diff --git a/custom-recipes/buildernet/mkosi/playground.yaml b/custom-recipes/buildernet/mkosi/playground.yaml
index 68286b40..c1c77bcd 100644
--- a/custom-recipes/buildernet/mkosi/playground.yaml
+++ b/custom-recipes/buildernet/mkosi/playground.yaml
@@ -4,6 +4,30 @@ description: Deploy the stack with the BuilderNet mkosi image (QEMU)
 recipe:
 builder-vm:
 services:
+ attested-tls-proxy:
+ image: ghcr.io/flashbots/attested-tls-proxy
+ tag: "1.0.1"
+ args:
+ - server
+ - --listen-addr
+ - 0.0.0.0:7000
+ - --server-attestation-type
+ - none
+ - --allowed-remote-attestation-type
+ - none
+ - --tls-private-key-path
+ - /server.key
+ - --tls-certificate-path
+ - /server.crt
+ - builder-hub-proxy:8888
+ ports:
+ http: 7000
+ depends_on:
+ - builder-hub-proxy:healthy
+ files:
+ "/server.key": "server.key"
+ "/server.crt": "server.crt"
+
 builder:
 lifecycle_hooks: true
 init:
diff --git a/custom-recipes/buildernet/mkosi/server.crt b/custom-recipes/buildernet/mkosi/server.crt
new file mode 100644
index 00000000..527d6a6d
--- /dev/null
+++ b/custom-recipes/buildernet/mkosi/server.crt
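Review bot: Both `--server-attestation-type none` and `--allowed-remote-attestation-type none` turn attestation off on this proxy, and it listens on `0.0.0.0:7000` with a private key that the same commit checks in, so the service as added offers TLS with a publicly known key and no attestation. That is reasonable for a local playground, but nothing in the hunk says so; a comment above `attested-tls-proxy:` such as `# Local testing only: attestation is disabled and the TLS key is committed; do not reuse these args outside the playground` would keep the block from being copied into a real deployment. The image is referenced by the mutable tag `"1.0.1"`; if the recipe format accepts a digest, pinning it would make the pulled image reproducible. The enclosing `services:` mapping starts and continues outside the hunk.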
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUJiyepwRfje5+tjuPhiA9uWQj4WgwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDIxMjAwMzMyOVoXDTI3MDIx +MjAwMzMyOVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAlLiVis9jbau8jlwE2uwnphidIuanbWdPJP4KQyrXsq7/ +DnF02qnghl9nT4bHSMUYCciOS2PNp9DH2ZWUJwX3tEO1nsT4V0msdYglz5x/1sYn +3hqI8U7GEh3NAA0qkvzEdupyR3FhioRQSrAO6CMOoK84CtwcbCg8+sl1VXJgH7s6 +D2daEF3HyxaX4EQKj+vpZQ/TsOSRq2FFeJWtvOCHAczPk2A/3/kLqN2wlxmlJ6Dt +hMoXg8ZwYZKdDIW0qkvtAfvaee0AB4M2OwRQ8Hxgqb+kqMAn7Goo2WxZyIjQ6Mvi +Fl6Ljhp7f4G4RLb0ramVLCbGw3LHEEmQwhbb6i3Z2wIDAQABo1MwUTAdBgNVHQ4E +FgQULJFWsw3onq6iTBFmznbdp1CNoI4wHwYDVR0jBBgwFoAULJFWsw3onq6iTBFm +znbdp1CNoI4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjZor +0q0GiMU5D5puCVPEBexXzSeaATSxnQj88wjKYhYnsljniMS78TSNwGqHZQF5y4/M +50S65+eNySfb5KP+3yKMQbVZwM+LCZkifQGaLKat6MqWS5blTMNJuGZAxTM8ba3K +RmidXHhio8VuR+gItOaB3tyYYEGKmDlzajFne68dwGTe9hwzmgqLVzDIE3GFxJ/H +lScxoqF0hiqtkhf8DxrFgC7IOLdItYaZAQluLKnGWS/0tmSYP/pxkaGL3m7M1G35 +egYidvH/Z0IJ42S+7Y6a/yhZaqMFqnMHd3rqobMUeUnCJd3MSJp1BRCf03u1JuIe +917M8ZdcpnSZwd78FA== +-----END CERTIFICATE----- diff --git a/custom-recipes/buildernet/mkosi/server.key b/custom-recipes/buildernet/mkosi/server.key new file mode 100644 index 00000000..907fe0fd --- /dev/null +++ b/custom-recipes/buildernet/mkosi/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCUuJWKz2Ntq7yO +XATa7CemGJ0i5qdtZ08k/gpDKteyrv8OcXTaqeCGX2dPhsdIxRgJyI5LY82n0MfZ +lZQnBfe0Q7WexPhXSax1iCXPnH/WxifeGojxTsYSHc0ADSqS/MR26nJHcWGKhFBK +sA7oIw6grzgK3BxsKDz6yXVVcmAfuzoPZ1oQXcfLFpfgRAqP6+llD9Ow5JGrYUV4 +la284IcBzM+TYD/f+Quo3bCXGaUnoO2EyheDxnBhkp0MhbSqS+0B+9p57QAHgzY7 +BFDwfGCpv6SowCfsaijZbFnIiNDoy+IWXouOGnt/gbhEtvStqZUsJsbDcscQSZDC +FtvqLdnbAgMBAAECggEANUB013vT++CbBxR+7o7R0aENnwIdIEj2J2ZJcWyFSKdt +j5Pjhip+yU6e9PRrJizgoxwri2YkrPrOnKP5JRH3dJYsEbowvDyWoo0KEPFWOya/ +/sDcmR8eQD1oeqS8Ql580KG5Isi/5vPitiOdatSmt7WV6RmQmc+8qgX53As0zRdW ++HSIRcEgDpBKqsSs/TSHJcKjGIpVaJkfimY/p6xTmQ/SPOQ+Zw8zo3OigQU6dD3P +fVHq5avab1+uZ8dby3HPZ7xwzETeNIVP7OhGLBK4hz2Nyp7HIuDH/zydeQ90p1/H +eXLFJbcw6uZUTMEwTqEbQ0qDiFkMRgo+3J4X1ju05QKBgQDHuq4HAYI1kGBecaLt +r2ADLQBrjqmFSvEoUO4VeCP8ttuL/lUZTZadWIzyzzPJ0agq+1UFJDbU0p4/BHim +0PRHz9QWF5W8HuLFoBLH1ZCc7lR9jvZPacoDbIW5VrXMI+CbZ44t/cgJUVqBevOJ +VU9NvQo1k+WRjMXtPqmdyPKkdwKBgQC+nvomUmXBFm34bHthcUtqs8XCsx8dsLfZ +31LfpIC450Qo1KIf+VKAWbG9nZK+3Px0ohX1M4HLpL/zf5c9Xxk5hDc9zQfeXgwf +9lgCjZrRQ+3215XdwBrnKT8XpEkR4ka+5NrzqF+CH3/dfX9bOS4+z7sn18aKdP5w +WG3BhCqCvQKBgQCntVMnwtaJD6A77YN3vYkLYaA2sGYb7J+u0LX6BRWCwDB9zqO6 +SXIs0QwZXm8ICioBXWU4mf4ImooSNDjzKgXUvuhBXLB4dB7K/uyGLAfwHheIDqE4 +cYYVdeybgfnJXl7dXwj+CVkMqekrTAhuytl6Vz/ZWUStAN25pqJaQT+tZQKBgECM +NMilPi+UGMj2cxEb/B21olG7td2n6ZmtNbLlUXFLXpk053FMS9OKi9VZdkeLLTGR +cT4Gov0CXL1nhx8RBMmlK8+RjgiOcCyijkrPCI20IvBjMCxW0MVWAjdPOi8EIFCj +zkCT00OMxw+JX4bUZgR+8zEar/BSjZYdW40b5AlBAoGBAIZC+HhJpdJxNoUnndqj +x0nvWM5ZrnPa/6QXyMNn52vbqG7ZMyYCHwDXWJfBfxM9wdsMJKoH8pES9BF9Qr4o +Vv7hb/t9kbB0mg2QgxRTFwiGW06LU03u/4YhluwePEHydUoai+hTV35rbAaKiNE9 +QXzE0i3NWnSqX3hksZSn+UD5 +-----END PRIVATE KEY----- diff --git a/custom-recipes/buildernet/mkosi/test-atls-proxy.sh b/custom-recipes/buildernet/mkosi/test-atls-proxy.sh new file mode 100755 index 00000000..715666d5 --- /dev/null +++ b/custom-recipes/buildernet/mkosi/test-atls-proxy.sh 
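Review bot: The new `server.key` is an unencrypted private key committed next to its certificate, so anyone who can read the repository holds the key the playground proxy presents, and the pair must never be trusted outside this recipe. Consider generating the pair when the recipe is set up instead of storing it, for example with `openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 -subj "/CN=localhost"`, and keeping both files out of version control. If the files stay, document them as test fixtures and allowlist them in secret scanning deliberately, since scanners will flag the PEM header. The accompanying `server.crt` appears to be a self-signed localhost certificate with a one-year validity, so a committed copy will also need regenerating once it expires.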
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Spins up an atls-proxy client, curls through it, tears it down.
+# Usage: ./test-atls-proxy.sh [server:port] [path]
+set -euo pipefail
+
+IMAGE="ghcr.io/flashbots/attested-tls-proxy:1.0.1"
+NAME="atls-proxy-client-test"
+PORT=6000
+SERVER="${1:-localhost:7000}"
+PATH_="${2:-/api/l1-builder/v1/configuration}"
+
+trap 'docker rm -f $NAME >/dev/null 2>&1 || true' EXIT
+docker rm -f "$NAME" >/dev/null 2>&1 || true
+
+echo "-> client connecting to ${SERVER}"
+docker run -d --name "$NAME" --network host "$IMAGE" \
+ client --listen-addr "0.0.0.0:${PORT}" \
+ --client-attestation-type none \
+ --allowed-remote-attestation-type none \
+ --allow-self-signed \
+ "$SERVER" >/dev/null
+
+for i in $(seq 1 10); do
+ curl -s -o /dev/null "http://127.0.0.1:${PORT}/" 2>/dev/null && break
+ [ "$i" -eq 10 ] && { echo "client failed to start:"; docker logs "$NAME"; exit 1; }
+ sleep 0.5
+done
+
+echo "-> GET ${PATH_}"
+curl -s -w "\n--- %{http_code}\n" "http://127.0.0.1:${PORT}${PATH_}"
\ No newline at end of file
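Review bot: The client proxy is started with `--network host` and `--listen-addr "0.0.0.0:${PORT}"`, so for the duration of the test it accepts connections on every host interface and forwards them to the server, although the script itself only ever connects to `127.0.0.1`; `client --listen-addr "127.0.0.1:${PORT}" \` would keep it local, assuming the proxy accepts a loopback bind address. The final `curl -s -w ...` also exits 0 on an HTTP error status, so the script reports success whatever the server answers; adding `-f` (and `-S` so errors are shown) would make a 4xx/5xx response fail the test. `$NAME` is unquoted inside the `trap` string, unlike the `docker rm -f "$NAME"` on the following line. Because `--allow-self-signed` and both `none` attestation types are set, a passing run demonstrates connectivity only, which deserves a line in the header comment.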