diff --git a/README.md b/README.md
index f24556c..aa0611d 100644
--- a/README.md
+++ b/README.md
@@ -6,4 +6,20 @@ Declaratively keep your stuff up to date in your nixos config.
 
 ## Usage
 ```nix
+services.fooud = {
+  enable = true;
+  repos = [
+    {
+      path = "/full/path/to/your/repo.git";
+      hooks = [
+        pkgs.writeScriptBin "post-recieve" ''
+          git clone . /var/www/your/deployed/location
+        '';
+      ];
+    }
+  ];
+};
 ```
+
+# TODO
+- [ ] add support for non-git files
diff --git a/flake.lock b/flake.lock
index 4e7cf41..5e53944 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,18 +2,17 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764733908,
-        "narHash": "sha256-QJiih52NU+nm7XQWCj+K8SwUdIEayDQ1FQgjkYISt4I=",
+        "lastModified": 1767892417,
+        "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cadcc8de247676e4751c9d4a935acb2c0b059113",
+        "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
       }
     },
     "root": {
diff --git a/flake.nix b/flake.nix
index 3d8d708..f881612 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,10 @@
 {
   description = "Declaratively update your data.";
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
   outputs = { ... }: {
+    nixosModules = rec {
+      fooud = builtins.import ./module.nix;
+      default = fooud;
+    };
   };
 }
diff --git a/lib.nix b/lib.nix
deleted file mode 100644
index 9f360bb..0000000
--- a/lib.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ pkgs, ... }:
-let
-  defaultUpdater = { git ? null, url ? null, path ? null, keys ? null, dest, check, config }:
-    let
-      config.systemd.services."fooud-${dest}" = {
-        serviceConfig = {
-          Type = "oneshot";
-          User = "root";
-          Group = "root";
-          ExecStart = let
-            dest = pkgs.lib.assertMsg dest "dest must be set";
-            remote =
-              if git then "--git " + git
-              else if url then "--url " + url
-              else if path then "--path " + path
-              else builtins.throw "one of git, url or path must be set";
-            keys_str = if git then
-              pkgs.lib.strings.concatStrings builtins.map (x: "--key ${x} ") keys
-            else throw "cannot use keys with git";
-          in pkgs.writeShellScript "fooud-${dest}-wrapper" ''
-              ${pkgs.fooud}/bin/fooud ${keys_str} ${remote} ${dest}
-              '';
-        };
-      };
-
-      config.systemd.timers."fooud-${dest}" = {
-        wantedBy = [ "timers.target" ];
-        timerConfig = {
-          OnActiveSec = "0s";
-          OnUnitActiveSec = check;
-          Unit = "fooud-${dest}.service";
-          Persistent = true;
-        };
-      };
-    in
-      {
-        config = config;
-        dest = dest;
-      };
-in
-let
-  gitUpdater = config: { git, keys, dest, check }:
-    (defaultUpdater {
-      git = git;
-      keys = keys;
-      dest = dest;
-      check = check;
-      config = config;
-    }).dest;
-  fsUpdater = config: { path, dest, check }:
-    (defaultUpdater {
-      path = path;
-      dest = dest;
-      check = check;
-      config = config;
-    }).dest;
-  urlUpdater = config: { url, dest, check }:
-    (defaultUpdater {
-      url = url;
-      dest = dest;
-      check = check;
-      config = config;
-    }).dest;
-
-  lib = {
-    inherit
-      gitUpdater
-      fsUpdater
-      urlUpdater;
-  };
-in
-  lib
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..992ffa8
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+{
+  options.services.fooud = {
+    enable = lib.mkEnableOption config.description;
+    repos = lib.mkOption {
+      type = lib.listOf {
+        path = lib.mkOption {
+          description = "fullpath to the repositiory on your server";
+          type = lib.types.string;
+        };
+        hooks = lib.mkOption {
+          type = lib.listOf lib.types.path;
+          example = [
+            pkgs.writeScriptBin "post-recieve" ''
+              git clone . /var/www/your/deployed/location
+            ''
+          ];
+        };
+      };
+    };
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "fooud-deploy";
+    };
+  };
+
+  config = let
+    cfg = config.services.fooud;
+  in lib.mkIf cfg.enable {
+    users.users."${cfg.user}" = {
+      group = "${cfg.user}";
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/${cfg.user}";
+      shell = "${pkgs.git}/bin/git-shell";
+    };
+    users.groups."${cfg.user}" = {};
+
+    systemd = {
+      services."fooud" = {
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          ExecStart = pkgs.writeScriptBin "fooud-deploy"
+            (lib.concatMapStrings
+              (repo: ''
+                if [ -d ${repo.path} ]; then
+                  rm -f ${repo.path}/hooks/*
+                  cp ${repo.hooks}/bin/* ${repo.name}/hooks/
+                fi
+              '')
+            cfg.repos);
+        };
+      };
+    };
+  };
+}