diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 5e4b1a71fdd9..9f0261038d5b 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -53,39 +53,60 @@ in { type = types.ints.u16; description = "HKP port to listen on."; }; + + webroot = mkOption { + type = types.nullOr types.path; + default = "${sksPkg.webSamples}/OpenPKG"; + defaultText = "\${pkgs.sks.webSamples}/OpenPKG"; + description = '' + Source directory (will be symlinked, if not null) for the files the + built-in webserver should serve. SKS (''${pkgs.sks.webSamples}) + provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES". + The index file can be named index.html, index.htm, index.xhtm, or + index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg, + .png, or .gif are supported. Subdirectories and filenames with + anything other than alphanumeric characters and the '.' character + will be ignored. + ''; + }; }; }; config = mkIf cfg.enable { - environment.systemPackages = [ sksPkg ]; - - users.users.sks = { - createHome = true; - home = cfg.dataDir; - isSystemUser = true; - shell = "${pkgs.coreutils}/bin/true"; + users = { + users.sks = { + isSystemUser = true; + description = "SKS user"; + home = cfg.dataDir; + createHome = true; + group = "sks"; + useDefaultShell = true; + packages = [ sksPkg pkgs.db ]; + }; + groups.sks = { }; }; systemd.services = let hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ; hkpPort = builtins.toString cfg.hkpPort; - home = config.users.users.sks.home; - user = config.users.users.sks.name; in { "sks-db" = { description = "SKS database server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p ${home}/dump - ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/ + ${lib.optionalString (cfg.webroot != null) + "ln -sfT \"${cfg.webroot}\" web"} + mkdir -p dump + ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/ ${sksPkg}/bin/sks cleandb || true ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true ''; serviceConfig = { - WorkingDirectory = home; - User = user; + WorkingDirectory = "~"; + 
User = "sks"; + Group = "sks"; Restart = "always"; ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}"; }; diff --git a/pkgs/servers/sks/adapt-to-nixos.patch b/pkgs/servers/sks/adapt-to-nixos.patch new file mode 100644 index 000000000000..b4403e8c7bc7 --- /dev/null +++ b/pkgs/servers/sks/adapt-to-nixos.patch @@ -0,0 +1,27 @@ +--- a/version.ml 2018-09-08 15:56:18.919154257 +0200 ++++ b/version.ml 2018-09-08 15:56:07.544028575 +0200 +@@ -24,16 +24,6 @@ + + let run () = + let bdb_version = Bdb.version () in +- let dbstats_dir = +- let split = Str.regexp_string "." in +- let major_minor_string major minor = +- sprintf "Further details about the BDB environment can be seen by \ +- executing\ndb%s.%s_stat -x in the KDB and Ptree directories\n" major minor +- in +- match Str.split split bdb_version with +- | major :: minor :: _ -> major_minor_string major minor +- | [] | _ :: [] -> major_minor_string "X" "Y" +- in + printf "SKS version %s%s\n" + Common.version Common.version_suffix; + +@@ -44,5 +34,6 @@ + requirement for recon of SKS %s\n" + Common.compatible_version_string; + +- printf "%s" dbstats_dir ++ printf "Further details about the BDB environment can be seen by executing\n\ ++ db_stat -x in the KDB and PTree directories\n" + diff --git a/pkgs/servers/sks/default.nix b/pkgs/servers/sks/default.nix index fe4029db1c14..deeeabda7451 100644 --- a/pkgs/servers/sks/default.nix +++ b/pkgs/servers/sks/default.nix @@ -11,6 +11,11 @@ stdenv.mkDerivation rec { sha256 = "00q5ma5rvl10rkc6cdw8d69bddgrmvy0ckqj3hbisy65l4idj2zm"; }; + # pkgs.db provides db_stat, not db$major.$minor_stat + patches = [ ./adapt-to-nixos.patch ]; + + outputs = [ "out" "webSamples" ]; + buildInputs = [ ocaml zlib db perl camlp4 ]; makeFlags = [ "PREFIX=$(out)" "MANDIR=$(out)/share/man" ]; 
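Review bot: The `sks` account, which runs the network-facing keyserver, ends up with an interactive shell in `users.users.sks`: `useDefaultShell = true;` replaces the former `shell = "${pkgs.coreutils}/bin/true"` and nothing in the hunk explains why. Together with `packages = [ sksPkg pkgs.db ]` this looks intended to let an administrator run `sks` and the Berkeley DB tools as that user; if so, say it in a comment such as `# Interactive shell so admins can run sks/db maintenance commands as this user`, and otherwise keep a non-login shell for the service account. Separately, in `preStart` the `ln -sfT` line is skipped when `cfg.webroot` is null, so a `web` symlink left by an earlier configuration stays in the data directory and would presumably still be served; the `webroot` description could state that null means "leave `web` untouched". The hunk starts inside the options set and ends inside `serviceConfig` of `sks-db`, so the rest of the unit is not visible here.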
@@ -26,6 +31,9 @@ stdenv.mkDerivation rec { doCheck = true; checkPhase = "./sks unit_test"; + # Copy the web examples for the NixOS module + postInstall = "cp -R sampleWeb $webSamples"; + meta = with stdenv.lib; { description = "An easily deployable & decentralized OpenPGP keyserver"; longDescription = ''
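Review bot: The added `postInstall = "cp -R sampleWeb $webSamples";` only yields `$webSamples/OpenPKG` (the path the module's `webroot` default points at) when `$webSamples` does not exist yet; if the directory is ever created earlier in the build, the same command produces `$webSamples/sampleWeb/OpenPKG` and the default symlink target would silently be missing. Making the layout explicit avoids that dependency, for example `postInstall = "mkdir -p $webSamples && cp -R sampleWeb/. $webSamples/";`. The enclosing `stdenv.mkDerivation` starts before the hunk and its `meta` block continues past it.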