diff --git a/modules/nixos/containers/tor.nix b/modules/nixos/containers/tor.nix
new file mode 100644
index 0000000..b792faa
--- /dev/null
+++ b/modules/nixos/containers/tor.nix
@@ -0,0 +1,74 @@
+{
+ config,
+ lib,
+ pkgs,
+ secretsDir,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf;
+ inherit (config.virtualisation.quadlet) networks;
+
+ cfg = config.ataraxia.containers.tor;
+ dockerfile = pkgs.writeText "Dockerfile.tor" ''
+ FROM alpine:3
+
+ LABEL name="tor-socks-proxy"
+ LABEL version="latest"
+
+ RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
+ echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
+ apk -U upgrade && \
+ apk -v add tor@edge lyrebird@edge curl && \
+ chmod 700 /var/lib/tor && \
+ rm -rf /var/cache/apk/* && \
+ tor --version
+
+ RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \
+ chown tor:root /etc/tor/torrc
+
+ HEALTHCHECK --timeout=30s --start-period=60s \
+ CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' || exit 1
+
+ USER tor
+ EXPOSE 8853/udp 9150/tcp
+
+ CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]
+ '';
+in
+{
+ options.ataraxia.containers.tor = {
+ enable = mkEnableOption "Enable tor client container";
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;
+ sops.secrets.tor-container.mode = "0444";
+ virtualisation.quadlet = {
+ builds.tor-proxy = {
+ autoStart = true;
+ buildConfig = {
+ file = toString dockerfile;
+ tag = "tor-socks-proxy:latest";
+ };
+ };
+ containers.tor-proxy = {
+ autoStart = true;
+ containerConfig = {
+ exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";
+ image = config.virtualisation.quadlet.builds.tor-proxy.ref;
+ networks = [ networks.br-services.ref ];
+ publishPorts = [
+ "0.0.0.0:9150:9150/tcp"
+ "0.0.0.0:8853:8853/udp"
+ ];
+ volumes = [
+ "${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"
+ ];
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 9150 ];
+ networking.firewall.allowedUDPPorts = [ 8853 ];
+ };
+}
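Review bot: The SOCKS and DNS ports end up reachable from every network the host sits on with no client restriction: `publishPorts` binds both to `0.0.0.0`, `networking.firewall.allowedTCPPorts = [ 9150 ]` / `allowedUDPPorts = [ 8853 ]` open them on all interfaces, and the generated torrc sets `SocksPort 0.0.0.0:9150` and `DNSPort 0.0.0.0:8853` with no `SocksPolicy`, so anyone who can reach the box gets an unauthenticated Tor proxy and resolver. Either publish on a specific LAN address instead of `0.0.0.0` (and scope the firewall rule to that interface), or append `SocksPolicy accept <lan-cidr>` and `SocksPolicy reject *` to the `echo -e "..."` torrc line in the Dockerfile; which address is intended is not visible here. Separately, `sops.secrets.tor-container.mode = "0444"` makes the extra torrc fragment world-readable on the host, which presumably exists so the container's `tor` uid can read the bind mount; if that file carries bridge lines or auth material, setting `owner`/`group` to the mapped uid with mode `0440` keeps the same access without exposing it to every local user. Finally, `FROM alpine:3` plus `tor@edge`/`lyrebird@edge` from the edge/testing repositories are unpinned, so each rebuild silently pulls whatever is current; a one-line comment above the `RUN` stating that this is deliberate (or a digest pin) would help the next reader.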