diff --git a/flake.nix b/flake.nix
index 97b32d3..7f3da75 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,11 +15,20 @@
         src = ./.;
 
         vendorHash = "sha256-SrsjcNtqQdE8Gekjn72JhCysfNmKJs7ju2BcKnOQf/U=";
+
+        meta = {
+          mainProgram = "scan-to-gpg";
+        };
       };
 
       default = scan-to-gpg;
     });
 
+    nixosModules = rec {
+      scan-to-gpg = import ./module.nix;
+      default = scan-to-gpg;
+    };
+
     hydraJobs = {
       inherit (self)
         packages;
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..95dc01b
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.scan-to-gpg;
+in {
+
+  options = {
+    services.scan-to-gpg = {
+      enable = mkEnableOption "scan-to-gpg";
+      gpgkey = mkOption {
+        type = types.path;
+        description = "Path to a file containing to GPG public key to encrypt to";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.scan-to-gpg = {
+      description = "FTP server that saves uploaded files GPG encrypted";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "network.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        type = "simple";
+        ExecStart = "${getExe pkgs.scan-to-gpg} -host 0.0.0.0 -output /var/lib/scan-to-gpg -gpgkey ${cfg.gpgkey}";
+        User = "scan-to-gpg";
+        Group = "scan-to-gpg";
+        StateDirectory = "scan-to-gpg";
+        StateDirectoryMode = "775";
+      };
+
+    };
+
+    users.users.scan-to-gpg = {
+      isSystemUser = true;
+      group = "scan-to-gpg";
+    };
+
+    users.groups.scan-to-gpg = {};
+
+  };
+}