diff --git a/flake.nix b/flake.nix
index 4e7c54e..9cb60fb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,8 @@
       '');
     };
 
+  nixosModules.default = import ./nix/module.nix {inherit self system;};
+
   devShells.${system} = {
     templates = flakeOutputs.templates.devShells.${system}.default.overrideAttrs (old: {
       buildInputs = with nixpkgs.legacyPackages.${system};
diff --git a/nix/module.nix b/nix/module.nix
new file mode 100644
index 0000000..255e15c
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,78 @@
+{
+  self,
+  system,
+}: {
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) submodule str int;
+  inherit (lib.strings) escapeShellArgs;
+  inherit (self.packages.${system}) server templates;
+
+  cfg = config.services.tlaternet-webserver;
+in {
+  options = {
+    services.tlaternet-webserver = {
+      enable = mkEnableOption "tlaternet web server";
+      listen = mkOption {
+        type = submodule {
+          options = {
+            addr = mkOption {
+              type = str;
+              description = "IP address.";
+              default = "127.0.0.1";
+            };
+
+            port = mkOption {
+              type = int;
+              description = "Port number.";
+              default = 8000;
+            };
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.tlaternet-webserver = {
+      description = "tlaternet webserver";
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+
+      script = escapeShellArgs [
+        "${server}/bin/tlaternet-webserver"
+        "--template-directory"
+        templates
+        "--address"
+        "${cfg.listen.addr}:${toString cfg.listen.port}"
+      ];
+
+      serviceConfig = {
+        Restart = "always";
+
+        DynamicUser = true;
+        ProtectHome = true; # Override the default (read-only)
+        PrivateDevices = true;
+        PrivateIPC = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
+      };
+    };
+  };
+}
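Review bot: The `port` option is declared with `type = int;`, so a negative or greater-than-65535 value passes module evaluation and only surfaces when the server tries to bind the `--address` string built from it; `lib.types.port` rejects it at eval time, which is the check a consumer of this module would expect. Change the inherit to `inherit (lib.types) submodule str port;` and the option to `type = port;` (the `addr` value is safely passed through `escapeShellArgs`, so no injection concern there). The sandboxing set is thorough and `DynamicUser` already implies `ProtectSystem=strict`, `NoNewPrivileges` and `PrivateTmp`, but `CapabilityBoundingSet = "";` is absent, and nothing tells the user that a port below 1024 will fail to bind under this unprivileged unit — a short comment on the option such as `# Ports below 1024 need AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; this unit runs unprivileged` would save a confusing failure. `MemoryDenyWriteExecute = true` is presumably fine for a native binary but will break the server if its runtime JITs; that cannot be confirmed from this file. Separately, taking `system` as a module argument and reading `self.packages.${system}` pins the server to the flake's evaluation system rather than the consuming host's `pkgs.stdenv.hostPlatform.system`, so the module silently pulls the wrong architecture on a cross-arch host.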