diff --git a/flake.nix b/flake.nix
index 74d2683..062a330 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,53 +99,12 @@ }; };
- nixosModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in {
- options.services.ssh-cert-dist = {
- enable = mkEnableOption "ssh-cert-dist";
- host = mkOption {
- type = types.str;
- default = "127.0.0.1";
- };
- port = mkOption {
- type = types.port;
- default = 6877;
- };
- package = mkOption {
- type = types.package;
- default = pkgs.ssh-cert-dist;
- };
- dataDir = mkOption {
- type = types.path;
- default = "/var/lib/ssh-cert-dist";
- };
- user = mkOption {
- type = types.str;
- default = "cert-dist";
- };
- group = mkOption {
- type = types.str;
- default = "cert-dist";
- };
- };
- config = mkIf {
- users = {
- users.${cfg.user} = {
- isSystemUser = true;
- group = cfg.group;
- };
- groups.${cfg.group} = { };
-
- };
- systemd.services.ssh-cert-dist = {
- preStart = ''
- chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
- '';
- serviceConfig.User = cfg.user;
- serviceConfig.ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${cfg.ca}";
- };
- };
- };
- homeManagerModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { };
+ nixosModules.default = {
+ imports = [ ./modules/nixos.nix ];
+ };
+ homeManagerModules.default = {
+ imports = [ ./modules/home-manager.nix ];
+ };
 };
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
new file mode 100644
index 0000000..40de4a2
--- /dev/null
+++ b/modules/home-manager.nix
@@ -0,0 +1,2 @@
+{ config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { }
+
diff --git a/modules/nixos.nix b/modules/nixos.nix
new file mode 100644
index 0000000..e45e8e0
--- /dev/null
+++ b/modules/nixos.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }: with lib; let
+ cfg = config.services.ssh-cert-dist;
+ ca = if builtins.isPath cfg.ca then cfg.ca else pkgs.writeText "ssh-ca" cfg.ca;
+in
+{
+ options.services.ssh-cert-dist = {
+ enable = mkEnableOption "ssh-cert-dist";
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 6877;
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ssh-cert-dist;
+ };
+ ca = mkOption {
+ type = with types; either str path;
+ };
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/ssh-cert-dist";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ };
+ config = mkIf cfg.enable {
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ groups.${cfg.group} = { };
+
+ };
+ systemd.services.ssh-cert-dist = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStartPre = "+${pkgs.writeShellScript "pre-start" ''
+ mkdir -p ${cfg.dataDir}
+ chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
+ ''}";
+ User = cfg.user;
+ ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${ca}";
+ };
+ };
+ };
+}
+
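Review bot: Both branches of the `ca` binding at the top of the hunk put the CA material into the world-readable Nix store — `pkgs.writeText` for a string value, and a path value is copied into the store as soon as it is interpolated into `--ca ${ca}` in ExecStart. Whether `--ca` takes the CA public key or the signing key is not visible here; if it can be the private key, the option should accept an absolute path to a file outside the store (provisioned out of band) and pass it through unchanged, and the new `ca` option should in any case carry a `description`, e.g. `description = "CA passed to --ca; string and path values are copied into the world-readable /nix/store, so point a private key at a file outside the store.";`. The root (`+`) ExecStartPre only creates and chowns `cfg.dataDir`; for the default location under /var/lib, `StateDirectory = "ssh-cert-dist";` does the same without a root pre-start and without chowning an admin-supplied path. The unit also has no `after = [ "network.target" ]`, so with a non-loopback `cfg.host` it may start before that address is configured.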