diff --git a/nixos/modules/overlays.nix b/nixos/modules/overlays.nix
new file mode 100644
index 0000000000000000000000000000000000000000..7e22c2f1d06f56e474e63492d3232ce9ef545cd7
--- /dev/null
+++ b/nixos/modules/overlays.nix
@@ -0,0 +1,43 @@
+self: super: {
+ python27 = super.python27.override {
+ packageOverrides = python-self: python-super: {
+ # Get the newest Tahoe-LAFS as a module instead of an application.
+ tahoe-lafs = python-super.toPythonModule (python-super.callPackage ../pkgs/tahoe-lafs.nix { });
+
+ # Get our ZKAP authorizer plugin package.
+ zkapauthorizer = python-self.callPackage ../pkgs/zkapauthorizer.nix { };
+
+ # new tahoe-lafs has a new dependency on eliot.
+ eliot = python-super.callPackage ../pkgs/eliot.nix { };
+
+ # new tahoe-lafs depends on a very recent autobahn for better websocket
+ # testing features.
+ autobahn = python-super.callPackage ../pkgs/autobahn.nix { };
+
+ # new autobahn requires a newer cryptography
+ cryptography = python-super.callPackage ../pkgs/cryptography.nix { };
+
+ # new cryptography requires a newer cryptography_vectors
+ cryptography_vectors = python-super.callPackage ../pkgs/cryptography_vectors.nix { };
+
+ # upstream twisted package is missing a recently added dependency.
+ twisted = python-super.twisted.overrideAttrs (old:
+ { propagatedBuildInputs = old.propagatedBuildInputs ++ [ python-super.appdirs ];
+ checkPhase = ''
+ ${self.python.interpreter} -m twisted.trial twisted
+ '';
+ });
+
+ };
+ };
+
+ privatestorage = self.python27.buildEnv.override
+ { extraLibs =
+ [ self.python27Packages.tahoe-lafs
+ self.python27Packages.zkapauthorizer
+ ];
+ # Twisted's dropin.cache always collides between different
+ # plugin-providing packages.
+ ignoreCollisions = true;
+ };
+}
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
new file mode 100644
index 0000000000000000000000000000000000000000..cf8cbca1c1ca2dd7568c7ec94ac31ce5e8060634
--- /dev/null
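Review bot: `ignoreCollisions = true` on the `privatestorage` buildEnv in nixos/modules/overlays.nix silences every path collision among the `extraLibs` closure, not only Twisted's `dropin.cache`, so two packages that ship the same module path would be merged with one silently shadowing the other. The existing comment explains only the dropin.cache case; I would extend it, e.g. `# NOTE: this also hides any other collision; rebuild with ignoreCollisions = false when changing extraLibs to confirm dropin.cache is still the only one.` Separately, the twisted `checkPhase` runs `${self.python.interpreter}`, the top-level default Python, rather than the interpreter of the package set being overridden; `python-self.python.interpreter` looks like what was meant, though both may currently resolve to the same build.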
+++ b/nixos/modules/private-storage.nix
@@ -0,0 +1,29 @@
+# A NixOS module which can instantiate a Tahoe-LAFS storage server in the
+# preferred configuration for the Private Storage grid.
+{ pkgs, lib, config, ... }:
+let
+ pspkgs = import pkgs.path
+ { overlays = [ (import ./overlays.nix) ];
+ };
+ cfg = config.services.private-storage;
+in
+{ imports = [ ];
+ options =
+ { services.private-storage.enable = lib.mkEnableOption "private storage service";
+ services.private-storage.tahoe.package = lib.mkOption
+ { default = pspkgs.privatestorage;
+ type = lib.types.package;
+ example = lib.literalExample "pkgs.tahoelafs";
+ description = ''
+ The package to use for the Tahoe-LAFS daemon.
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable
+ { services.tahoe.nodes."alpha" =
+ { package = config.services.private-storage.tahoe.package;
+ nickname = "alpha";
+ storage.enable = true;
+ };
+ };
+}
diff --git a/nixos/pkgs/autobahn.nix b/nixos/pkgs/autobahn.nix
new file mode 100644
index 0000000000000000000000000000000000000000..3cc1df2138e783f7bb212b50ba09435773233b88
--- /dev/null
+++ b/nixos/pkgs/autobahn.nix
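Review bot: `pspkgs = import pkgs.path { overlays = [ ... ]; }` in nixos/modules/private-storage.nix evaluates a second nixpkgs with only this overlay, so the host's `nixpkgs.config` and `nixpkgs.overlays` (for example a locally patched OpenSSL or Python) do not apply to the storage daemon's closure, and the system is taken from the evaluator rather than from the target configuration. If that isolation is deliberate it deserves a comment; otherwise pass the host settings through, something like `{ inherit (config.nixpkgs) config; overlays = config.nixpkgs.overlays ++ [ (import ./overlays.nix) ]; }`. The `example` for `tahoe.package` points at `pkgs.tahoelafs`, which as far as this commit shows would not include the zkapauthorizer plugin that the default provides.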
@@ -0,0 +1,35 @@
+{ lib, buildPythonPackage, fetchFromGitHub, isPy3k,
+ six, txaio, twisted, zope_interface, cffi, trollius, futures, cryptography,
+ mock, pytest
+}:
+buildPythonPackage rec {
+ pname = "autobahn";
+ version = "19.7.1";
+
+ src = fetchFromGitHub {
+ owner = "crossbario";
+ repo = "autobahn-python";
+ rev = "v${version}";
+ sha256 = "1gl2m18s77hlpiglh44plv3k6b965n66ylnxbzgvzcdl9jf3l3q3";
+ };
+
+ propagatedBuildInputs = [ six txaio twisted zope_interface cffi cryptography ] ++
+ (lib.optionals (!isPy3k) [ trollius futures ]);
+
+ checkInputs = [ mock pytest ];
+ checkPhase = ''
+ runHook preCheck
+ USE_TWISTED=true py.test $out
+ runHook postCheck
+ '';
+
+ # XXX Fails for some reason I don't understand.
+ doCheck = false;
+
+ meta = with lib; {
+ description = "WebSocket and WAMP in Python for Twisted and asyncio.";
+ homepage = "https://crossbar.io/autobahn";
+ license = licenses.mit;
+ maintainers = with maintainers; [ nand0p ];
+ };
+}
diff --git a/nixos/pkgs/cryptography.nix b/nixos/pkgs/cryptography.nix
new file mode 100644
index 0000000000000000000000000000000000000000..bfa6d30208387b334af63b072b3e409b6d39a063
--- /dev/null
+++ b/nixos/pkgs/cryptography.nix
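Review bot: `doCheck = false` in nixos/pkgs/autobahn.nix turns off the test suite of the WebSocket library the storage node will run, and the only rationale is `# XXX Fails for some reason I don't understand.`, which leaves `checkInputs` and the `checkPhase` above it as dead code. Record the actual failure so it can be revisited, e.g. `# TODO(<issue-id>): py.test $out fails with <error text>; re-enable once fixed.` The same applies to `doInstallCheck = false` in nixos/pkgs/tahoe-lafs.nix, which has no comment at all.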
@@ -0,0 +1,75 @@
+{ stdenv
+, buildPythonPackage
+, fetchFromGitHub
+, openssl
+, cryptography_vectors
+, darwin
+, asn1crypto
+, packaging
+, six
+, pythonOlder
+, enum34
+, ipaddress
+, isPyPy
+, cffi
+, pytest
+, pretend
+, iso8601
+, pytz
+, hypothesis
+}:
+
+buildPythonPackage rec {
+ pname = "cryptography";
+ version = "2.7"; # Also update the hash in vectors.nix
+
+ src = fetchFromGitHub {
+ owner = "pyca";
+ repo = "cryptography";
+ rev = "2.7";
+ sha256 = "145byri5c3b8m6dbhwb6yxrv9jrr652l3z1w16mz205z8dz38qja";
+ };
+
+ outputs = [ "out" "dev" ];
+
+ buildInputs = [ openssl ]
+ ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
+ propagatedBuildInputs = [
+ asn1crypto
+ packaging
+ six
+ ] ++ stdenv.lib.optional (pythonOlder "3.4") enum34
+ ++ stdenv.lib.optional (pythonOlder "3.3") ipaddress
+ ++ stdenv.lib.optional (!isPyPy) cffi;
+
+ checkInputs = [
+ cryptography_vectors
+ hypothesis
+ iso8601
+ pretend
+ pytest
+ pytz
+ ];
+
+ checkPhase = ''
+ py.test --disable-pytest-warnings tests
+ '';
+
+ # IOKit's dependencies are inconsistent between OSX versions, so this is the best we
+ # can do until nix 1.11's release
+ __impureHostDeps = [ "/usr/lib" ];
+
+ meta = with stdenv.lib; {
+ description = "A package which provides cryptographic recipes and primitives";
+ longDescription = ''
+ Cryptography includes both high level recipes and low level interfaces to
+ common cryptographic algorithms such as symmetric ciphers, message
+ digests, and key derivation functions.
+ Our goal is for it to be your "cryptographic standard library". It
+ supports Python 2.7, Python 3.4+, and PyPy 5.3+.
+ '';
+ homepage = https://github.com/pyca/cryptography;
+ license = with licenses; [ asl20 bsd3 psfl ];
+ maintainers = with maintainers; [ primeos ];
+ };
+}
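Review bot: nixos/pkgs/cryptography.nix replaces the nixpkgs `cryptography` with a copy pinned by hand at 2.7, so later nixpkgs updates to that package, security fixes included, will not reach the storage node until this file is edited, and nothing in the file says when the override can be dropped. A header comment such as `# Local copy because autobahn needs a newer cryptography than nixpkgs ships; remove once nixpkgs catches up.` would make that visible. Two smaller points: `rev = "2.7";` duplicates the version and could be `rev = version;`, and the comment `# Also update the hash in vectors.nix` names a file that in this commit is `cryptography_vectors.nix`.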
diff --git a/nixos/pkgs/cryptography_vectors.nix b/nixos/pkgs/cryptography_vectors.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ea24ed908016b8ad2a534923709072b171b00b9a
--- /dev/null
+++ b/nixos/pkgs/cryptography_vectors.nix
@@ -0,0 +1,23 @@
+{ buildPythonPackage, fetchPypi, lib, cryptography }:
+
+buildPythonPackage rec {
+ pname = "cryptography_vectors";
+ # The test vectors must have the same version as the cryptography package:
+ version = cryptography.version;
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "1g38zw90510azyfrj6mxbslx2gp9yrnv5dac0w2819k9ssdznbgi";
+ };
+
+ # No tests included
+ doCheck = false;
+
+ meta = with lib; {
+ description = "Test vectors for the cryptography package";
+ homepage = https://cryptography.io/en/latest/development/test-vectors/;
+ # Source: https://github.com/pyca/cryptography/tree/master/vectors;
+ license = with licenses; [ asl20 bsd3 ];
+ maintainers = with maintainers; [ primeos ];
+ };
+}
diff --git a/nixos/pkgs/eliot.nix b/nixos/pkgs/eliot.nix
new file mode 100644
index 0000000000000000000000000000000000000000..f6d6b3061b1ea635bac0e694be407ca8d1b6befb
--- /dev/null
+++ b/nixos/pkgs/eliot.nix
@@ -0,0 +1,27 @@
+{ lib, buildPythonPackage, fetchPypi, zope_interface, pyrsistent, boltons
+, hypothesis, testtools, pytest }:
+buildPythonPackage rec {
+ pname = "eliot";
+ version = "1.7.0";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "0ylyycf717s5qsrx8b9n6m38vyj2k8328lfhn8y6r31824991wv8";
+ };
+
+ postPatch = ''
+ substituteInPlace setup.py \
+ --replace "boltons >= 19.0.1" boltons
+ # depends on eliot.prettyprint._main which we don't have here.
+ rm eliot/tests/test_prettyprint.py
+ '';
+
+ checkInputs = [ testtools pytest hypothesis ];
+ propagatedBuildInputs = [ zope_interface pyrsistent boltons ];
+
+ meta = with lib; {
+ homepage = https://github.com/itamarst/eliot/;
+ description = "Logging library that tells you why it happened";
+ license = licenses.asl20;
+ };
+}
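Review bot: In nixos/pkgs/eliot.nix the `postPatch` substitution `--replace "boltons >= 19.0.1" boltons` drops upstream's minimum version, so eliot is built against whatever boltons the package set provides, and nothing records which version that is or why the lower bound can be ignored. Add a comment above it, e.g. `# nixpkgs boltons is older than 19.0.1; <why eliot still works / TODO package a newer boltons>`. If the pattern stops matching after a version bump the substitution may pass without changing anything, so it is worth re-checking on each update.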
diff --git a/nixos/pkgs/tahoe-lafs.nix b/nixos/pkgs/tahoe-lafs.nix
new file mode 100644
index 0000000000000000000000000000000000000000..7d8b7b8efd35e27a1968e5fd69ce0f223d57f153
--- /dev/null
+++ b/nixos/pkgs/tahoe-lafs.nix
@@ -0,0 +1,11 @@
+{ fetchFromGitHub, eliot, tahoelafs, plugins ? [ ] }:
+tahoelafs.overrideAttrs (old:
+{ src = fetchFromGitHub
+ { owner = "tahoe-lafs";
+ repo = "tahoe-lafs";
+ rev = "6c1a37c95188c1d9a877286ef726280a68d38a4b";
+ sha256 = "1fd8b6j52wn04bnvnvysws4c713max6k1592lz4nzyjlhrcwawwh";
+ };
+ propagatedBuildInputs = old.propagatedBuildInputs ++ [ eliot ] ++ plugins;
+ doInstallCheck = false;
+})
diff --git a/nixos/pkgs/zkapauthorizer.nix b/nixos/pkgs/zkapauthorizer.nix
new file mode 100644
index 0000000000000000000000000000000000000000..21c0a55b5de5810f0c3757a6afb4a140fbc70523
--- /dev/null
+++ b/nixos/pkgs/zkapauthorizer.nix
@@ -0,0 +1,12 @@
+{ pkgs, fetchFromGitHub, tahoe-lafs }:
+let
+ src = fetchFromGitHub
+ { owner = "PrivateStorageio";
+ repo = "ZKAPAuthorizer";
+ rev = "a14b38f39e48d1560ea10ec26fffad6ce50fd00a";
+ sha256 = "1v81l0ylx8r8xflhi16m8hb1dm3rlzyfrldiknvggqkyi5psdja4";
+ };
+in
+pkgs.python27Packages.callPackage "${src}/zkapauthorizer.nix"
+{ inherit tahoe-lafs;
+}
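Review bot: The `overrideAttrs` in nixos/pkgs/tahoe-lafs.nix swaps `src` to a pinned commit but leaves the derivation's `name` and `version` as inherited from nixpkgs' `tahoelafs`, so the store path will presumably still advertise the nixpkgs release while containing an unreleased snapshot, which makes it harder to tell what is deployed when auditing a node. Set them alongside `src`, e.g. `version = "unstable-<commit-date>";` with a matching `name`, and add a comment saying which upstream branch the rev was taken from.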
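Review bot: nixos/pkgs/zkapauthorizer.nix takes its build recipe from the fetched source (`"${src}/zkapauthorizer.nix"`), so changing `rev` changes the Nix expression that gets evaluated as well as the Python code, and evaluation has to fetch the source first. The rev and sha256 pin keeps this reproducible, but it is worth a comment for whoever bumps it, e.g. `# The package expression comes from the pinned source; review upstream's zkapauthorizer.nix when changing rev.` The call also hard-codes `pkgs.python27Packages.callPackage` although the file is itself instantiated through the overridden Python set's `callPackage`; taking `callPackage` as an argument would likely keep the two in step.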