diff --git a/modules/nixos/services/tor/default.nix b/modules/nixos/services/tor/default.nix
new file mode 100644
index 0000000..59e676d
--- /dev/null
+++ b/modules/nixos/services/tor/default.nix
@@ -0,0 +1,85 @@
+# https://wiki.nixos.org/wiki/Tor
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+
+let
+ cfg = config.${namespace}.services.tor;
+in
+{
+ options = {
+ ${namespace}.services.tor = {
+ enable = lib.mkEnableOption "Enables the TOR router.";
+ browser.enable = lib.mkEnableOption "Installs the TOR browser.";
+ relay = {
+ enable = lib.mkEnableOption "Configures the system as a TOR relay.";
+ role = lib.mkOption {
+ description = "Whether to treat this as a regular relay or a bridge.";
+ default = "relay";
+ type = lib.types.enum [
+ "relay"
+ "bridge"
+ ];
+ };
+ };
+ # For details, see https://wiki.nixos.org/wiki/Tor#Advanced
+ settings = lib.mkOption {
+ description = "Settings to apply to the relay.";
+ type = lib.types.attrs;
+ default = {
+ # Reject all exit traffic
+ ExitPolicy = [ "reject *:*" ];
+
+ # Performance and security settings
+ CookieAuthentication = true;
+ AvoidDiskWrites = 1;
+ HardwareAccel = 1;
+ SafeLogging = 1;
+ };
+ };
+ snowflake-proxy = {
+ enable = lib.mkEnableOption "Enables Snowflake Proxy. See https://snowflake.torproject.org.";
+ capacity = lib.mkOption {
+ type = lib.types.int;
+ default = 10;
+ description = "How many concurrent clients to support.";
+ };
+ };
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ services.tor = {
+ enable = true;
+ settings = cfg.settings;
+ };
+
+ services.snowflake-proxy = lib.mkIf cfg.snowflake-proxy.enable {
+ enable = true;
+ capacity = cfg.snowflake-proxy.capacity;
+ };
+ })
+ (lib.mkIf cfg.browser.enable {
+ services.tor = {
+ client.enable = true;
+
+ # Enable Torsocks for transparent proxying of applications through Tor
+ torsocks.enable = true;
+ };
+
+ ${namespace}.ui.flatpak.packages = [
+ "org.torproject.torbrowser-launcher"
+ ];
+ })
+ (lib.mkIf cfg.relay.enable {
+ services.tor.relay = {
+ enable = true;
+ role = cfg.relay.role;
+ };
+ })
+ ];
+}
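Review bot: The `settings` option (`type = lib.types.attrs` with a populated `default`) loses its safe baseline the moment a host defines it, because a definition replaces the option's `default` instead of merging with it, so a host that only adds something like `ContactInfo` silently drops `ExitPolicy = [ "reject *:*" ]` and `SafeLogging = 1`. The description also says the settings apply "to the relay", yet `settings = cfg.settings;` is passed whenever `cfg.enable` is set, relay or not, so the text should say they apply to the Tor daemon in every mode. I would keep the baseline inside the `config` block under `lib.mkDefault` so user-supplied values merge with it, and change the option to `default = { };` with a description such as `"Extra Tor settings merged over the module's defaults."`. Minor style point: `CookieAuthentication = true` sits next to `AvoidDiskWrites = 1` and friends; pick one spelling for booleans.
```nix
(lib.mkIf cfg.enable {
  services.tor = {
    enable = true;
    # Baseline stays under mkDefault so a host-level `settings` merges with it
    settings = lib.mkMerge [
      {
        ExitPolicy = lib.mkDefault [ "reject *:*" ];
        CookieAuthentication = lib.mkDefault true;
        AvoidDiskWrites = lib.mkDefault 1;
        HardwareAccel = lib.mkDefault 1;
        SafeLogging = lib.mkDefault 1;
      }
      cfg.settings
    ];
  };
  # … unchanged: services.snowflake-proxy block …
})
```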
diff --git a/systems/x86_64-linux/Khanda/default.nix b/systems/x86_64-linux/Khanda/default.nix
index d7e71dd..fb14d03 100644
--- a/systems/x86_64-linux/Khanda/default.nix
+++ b/systems/x86_64-linux/Khanda/default.nix
@@ -55,6 +55,11 @@ in
 user = "aires";
 web.enable = true;
 };
+ tor = {
+ enable = true;
+ browser.enable = true;
+ snowflake-proxy.enable = true;
+ };
 virtualization.enable = true;
 };