diff --git a/flake.lock b/flake.lock
index 97e4448..6d9db15 100644
--- a/flake.lock
+++ b/flake.lock
@@ -100,8 +100,8 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1731969219,
- "narHash": "sha256-FkzplQ6ro4XeiPzm6tOY4zhI4Tw/iwQ/nOQU+f3biLk=",
+ "lastModified": 1733266129,
+ "narHash": "sha256-ez4R0WpHSZ5mVit5uh5qiQ/ljpkhh7fQZDiQkHL/rCc=",
 "type": "tarball",
 "url": "https://git.gaze.systems/gazesys/website/releases/download/latest/source.tgz"
 },
diff --git a/hosts/wolumonde/modules/secrets.nix b/hosts/wolumonde/modules/secrets.nix
index 080e880..08b0c69 100644
--- a/hosts/wolumonde/modules/secrets.nix
+++ b/hosts/wolumonde/modules/secrets.nix
@@ -1,4 +1,4 @@
-{
+{lib, ...}: {
 age.secrets.bernbotToken.file = ../../../secrets/bernbotToken.age;
 age.secrets.wgWolumondeKey = {
 file = ../../../secrets/wgWolumondeKey.age;
@@ -10,4 +10,11 @@
 age.secrets.tmodloaderServerPass.file = ../../../secrets/tmodloaderServerPass.age;
 age.secrets.websiteConfig.file = ../../../secrets/websiteConfig.age;
 age.secrets.giteaActRunnerToken.file = ../../../secrets/giteaActRunnerToken.age;
+ age.secrets.xrayConfig = {
+ name = "xrayConfig.json";
+ file = ../../../secrets/xrayConfig.age;
+ mode = "600";
+ # owner = "xray";
+ # group = "xray";
+ };
 }
diff --git a/hosts/wolumonde/modules/xray.disabled b/hosts/wolumonde/modules/xray.disabled
new file mode 100644
index 0000000..1954220
--- /dev/null
+++ b/hosts/wolumonde/modules/xray.disabled
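Review bot: In `hosts/wolumonde/modules/secrets.nix`, the new `age.secrets.xrayConfig` entry is declared unconditionally, while its only visible consumer is `xray.disabled`, which does not look like an imported module. Declaring the secret inside the xray module would keep the decrypted proxy configuration from being materialised on the host until the service is actually enabled, and it lets the commented-out ownership lines become real ones next to the `users.users.xray` definition, e.g. `age.secrets.xrayConfig.owner = "xray";`. `mode = "600"` also gives the owner write access to a file the service only needs to read; `mode = "0400"` would be enough. With `owner`/`group` commented out the file presumably falls back to root ownership, so whether a unit running as `xray` can read it depends on how the xray service loads `settingsFile`, which is not visible here.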
@@ -0,0 +1,23 @@
+{lib, config, ...}: {
+ services.xray = {
+ enable = true;
+ settingsFile = config.age.secrets.xrayConfig.path;
+ };
+ users.groups.xray = {};
+ users.users.xray = {
+ group = "xray";
+ isSystemUser = true;
+ };
+ systemd.services.xray.serviceConfig = {
+ User = "xray";
+ Group = "xray";
+ DynamicUser = lib.mkForce false;
+ RuntimeDirectory = "xray";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = "yes";
+ RemoveIPC = "yes";
+ };
+ networking.firewall.allowedUDPPorts = [1080];
+ networking.firewall.allowedTCPPorts = [1080];
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7fdc97b..8205417 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,4 +11,5 @@ in {
 "tmodloaderServerPass.age".publicKeys = [yusdacra wolumonde];
 "websiteConfig.age".publicKeys = [yusdacra wolumonde];
 "giteaActRunnerToken.age".publicKeys = [yusdacra wolumonde];
+ "xrayConfig.age".publicKeys = [yusdacra wolumonde];
 }
diff --git a/secrets/xrayConfig.age b/secrets/xrayConfig.age
new file mode 100644
index 0000000..ba9ab6a
Binary files /dev/null and b/secrets/xrayConfig.age differ
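Review bot: In `hosts/wolumonde/modules/xray.disabled`, the last two lines open port 1080 for TCP and UDP on every interface, while the inbound definition (protocol, authentication, listen address) sits in the encrypted `xrayConfig.age` and cannot be checked in this review. If the proxy is only meant for peers on a private interface, scope the rule to it, e.g. `networking.firewall.interfaces."<interface-name-placeholder>".allowedTCPPorts = [1080];`, and keep the UDP rule only if the inbound actually serves UDP. A short comment above the firewall lines stating who is expected to reach this port would make the exposure reviewable without decrypting the secret. The sandboxing in `serviceConfig` could also add `NoNewPrivileges = true;` and `PrivateDevices = true;`, assuming the upstream unit does not already set them.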