diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index 6d3d543..beac76d 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -26,6 +26,7 @@
 ../../modules/server/link
 ../../modules/server/maistro
 ../../modules/server/mikau
+ ../../modules/server/midona
 ../../modules/server/nayru
 ../../modules/server/taf
 ../../modules/server/tetra
diff --git a/modules/server/README.md b/modules/server/README.md
index f9df551..20e23fd 100644
--- a/modules/server/README.md
+++ b/modules/server/README.md
@@ -8,6 +8,7 @@
 - `link` : Kanidm (`auth.lyes.eu`)
 - `maistro` : Incus
 - `mikau` : Jellyfin (`media.lyes.eu`)
+- `midona` : Gate Minecraft Server Proxy
 - `mogma` : VPN NetNS Configuration
 - `nayru` : Komga/Manga (`manga.lyes.eu`)
 - `taf` : Mail (`taf.lyes.eu`/`mail.lyes.eu`)
diff --git a/modules/server/midona/default.nix b/modules/server/midona/default.nix
new file mode 100644
index 0000000..7b98788
--- /dev/null
+++ b/modules/server/midona/default.nix
@@ -0,0 +1,60 @@
+{ lib, pkgs, ... }:
+
+let
+ config = lib.toFile "config.yml" ''
+ config:
+ lite:
+ enabled: true
+ routes:
+ - host: stepson.minecraft.lyes.eu
+ backend: 10.0.0.2:25565
+ '';
+in
+{
+ environment.systemPackages = with pkgs; [ gate ];
+
+ systemd.services.gate = {
+ description = "Gate Minecraft Proxy";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.gate}/bin/gate --config ${config}";
+ Restart = "always";
+
+ StandardInput = "socket";
+ StandardOutput = "journal";
+ StandardError = "journal";
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 25565 ];
+ allowedUDPPorts = [ 25565 ];
+ };
+}
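Review bot: `StandardInput = "socket";` in `serviceConfig` tells systemd to hand the proxy a socket-activated file descriptor, but the hunk declares no `systemd.sockets.gate` unit and starts the service directly through `multi-user.target`, so unless a socket unit exists elsewhere in the tree the unit is likely to fail at exec time; for a plain long-running listener `StandardInput = "null";` (or dropping the line) is the intended setting. The unit also sets no `User`/`DynamicUser`, so `gate` runs as root (with capabilities emptied by `CapabilityBoundingSet`), while the hardening block omits `ProtectSystem = "strict";`, `NoNewPrivileges = true;` and a `SystemCallFilter`, the usual complements to the options already present; `DynamicUser = true;` would be the smallest change that also gives the service its own uid. `allowedUDPPorts = [ 25565 ];` opens a port the YAML config does not reference; if the lite route only proxies TCP, that firewall rule can be dropped to keep the exposed surface to what the service listens on.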