diff --git a/hosts/h/default.nix b/hosts/h/default.nix index eee1f3b..5857071 100644 --- a/hosts/h/default.nix +++ b/hosts/h/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, isUnstable, ... }: +{ config, pkgs, lib, isUnstable, inputs, ... }: with pkgs; let restic = pkgs.writeScriptBin "restic" @@ -26,6 +26,7 @@ in { ./hardware-configuration.nix ../../modules/gotosocial.nix ../../modules/yarr.nix + ../../modules/tsvnstat.nix ]; boot.loader.grub.enable = true; @@ -77,6 +78,11 @@ in { mode = "400"; sopsFile = config.xin-secrets.h.services; }; + # TODO: rename + router_stats_ts_key = { + sopsFile = config.xin-secrets.h.services; + owner = config.users.users.tsvnstat.name; + }; wireguard_private_key = { sopsFile = config.xin-secrets.h.services; }; }; @@ -181,7 +187,10 @@ in { }; services = { - vnstat.enable = true; + tsvnstat = { + enable = true; + keyPath = "${config.sops.secrets.router_stats_ts_key.path}"; + }; yarr.enable = true; gotosocial = { enable = true; diff --git a/hosts/router/default.nix b/hosts/router/default.nix index be82d94..7167cff 100644 --- a/hosts/router/default.nix +++ b/hosts/router/default.nix @@ -9,7 +9,6 @@ let userBase = { openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys; }; - inherit (inputs.tsvnstat.packages.${pkgs.system}) tsvnstat; wan = "enp5s0f0"; trunk = "enp5s0f1"; @@ -272,7 +271,7 @@ let }; in { _module.args.isUnstable = false; - imports = [ ./hardware-configuration.nix ]; + imports = [ ./hardware-configuration.nix ../../modules/tsvnstat.nix ]; boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; @@ -284,6 +283,10 @@ in { wireguard_private_key = { sopsFile = config.xin-secrets.router.networking; }; + router_stats_ts_key = { + sopsFile = config.xin-secrets.router.networking; + owner = config.users.users.tsvnstat.name; + }; }; networking = { 
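Review bot: `owner = config.users.users.tsvnstat.name;` in the new `router_stats_ts_key` secret hard-codes the account name, while the module added in this commit makes it configurable through `services.tsvnstat.user`. If that option is ever overridden, this reference would most likely fail to evaluate or leave the key owned by an account the service does not run as. `owner = config.services.tsvnstat.user;` keeps the two in step, assuming the option is used as a string. The same line appears in the hosts/router secret hunk, and the `# TODO: rename` is cheaper to resolve now, before both hosts' `keyPath` settings depend on the name.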
@@ -403,7 +406,10 @@ in { }; services = { - vnstat.enable = true; + tsvnstat = { + enable = true; + keyPath = "${config.sops.secrets.router_stats_ts_key.path}"; + }; atftpd = { enable = true; extraOptions = [ @@ -444,28 +450,7 @@ in { }; }; - environment.systemPackages = with pkgs; [ bmon termshark tcpdump tsvnstat ]; - - users.groups.tsvnstat = { }; - - users.users.tsvnstat = { - createHome = true; - isSystemUser = true; - home = "/var/lib/tsvnstat"; - group = "tsvnstat"; - }; - - systemd.services.tsvnstat = { - wantedBy = [ "network.target" ]; - serviceConfig = { - User = "tsvnstat"; - Group = "tsvnstat"; - Restart = "always"; - WorkingDirectory = "/var/lib/tsvnstat"; - ExecStart = - "${tsvnstat}/bin/tsvnstat -name ${config.networking.hostName}-stats"; - }; - }; + environment.systemPackages = with pkgs; [ bmon termshark tcpdump ]; users.users.root = userBase; users.users.qbit = userBase; diff --git a/modules/tsvnstat.nix b/modules/tsvnstat.nix new file mode 100644 index 0000000..0e1fc52 --- /dev/null +++ b/modules/tsvnstat.nix 
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, inputs, ... }:
+with pkgs;
+let
+ cfg = config.services.tsvnstat;
+ inherit (inputs.tsvnstat.packages.${pkgs.system}) tsvnstat;
+in {
+ options = with lib; {
+ services.tsvnstat = {
+ enable = mkEnableOption "Enable tsvnstat";
+
+ user = mkOption {
+ type = with types; oneOf [ str int ];
+ default = "tsvnstat";
+ description = ''
+ The user the service will use.
+ '';
+ };
+
+ keyPath = mkOption {
+ type = types.path;
+ default = "";
+ description = ''
+ Path to the TS API key file
+ '';
+ };
+
+ nodeName = mkOption {
+ type = types.str;
+ default = "${config.networking.hostName}-stats";
+ description = ''
+ The name of the TS node.
+ '';
+ };
+
+ group = mkOption {
+ type = with types; oneOf [ str int ];
+ default = "tsvnstat";
+ description = ''
+ The user the service will use.
+ '';
+ };
+ package = mkOption {
+ type = types.package;
+ default = tsvnstat;
+ defaultText = literalExpression "pkgs.tsvnstat";
+ description = "The package to use for tsvnstat";
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ users.groups.${cfg.group} = { };
+ users.users.${cfg.user} = {
+ description = "tsvnstat service user";
+ isSystemUser = true;
+ home = "/var/lib/tsvnstat";
+ createHome = true;
+ group = "${cfg.group}";
+ };
+
+ services.vnstat.enable = true;
+
+ systemd.services.tsvnstat = {
+ enable = true;
+ description = "tsvnstat server";
+ wantedBy = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ path = [
+ pkgs.vnstat
+ pkgs.coreutils
+ pkgs.bash
+ ];
+
+ environment = {
+ HOME = "/var/lib/tsvnstat";
+ HOSTNAME = config.networking.hostName;
+ };
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+
+ RuntimeDirectory = "tsvnstat";
+ StateDirectory = "tsvnstat";
+ StateDirectoryMode = "0755";
+ CacheDirectory="tsvnstat";
+ CacheDirectoryMode = "0755";
+
+ ExecStart =
+ "${cfg.package}/bin/tsvnstat -vnstati ${pkgs.vnstat}/bin/vnstati -name ${cfg.nodeName} -key ${cfg.keyPath}";
+ };
+ };
+ };
+}
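Review bot: `keyPath` is declared as `types.path` with `default = ""`, which has two problems. A host that enables the service without setting it should hit an option type error instead of a clear message, and a caller who passes a Nix path literal rather than a string would get the key file copied into the world-readable Nix store when it is interpolated into `ExecStart`. Declaring it as `types.str` with no default, and saying in the description that it must be a runtime path such as a sops secret path, avoids both; if running without a key is meant to be supported, `types.nullOr types.str` with a conditional `-key` would do instead. In `serviceConfig`, `StateDirectoryMode = "0755"` leaves `/var/lib/tsvnstat` listable by every local user, and since that directory is also `HOME` it presumably holds the node's Tailscale state, so `0750` or tighter looks safer. The unit removed from hosts/router set `Restart = "always"`, which this module no longer does, and the `group` option's description still reads "The user the service will use."

```nix
      keyPath = mkOption {
        type = types.str;
        description = ''
          Runtime path to the TS API key file (for example a sops secret
          path). Pass a string, not a Nix path literal, so the key is not
          copied into the Nix store.
        '';
      };

      # … unchanged: nodeName, group, package options; users, groups, unit header …

      serviceConfig = {
        # … unchanged: User, Group …
        Restart = "always";

        # … unchanged: RuntimeDirectory, StateDirectory …
        StateDirectoryMode = "0750";
        # … unchanged: CacheDirectory, CacheDirectoryMode, ExecStart …
      };
```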