diff --git a/README.md b/README.md
new file mode 100644
index 0000000..357e4c0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,61 @@
+# tor-box
+
+This is an image/container build for a transparently tor proxied host
+
+## build
+
+This uses [mkosi](https://github.com/systemd/mkosi) which is packaged for some distros, or easy-enough to install from source.
+
+```shell
+git clone git://github.com/vbatts/tor-box
+cd ./tor-box
+sudo mkosi
+```
+
+## Usage
+
+```shell
+systemd-nspawn -bni $(pwd)/image.raw -M tor-box
+```
+
+This boots the container up, but gives you a login prompt with no root passwd set.
+The container is on private network with a veth to the host.
+This expects systemd-networkd on the host to be configured and running.
+
+To get a shell inside this container, do:
+
+```shell
+machinectl shell tor-box
+Connected to machine tor-box. Press ^] three times within 1s to exit session.
+sh-4.4# curl ifconfig.co/json
+{"ip":"91.223.82.156","ip_decimal":1541362332,"country":"Netherlands","city":"Unknown","hostname":"hosted-by.iws.co"}sh-4.4#
+```
+
+From here you can run `passwd` if you'd like, to set a password for root.
+
+
+## Start on boot
+
+The resulting `image.raw` and `image.nspawn` files can be installed and enabled like services on a host.
+
+```shell
+sudo mv ./image.raw /var/lib/machines/tor-box.raw
+sudo mkdir -p /etc/systemd/nspawn
+sudo mv ./image.nspawn /etc/systemd/nspawn/tor-box.raw.nspawn
+sudo sudo systemctl start systemd-nspawn@tor-box.raw
+sudo sudo systemctl status systemd-nspawn@tor-box.raw
+```
+
+Likewise you can enable it to start on-boot with:
+
+```shell
+sudo sudo systemctl enable systemd-nspawn@tor-box.raw
+```
+
+(this requires `systemd-machined.service` to be enabled on the host.
+
+
+## Props and References
+
+* https://blog.jessfraz.com/post/routing-traffic-through-tor-docker-container/
+* https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
diff --git a/mkosi.build b/mkosi.build
new file mode 100755
index 0000000..577578e
--- /dev/null
+++ b/mkosi.build
@@ -0,0 +1,110 @@
+#!/bin/sh
+
+cd 
+
+mkdir -p $DESTDIR/etc/systemd/system
+cat > $DESTDIR/etc/systemd/system/tor.service <<EOF
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor --runasdaemon 0 -f /etc/tor/torrc.ours --verify-config
+ExecStart=/usr/bin/tor --runasdaemon 0 -f /etc/tor/torrc.ours
+ExecReload=/bin/kill -HUP \${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+[Install]
+WantedBy = multi-user.target
+EOF
+
+mkdir -p $DESTDIR/etc/tor
+cat > $DESTDIR/etc/tor/torrc.ours <<EOF
+
+DataDirectory /var/lib/tor
+DataDirectoryGroupReadable 1
+User toranon
+Log notice syslog
+#Log debug stderr
+AutomapHostsOnResolve 1
+DNSPort 5353
+Log debug stderr
+TransPort 9040
+VirtualAddrNetworkIPv4 10.192.0.0/10
+
+EOF
+
+cat > $DESTDIR/etc/systemd/system/iptables-restore.service <<EOF
+[Unit]
+Description=apply iptables rules
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh /etc/rc.firewall
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > $DESTDIR/etc/rc.firewall <<EOF
+### set variables
+#destinations you don't want routed through Tor
+_non_tor="192.168.1.0/24 192.168.0.0/24"
+
+#the UID that Tor runs as (varies from system to system)
+_tor_uid="\$(id -u toranon)"
+
+#Tor's TransPort
+_trans_port="9040"
+_dns_port="5353"
+
+### flush iptables
+iptables -F
+iptables -t nat -F
+
+### set iptables *nat
+iptables -t nat -A OUTPUT -m owner --uid-owner \$_tor_uid -j RETURN
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports \$_dns_port
+
+#allow clearnet access for hosts in \$_non_tor
+for _clearnet in \$_non_tor 127.0.0.0/9 127.128.0.0/10; do
+   iptables -t nat -A OUTPUT -d \$_clearnet -j RETURN
+done
+
+#redirect all other output to Tor's TransPort
+iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports \$_trans_port
+
+### set iptables *filter
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#allow clearnet access for hosts in \$_non_tor
+for _clearnet in \$_non_tor 127.0.0.0/8; do
+   iptables -A OUTPUT -d \$_clearnet -j ACCEPT
+done
+
+#allow only Tor output
+iptables -A OUTPUT -m owner --uid-owner \$_tor_uid -j ACCEPT
+iptables -A OUTPUT -j REJECT
+EOF
+
+
+mkdir -p $DESTDIR/etc/systemd/system/multi-user.target.wants
+ln -sf /etc/systemd/system/tor.service $DESTDIR/etc/systemd/system/multi-user.target.wants/tor.service
+ln -sf /usr/lib/systemd/system/systemd-networkd.service $DESTDIR/etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+mkdir -p $DESTDIR/etc/systemd/system/sockets.target.wants
+ln -sf /usr/lib/systemd/system/systemd-networkd.socket $DESTDIR/etc/systemd/system/sockets.target.wants/systemd-networkd.socket
+ln -sf /etc/systemd/system/iptables-restore.service $DESTDIR/etc/systemd/system/multi-user.target.wants/iptables-restore.service
+
+# disable failing services
+ln -sf /dev/null $DESTDIR/etc/systemd/system/systemd-update-utmp.service
+ln -sf /dev/null $DESTDIR/etc/systemd/system/systemd-tmpfiles-setup.service
diff --git a/mkosi.cache/.gitkeep b/mkosi.cache/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/mkosi.default b/mkosi.default
new file mode 100644
index 0000000..425afd7
--- /dev/null
+++ b/mkosi.default
@@ -0,0 +1,12 @@
+[Distribution]
+Distribution=fedora
+Release=26
+
+[Output]
+Format=raw_btrfs
+#Bootable=yes
+Hostname=tor-box
+
+[Packages]
+Packages=tor iptables net-tools iproute vim-minimal curl
+#BuildPackages=make gcc libcurl-devel
diff --git a/mkosi.nspawn b/mkosi.nspawn
new file mode 100644
index 0000000..ded8ba9
--- /dev/null
+++ b/mkosi.nspawn
@@ -0,0 +1,2 @@
+[Network]
+VirtualEthernet=yes