diff --git a/default.nix b/default.nix
index bf130a1..60f9802 100644
--- a/default.nix
+++ b/default.nix
@@ -1,164 +1,11 @@
-{
- pkgs,
- python ? pkgs.python310,
- nodejs ? pkgs.nodejs,
- ...}:
-let
- nixNodePackage = builtins.fetchGit {
- url = "https://github.com/mkg20001/nix-node-package.git";
- rev = "03285e212016db5f28530563b58cfcc5706ff73f";
- };
- makeNode = import "${nixNodePackage}/nix/default.nix" pkgs {
- root = ./.;
- install = false;
- nodejs = nodejs;
- };
- node-env = makeNode { };
- urlobject = with python.pkgs; buildPythonPackage rec {
- pname = "URLObject";
- version = "2.4.3";
- src = fetchPypi {
- inherit pname version;
- sha256 = "47b2e20e6ab9c8366b2f4a3566b6ff4053025dad311c4bb71279bbcfa2430caa";
- };
- doCheck = true;
- propagatedBuildInputs = [
- ];
- };
-
- python_attrs = with python.pkgs; buildPythonPackage rec {
- pname = "attrs";
- version = "21.4.0";
- src = fetchPypi {
- inherit pname version;
- sha256 = "626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd";
- };
- #doCheck = true;
- doCheck = false;
- propagatedBuildInputs = [
- ];
- };
-
- flask-dance = with python.pkgs; buildPythonPackage rec {
- pname = "Flask-Dance";
- version = "6.0.0";
- src = fetchPypi {
- inherit pname version;
- sha256 = "15bb3c412eb789a2d904bfd0fd44aac2d94f82703a51d14123fd336136d55db0";
- };
- doCheck = false;
- propagatedBuildInputs = [
- requests
- oauthlib
- requests_oauthlib
- flask
- urlobject
- ];
- checkInputs = [
- pytest
- nose
- pytest-mock
- responses
- freezegun
- coverage
-# testing sqlalchemy support
- sqlalchemy
- flask_sqlalchemy
-# testing integration with other extensions
- flask_login
- flask-caching
- betamax
-# we need the `signedtoken` extra for `oauthlib`
-# oauthlib[signedtoken]
- ];
-
- };
- ldap3-orm = with python.pkgs; buildPythonPackage rec {
- pname = "ldap3-orm";
- version = "2.7.0";
- src = fetchPypi {
- inherit pname version;
- sha256 = "8783886d4ce90d66da61ce24619593a265b50f0de1fbebe86df95c6788661664";
- };
- doCheck = false;
- propagatedBuildInputs = [
- ldap3
- six
- ];
-
- };
- u2flib-server = {};
-
ory-hydra-client-old = with python.pkgs; buildPythonPackage rec {
- pname = "ory-hydra-client";
- version = "1.10.6";
- src = fetchPypi {
- inherit pname version;
- sha256 = "57f877e55a8f202db27f5cbae9c55a1b1a91848ef46d0cbd3b710ef77882095c";
- };
- doCheck = false;
- propagatedBuildInputs = [
- urllib3
- python-dateutil
- ];
- };
- ory-hydra-client = with python.pkgs; buildPythonPackage rec {
- pname = "ory-hydra-client";
- version = "1.9.2";
- src = ./libs/ory-hydra-client;
-# doCheck = false;
- propagatedBuildInputs = [
- urllib3
- python-dateutil
- #python_attrs
- attrs
- httpx
- ];
- };
-in
-{
- nativeBuildInputs = with python.pkgs; [
- flask
- flask-restful
- flask_sqlalchemy
- flask_wtf
- flask-babel
- flask_login
- requests
- requests_oauthlib
- ldap3
- ldap3-orm
- pyotp
- cryptography
- blinker
- ory-hydra-client
- authlib # as oauth client lib
- fido2 # for webauthn
- flask_migrate # db migrations
-
- nodejs
- #node-env
- gunicorn
-
- flask-dance
-
-#python-u2flib-server
-
-
-#flask-debug
-
- ];
-
- testBuildInputs = with python.pkgs; [
- pytest
- pytest-mypy
- flask_testing
- tox
-
- types-dateutil
-
- nose
- mypy
-
- ];
-}
+(import
+ (
+ let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ { src = ./.; }
+).defaultNix
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..46a7b16
--- /dev/null
+++ b/flake.lock
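Review bot: default.nix is no longer a function taking `pkgs`/`python`, so any out-of-tree `import ./default.nix { inherit pkgs; }` (the form the old shell.nix at the bottom of this diff used) now fails with a not-a-function error, and nothing in the new file says so. A header comment such as `# flake-compat shim: the package and the NixOS module are defined in flake.nix` would point the next reader at the right file. The identical shim in shell.nix (whose hunk header is cut off here) also selects `.defaultNix`, so `nix-shell` would now evaluate the package itself rather than a dev environment with npm/nodejs/`python.pkgs.build` as before; flake-compat exposes `.shellNix` for that file, but it needs a devShell output that flake.nix does not define yet.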
@@ -0,0 +1,60 @@
+{
+ "nodes": {
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "nix-node-package": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1645439390,
+ "narHash": "sha256-mYkNbWBzQkv7O0mVZ4llqo9ZNeeo/IWPJk5WMa34SgQ=",
+ "owner": "mkg20001",
+ "repo": "nix-node-package",
+ "rev": "03285e212016db5f28530563b58cfcc5706ff73f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mkg20001",
+ "repo": "nix-node-package",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1679037998,
+ "narHash": "sha256-WnlfwX3IbZ/+hgxNZokGBVDwN7EciJA3ivrKQqoRr00=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "1a19ae5b677797c0f2ba4f28304dd054964ed3b9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "nix-node-package": "nix-node-package",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..965856b
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,160 @@
+{
+ description = "Lenticular cloud interface";
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs";
+ flake-compat = {
+ url = "github:edolstra/flake-compat";
+ flake = false;
+ };
+ nix-node-package = {
+ url = "github:mkg20001/nix-node-package";
+ flake = false;
+ };
+ };
+ outputs = inputs@{ self, nixpkgs, nix-node-package, ... }:
+ let
+ makeNode = nix-node-package.lib.nix-node-package.makeNode;
+ node-env = makeNode { };
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ python_default = pkgs.python310;
+ nodejs = pkgs.nodejs;
+ lenticular_cloud = {python}: with python.pkgs; let
+
+ urlobject = buildPythonPackage rec {
+ pname = "URLObject";
+ version = "2.4.3";
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "47b2e20e6ab9c8366b2f4a3566b6ff4053025dad311c4bb71279bbcfa2430caa";
+ };
+ doCheck = true;
+ propagatedBuildInputs = [
+ ];
+ };
+ flask-dance = with python.pkgs; buildPythonPackage rec {
+ pname = "Flask-Dance";
+ version = "6.0.0";
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "15bb3c412eb789a2d904bfd0fd44aac2d94f82703a51d14123fd336136d55db0";
+ };
+ doCheck = false;
+ propagatedBuildInputs = [
+ requests
+ oauthlib
+ requests_oauthlib
+ flask
+ urlobject
+ ];
+ checkInputs = [
+ pytest
+ nose
+ pytest-mock
+ responses
+ freezegun
+ coverage
+ # testing sqlalchemy support
+ sqlalchemy
+ flask_sqlalchemy
+ # testing integration with other extensions
+ flask_login
+ flask-caching
+ betamax
+ # we need the `signedtoken` extra for `oauthlib`
+ # oauthlib[signedtoken]
+ ];
+
+ };
+ ory-hydra-client = buildPythonPackage rec {
+ pname = "ory-hydra-client";
+ version = "2.0.3";
+ src = ./libs/ory-hydra-client;
+ # doCheck = false;
+ propagatedBuildInputs = [
+ urllib3
+ python-dateutil
+ attrs
+ httpx
+ ];
+ };
+ in
+ buildPythonApplication rec { # TODO change to buildPythonApplication
+ pname = "lenticular_cloud";
+ version = "0.2";
+ src = ./.;
+ propagatedBuildInputs = [
+ flask
+ flask-restful
+ flask_sqlalchemy
+ flask_wtf
+ flask-babel
+ flask_login
+ requests
+ requests_oauthlib
+ ldap3
+ #ldap3-orm
+ pyotp
+ cryptography
+ blinker
+ ory-hydra-client
+ authlib # as oauth client lib
+ fido2 # for webauthn
+ flask_migrate # db migrations
+
+ nodejs
+ #node-env
+ gunicorn
+
+ flask-dance
+ ];
+ testBuildInputs = with python.pkgs; [
+ pytest
+ pytest-mypy
+ flask_testing
+ tox
+
+ types-dateutil
+
+ nose
+ mypy
+
+ ];
+ passthru = {
+ inherit python;
+ pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
+ };
+
+
+ doCheck = false;
+ checkInputs = [
+ pytest
+ ] ++ lenticular_settings.testBuildInputs;
+ };
+ in {
+ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
+ #packages.x86_64-linux.default = import ./shell.nix { inherit pkgs; };
+ # TODO
+
+ packages.x86_64-linux.default = lenticular_cloud {python=python_default;};
+ nixosModules = {
+ default = (import "${self}/module.nix" { inherit lenticular_cloud; });
+ };
+ };
+
+}
+
+
+#ldap3-orm = with python.pkgs; buildPythonPackage rec {
+# pname = "ldap3-orm";
+# version = "2.7.0";
+# src = fetchPypi {
+# inherit pname version;
+# sha256 = "8783886d4ce90d66da61ce24619593a265b50f0de1fbebe86df95c6788661664";
+# };
+# doCheck = false;
+# propagatedBuildInputs = [
+# ldap3
+# six
+# ];#
+#};
+
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..640c236
--- /dev/null
+++ b/module.nix
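Review bot: `] ++ lenticular_settings.testBuildInputs;` in checkInputs references a name that is bound nowhere in this file; with `doCheck = false` Nix's laziness probably leaves it unevaluated today, but turning checks on would fail at evaluation time rather than at build time. Since the derivation is `rec`, the sibling attribute is directly in scope: `] ++ testBuildInputs;`. In the same vein, `makeNode = nix-node-package.lib.nix-node-package.makeNode;` reads flake outputs from an input declared `flake = false`, which as far as I can tell only yields the fetched source tree; it stays harmless while `node-env` is commented out, but the old `import "${nixNodePackage}/nix/default.nix" pkgs { ... }` form is the one a non-flake input supports. The `# TODO change to buildPythonApplication` comment sits on a line that already calls `buildPythonApplication` and can be dropped.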
@@ -0,0 +1,68 @@
+{ lenticular_cloud }: { config, pkgs, lib, modulesPath, ... }:
+let
+ python = pkgs.python310;
+ gevent = python.pkgs.gevent;
+ gunicorn = python.pkgs.gunicorn;
+ psycopg2 = python.pkgs.psycopg2;
+ lenticular-pkg = lenticular_cloud { inherit python;};
+in
+{
+ options = with lib.options; {
+ services.lenticular-cloud ={
+ enable = mkEnableOption "lenticluar service enable";
+ };
+ };
+ imports = [
+ ];
+ config = {
+ environment.systemPackages = [ lenticular-pkg ];
+
+ users = {
+ groups.lenticular = {
+ };
+ users.lenticular = {
+ createHome = true;
+ home = "/var/lib/lenticular";
+ description = "web server";
+ extraGroups = [
+ ];
+ group = "lenticular";
+ isSystemUser = true;
+ };
+ };
+
+ systemd.services.lenticular-cloud = {
+ description = "lenticular account";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = let
+ python_path = python.pkgs.makePythonPath [ lenticular-pkg gevent psycopg2];
+ in {
+ CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
+ PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ WorkingDirectory = /var/lib/lenticular;
+ #User="lenticular"; #done by gunicorn
+ ExecStartPre = pkgs.writeScript "lenticular-cloud-server-init" ''
+ #!/bin/sh
+ #cat > /var/lib/lenticular/foobar.conf < {},
- python ? pkgs.python310
-}:
-let
- settings = import ./default.nix {inherit pkgs python;};
-in
-pkgs.mkShell {
- # nativeBuildInputs is usually what you want -- tools you need to run
- nativeBuildInputs = settings.nativeBuildInputs ++ settings.testBuildInputs ++ [ pkgs.nodePackages.npm pkgs.nodejs python.pkgs.build ];
-}
-
+(import
+ (
+ let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ { src = ./.; }
+).defaultNix
\ No newline at end of file