diff --git a/.gitignore b/.gitignore
index 2f258c9..f89d960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /gomod2nix-template
-.direnv
-.env
-tsnet-proxy
+/.direnv
+/.env
+/tsnet-proxy
+/result
diff --git a/default.nix b/default.nix
index 2e0b1b5..f72ee43 100644
--- a/default.nix
+++ b/default.nix
@@ -1,18 +1,4 @@
-{ pkgs ? (
- let
- inherit (builtins) fetchTree fromJSON readFile;
- inherit ((fromJSON (readFile ./flake.lock)).nodes) nixpkgs gomod2nix;
- in
- import (fetchTree nixpkgs.locked) {
- overlays = [
- (import "${fetchTree gomod2nix.locked}/overlay.nix")
- ];
- }
- )
-, buildGoApplication ? pkgs.buildGoApplication
-}:
-
-buildGoApplication {
+{ buildGoApplication }: buildGoApplication {
 pname = "tsnet-proxy";
 version = "0.1";
 pwd = ./.;
diff --git a/flake.nix b/flake.nix
index 89f3bd3..fc73798 100644
--- a/flake.nix
+++ b/flake.nix
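Review bot: The new default.nix header `{ buildGoApplication }: buildGoApplication {` folds the argument pattern and the call onto one line, which reads against the usual Nix layout (and the file's own previous shape) of a lone argument set followed by a blank line and the call. Splitting it into `{ buildGoApplication }:`, an empty line, and `buildGoApplication {` keeps the change's meaning while matching that convention. The buildGoApplication call body continues past the end of this hunk.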
@@ -25,6 +25,49 @@
 inherit (goModPkgs) mkGoEnv gomod2nix;
 };
 });
+ nixosModules.default = { config, pkgs, lib, ... }: {
+ options.services.bluepython508.tsnet-proxy = with lib; with types; {
+ clientId = mkOption {
+ type = str;
+ };
+ clientSecretFile = mkOption {
+ type = str;
+ };
+ tags = mkOption { type = listOf str; };
+ proxies = mkOption {
+ type = attrsOf (submodule ({ config }: {
+ options = let
+ proto = enum ["udp" "tcp" "unix"];
+ in {
+ enable = mkOption { type = bool; default = true; };
+ proto = mkOption { type = proto; };
+ dest = mkOption { type = str; };
+ hostProto = mkOption { type = proto; };
+ port = mkOption { type = int; };
+ };
+ config.hostProto = mkDefault config.proto;
+ }));
+ };
+ };
+ config.systemd.services = let
+ cfg = config.services.bluepython508.tsnet-proxy;
+ get-authkey = pkgs.tailscale.overrideAttrs { subPackages = ["cmd/get-authkey"]; postInstall = ""; };
+ in lib.mapAttrs (hostname: { proto, hostProto, port, dest, enable, ... }: {
+ inherit enable;
+ script = ''
+ TS_AUTHKEY=$(cat $RUNTIME_DIRECTORY/authkey) ${lib.getExe self.packages.${pkgs.system}.default} ${hostProto} ${hostname} ${port} ${proto} ${dest}
+ '';
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ RuntimeDirectory = hostname;
+ ExecStartPre = "!${pkgs.writeShellScript "get-authkey" ''
+ TS_API_CLIENT_ID=${cfg.clientId} TS_API_CLIENT_SECRET=$(cat ${cfg.clientSecretFile}) ${get-authkey}/bin/get-authkey -ephemeral -tags ${lib.concatStringsSep "," cfg.tags} > $RUNTIME_DIRECTORY/authkey
+ chown ${hostname}:${hostname} $RUNTIME_DIRECTORY/authkey
+ ''}";
+ };
+ }) cfg.proxies;
+ };
 };
 }
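Review bot: The tailnet auth key that the root-run (`!`-prefixed) ExecStartPre writes with `> $RUNTIME_DIRECTORY/authkey` is created under the default umask inside a RuntimeDirectory whose mode is left at systemd's default of 0755, and the following `chown ${hostname}:${hostname}` changes only ownership, so the key file is very likely world-readable for as long as the unit runs. Since the only consumer is the `cat $RUNTIME_DIRECTORY/authkey` in the main script, nothing needs access beyond the dynamic user: add `RuntimeDirectoryMode = "0700";` next to `RuntimeDirectory = hostname;` and run the redirect under `umask 077` so the file is created 0600. A longer-term option worth a comment in the module is to pass `clientSecretFile` via `LoadCredential` and fetch the key from the unprivileged main process, which would remove the root pre-start step entirely. The enclosing `outputs` attribute set opens before this hunk.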