diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix index c6298d7..3f0ce65 100644 --- a/agenix/hosts/sail/config.nix +++ b/agenix/hosts/sail/config.nix @@ -99,5 +99,16 @@ owner = "nginx"; group = "nginx"; }; + + proxitok-environment = { + file = ./proxitok/environment.age; + mode = "444"; + }; + + proxitok-auth = { + file = ./proxitok/auth.age; + owner = "nginx"; + group = "nginx"; + }; }; } diff --git a/agenix/hosts/sail/proxitok/auth.age b/agenix/hosts/sail/proxitok/auth.age new file mode 100644 index 0000000..a0a08cd --- /dev/null +++ b/agenix/hosts/sail/proxitok/auth.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 MtGp6g UsWqApJ+OzlhjmqFPWX+9lYH8WiGLGiRb9ljd2aoE0s +2QnM7xKexxWwDaP/dkIPn4t62cl0SYgFwJmPjP4qmQg +-> ssh-ed25519 NbV4hw Jxe6FiuxaJ3976a9J3iGFB4voOABKtxOFjjiV5lJg1E +jYiki61pPUnvcXM0p4zTW/SAdXpdirEPaBVB8qQFSGI +-> SZ+-grease 7`Z3we,h O2THy w@-G^,* +pING13NREsxJOhDYbGGmh6M +--- YYugx3x05vCiO23wzFQH3E7/HkehfSZJZ4I1Hhn7gCI +[J:KBKSVM אJk$nDK N4.<,.i48 F8k](&n31jr]v[˕=hӛ \ No newline at end of file diff --git a/agenix/hosts/sail/proxitok/environment.age b/agenix/hosts/sail/proxitok/environment.age new file mode 100644 index 0000000..cbbaa62 Binary files /dev/null and b/agenix/hosts/sail/proxitok/environment.age differ diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix new file mode 100644 index 0000000..1bba301 --- /dev/null +++ b/container/proxitok/default.nix 
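Review bot: `mode = "444"` on `proxitok-environment` in agenix/hosts/sail/config.nix makes the decrypted environment file readable by every local user and service on the host, which gives away most of what encrypting it in the repository buys. In this diff the file is only consumed as `env_file` by the arion project, so if that unit runs as root (the usual arrangement, not visible here) the agenix default is enough: drop the line or set `mode = "0400";`. If a non-root account does need to read it, name it explicitly with `owner`/`group` and use `mode = "0440";`, the way `proxitok-auth` in the same hunk names `nginx` as owner. The enclosing attribute set starts outside the hunk.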
@@ -0,0 +1,57 @@ +{ config, ... }: + +{ + virtualisation.arion.projects.proxitok.settings = { + services = { + proxitok-web = { + service = { + image = "ghcr.io/pablouser1/proxitok:master"; + container_name = "proxitok-web"; + restart = "unless-stopped"; + depends_on = [ "proxitok-signer" ]; + ports = [ "127.0.0.1:8005:80" ]; + env_file = [ config.age.secrets.proxitok-environment.path ]; + labels = { + "com.centurylinklabs.watchtower.enable" = "true"; + }; + }; + }; + + proxitok-signer = { + service = { + image = "ghcr.io/pablouser1/signtok:master"; + container_name = "proxitok-signer"; + restart = "unless-stopped"; + labels = { + "com.centurylinklabs.watchtower.enable" = "true"; + }; + }; + }; + }; + }; + + services.nginx = { + enable = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + + virtualHosts."proxitok.only.internal" = { + listen = [ + { + addr = "127.0.0.1"; + port = 80; + } + ]; + + forceSSL = false; + enableACME = false; + + locations."/" = { + basicAuthFile = config.age.secrets.proxitok-auth.path; + recommendedProxySettings = true; + proxyPass = "http://127.0.0.1:8005"; + }; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index 124a460..46943e2 100644 --- a/secrets.nix +++ b/secrets.nix @@ -31,4 +31,7 @@ in "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail; "agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail; + + "agenix/hosts/sail/proxitok/environment.age".publicKeys = sail; + "agenix/hosts/sail/proxitok/auth.age".publicKeys = sail; } diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix index 4ad97a7..604d56f 100644 --- a/system/hosts/sail.nix +++ b/system/hosts/sail.nix @@ -39,6 +39,7 @@ in ../nixos/arion.nix ../../container/webserver ../../container/matrix + ../../container/proxitok ]; system.stateVersion = "22.11";
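Review bot: Both images in container/proxitok/default.nix are referenced by the mutable `:master` tag and carry `"com.centurylinklabs.watchtower.enable" = "true"`, so whatever is pushed to those upstream branches is pulled and started on this host without review, with the contents of `proxitok-environment` in the web container's environment. Pinning by digest turns each update into a deliberate commit, e.g. `image = "ghcr.io/pablouser1/proxitok:master@sha256:<DIGEST_PLACEHOLDER>";` and the same for `signtok`, with the watchtower label set to `"false"` or removed. Separately, the `proxitok.only.internal` vhost sends the basic-auth credentials over plain HTTP (`forceSSL = false`). That is acceptable only while the listener stays on 127.0.0.1 and whatever fronts it (not shown in this diff) terminates TLS, so a comment next to `listen` recording that assumption would help the next reader.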