diff --git a/configurations/nixos/arma-reforger-tofu/default.nix b/configurations/nixos/arma-reforger-tofu/default.nix
new file mode 100644
index 0000000..4665437
--- /dev/null
+++ b/configurations/nixos/arma-reforger-tofu/default.nix
@@ -0,0 +1,57 @@
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ ];
+ # sample way to make a directory
+ # systemd.tmpfiles.rules = [
+ # "d /var/lib/myapp 0755 myuser mygroup -"
+ # ];
+ # read more options here
+ # https://search.nixos.org/options?channel=25.05&show=virtualisation.oci-containers.containers.%3Cname%3E.workdir&from=0&size=50&sort=relevance&type=packages&query=oci+containers
+ # https://wiki.nixos.org/wiki/NixOS_Containers
+ services.yggdrasil.persistentKeys = false;
+ virtualisation.podman.enable = true;
+ virtualisation.oci-containers.containers = {
+ arma = {
+ image = "ghcr.io/acemod/arma-reforger:latest";
+ ports = [
+ "2001:2001/udp"
+ "17777:17777/udp"
+ "19999:19999/udp"
+ ];
+ volumes = [
+ # make sure this is a path that exists
+ # my recomendation is to use /var/lib/reforger
+ # be sure to have that directory created
+ "./reforger/configs:/reforger/Configs"
+ "./reforger/profile:/home/profile"
+ "./reforger/workshop:/reforger/workshop"
+ ];
+ environment = {
+ SERVER_PUBLIC_ADDRESS = "public-ip";
+ GAME_NAME = "My Docker Reforger Server";
+ };
+ };
+ };
+ deploy = {
+ enable = false;
+ };
+ networking = {
+ hostName = "arma-reforger-tofu";
+ };
+ environment.systemPackages = [
+ ];
+ system.stateVersion = "25.05";
+}
diff --git a/modules/nixos/common/firewall.nix b/modules/nixos/common/firewall.nix
new file mode 100644
index 0000000..6c93641
--- /dev/null
+++ b/modules/nixos/common/firewall.nix
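Review bot: The three bind-mount sources under `volumes` are relative (`./reforger/...`), which contradicts the comments directly above them that recommend /var/lib/reforger; Podman resolves a `./` source against the working directory of the process that starts the container, which for the generated systemd service is presumably not the directory the author has in mind, so configs, profile and workshop data would land somewhere unexpected or fail to mount. Use absolute paths — `"/var/lib/reforger/configs:/reforger/Configs"`, `"/var/lib/reforger/profile:/home/profile"`, `"/var/lib/reforger/workshop:/reforger/workshop"` — and create them with the `systemd.tmpfiles.rules` sample that is left commented out above, rather than relying on the operator to do it by hand. Separately, `image = "ghcr.io/acemod/arma-reforger:latest"` is an unpinned floating tag; pinning to an immutable `@sha256:` digest keeps the host from silently pulling a different image on every restart. `SERVER_PUBLIC_ADDRESS = "public-ip"` is a placeholder that is handed to the server verbatim unless it is replaced before deployment.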
@@ -0,0 +1,33 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+{
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ct state related,established accept
+
+ # Restrict ygg0: only allow SSH in
+ iifname "ygg0" tcp dport 22 accept
+ iifname "ygg0" drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ # Optional: drop forwarding via ygg0
+ iifname "ygg0" drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+ }
+ '';
+ };
+}
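Review bot: The `chain input` rules for ygg0 accept only TCP/22 and drop everything else, which includes all ICMPv6; since Yggdrasil traffic is IPv6-only, this presumably breaks path-MTU discovery (`packet-too-big`) and ping for the very SSH sessions the rule is meant to allow, so add `iifname "ygg0" icmpv6 type { echo-request, packet-too-big, time-exceeded, parameter-problem } accept` before the `iifname "ygg0" drop` line. The SSH port is hard-coded as 22 while `config` and `lib` are taken as module arguments and never used; `iifname "ygg0" tcp dport { ${lib.concatMapStringsSep ", " toString config.services.openssh.ports} } accept` keeps the rule in step with the host's sshd configuration. Note that `policy accept` on all three base chains means this table restricts nothing on any interface other than ygg0; the rest of the host's exposure rests on the default NixOS firewall still being enabled, which is not visible in this file. A `ct state invalid drop` after the established/related rule would also be conventional.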