diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..5df16c1
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, perSystem, ... }:
+
+let
+  cfg = config.services.calapi;
+  types = lib.types;
+in
+{
+  options.services.calapi = {
+    enable = lib.mkEnableOption "calapi";
+
+    port = lib.mkOption {
+      type = types.int;
+      default = 8434;
+    };
+
+    proxy = lib.mkOption {
+      type = types.enum [
+        "nginx"
+      ];
+      default = null;
+      example = "nginx";
+    };
+
+    nginx.virtualHost = lib.mkOption {
+      example = lib.literalExpression ''
+        {
+          serverName = "survey.example.org";
+          forceSSL = true;
+          enableACME = true;
+        }
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      groups."calapi" = {};
+      users."calapi" = {
+        group = "calapi";
+        isSystemUser = true;
+      };
+    };
+
+    systemd.services.calapi = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${perSystem.calapi.default}/bin/calapi --port ${toString cfg.port}";
+        Type = "exec";
+        User = "calapi";
+      };
+    };
+
+    services.nginx.virtualHosts = lib.mkIf (cfg.proxy == "nginx") {
+      "${cfg.nginx.virtualHost.serverName}" = lib.mkMerge [
+        cfg.nginx.virtualHost
+        {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString cfg.port}/";
+          };
+        }
+      ];
+    };
+  };
+}