diff --git a/flake.nix b/flake.nix
index 3c5be84..74d2683 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,17 +15,18 @@
 root = inputs.source or self;
 pname = (builtins.fromTOML (builtins.readFile (root + "/Cargo.toml"))).package.name;
 # toolchains: stable, beta, default(nightly)
- toolchain = pkgs: if inputs ? fenix then inputs.fenix.packages."${pkgs.system}".complete.toolchain
- else with pkgs; symlinkJoin { name = "rust-toolchain"; paths = [ rustc cargo ]; };
+ toolchain = pkgs:
+ if inputs ? fenix then inputs.fenix.packages."${pkgs.system}".complete.toolchain
+ else with pkgs; symlinkJoin { name = "rust-toolchain"; paths = [ rustc cargo ]; };
 forSystem = system:
- let
- pkgs = nixpkgs.legacyPackages."${system}";
- in
+ let
+ pkgs = nixpkgs.legacyPackages."${system}";
+ in
 rec {
 # `nix build`
 packages.${pname} = (self.overlay pkgs pkgs).${pname};
- packages.dockerImage = pkgs.runCommandLocal "docker-${pname}.tar.gz" {} "${apps.streamDockerImage.program} | gzip --fast > $out";
+ packages.dockerImage = pkgs.runCommandLocal "docker-${pname}.tar.gz" { } "${apps.streamDockerImage.program} | gzip --fast > $out";
 packages.default = packages.${pname};
@@ -33,7 +34,7 @@
 apps.${pname} = utils.lib.mkApp { drv = packages.${pname}; };
-
+
 # `nix run .#streamDockerImage | docker load`
 apps.streamDockerImage = utils.lib.mkApp {
 drv = with pkgs; dockerTools.streamLayeredImage {
@@ -84,8 +85,8 @@
 rustc = toolchain prev;
 cargo = toolchain prev;
 };
- buildInputs = with prev; [
- openssl
+ buildInputs = with prev; [
+ openssl
 ];
 nativeBuildInputs = with prev; [
 pkg-config
@@ -98,6 +99,54 @@
 };
 };
+ nixosModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in {
+ options.services.ssh-cert-dist = {
+ enable = mkEnableOption "ssh-cert-dist";
+ host = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ };
+ port = mkOption {
+ type = types.port;
+ default = 6877;
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ssh-cert-dist;
+ };
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/ssh-cert-dist";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "cert-dist";
+ };
+ };
+ config = mkIf {
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ groups.${cfg.group} = { };
+
+ };
+ systemd.services.ssh-cert-dist = {
+ preStart = ''
+ chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
+ '';
+ serviceConfig.User = cfg.user;
+ serviceConfig.ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${cfg.ca}";
+ };
+ };
+ };
+ homeManagerModules.default = { config, pkgs, lib, ... }: with lib; let cfg = config.services.ssh-cert-dist; in { };
+
 };
 }
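Review bot: `config = mkIf {` in the new nixosModules.default is missing its condition, so the module cannot evaluate and `enable` is never consulted; it should read `config = mkIf cfg.enable {`. ExecStart also interpolates `cfg.ca`, but no `ca` option is declared under `options.services.ssh-cert-dist`, which fails evaluation with a missing-attribute error as soon as the module is imported. The `preStart` chown runs as `cfg.user` (User applies to ExecStartPre as well), nothing creates `dataDir`, and the unit has no `wantedBy`, so it neither prepares its state directory nor starts at boot; since the service listens on the network and takes CA material on its command line it should also get the usual systemd sandboxing. The rewritten option and config section below declares `ca`, creates the directory via tmpfiles instead of a root-only chown, and hardens the unit; `default = pkgs.ssh-cert-dist` presumably relies on the flake's overlay being applied, which is worth stating in that option's description.
```nix
        ca = mkOption {
          type = types.path;
          description = "Value passed to the server's `--ca` flag; required, no default.";
        };
      };
      config = mkIf cfg.enable {
        # … unchanged: users / groups …
        # dataDir is created and owned by tmpfiles, so no chown is needed in preStart
        systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -" ];
        systemd.services.ssh-cert-dist = {
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          serviceConfig = {
            User = cfg.user;
            Group = cfg.group;
            ExecStart = "${cfg.package}/bin/ssh-cert-dist server --address ${cfg.host}:${toString cfg.port} -c ${cfg.dataDir} --ca ${cfg.ca}";
            NoNewPrivileges = true;
            PrivateTmp = true;
            ProtectSystem = "strict";
            ProtectHome = true;
            ReadWritePaths = [ cfg.dataDir ];
          };
        };
      };
```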