diff --git a/flake.nix b/flake.nix
index 0d54c2d..abd5769 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,28 @@
       default = self.packages.${system}.keikos;
     });
 
+    nixosModules = {
+      keikos = {
+        pkgs,
+        lib,
+        ...
+      }: {
+        options._keikos-flake = with lib;
+        with lib.types; {
+          pkg = mkOption {
+            type = anything;
+            default = self.packages.${pkgs.system}.default;
+          };
+        };
+        imports = [
+          ./module.nix
+        ];
+      };
+      default = self.nixosModules.keikos;
+    };
+
+    legacyPackages = self.packages;
+
     devShells = forAllSystems (system: pkgs: {
       default = pkgs.mkShell {
         CGO_ENABLED = "0";
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..40735ac
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.keikos.web;
+in {
+  options.services.keikos.web = with lib;
+  with lib.types; {
+    enable = mkEnableOption "";
+    port = mkOption {
+      type = port;
+      default = 7331;
+    };
+    package = mkOption {
+      type = package;
+      default = config._keikos-flake.pkg;
+    };
+    user = mkOption {
+      type = str;
+      default = "keikoswork";
+    };
+    group = mkOption {
+      type = str;
+      default = "keikoswork";
+    };
+  };
+  config = with lib;
+    mkIf cfg.enable {
+      systemd.services."keikoswork" = {
+        after = ["network.target"];
+        wantedBy = ["multi-user.target"];
+        serviceConfig = {
+          Type = "simple";
+          User = cfg.user;
+          Group = cfg.group;
+          ExecStart = "${lib.escapeShellArg (lib.getExe cfg.package)} web -port ${toString cfg.port}";
+          Restart = "on-success";
+        };
+      };
+
+      users.users."${cfg.user}" = {
+        isSystemUser = true;
+        group = cfg.group;
+      };
+      users.groups."${cfg.group}" = {};
+    };
+}