diff --git a/users/geekiot/home/env.nix b/users/geekiot/home/env.nix
new file mode 100644
index 0000000..e69de29
diff --git a/users/geekiot/host/default.nix b/users/geekiot/host/default.nix
index 10d36eb..539559a 100644
--- a/users/geekiot/host/default.nix
+++ b/users/geekiot/host/default.nix
@@ -11,5 +11,22 @@ efibootmgr ];
- system.stateVersion = "25.05";
+ host = {
+ locale = {
+ enable = true;
+ timeZone = "Asia/Yekaterinburg";
+ };
+ nix = {
+ enable = true;
+ optimization.enable = false;
+ };
+ polkit.enable = true;
+ window_managers.kde = {
+ enable = true;
+ sddm.enable = true;
+ powerProfiles.enable = false;
+ };
+ xserver.enable = true;
+ version = "25.05";
+ };
 }
diff --git a/users/geekiot/host/env.nix b/users/geekiot/host/env.nix
new file mode 100644
index 0000000..45a9eae
--- /dev/null
+++ b/users/geekiot/host/env.nix
@@ -0,0 +1,10 @@
+{
+ environment.sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ MOZ_ENABLE_WAYLAND = "1";
+
+ WRL_NO_HARDWARE_CURSORS = "1";
+
+ GTK_USE_PORTAL = "1";
+ };
+}
diff --git a/users/geekiot/host/firewall.nix b/users/geekiot/host/firewall.nix
new file mode 100644
index 0000000..28dd236
--- /dev/null
+++ b/users/geekiot/host/firewall.nix
@@ -0,0 +1,9 @@
+{
+ networking.nftables.enable = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ allowPing = false;
+ };
+}
diff --git a/users/geekiot/host/network_manager.nix b/users/geekiot/host/network_manager.nix
new file mode 100644
index 0000000..825f4bd
--- /dev/null
+++ b/users/geekiot/host/network_manager.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+ networking.networkmanager = {
+ enable = true;
+ package = pkgs.networkmanager;
+ wifi = {
+ macAddress = "random";
+ };
+ };
+}
diff --git a/users/geekiot/host/proxy.nix b/users/geekiot/host/proxy.nix
new file mode 100644
index 0000000..54be79c
--- /dev/null
+++ b/users/geekiot/host/proxy.nix
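Review bot: Dropping `system.stateVersion` in favour of `host.version = "25.05"` only keeps the state version stable if the `host` module (not in this diff) maps that value back to `system.stateVersion`; if it does not, NixOS falls back to the running release with a warning and stateful services may migrate unexpectedly on the next upgrade. Since the mapping is invisible here, a one-line comment would save the next reader from re-adding the option: `version = "25.05"; # forwarded to system.stateVersion by the host module`.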
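Review bot: `WRL_NO_HARDWARE_CURSORS = "1";` in env.nix looks like a typo for the wlroots variable `WLR_NO_HARDWARE_CURSORS`; as written it sets a variable nothing reads. It is also a wlroots knob, while default.nix enables KDE, so even spelled correctly it may have no effect on this host — either drop it as a leftover from another compositor or correct it to `WLR_NO_HARDWARE_CURSORS = "1";` with a comment saying which compositor it is for.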
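Review bot: `macAddress = "random";` in network_manager.nix gives a fresh MAC on every connection, which defeats DHCP reservations and forces captive-portal re-authentication each time; `"stable"` (per-network stable, different across networks) is usually the better privacy/usability trade-off, and scan-time randomisation is governed separately by `wifi.scanRandMacAddress`, which already defaults to true. `package = pkgs.networkmanager;` is the module default and can be dropped.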
@@ -0,0 +1,197 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+let
+ flow = config.sops.secrets."sing_box/flow".path;
+ packet_encoding = config.sops.secrets."sing_box/packet_encoding".path;
+ server = config.sops.secrets."sing_box/server".path;
+ public_key = config.sops.secrets."sing_box/public_key".path;
+ short_id = config.sops.secrets."sing_box/short_id".path;
+ server_name = config.sops.secrets."sing_box/server_name".path;
+ fingerprint = config.sops.secrets."sing_box/fingerprint".path;
+ uuid = config.sops.secrets."sing_box/uuid".path;
+ type = config.sops.secrets."sing_box/type".path;
+in
+{
+ # Sops
+ sops.secrets = {
+ "sing_box/flow" = { };
+ "sing_box/packet_encoding" = { };
+ "sing_box/server" = { };
+ "sing_box/public_key" = { };
+ "sing_box/short_id" = { };
+ "sing_box/server_name" = { };
+ "sing_box/fingerprint" = { };
+ "sing_box/uuid" = { };
+ "sing_box/type" = { };
+ };
+
+ networking.proxy = {
+ httpsProxy = "http://127.0.0.1:12634";
+ httpProxy = "http://127.0.0.1:12634";
+ };
+
+ # Sing-box
+ services.sing-box = {
+ enable = true;
+ package = pkgs.old.sing-box;
+ };
+
+ services.sing-box.settings.log = {
+ level = "panic";
+ };
+
+ services.sing-box.settings.experimental = {
+ cache_file = {
+ enabled = true;
+ path = "clash.db";
+ };
+ };
+
+ services.sing-box.settings.dns = {
+ independent_cache = true;
+ servers = [
+ {
+ tag = "dns-remote";
+ address = "udp://1.1.1.1";
+ detour = "proxy";
+ address_resolver = "dns-direct";
+ }
+ {
+ tag = "dns-direct";
+ address = "1.1.1.1";
+ address_resolver = "dns-local";
+ detour = "direct";
+ }
+ {
+ tag = "dns-local";
+ address = "local";
+ detour = "direct";
+ }
+ {
+ tag = "dns-block";
+ address = "rcode://success";
+ }
+ ];
+ rules = [
+ {
+ domain = "cp.cloudflare.com";
+ server = "dns-remote";
+ rewrite_ttl = 3000;
+ }
+ {
+ rule_set = [
+ "geoip-ru"
+ "geosite-ru"
+ ];
+ server = "dns-direct";
+ }
+ {
+ server = "dns-block";
+ domain_suffix = ".lan";
+ query_type = [
+ 32
+ 33
+ ];
+ }
+ ];
+ };
+
+ services.sing-box.settings.inbounds = [
+ {
+ type = "mixed";
+ tag = "mixed-in";
+ listen = "127.0.0.1";
+ listen_port = 12634;
+ sniff = true;
+ sniff_override_destination = true;
+ }
+ {
+ type = "direct";
+ tag = "dns-in";
+ listen = "127.0.0.1";
+ listen_port = 16450;
+ }
+ ];
+
+ services.sing-box.settings.outbounds = [
+ {
+ domain_strategy = "prefer_ipv4";
+ flow._secret = flow;
+ packet_encoding._secret = packet_encoding;
+ server._secret = server;
+ server_port = 443;
+ tls = {
+ enabled = true;
+ insecure = false;
+ reality = {
+ enabled = true;
+ public_key._secret = public_key;
+ short_id._secret = short_id;
+ };
+ server_name._secret = server_name;
+ utls = {
+ enabled = true;
+ fingerprint._secret = fingerprint;
+ };
+ };
+ uuid._secret = uuid;
+ tag = "proxy";
+ type._secret = type;
+ }
+ {
+ type = "dns";
+ tag = "dns-out";
+ }
+ {
+ type = "direct";
+ tag = "direct";
+ }
+ {
+ type = "direct";
+ tag = "bypass";
+ }
+ {
+ type = "block";
+ tag = "block";
+ }
+ ];
+
+ services.sing-box.settings.route = {
+ rules = [
+ {
+ rule_set = [
+ "geoip-ru"
+ "geosite-ru"
+ ];
+ outbound = "direct";
+ }
+ {
+ inbound = "dns-in";
+ outbound = "dns-out";
+ }
+ {
+ port = 53;
+ outbound = "dns-out";
+ }
+ ];
+ rule_set = [
+ {
+ type = "remote";
+ tag = "geoip-ru";
+ format = "binary";
+ url = "https://raw.githubusercontent.com/hiddify/hiddify-geo/rule-set/country/geoip-ru.srs";
+ update_interval = "120h0m0s";
+ }
+ {
+ type = "remote";
+ tag = "geosite-ru";
+ format = "binary";
+ url = "https://raw.githubusercontent.com/hiddify/hiddify-geo/rule-set/country/geosite-ru.srs";
+ update_interval = "120h0m0s";
+ }
+ ];
+ };
+}
diff --git a/users/geekiot/host/steam.nix b/users/geekiot/host/steam.nix
new file mode 100644
index 0000000..05f296d
--- /dev/null
+++ b/users/geekiot/host/steam.nix
@@ -0,0 +1,3 @@
+{
+ programs.steam.enable = true;
+}
diff --git a/users/geekiot/host/users.nix b/users/geekiot/host/users.nix
new file mode 100644
index 0000000..84daa00
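Review bot: `level = "panic";` in the sing-box log block suppresses everything short of a process panic, so failed handshakes, rejected inbound connections and rule-set download failures leave no trace in the journal; `level = "warn";` keeps the service quiet in normal operation while still recording what an operator needs when the tunnel misbehaves. Two smaller points in the same file: `networking.proxy` sets both proxies but no `noProxy`, so tools that honour the environment may route `localhost`/`127.0.0.1` requests through the mixed-in inbound (`noProxy = "127.0.0.1,localhost";` fixes that), and the two remote `rule_set` entries are fetched from raw.githubusercontent.com with no integrity pinning and, with no `download_detour` given, through the default outbound — acceptable for geo lists, but worth a comment recording that trust decision. Keeping the credentials out of the store via `_secret` and `insecure = false` on the TLS block are the right choices.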
--- /dev/null
+++ b/users/geekiot/host/users.nix
@@ -0,0 +1,36 @@
+{ pkgs, userData, ... }:
+let
+ name = userData.info.userName;
+ home = userData.paths.homeDir;
+in
+{
+ users.users = {
+ ${name} = {
+ inherit name home;
+ isNormalUser = true;
+ description = name;
+
+ createHome = true;
+ homeMode = "700";
+
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+ hotcat = {
+ name = "hotcat";
+ isNormalUser = true;
+ description = "HotCat";
+ createHome = true;
+ homeMode = "700";
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ packages = with pkgs; [
+ librewolf
+ ];
+ };
+ };
+}
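Review bot: `hotcat` is put in `wheel` just like the primary user, which grants full sudo; unless that account is meant to administer the host, drop `"wheel"` from its `extraGroups` and leave only `"networkmanager"`. Neither user sets `hashedPassword`, `hashedPasswordFile` or `initialPassword`; with the default `users.mutableUsers = true` the accounts are, as far as I can tell, created without a usable password and can only log in once one is set by hand, so either supply `hashedPasswordFile` from a sops secret (as proxy.nix does for sing-box) or add a comment stating that passwords are provisioned manually. `homeMode = "700"` on both accounts is a good choice.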