networking = {
+        firewall = {
+            interfaces = {
+                wt0 = {
+                    allowedUDPPorts = [
+                        39856
+                    ];
+
+                    allowedTCPPorts = [
+                        39856
+                    ];
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/hostname.nix
+++ b/s0mev1rtn0de-nix/networking/hostname.nix
@ -0,0 +1,5 @@
+{...}: {
+    networking = {
+        hostName = "s0mev1rtn0de-nix";
+    };
+}
--- a/s0mev1rtn0de-nix/networking/interfaces/ens3.nix
+++ b/s0mev1rtn0de-nix/networking/interfaces/ens3.nix
@ -0,0 +1,16 @@
+{...}: {
+    networking = {
+        interfaces = {
+            ens3 = {
+                ipv6 = {
+                    addresses = [
+                        {
+                            address = "";
+                            prefixLength = 128;
+                        }
+                    ];
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/nat.nix
+++ b/s0mev1rtn0de-nix/networking/nat.nix
@ -0,0 +1,12 @@
+{...}: {
+    networking = {
+        nat = {
+            enable = true;
+            enableIPv6 = true;
+            externalInterface = "ens3";
+            internalInterfaces = [
+                "wg0"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/nftables.nix
+++ b/s0mev1rtn0de-nix/networking/nftables.nix
@ -0,0 +1,7 @@
+{...}: {
+    networking = {
+        nftables = {
+            enable = false;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/wg-quick.nix
+++ b/s0mev1rtn0de-nix/networking/wg-quick.nix
@ -0,0 +1,50 @@
+{
+    config,
+    pkgs,
+    lib,
+    ...
+}: {
+    networking = {
+        wg-quick = {
+            interfaces = {
+                wg0 = {
+                    type = "wireguard";
+                    listenPort = 53590;
+                    privateKeyFile = config.sops.secrets.privateWgKey;
+
+                    address = [
+                        "10.100.0.1/24"
+                    ];
+
+                    postUp = ''
+                        ${lib.getExe' pkgs.iptables "iptables"} -A FORWARD -i wg0 -j ACCEPT
+                        ${lib.getExe' pkgs.iptables "iptables"} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+                    '';
+
+                    preDown = ''
+                        ${lib.getExe' pkgs.iptables "iptables"} -D FORWARD -i wg0 -j ACCEPT
+                         ${lib.getExe' pkgs.iptables "iptables"} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+                    '';
+
+                    peers = [
+                        {
+                            publicKey = "{}";
+                            presharedKeyFile = config.sops.secrets.presharedWgKey1;
+                            allowedIPs = [
+                                "10.100.0.2/32"
+                            ];
+                        }
+
+                        {
+                            publicKey = "{}";
+                            presharedKeyFile = config.sops.secrets.presharedWgKey2;
+                            allowedIPs = [
+                                "10.100.0.3/32"
+                            ];
+                        }
+                    ];
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/networking/wireguard.nix
+++ b/s0mev1rtn0de-nix/networking/wireguard.nix
@ -0,0 +1,7 @@
+{...}: {
+    networking = {
+        wireguard = {
+            enable = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/allowed-users.nix
+++ b/s0mev1rtn0de-nix/nix/settings/allowed-users.nix
@ -0,0 +1,10 @@
+{...}: {
+    nix = {
+        settings = {
+            sandbox = true;
+            allowed-users = [
+                "@wheel"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/auto-optimise-store.nix
+++ b/s0mev1rtn0de-nix/nix/settings/auto-optimise-store.nix
@ -0,0 +1,7 @@
+{...}: {
+    nix = {
+        settings = {
+            auto-optimise-store = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/experimental-features.nix
+++ b/s0mev1rtn0de-nix/nix/settings/experimental-features.nix
@ -0,0 +1,10 @@
+{...}: {
+    nix = {
+        settings = {
+            experimental-features = [
+                "nix-command"
+                "flakes"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/substituters.nix
+++ b/s0mev1rtn0de-nix/nix/settings/substituters.nix
@ -0,0 +1,19 @@
+{...}: {
+    nix = {
+        settings = {
+            substituters = [
+                # cache.nixos.org
+                "https://nixos-cache-proxy.cofob.dev"
+                "https://cache.nixos.org"
+                # cache.garnix.org
+                "https://cache.garnix.io"
+                # cachix
+                "https://nix-community.cachix.org/"
+                "https://chaotic-nyx.cachix.org/"
+                "https://ags.cachix.org"
+                "https://hyprland.cachix.org"
+                "https://chaotic-nyx.cachix.org/"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/trusted-public-keys.nix
+++ b/s0mev1rtn0de-nix/nix/settings/trusted-public-keys.nix
@ -0,0 +1,18 @@
+{...}: {
+    nix = {
+        settings = {
+            trusted-public-keys = [
+                # cache.nixos.org
+                "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+                # cache.garnix.io
+                "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+                # cachix.org
+                "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+                "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+                "ags.cachix.org-1:naAvMrz0CuYqeyGNyLgE010iUiuf/qx6kYrUv3NwAJ8="
+                "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+                "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nix/settings/trusted-users.nix
+++ b/s0mev1rtn0de-nix/nix/settings/trusted-users.nix
@ -0,0 +1,9 @@
+{...}: {
+    nix = {
+        settings = {
+            trusted-users = [
+                "@wheel"
+            ];
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nixpkgs/config.nix
+++ b/s0mev1rtn0de-nix/nixpkgs/config.nix
@ -0,0 +1,8 @@
+{...}: {
+    nixpkgs = {
+        config = {
+            allowBroken = true;
+            allowUnfree = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/nixpkgs/platform.nix
+++ b/s0mev1rtn0de-nix/nixpkgs/platform.nix
@ -0,0 +1,6 @@
+{...}: {
+    nixpkgs = {
+        system = "x86_64-linux";
+        hostPlatform = "x86_64-linux";
+    };
+}
--- a/s0mev1rtn0de-nix/programs/nh.nix
+++ b/s0mev1rtn0de-nix/programs/nh.nix
@ -0,0 +1,7 @@
+{...}: {
+    programs = {
+        nh = {
+            enable = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/caddy.nix
+++ b/s0mev1rtn0de-nix/services/caddy.nix
@ -0,0 +1,55 @@
+{pkgs, ...}: {
+    services = {
+        caddy = {
+            enable = true;
+
+            package = pkgs.caddy.withPlugins {
+                plugins = [
+                    "github.com/mholt/caddy-l4@v0.0.0-20250902102621-4a517a98d7fa"
+                    "github.com/caddy-dns/cloudflare@v0.2.1"
+                ];
+                hash = "sha256-1/jRWotKCvx7QncjVSVGYXb2gAmIiokC/ZbCUelG5Rc=";
+            };
+
+            globalConfig = ''
+                debug
+                email me@hand7s.org
+
+                acme_ca https://acme-v02.api.letsencrypt.org/directory
+
+            '';
+
+            # acme_ca https://api.zerossl.com/directory
+
+            virtualHosts = {
+                "hand7s.org" = {
+                    extraConfig = ''
+
+                        respond "hi! :D WIP btw"
+                    '';
+                };
+
+                "git.hand7s.org" = {
+                    extraConfig = ''
+
+                        reverse_proxy ${homeIP}:53350
+                    '';
+                };
+
+                "bin.hand7s.org" = {
+                    extraConfig = ''
+
+                        reverse_proxy ${homeIP}:80
+                    '';
+                };
+
+                "zitadel.hand7s.org" = {
+                    extraConfig = ''
+
+                        reverse_proxy ${homeIP}:8443
+                    '';
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/fail2ban.nix
+++ b/s0mev1rtn0de-nix/services/fail2ban.nix
@ -0,0 +1,14 @@
+{...}: {
+    services = {
+        fail2ban = {
+            enable = true;
+            bantime-increment = {
+                enable = true;
+                factor = "10";
+                formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+                overalljails = true;
+                maxtime = "500h";
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/netbird.nix
+++ b/s0mev1rtn0de-nix/services/netbird.nix
@ -0,0 +1,7 @@
+{...}: {
+    services = {
+        netbird = {
+            enable = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/openssh.nix
+++ b/s0mev1rtn0de-nix/services/openssh.nix
@ -0,0 +1,20 @@
+{...}: {
+    services = {
+        openssh = {
+            enable = true;
+
+            settings = {
+                PrintMotd = false;
+                PermitRootLogin = "no";
+                PasswordAuthentication = false;
+                MaxAuthTries = 3;
+                LoginGraceTime = 10;
+                PermitEmptyPasswords = "no";
+                ChallengeResponseAuthentication = "no";
+                KerberosAuthentication = "no";
+                GSSAPIAuthentication = "no";
+                X11Forwarding = false;
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/qemuGuest.nix
+++ b/s0mev1rtn0de-nix/services/qemuGuest.nix
@ -0,0 +1,7 @@
+{...}: {
+    services = {
+        qemuGuest = {
+            enable = true;
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/services/sing-box.nix
+++ b/s0mev1rtn0de-nix/services/sing-box.nix
@ -0,0 +1,91 @@
+{
+    # config,
+    ...
+}: {
+    services = {
+        sing-box = {
+            enable = true;
+            settings = {
+                log = {
+                    level = "debug";
+                };
+
+                dns = {
+                    servers = [
+                        {
+                            type = "local";
+                            tag = "local";
+                        }
+                    ];
+
+                    final = "local";
+                    strategy = "prefer_ipv6";
+                };
+
+                route = {
+                    final = "direct-out";
+                    auto_detect_interface = true;
+                };
+
+                outbounds = [
+                    {
+                        tag = "direct-out";
+                        type = "direct";
+                    }
+                ];
+
+                inbounds = [
+                    {
+                        type = "vless";
+                        tag = "vless-inbound";
+
+                        listen = "::";
+                        listen_port = 53570;
+
+                        users = [
+                            {
+                                name = "hand7s_1";
+                                uuid = "${singboxUUID2}";
+                                flow = "xtls-rprx-vision";
+                            }
+
+                            {
+                                name = "hand7s_2";
+                                uuid = "${singboxUUID2}";
+                                flow = "xtls-rprx-vision";
+                            }
+                        ];
+
+                        tls = rec {
+                            enabled = true;
+                            server_name = "vk.com";
+                            reality = {
+                                enabled = true;
+                                max_time_difference = "5m";
+                                handshake = {
+                                    server = server_name;
+                                    server_port = 443;
+                                };
+
+                                private_key = "${singboxKey}";
+
+                                short_id = [
+                                    "${singboxId}"
+                                ];
+                            };
+                        };
+
+                        transport = {
+                            type = "httpupgrade";
+                        };
+
+                        multiplex = {
+                            enabled = true;
+                            padding = false;
+                        };
+                    }
+                ];
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/system/stateVersion.nix
+++ b/s0mev1rtn0de-nix/system/stateVersion.nix
@ -0,0 +1,5 @@
+{...}: {
+    system = {
+        stateVersion = "23.11";
+    };
+}
--- a/s0mev1rtn0de-nix/users/users.nix
+++ b/s0mev1rtn0de-nix/users/users.nix
@ -0,0 +1,5 @@
+{...}: {
+    users = {
+        mutableUsers = false;
+    };
+}
--- a/s0mev1rtn0de-nix/users/users/askhat.nix
+++ b/s0mev1rtn0de-nix/users/users/askhat.nix
@ -0,0 +1,23 @@
+{...}: {
+    users = {
+        users = {
+            askhat = {
+                description = "askhat";
+                isNormalUser = true;
+                hashedPassword = "$y$j9T$t3G0Vj47wHY86twX2bfwr/$kUajwW8gxtu09z9btWBB7YNEcj1Ut3QfYEazWr7utgC";
+                extraGroups = [
+                    "wheel"
+                    "docker"
+                ];
+
+                openssh = {
+                    authorizedKeys = {
+                        keys = [
+                            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfdXRE2ckx++O1lHFcmZlBMN1Sgy3aqSadOdC+ZOLj5 kixoncon33@gmail.com"
+                        ];
+                    };
+                };
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/users/users/hand7s.nix
+++ b/s0mev1rtn0de-nix/users/users/hand7s.nix
@ -0,0 +1,15 @@
+{...}: {
+    users = {
+        users = {
+            hand7s = {
+                description = "hands";
+                isNormalUser = true;
+                hashedPassword = "$y$j9T$eHfq328GBp7Ga8xsbOTV/0$kcihv7zWLqSkj2jKAhI1pdbTSwvaf2RY5Rokm69XTL/";
+                extraGroups = [
+                    "wheel"
+                    "docker"
+                ];
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/users/users/root.nix
+++ b/s0mev1rtn0de-nix/users/users/root.nix
@ -0,0 +1,9 @@
+{pkgs, ...}: {
+    users = {
+        users = {
+            root = {
+                shell = "${pkgs.util-linux}/bin/nologin";
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/virtualisation/docker.nix
+++ b/s0mev1rtn0de-nix/virtualisation/docker.nix
@ -0,0 +1,14 @@
+{...}: {
+    virtualisation = {
+        oci-containers = {
+            backend = "docker";
+        };
+
+        docker = {
+            enable = true;
+            rootless = {
+                enable = true;
+            };
+        };
+    };
+}
--- a/s0mev1rtn0de-nix/virtualisation/oci-containers/3x-ui.nix
+++ b/s0mev1rtn0de-nix/virtualisation/oci-containers/3x-ui.nix
@ -0,0 +1,26 @@
+{...}: {
+    virtualisation = {
+        oci-containers = {
+            containers = {
+                "3x-ui" = {
+                    autoStart = true;
+                    image = "ghcr.io/mhsanaei/3x-ui:latest";
+                    volumes = [
+                        "/docker/3x-ui/db/:/etc/x-ui/"
+                        "/docker/3x-ui/certs/:/root/cert/"
+                    ];
+
+                    environment = {
+                        XRAY_VMESS_AEAD_FORCED = toString false;
+                        XUI_ENABLE_FAIL2BAN = toString false;
+                    };
+
+                    extraOptions = [
+                        "--network=host"
+                        "--tty=true"
+                    ];
+                };
+            };
+        };
+    };
+}