diff --git a/hosts/hainich/services/keytracker.nix b/hosts/hainich/services/keytracker.nix
new file mode 100644
index 0000000..43dc488
--- /dev/null
+++ b/hosts/hainich/services/keytracker.nix
@@ -0,0 +1,31 @@
+{pkgs, config, ...}:
+
+{
+
+ services.keytracker = {
+ enable = true;
+ domain = "keytracker.infra4future.de";
+ stateDir = "/var/lib/keytracker";
+
+ # we have to overwrite this package, since the api url is backed into its code
+ frontendPackage = pkgs.keytracker-frontend.overrideAttrs (old: { apiUrl = "https://keytracker.infra4future.de:5000"; });
+
+ config.Default = {
+ Port = 5000;
+ DbPath = "history.db";
+ CorsOrigin = "off";
+ };
+ config.Keys = {
+ "8174875f7d85" = "Chris Büro;49c5dbda74fe86eae0dd1ce6;247f16f579033a6a947b3be301407319cd9bfe14f11554d71ea3190e04f7cb91";
+ "7fc944c9e632" = "Test=2;74fffaf6e463950fc6da3fd3;95313e37ff448b1a19b133fd8067c160f9f1c6d417f5d8dbec6f4f931097d389";
+ "7a05c8441f3a" = "testkey;694403310905ed4ac26e56f8;13852ec7855fc51b012874ea5786c215c37c3ed592685a04d1ad56152eccccc5";
+ };
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 5000 ];
+}
diff --git a/modules/keytracker.nix b/modules/keytracker.nix
new file mode 100644
index 0000000..dc1735a
--- /dev/null
+++ b/modules/keytracker.nix
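Review bot: The three `config.Keys` entries in hosts/hainich/services/keytracker.nix put what look like per-key secrets (a 24- and a 64-hex-digit field after each name) into the repository, and because modules/keytracker.nix renders `cfg.config` with `format.generate`, they also end up in a world-readable /nix/store file. If these values authenticate anything, they should be read at runtime from a root-owned file outside the store, and the values committed here treated as exposed and replaced. Separately, `networking.firewall.allowedTCPPorts = [ 5000 ]` exposes the backend directly while `apiUrl` points at `https://…:5000`; nothing in this diff shows TLS being terminated on that port. Proxying the API through the nginx vhost that already has `forceSSL` (a `locations` entry with `proxyPass`) and dropping the firewall rule would avoid both the extra open port and the TLS question.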
@@ -0,0 +1,64 @@
+{pkgs, lib, config, ...}:
+
+with lib;
+let format = pkgs.formats.toml {};
+in
+ {
+ options.services.keytracker = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ };
+ domain = mkOption {
+ default = "example.org";
+ type = types.str;
+ };
+ frontendPackage = mkOption {
+ default = pkgs.keytracker-frontend;
+ type = types.package;
+ };
+ serverPackage = mkOption {
+ default = pkgs.keytracker-server;
+ type = types.package;
+ };
+ stateDir = mkOption {
+ default = "/var/lib/keytracker";
+ type = types.str;
+ };
+ config = mkOption {
+ default = {};
+ type = format.type;
+ };
+ nginx = mkOption {
+ default = {};
+ type = types.attrs;
+ };
+ };
+
+ config =
+ let cfg = config.services.keytracker;
+ configfile = format.generate "config" cfg.config;
+ in {
+ services.nginx = mkIf cfg.enable {
+ enable = true;
+ virtualHosts.${cfg.domain} = {
+ root = cfg.frontendPackage.outPath;
+ } // cfg.nginx;
+ };
+
+ systemd.services = mkIf cfg.enable {
+ "keytracker" = {
+ enable = true;
+ description = "Keytracker backend server";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ script = ''
+ mkdir -p ${cfg.stateDir}
+ cd ${cfg.stateDir}
+ ln -sf ${configfile} config
+ ${cfg.serverPackage}/wrapped
+ '';
+ };
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 193f443..be7074c 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -34,6 +34,9 @@ let ''; }); + keytracker-frontend = callPackage ./keytracker/frontend.nix {}; + keytracker-server = callPackage ./keytracker/server.nix {}; + inherit (unstable) bottom; };
diff --git a/pkgs/keytracker/frontend.nix b/pkgs/keytracker/frontend.nix
new file mode 100644
index 0000000..3566874
--- /dev/null
+++ b/pkgs/keytracker/frontend.nix
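Review bot: The `keytracker` unit in modules/keytracker.nix sets no `User`, so the backend started by `${cfg.serverPackage}/wrapped` runs as root, and the host config opens its port in the firewall. Running it unprivileged would contain a bug in the server: `serviceConfig.DynamicUser = true;` together with `serviceConfig.StateDirectory = "keytracker";` gives it a private /var/lib/keytracker and makes the `mkdir -p` unnecessary (this assumes `stateDir` stays at its default). The script also interpolates `${cfg.stateDir}` unquoted, so `cd "${cfg.stateDir}"` is safer for paths containing spaces. Note that `configfile` is a store path and therefore world-readable, which matters if `cfg.config` carries secrets; a short description on each `mkOption` saying so would help users of the module.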
@@ -0,0 +1,26 @@
+{ stdenv
+, fetchgit
+, ...}:
+
+stdenv.mkDerivation rec {
+ pname = "keytracker-frontend";
+ version = "0.0.1";
+
+ src = (fetchgit {
+ url = "https://gitlab.infra4future.de/octycs/keytracker";
+ rev = "0a124c3e7bc5c0e840d45399ad5e69485bb3e49c";
+ sha256 = "1l3djg3qfisrvv9shi2p44h026n58pimwbvr2idjnaill688s1qf";
+ }).outPath + "/frontend";
+
+ apiUrl = "https://localhost:5000";
+
+ buildPhase = ''
+ substituteInPlace assets/main.js --replace "http://localhost:5000" $apiUrl
+ rm Readme.md
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out
+ '';
+}
diff --git a/pkgs/keytracker/server.nix b/pkgs/keytracker/server.nix
new file mode 100644
index 0000000..087787a
--- /dev/null
+++ b/pkgs/keytracker/server.nix
@@ -0,0 +1,28 @@
+{ stdenv
+, python38
+, lib
+, fetchgit
+, ...}:
+
+stdenv.mkDerivation rec {
+ pname = "keytracker";
+ version = "0.0.1";
+
+ src = (fetchgit {
+ url = "https://gitlab.infra4future.de/octycs/keytracker";
+ rev = "0a124c3e7bc5c0e840d45399ad5e69485bb3e49c";
+ sha256 = "1l3djg3qfisrvv9shi2p44h026n58pimwbvr2idjnaill688s1qf";
+ }).outPath + "/server";
+
+ buildPhase = ''
+ echo "${python38.withPackages(ps: with ps; [ flask ])}/bin/python $out/server.py" > wrapped
+ chmod +x wrapped
+ '';
+
+ python = true;
+
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out
+ '';
+}
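Review bot: In pkgs/keytracker/frontend.nix the `substituteInPlace assets/main.js --replace "http://localhost:5000" $apiUrl` step may not fail the build when the pattern is absent (depending on the nixpkgs version it only warns), so an upstream change to main.js could ship a frontend that still calls plain-HTTP localhost. I would quote the variable (`"$apiUrl"`) and add a check on the next line, e.g. `grep -qF "$apiUrl" assets/main.js`, so the build stops if the URL was not written. A one-line comment above `apiUrl` saying it is meant to be overridden per host via `overrideAttrs` would also help.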
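Review bot: The `wrapped` launcher written in the buildPhase of pkgs/keytracker/server.nix has no `#!` line and does not `exec` the interpreter, so it only starts when invoked from a shell that falls back to interpreting it, and it leaves extra shell processes between systemd and Python. Starting the file with `#!${stdenv.shell}` and prefixing the command with `exec` fixes both. `python = true;` appears unused by anything visible in this diff and could be dropped or given a comment. server.py is not shown here; if it starts Flask's built-in development server, that is what port 5000 exposes to the network, and a production WSGI server would be worth considering.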