diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f361163ca63..24dcf53e635 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -598,6 +598,7 @@
   ./services/networking/coredns.nix
   ./services/networking/corerad.nix
   ./services/networking/coturn.nix
+  ./services/networking/croc.nix
   ./services/networking/dante.nix
   ./services/networking/ddclient.nix
   ./services/networking/dhcpcd.nix
diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix
new file mode 100644
index 00000000000..adba6f7f565
--- /dev/null
+++ b/nixos/modules/services/networking/croc.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) types;
+  cfg = config.services.croc;
+in
+{
+  options.services.croc = {
+    enable = lib.mkEnableOption "croc relay";
+    ports = lib.mkOption {
+      type = types.listOf types.port;
+      default = [9009 9010 9011 9012 9013];
+      description = "Ports of the relay.";
+    };
+    pass = lib.mkOption {
+      type = types.str;
+      default = "pass123";
+      description = "Password for the relay (warning: it will be visible in the Nix store and the list of processes).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.croc = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}";
+        # systemd-analyze security croc
+        # → Overall exposure level for croc.service: 1.1 OK
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateNetwork = false;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallFilter = [
+          # perf stat -o /dev/stdout -e 'syscalls:sys_enter_*' croc relay |
+          # awk '$1 && $2 ~ /syscalls:/ { sub("syscalls:sys_enter_", ""); print $2 }' |
+          # sort >croc.syscalls
+          # <use croc>
+          # pkill croc
+          # systemd-analyze syscall-filter | grep -v -e '#' |
+          # sed -e ':loop; /^[^ ]/N; s/\n //; t loop' |
+          # grep --color $(printf ' -e \\<%s\\>' $(cat croc.syscalls))
+          "@default" "@basic-io" "@file-system" "@io-event" "@ipc" "@network-io" "@process" "@signal"
+          "brk getrandom ioctl madvise mprotect sched_getaffinity sched_yield uname"
+        ];
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        UMask = "0077";
+      };
+    };
+
+    networking.firewall =
+      { allowedTCPPorts = [ cfg.ports ];
+        allowedUDPPorts = [ cfg.ports ];
+      };
+  };
+
+  meta.maintainers = with lib.maintainers; [ julm ];
+}