diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index e2cb9dd..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-name: Deploy
-
-on:
- push:
- branches: [ master ]
-
-jobs:
- build:
- name: Build a Release Binary
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: actions-rs/toolchain@v1
- id: cargo
- with:
- toolchain: stable
- components: clippy
- - uses: actions/cache@v2
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- target
- key: ${{ runner.os }}-rust-${{ steps.cargo.outputs.rustc_hash }}-${{ hashFiles('**/Cargo.lock') }}-release-build
- name: Build release
- run: cargo build --release
- env:
- SQLX_OFFLINE: "true"
- - name: Upload compiled binary artifact
- uses: actions/upload-artifact@v1
- with:
- name: youmubot-release
- path: target/release/youmubot
- deploy:
- name: Deploy to remote
- needs: build
- runs-on: ubuntu-latest
- steps:
- - name: Collect artifact
- uses: actions/download-artifact@v1
- with:
- name: youmubot-release
- - name: Upload binary
- uses: appleboy/scp-action@master
- with:
- host: ${{ secrets.HOST }}
- username: ${{ secrets.USERNAME }}
- key: ${{ secrets.SSH_KEY }}
- port: ${{ secrets.PORT }}
- source: youmubot-release/youmubot
- target: youmubot
- strip_components: 1
- - name: Restart youmubot
- uses: appleboy/ssh-action@master
- with:
- host: ${{ secrets.HOST }}
- username: ${{ secrets.USERNAME }}
- key: ${{ secrets.SSH_KEY }}
- port: ${{ secrets.PORT }}
- script: |
- chmod +x youmubot/youmubot
- systemctl --user restart youmubot
diff --git a/flake.nix b/flake.nix
index acc6680..48b7e3e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,11 @@
 root = ./.;
 cargoBuildOptions = opts: opts ++ [ "--package youmubot" ];
+
+ nativeBuildInputs = nixpkgs.lib.optionals (nixpkgs.lib.strings.hasSuffix "linux" system) (with pkgs; [
+ pkg-config
+ openssl
+ ]);
 };
 defaultPackage = packages.youmubot;
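Review bot: In the flake.nix hunk, `openssl` is a library the crate links against, so it belongs in `buildInputs`, while `nativeBuildInputs` is for build-time tools such as `pkg-config`. On a native build both placements resolve, but under cross-compilation `nativeBuildInputs` supplies the build platform's openssl, which the target binary cannot link against. Suggested shape: keep `nativeBuildInputs = ... [ pkg-config ]` and add `buildInputs = nixpkgs.lib.optionals (nixpkgs.lib.strings.hasSuffix "linux" system) [ pkgs.openssl ];`, assuming the package builder forwards `buildInputs` the way it forwards `nativeBuildInputs`. The builder call this sits in, and the `system`/`pkgs` bindings it uses, start before this hunk.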
@@ -31,5 +36,8 @@
 devShell = pkgs.mkShell {
 nativeBuildInputs = with pkgs; [ rustc cargo ];
 };
+
+ # module
+ nixosModule = import ./module.nix defaultPackage;
 });
 }
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..b8afb05
--- /dev/null
+++ b/module.nix
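Review bot: `nixosModule` is assigned next to `devShell` inside what the trailing `});` suggests is a per-system wrapper, so the flake output presumably comes out as `nixosModule.<system>` rather than the top-level `nixosModule` that NixOS consumers import; a NixOS module is system-independent and should be emitted outside the per-system lambda. Because `module.nix` takes the package as its first argument, moving it out means resolving the package per system from inside the module instead (e.g. `self.packages.${pkgs.system}.youmubot`), which also avoids baking one system's derivation into the module. The `# module` comment adds nothing a reader cannot see; `# NixOS module exposing services.youmubot, backed by this flake's package` would. The enclosing `outputs` function starts before this hunk.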
@@ -0,0 +1,81 @@
+youmubot: { config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.services.youmubot;
+in
+{
+ options.services.youmubot = {
+ enable = mkEnableOption "Enable youmubot, the discord bot made with Rust.";
+
+ envFile = mkOption {
+ type = types.path;
+ description = "Path to the environment variable file, for secrets like TOKEN and OSU_API_KEY.";
+ };
+
+ prefixes = mkOption {
+ type = types.listOf types.str;
+ default = [ "y!" "y2!" ];
+ description = "The prefixes that the bot will listen on";
+ };
+
+ databasePath = mkOption {
+ type = types.str;
+ default = "/var/lib/youmubot";
+ description = "The path to the database directory";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # systemd unit
+ systemd.services.youmubot = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ description = "the discord bot made with Rust";
+ documentation = [ "https://github.com/natsukagami/youmubot" ];
+
+ script = "${youmubot}/bin/youmubot";
+
+ environment = {
+ DBPATH = cfg.databasePath;
+ SQLPATH = cfg.databasePath + "/youmubot.db";
+ PREFIX = lib.strings.concatStringsSep "," cfg.prefixes;
+ };
+
+ serviceConfig = {
+ DynamicUser = true;
+
+ WorkingDirectory = "/var/lib/youmubot";
+
+ StateDirectory = "youmubot";
+
+ EnvironmentFile = cfg.envFile;
+
+ # Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+
+ # Additional sandboxing. You need to disable all of these options
+ # for privileged helper binaries (for system auth) to work correctly.
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ DeviceAllow = "/dev/syslog";
+ RestrictSUIDSGID = true;
+ ProtectKernelModules = true;
+ MemoryDenyWriteExecute = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ LockPersonality = true;
+
+ Restart = "always";
+ };
+ };
+ };
+}
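Review bot: `envFile` is declared with `type = types.path;`, so a user who writes `envFile = ./youmubot.env;` gets the file copied into the world-readable Nix store, which defeats the option's stated purpose of holding `TOKEN` and `OSU_API_KEY`; declare it as `type = types.str;` and extend the description with "absolute path outside the Nix store (e.g. a file provisioned under /run by a secrets tool)", so a bare path literal fails evaluation instead of silently leaking. Separately, `databasePath` is configurable, but the unit hardcodes `WorkingDirectory = "/var/lib/youmubot"` and `StateDirectory = "youmubot"` while `ProtectSystem = "strict"` with `DynamicUser = true` leaves the rest of the filesystem read-only, so any `databasePath` outside `/var/lib/youmubot` produces a bot that cannot create `youmubot.db`; either add `ReadWritePaths = [ cfg.databasePath ];` (ownership for the dynamic user still has to be arranged) or state in the option description that the value must stay under the state directory. Minor: `pkgs` in the module arguments is unused, and with `with lib;` in scope the `lib.strings.` prefix on `concatStringsSep` is redundant.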