diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix
index a43f256a..eea7aec8 100644
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -7,6 +7,7 @@
 
     ./services/postgres.nix
     ./services/jokum.nix
+    ./services/jackson.nix
   ];
 
   sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
diff --git a/hosts/bicep/services/jackson.nix b/hosts/bicep/services/jackson.nix
new file mode 100644
index 00000000..a0cc7bac
--- /dev/null
+++ b/hosts/bicep/services/jackson.nix
@@ -0,0 +1,15 @@
+{ pkgs, config, secrets, inputs, ... }:
+let
+  jackson = pkgs.callPackage ../../../pkgs/jackson { };
+in {
+  systemd.services.jackson = {
+    description = "Jackson";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      ExecStart = "${jackson}/bin/jackson";
+      DynamicUser = true;
+      Restart = "always";
+    };
+  };
+}
diff --git a/pkgs/jackson/default.nix b/pkgs/jackson/default.nix
new file mode 100644
index 00000000..d762f45e
--- /dev/null
+++ b/pkgs/jackson/default.nix
@@ -0,0 +1,32 @@
+{ lib, buildNpmPackage, fetchFromGitHub }:
+
+buildNpmPackage rec {
+  pname = "jackson";
+  version = "1.9.6";
+
+  src = fetchFromGitHub {
+    owner = "boxyhq";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-iZKl2dBBEQLemHMSa6rXYAuCo02WhG/BcYKTmCm46hI=";
+  };
+
+  prePhase = ''
+    export HOME=$TMPDIR
+  '';
+
+  npmDepsHash = "sha256-pYGdbmfewdvVuNfuWLlj5TmxQGdQfqPZs6TXzttoHYo=";
+
+  # The prepack script runs the build script, which we'd rather do in the build phase.
+  npmFlags = [ "--loglevel silent" ];
+
+
+  #NODE_OPTIONS = "--openssl-legacy-provider";
+
+  meta = with lib; {
+    description = "Enterprise SSO made simple";
+    homepage = "https://github.com/boxyhq/jackson";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ felixalbrigtsen ];
+  };
+}