diff --git a/examples/krops/deploy.nix b/examples/krops/deploy.nix
new file mode 100644
index 0000000..7ed634f
--- /dev/null
+++ b/examples/krops/deploy.nix
@@ -0,0 +1,20 @@
+let
+ # FIXME:
+ target = "root@HOSTNAME_OR_IP_ADDRESS";
+
+ extraSources = {
+ "hardware-configuration.nix".file = toString ../hardware-configuration.nix;
+ };
+
+ krops = (import {}).krops;
+in
+krops.pkgs.krops.writeDeploy "deploy" {
+ inherit target;
+
+ source = import ./sources.nix { inherit extraSources krops; };
+
+ # Avoid having to create a sentinel file.
+ # Otherwise /var/src/.populate must be created on the target node to signal krops
+ # that it is allowed to deploy.
+ force = true;
+}
diff --git a/examples/krops/krops-configuration.nix b/examples/krops/krops-configuration.nix
new file mode 100644
index 0000000..0182bca
--- /dev/null
+++ b/examples/krops/krops-configuration.nix
@@ -0,0 +1,7 @@
+# This file allows you to build your krops configuration locally
+{
+ imports = [
+ ../configuration.nix
+
+ ];
+}
diff --git a/examples/krops/sources.nix b/examples/krops/sources.nix
new file mode 100644
index 0000000..64ae641
--- /dev/null
+++ b/examples/krops/sources.nix
@@ -0,0 +1,33 @@
+{ extraSources, krops }:
+
+krops.lib.evalSource [({
+ nixos-config.file = builtins.toFile "nixos-config" ''
+ {
+ imports = [
+ ./configuration.nix
+
+ ];
+ }
+ '';
+
+ "configuration.nix".file = toString ../configuration.nix;
+
+ # Enable `useChecksum` for sources which might be located in the nix store
+ # and which therefore might have static timestamps.
+
+ nixpkgs.file = {
+ path = toString ;
+ useChecksum = true;
+ };
+
+ nix-bitcoin.file = {
+ path = toString ;
+ useChecksum = true;
+ filters = [{
+ type = "exclude";
+ pattern = ".git";
+ }];
+ };
+
+ secrets.file = toString ../secrets;
+} // extraSources)]
diff --git a/examples/shell.nix b/examples/shell.nix
index 8f57cd3..7f30899 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
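Review bot: `force = true` removes the only on-target safeguard (the `/var/src/.populate` sentinel) against populating the wrong machine, while `target` is a placeholder annotated with nothing more than `# FIXME:`; a mistyped host that accepts the SSH key will receive the whole source tree as root, including the `secrets` source from sources.nix. That trade-off belongs next to the value the user edits, e.g. `# FIXME: set to your node's SSH target (e.g. root@<host>). With force = true below there is no on-target sentinel, so double-check this value before deploying.` Separately, `krops = (import {}).krops;` as rendered has no path argument, and `path = toString ;` appears twice in sources.nix; presumably angle-bracket NIX_PATH lookups were dropped when the page was rendered, but if the files really read this way they will not evaluate.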
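Review bot: `nixos-config.file = builtins.toFile "nixos-config" ''…''` produces a file in the nix store, which is exactly the situation the comment `# Enable \`useChecksum\` for sources which might be located in the nix store` describes, yet this source does not set `useChecksum = true`; if krops' sync decides by timestamp, a changed nixos-config of the same size could be left stale on the target. The fix is the attrset form already used for `nixpkgs.file`: `nixos-config.file = { path = builtins.toFile "nixos-config" ''…''; useChecksum = true; };` — assuming `path` accepts a store path the same way `toString` output does. The `secrets` source has no filters, so everything under `../secrets` is copied to the target; a one-line comment saying so would help users who keep scratch files there.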
@@ -28,6 +28,13 @@ stdenv.mkDerivation rec {
 alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
+ krops-deploy() {
+ # Ensure strict permissions on secrets/ directory before rsyncing it to
+ # the target machine
+ chmod 700 ${toString ./secrets}
+ $(nix-build --no-out-link ${toString ./krops/deploy.nix})
+ }
+
 figlet "nix-bitcoin"
 (mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets})
diff --git a/modules/deployment/krops.nix b/modules/deployment/krops.nix
new file mode 100644
index 0000000..a31a01b
--- /dev/null
+++ b/modules/deployment/krops.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+{
+ nix-bitcoin = {
+ secretsDir = "/var/src/secrets";
+ setupSecrets = true;
+ };
+ environment.variables.NIX_PATH = lib.mkForce "/var/src";
+
+ # The file syncing step in krops resets the secrets file permissions.
+ # So force `setup-secrets.service` to restart on deployment.
+ # Stop it at activation start so that it gets restarted at the end.
+ system.activationScripts.nixBitcoinStopSetupSecrets = ''
+ ${/* Skip this step if systemd is not running, i.e. when booting or in nixos-install */ ""}
+ if [[ -e /run/systemd/system ]]; then
+ if ! output=$(/run/current-system/systemd/bin/systemctl stop setup-secrets.service --no-block 2>&1); then
+ # Ignore if the unit is not loaded, which can happen on the first deployment
+ if [[ $output != *setup-secrets.service\ not\ loaded* ]]; then
+ echo "$output"
+ false
+ fi
+ fi
+ fi
+ '';
+}
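Review bot: Neither step in `krops-deploy` checks its result: if `chmod 700` fails (for example because `secrets/` does not exist yet) the deployment proceeds anyway, and if `nix-build` fails the `$(nix-build …)` substitution expands to an empty command, so the function ends with nothing but nix's own stderr to show for it. Both interpolated paths are also unquoted. Capturing the build output and aborting on failure makes the function fail loudly and in order; the shellHook string this function lives in starts and ends outside the hunk.
```nix
+ krops-deploy() {
+   # Ensure strict permissions on secrets/ directory before rsyncing it to
+   # the target machine
+   chmod 700 "${toString ./secrets}" || return
+   local deploy
+   deploy=$(nix-build --no-out-link "${toString ./krops/deploy.nix}") || return
+   "$deploy"
+ }
```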
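Review bot: The guard `[[ $output != *setup-secrets.service\ not\ loaded* ]]` keys on the wording of systemctl's error message, which is not a stable interface; a reworded or localized message would turn every first deployment into an activation failure. Testing for the unit before stopping it avoids parsing text, e.g. `if /run/current-system/systemd/bin/systemctl cat setup-secrets.service >/dev/null 2>&1; then` around the existing stop, with the stop's own failures then always reported. Also, `--no-block` returns before the stop has completed, so the comment's promise that the unit "gets restarted at the end" presumably relies on systemd serializing the later start after the queued stop — worth stating in the comment so the next maintainer does not drop the flag or the ordering by accident.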