diff --git a/flake.nix b/flake.nix
index c44f4fa..f6234ad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,6 +20,8 @@
 trok = pkgs.callPackage ./default.nix {}; }); + nixosModules.default = ./module.nix; + devShells = forAllSystems (pkgs: { default = pkgs.callPackage ./shell.nix {}; });
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..81a8c9f
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.tux.services.trok;
+in {
+ options.tux.services.trok = {
+ enable = mkEnableOption "Enable trok";
+
+ host = mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0";
+ description = "Host addr on which the trok service will listen.";
+ };
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 1337;
+ description = "Port number on which the trok service will listen.";
+ };
+
+ openFirewall = mkEnableOption "Enable firewall port";
+
+ user = mkOption {
+ type = types.str;
+ default = "trok";
+ description = "User under which the trok service runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "trok";
+ description = "Group under which the trok service runs.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
+
+ systemd.services = {
+ trok = {
+ description = "trok server";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "trok";
+ Group = "trok";
+ ExecStart = "${getExe pkgs.trok} server -a ${cfg.host}:${toString cfg.port}";
+ Restart = "always";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service"];
+ UMask = "0077";
+ };
+ };
+ };
+ # Ensure the user and group exist
+ users.users = mkIf (cfg.user == "trok") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ description = "trok service user";
+ home = "/var/lib/trok";
+ createHome = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "trok") {
+ ${cfg.group} = {};
+ };
+ };
+}
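Review bot: serviceConfig hardcodes `User = "trok"; Group = "trok";` even though the module declares `cfg.user` and `cfg.group`, so a non-default user or group is silently ignored, and since `users.users` is only created when `cfg.user == "trok"` the unit would then run as an account the module no longer guarantees exists; it should read `User = cfg.user; Group = cfg.group;`. `RestrictNamespaces = "uts ipc pid user cgroup"` is an allow-list in systemd, so as written it permits the unit to create those namespace types (user namespaces included) and only blocks net and mnt; if the intent is to deny namespace creation, `RestrictNamespaces = true;` is the setting that does that. With `ProtectSystem = "strict"` the filesystem is read-only for the unit, so if trok needs to persist anything under `/var/lib/trok` it cannot; `StateDirectory = "trok";` would make that path writable and owned by the service user and would replace the manual `home`/`createHome` setup. Consider also whether `host` should default to a loopback address rather than `0.0.0.0`, since the default binds every interface even when `openFirewall` is off.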