diff --git a/nixcfgs/hardening/nixpaks/default.nix b/nixcfgs/hardening/nixpaks/default.nix
index 8984a32..77e9ff2 100644
--- a/nixcfgs/hardening/nixpaks/default.nix
+++ b/nixcfgs/hardening/nixpaks/default.nix
@@ -2,19 +2,22 @@
 pkgs,
 inputs,
 ...
-}:
-let
+}: let
 mkNixPak = inputs.nixpak.lib.nixpak {
 inherit (pkgs) lib;
 inherit pkgs;
 };
-in
-{
- # Expose sandboxed app(s) through nixpkgs overlay.
+
+ callNixPak = path:
+ pkgs.callPackage path {
+ inherit mkNixPak;
+ };
+in {
 nixpkgs.overlays = [
 (_: prev: {
- nixpaks.qq = prev.callPackage ./qq.nix {
- inherit mkNixPak;
+ nixpaks = {
+ qq = callNixPak ./qq.nix;
+ termius = callNixPak ./termius.nix;
 };
 })
 ];
diff --git a/nixcfgs/hardening/nixpaks/termius.nix b/nixcfgs/hardening/nixpaks/termius.nix
new file mode 100644
index 0000000..9ce618c
--- /dev/null
+++ b/nixcfgs/hardening/nixpaks/termius.nix
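Review bot: `callNixPak` closes over the module argument `pkgs` instead of the overlay's own `prev`, which the removed `prev.callPackage ./qq.nix { ... }` used; an overlay body that reaches outside to the module-level package set is tied to the NixOS fixed point and, if anything forces `nixpaks.*` while that set is still being computed, can surface as an infinite-recursion error (hedged — it is lazy, so it may well work today). Passing the package set in keeps the helper self-contained: `callNixPak = p: path: p.callPackage path { inherit mkNixPak; };` with `qq = callNixPak prev ./qq.nix;` and `termius = callNixPak prev ./termius.nix;`. The comment that explained the overlay was dropped; a one-liner on the helper such as `# Build a nixpak-sandboxed app from the given file, injecting mkNixPak.` would restore that.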
@@ -0,0 +1,86 @@
+{
+ lib,
+ pkgs,
+ mkNixPak,
+ buildEnv,
+ makeDesktopItem,
+ ...
+}: let
+ appId = "com.terminus.Termius";
+
+ wrapped = mkNixPak {
+ config = {sloth, ...}: {
+ app = {
+ package = buildEnv {
+ name = "nixpak-termius";
+ paths = with pkgs; [
+ termius
+ libglvnd
+ mesa.drivers
+ stdenv.cc.cc.lib
+ ];
+ };
+ binPath = "bin/termius-app";
+ };
+ flatpak.appId = appId;
+
+ imports = [
+ ./modules/gui-base.nix
+ ./modules/network.nix
+ ./modules/common.nix
+ ];
+
+ bubblewrap = {
+ bind.rw = [
+ sloth.xdgDocumentsDir
+ sloth.xdgDownloadDir
+ sloth.xdgMusicDir
+ sloth.xdgVideosDir
+ sloth.xdgPicturesDir
+ ];
+ bind.ro = [
+ "${pkgs.libglvnd}/lib"
+ "${pkgs.mesa.drivers}/lib"
+ "${pkgs.stdenv.cc.cc.lib}/lib"
+ "/etc/passwd"
+ "/etc/group"
+ "/etc/nsswitch.conf"
+ ];
+ sockets = {
+ x11 = false;
+ wayland = true;
+ pipewire = true;
+ };
+ env = {
+ LD_LIBRARY_PATH = "${pkgs.libglvnd}/lib:${pkgs.mesa.drivers}/lib:${pkgs.stdenv.cc.cc.lib}/lib";
+ LIBGL_DRIVERS_PATH = "${pkgs.mesa.drivers}/lib/dri";
+ };
+ };
+ };
+ };
+ exePath = lib.getExe wrapped.config.script;
+in
+ buildEnv {
+ inherit (wrapped.config.script) name meta passthru;
+ paths = [
+ wrapped.config.script
+ (makeDesktopItem {
+ name = appId;
+ desktopName = "Termius";
+ genericName = "Cross-platform SSH client";
+ comment = "The SSH client that works on Desktop and Mobile";
+ exec = "${exePath} --ozone-platform-hint=auto %U";
+ terminal = false;
+ icon = "${pkgs.termius}/share/icons/hicolor/1024x1024/termius-app.png";
+ startupNotify = true;
+ startupWMClass = "Termius";
+ type = "Application";
+ categories = [
+ "Network"
+ ];
+ extraConfig = {
+ X-Flatpak = appId;
+ };
+ })
+ ];
+ }
diff --git a/nixcfgs/users/js0ny/packages/gui.nix b/nixcfgs/users/js0ny/packages/gui.nix
index 8d794c5..0758b33 100644
--- a/nixcfgs/users/js0ny/packages/gui.nix
+++ b/nixcfgs/users/js0ny/packages/gui.nix
@@ -85,6 +85,7 @@ in {
 pcloud
 nixpaks.qq
+ nixpaks.termius
 signal-desktop
 siyuan
 localsend
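Review bot: The `bind.rw` list under `bubblewrap` mounts Music, Videos and Pictures read-write into the sandbox, which an SSH client has no evident need for; a compromised Termius process (for example through a hostile server's responses) could then read or tamper with all of the user's media, which gives away much of what the sandbox is meant to buy. Unless SFTP transfers into those directories are a hard requirement, I would cut the list to `sloth.xdgDocumentsDir` and `sloth.xdgDownloadDir` (or move the media directories to `bind.ro`) and rely on the document portal for anything else, with a comment such as `# Documents/Downloads only: SFTP targets; media dirs are not needed by an SSH client.` explaining the choice. Separately, `appId = "com.terminus.Termius"` spells `terminus` where the product is `Termius`; since the desktop entry's `X-Flatpak` key and portal permission grants are keyed on this ID, it is worth confirming against the upstream Flatpak ID before this lands. What the three imported modules (`gui-base`, `network`, `common`) additionally mount — whether the home directory or an SSH key store is bound, for instance — is outside this hunk, so the effective exposure of the sandbox cannot be judged from here.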