diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix
index 2d8070e..6e294da 100644
--- a/hosts/architect/docker.nix
+++ b/hosts/architect/docker.nix
@@ -1,4 +1,10 @@
 {
-  virtualisation.docker.enable = true;
+  virtualisation.docker = {
+    enable = true;
+    extraOptions = ''
+      --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
+    '';
+    enableOnBoot = false;
+  };
   users.users.giulio.extraGroups = [ "docker" ];
 }
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index bf7435e..dc80d8c 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -64,6 +64,7 @@ in {
                     oifname ${wan-if} ip saddr {${
                       lib.concatStringsSep "," towan-wg
                     }} masquerade
+                    oifname ${wan-if} ip saddr ${docker-net} masquerade
                   }
                 }
 
@@ -78,6 +79,7 @@ in {
                     iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
                     iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
                     iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
+                    iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
                     iifname "lo" accept comment "bind any ip to intf lo"
                     jump mangle_drop
                   }
@@ -139,7 +141,7 @@ in {
                     iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
                     iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
                     iifname ${vpn-if} icmp type echo-request accept
-
+                    iifname ${docker-if} udp dport 53 accept
                     jump filter_drop
                   }
 
@@ -165,6 +167,8 @@ in {
                       lib.concatStringsSep "," towan-wg
                     }} accept
                     
+                    oifname ${wan-if} ip saddr ${docker-net} accept
+                    
                     jump filter_drop
                   }
 
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index 722e155..45bb1ec 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -3,12 +3,14 @@ rec {
   wan-if = "enp5s0";
   vpn-if = "wg0";
   proxy-if = "proxy";
+  docker-if = "docker0";
 
   # nets
   lan-net = "10.0.0.0/24";
   vpn-net = "10.3.0.0/24";
   proxy-net = "10.4.0.0/24";
   external_lan-net = "192.168.1.0/24";
+  docker-net = "172.17.0.0/16";
 
   # ips
   dvr-lan = "10.0.0.2";