diff --git a/hosts/arumi/services/sing-box.nix b/hosts/arumi/services/sing-box.nix
index 38d0744..a965fc1 100644
--- a/hosts/arumi/services/sing-box.nix
+++ b/hosts/arumi/services/sing-box.nix
@@ -1,53 +1,69 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
- desu.secrets.arumi-singbox-pk = {};
- desu.secrets.arumi-singbox-sid = {};
- desu.secrets.arumi-singbox-users = {};
+ desu.secrets.arumi-singbox-pk.owner = "xray";
+ desu.secrets.arumi-singbox-sid.owner = "xray";
+ desu.secrets.arumi-singbox-users.owner = "xray";
 
- services.sing-box = {
+ users.users.xray = {
+ isNormalUser = true;
+ uid = 1102;
+ };
+
+ services.xray = {
 enable = true;
- settings = {
+ settingsFile = "/etc/xray/config.json";
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /etc/xray 0700 1102 1102 -"
+ ];
+ systemd.services.xray.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "xray";
+ };
+ systemd.services.xray.preStart = let
+ file = "/etc/xray/config.json";
+ template = pkgs.writeText "config.json" (builtins.toJSON {
 log = { level = "info"; timestamp = true; };
 inbounds = [
 {
- type = "vless";
- tag = "vless-in";
- listen = "::";
- listen_port = 443;
- sniff = true;
- sniff_override_destination = true;
- domain_strategy = "ipv4_only";
- users = []; # populated later in the preStart script
- tls = let server = "updates.cdn-apple.com"; in {
- enabled = true;
- server_name = server;
- reality = {
- enabled = true;
- handshake = { inherit server; server_port = 443; };
- private_key._secret = config.desu.secrets.arumi-singbox-pk.path;
- short_id = [
- { _secret = config.desu.secrets.arumi-singbox-sid.path; }
- ];
+ port = 443;
+ protocol = "vless";
+ settings = {
+ decryption = "none";
+ clients = []; # populated later in the preStart script
+ };
+ streamSettings = {
+ network = "tcp";
+ security = "reality";
+ realitySettings = {
+ alpn = [ "h2" ];
+ target = "updates.cdn-apple.com:443";
+ serverNames = [ "updates.cdn-apple.com" ];
+ privateKey = ""; # populated later in the preStart script
+ shortIds = []; # populated later in the preStart script
 };
 };
+ sniffing = {
+ enabled = true;
+ destOverride = [ "tls" "http" "quic" ];
+ routeOnly = true;
+ };
 }
 ];
 outbounds = [
- { type = "direct"; tag = "direct"; }
- { type = "block"; tag = "block"; }
+ { protocol = "freedom"; tag = "direct"; }
 ];
- };
- };
-
- systemd.services.sing-box.preStart = let
- file = "/etc/sing-box/config.json";
+ });
 in ''
 users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
- ${pkgs.jq}/bin/jq --arg users "$users" \
- '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
- ${file} > ${file}.tmp
- mv ${file}.tmp ${file}
+ pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
+ sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})
+ ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \
+ '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
+ | .inbounds[0].streamSettings.realitySettings.privateKey = $pk
+ | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
 '';
 
 networking.firewall.allowedTCPPorts = [ 443 ];
diff --git a/secrets/arumi-singbox-users.age b/secrets/arumi-singbox-users.age
index 34fc6ec..2c0ac0b 100644
Binary files a/secrets/arumi-singbox-users.age and b/secrets/arumi-singbox-users.age differ
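Review bot: The new preStart passes the REALITY private key and short ID to jq as command-line arguments (`--arg pk "$pk" --arg sid "$sid"`), so for the lifetime of the jq process they are readable by any local user via the process table unless /proc is mounted with hidepid; the previous version only exposed the client UUIDs this way and kept the private key in a `_secret` reference. Reading them straight from the secret files keeps them off argv: `--rawfile pk ${config.desu.secrets.arumi-singbox-pk.path} --rawfile sid ${config.desu.secrets.arumi-singbox-sid.path}` in place of the two `--arg`s, with the filter using `($pk | rtrimstr("\n"))` and `[($sid | rtrimstr("\n"))]` since `--rawfile` keeps the trailing newline that `$(cat …)` strips. Separately, `users.users.xray` is declared with `isNormalUser = true`, which in NixOS gives this daemon account a login shell and a `/home/xray` directory and puts it in the `users` group, while the tmpfiles rule references group 1102, which nothing here declares; a service account is better expressed as `isSystemUser = true; group = "xray";` together with `users.groups.xray.gid = 1102;`. A short comment above `DynamicUser = lib.mkForce false;` explaining that a fixed uid is needed so the agenix secrets can be owned by this user would also help the next reader.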