diff --git a/examples/configuration.nix b/examples/configuration.nix
index da23ca2..f1030ff 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -129,6 +129,12 @@
 # a network-level as much as possible.
 # nix-bitcoin.netns-isolation.enable = true;
+ ### lightning-loop
+ # Enable this module to use lightninglab's non-custodial off/on chain bridge.
+ # loopd (lightning-loop daemon) will be started automatically. Users can
+ # interact with off/on chain bridge using `loop in` and `loop out`.
+ # services.lightning-loop.enable = true;
+
 # FIXME: Define your hostname.
 networking.hostName = "nix-bitcoin";
 time.timeZone = "UTC";
diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix
new file mode 100644
index 0000000..0c84873
--- /dev/null
+++ b/modules/lightning-loop.nix
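Review bot: The commented example for `services.lightning-loop.enable` does not say that the module only evaluates when lnd is enabled (the new module asserts `lightning-loop requires lnd.`), so a user who uncomments just this line gets an evaluation failure; add `# Requires services.lnd.enable = true.` under the `### lightning-loop` heading. The vendor name in `lightninglab's` should read `Lightning Labs'`.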
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.lightning-loop;
+ inherit (config) nix-bitcoin-services;
+ secretsDir = config.nix-bitcoin.secretsDir;
+in {
+
+ options.services.lightning-loop = {
+ enable = mkEnableOption "lightning-loop";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nix-bitcoin.lightning-loop;
+ defaultText = "pkgs.nix-bitcoin.lightning-loop";
+ description = "The package providing lightning-loop binaries.";
+ };
+ proxy = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Connect through SOCKS5 proxy";
+ };
+ extraArgs = mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description = "Extra command line arguments passed to loopd.";
+ };
+ cli = mkOption {
+ default = pkgs.writeScriptBin "loop"
+ # Switch user because lnd makes datadir contents readable by user only
+ ''
+ exec sudo -u lnd ${cfg.package}/bin/loop "$@"
+ '';
+ description = "Binary to connect with the lnd instance.";
+ };
+ enforceTor = nix-bitcoin-services.enforceTor;
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ { assertion = config.services.lnd.enable;
+ message = "lightning-loop requires lnd.";
+ }
+ ];
+
+ environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
+
+ systemd.services.lightning-loop = {
+ description = "Run loopd";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "lnd.service" ];
+ after = [ "lnd.service" ];
+ serviceConfig = nix-bitcoin-services.defaultHardening // {
+ ExecStart = ''
+ ${cfg.package}/bin/loopd \
+ --lnd.host=${config.services.lnd.listen}:10009 \
+ --lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet \
+ --lnd.tlspath=${secretsDir}/lnd-cert \
+ ${optionalString (cfg.proxy != null) "--server.proxy=${cfg.proxy}"} \
+ ${cfg.extraArgs}
+ '';
+ User = "lnd";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ ReadWritePaths = "${config.services.lnd.dataDir}";
+ } // (if cfg.enforceTor
+ then
nix-bitcoin-services.allowTor
+ else nix-bitcoin-services.allowAnyIP);
+ };
+ };
+}
diff --git a/modules/modules.nix b/modules/modules.nix
index dd6d936..c3965d4 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -13,6 +13,7 @@
 ./recurring-donations.nix
 ./hardware-wallets.nix
 ./lnd.nix
+ ./lightning-loop.nix
 ./secrets/secrets.nix
 ./netns-isolation.nix
 ./dbus.nix
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index f9ba6d6..a010425 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -127,6 +127,10 @@ in {
 id = 21;
 connections = [];
 };
+ lightning-loop = {
+ id = 22;
+ connections = [ "lnd" ];
+ };
 };
 systemd.services = {
@@ -291,6 +295,14 @@ in {
 # nginx: Custom netns configs
 services.nix-bitcoin-webindex.host = mkIf config.services.nix-bitcoin-webindex.enable netns.nginx.address;
+ # loop: Custom netns configs
+ services.lightning-loop = mkIf config.services.lightning-loop.enable {
+ cli = pkgs.writeScriptBin "loop"
+ # Switch user because lnd makes datadir contents readable by user only
+ ''
+ netns-exec nb-lightning-loop sudo -u lnd ${config.services.lightning-loop.package}/bin/loop "$@"
+ '';
+ };
 })
 # Custom netns config option values if netns-isolation not enabled
 (mkIf (!cfg.enable) {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 2789f69..043586f 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -91,6 +91,12 @@ in {
 };
 services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; });
+ # lightning-loop
+ services.lightning-loop = {
+ proxy = cfg.tor.client.socksListenAddress;
+ enforceTor = true;
+ };
+
 # liquidd
 services.liquidd = {
 rpcuser = "liquidrpc";
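Review bot: `User = "lnd"` together with `ReadWritePaths = "${config.services.lnd.dataDir}"` runs loopd under lnd's own identity with write access to the entire lnd data directory, so a loopd process that talks to a remote loop server (through `--server.proxy` when set) can presumably read and alter everything lnd keeps there, including every macaroon, rather than only the one it needs; the `# Switch user because lnd makes datadir contents readable by user only` comment on the `cli` option shows this was chosen for convenience. A dedicated `lightning-loop` user that is granted only the required macaroon and the TLS cert (the cert is already provisioned as `${secretsDir}/lnd-cert`), with `ReadWritePaths` narrowed to loopd's own data directory, would keep a loopd compromise from becoming an lnd wallet compromise; the same `sudo -u lnd` wrapper appears in the netns-isolation hunk's `cli` override. Separately, `--lnd.host=${config.services.lnd.listen}:10009` and `--lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet` hard-code lnd's default RPC port and the mainnet macaroon path, so loopd fails to connect if lnd is configured with another port or network; take both from the lnd module's options if it exposes them. The `cli` option also declares no `type`; `type = types.package;` would match the `package` option above it.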
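Review bot: The `cli` override inside `services.lightning-loop = mkIf config.services.lightning-loop.enable { ... }` in netns-isolation.nix repeats the module's default wrapper script verbatim except for the `netns-exec nb-lightning-loop` prefix, so a later change to the `sudo -u lnd ${...}/bin/loop "$@"` command in one copy is easily missed in the other. Letting the module build the script from a single command-prefix option (empty by default, set to `netns-exec nb-lightning-loop` here) would leave one copy of that line. The enclosing `mkIf` list element that this hunk's ` })` closes starts outside the hunk.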