diff --git a/apps/k8s01/tor/deployment.yaml b/apps/k8s01/tor/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..361bf3f034585c20c5c08604f620b27888583f34
--- /dev/null
+++ b/apps/k8s01/tor/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: tor
+  name: tor
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tor
+    spec:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: tor
+          matchLabelKeys:
+            - pod-template-hash
+      containers:
+      - image: thetorproject/obfs4-bridge:latest
+        name: torproxy
+        command:
+          - tor
+        args:
+          - --SOCKSPort
+          - 0.0.0.0:9050
+        ports:
+          - name: socks
+            containerPort: 9050
+            protocol: tcp
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: "1"
+            memory: 512Mi
+        securityContext:
+          runAsUser: 994
+          runAsGroup: 994
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+
diff --git a/apps/k8s01/tor/egress-policy.yaml b/apps/k8s01/tor/egress-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e144d9b97f5ba4008f45c1656935bf1741d6fce7
--- /dev/null
+++ b/apps/k8s01/tor/egress-policy.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-kubedns
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
\ No newline at end of file
diff --git a/apps/k8s01/tor/kustomization.yaml b/apps/k8s01/tor/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c1b1b075e53b3f9148ff4b9c976d568b67f07b2b
--- /dev/null
+++ b/apps/k8s01/tor/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tor
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - networkpolicy.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+  - egress-policy.yaml
\ No newline at end of file
diff --git a/apps/k8s01/tor/namespace.yaml b/apps/k8s01/tor/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ab20cae9e91a1f48fc28b6e18f6af1c0a713895e
--- /dev/null
+++ b/apps/k8s01/tor/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: syncthing
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.26
+    pod-security.kubernetes.io/enforce-version: v1.23
+    pod-security.kubernetes.io/warn-version: v1.26
diff --git a/apps/k8s01/tor/networkpolicy.yaml b/apps/k8s01/tor/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..75dc5669474a2f62b9a114338615c1e76a9470a9
--- /dev/null
+++ b/apps/k8s01/tor/networkpolicy.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-tor-enabled
+  namespace: tor
+  labels:
+    app.kubernetes.io/name: tor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          tor.shivering-isles.com/egress-enabled: "true"
+      podSelector:
+        matchLabels:
+          tor.shivering-isles.com/egress-enabled: "true"
+  ports:
+    - port: 9050
+      protocol: TCP
+  policyTypes:
+  - Ingress
\ No newline at end of file
diff --git a/apps/k8s01/tor/service.yaml b/apps/k8s01/tor/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8a2b3b99cb4875626fa9e90ed4e52d4450b0f02e
--- /dev/null
+++ b/apps/k8s01/tor/service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tor
+  name: tor
+  namespace: tor
+spec:
+  ports:
+  - name: socks
+    port: 9050
+    protocol: TCP
+    targetPort: socks
+  selector:
+    app.kubernetes.io/name: tor
+  type: ClusterIP
\ No newline at end of file