diff --git a/machines/renge/configuration.nix b/machines/renge/configuration.nix
index e28148a..151d032 100644
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@@ -7,6 +7,7 @@
 ./services/ankisyncd.nix
 ./services/bang-evaluator.nix
+ ./services/buchborgen.nix
 ./services/coturn.nix
 ./services/element-web.nix
 ./services/gitea.nix
diff --git a/machines/renge/services/buchborgen.nix b/machines/renge/services/buchborgen.nix
new file mode 100644
index 0000000..be35205
--- /dev/null
+++ b/machines/renge/services/buchborgen.nix
@@ -0,0 +1,43 @@
+{ pkgs, ... }:
+let
+ hiddenService = "kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion";
+in
+{
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+ systemd.services."socat-trantor" = {
+ after = [ "network.target" ];
+ before = [ "nginx.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${pkgs.socat}/bin/socat tcp4-LISTEN:3003,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:${hiddenService}:80,socksport=9050";
+ Restart = "on-failure";
+ };
+ };
+
+ services.nginx = {
+ appendHttpConfig = ''
+ proxy_cache_path /var/cache/nginx/trantor levels=1:2 keys_zone=trantor:10m max_size=200m inactive=3600m use_temp_path=off;
+ '';
+ virtualHosts."buchborgen.sbruder.xyz" = {
+ enableACME = true;
+ forceSSL = true;
+
+ basicAuthFile = "/etc/nginx/trantor.htpasswd";
+
+ locations."/" = {
+ extraConfig = ''
+ proxy_set_header Authorization "";
+ proxy_set_header Host "${hiddenService}";
+ proxy_cache trantor;
+ proxy_cache_valid any 1h;
+ proxy_pass http://127.0.0.1:3003;
+ '';
+ };
+ };
+ };
+}
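Review bot: `proxy_cache_valid any 1h;` in the `locations."/"` block of the new buchborgen.nix caches every upstream status code, so a 502/504 produced while the tor circuit or the socat forwarder is unavailable is served from cache to every authenticated user for an hour; restricting it to `proxy_cache_valid 200 1h;` keeps failures transient. The ordering `before = [ "nginx.target" ];` on the socat unit likely refers to a unit that does not exist (the NixOS nginx module provides `nginx.service`), so it appears to be a no-op — unless a target of that name is defined elsewhere in this repository; `before = [ "nginx.service" ];` would make the intent effective. `basicAuthFile = "/etc/nginx/trantor.htpasswd";` points at a file this module does not create, and nginx refuses to load its configuration when the file is missing, so a one-line comment stating that the htpasswd file must be provisioned out of band (and kept unreadable to other users) would help the next maintainer. The stripping of the client's `Authorization` header before proxying and the loopback-only `bind=127.0.0.1` listener are correct as written.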