diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/deployment/bgt/hidden_service.nix
new file mode 100644
index 000000000..c1a31b8dc
--- /dev/null
+++ b/makefu/2configs/deployment/bgt/hidden_service.nix
@@ -0,0 +1,48 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+  name = "bgt_cyberwar_hidden_service";
+  sec = (toString <secrets>) + "/";
+  secdir = sec + name;
+  srvdir = "/var/lib/tor/onion/";
+  basedir = srvdir + name;
+  hn = builtins.readFile (secdir + "/hostname");
+in
+{
+  systemd.services.prepare-hidden-service = {
+    wantedBy = [ "local-fs.target" ];
+    before = [ "tor.service" ];
+    serviceConfig = {
+      ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
+        #!/bin/sh
+        set -euf
+        if ! test -d "${basedir}" ;then
+          mkdir -p "${srvdir}"
+          cp -r "${secdir}" "${srvdir}"
+          chown -R tor:tor "${srvdir}"
+          chmod -R 700 "${basedir}"
+        else
+          echo "not overwriting ${basedir}"
+        fi
+      '';
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+      TimeoutSec = "0";
+    };
+  };
+  services.nginx.virtualHosts."${hn}".locations."/" = {
+    proxyPass = "https://blog.binaergewitter.de";
+    extraConfig = ''
+        proxy_set_header  Host blog.binaergewitter.de;
+        proxy_ssl_server_name on;
+    '';
+  };
+  services.tor = {
+    enable = true;
+    hiddenServices."${name}".map = [
+     { port = "80"; }
+     # { port = "443"; toHost = "blog.binaergewitter.de"; }
+    ];
+  };
+}