diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp
new file mode 100644
index 0000000..19e5882
--- /dev/null
+++ b/abusesa/manifests/services.pp
@@ -0,0 +1,54 @@
+# Configure AbuseSA services.
+#
+class abusesa::services(
+ $services=[],
+ $socketdir="/var/lib/abuserv/run",
+) {
+
+ include user::system
+ realize(User['abuserv'], Group['abuserv'])
+
+ exec { 'usermod-abusesa-abuserv':
+ path => '/bin:/usr/bin:/sbin:/usr/sbin',
+ command => 'usermod -a -G abuserv abusesa',
+ unless => 'id -n -G abusesa | grep \'\babuserv\b\'',
+ require => [
+ User['abusesa'],
+ Group['abuserv'],
+ ],
+ }
+
+ exec { 'usermod-nginx-abuserv':
+ path => '/bin:/usr/bin:/sbin:/usr/sbin',
+ command => 'usermod -a -G abuserv nginx',
+ unless => 'id -n -G nginx | grep \'\babuserv\b\'',
+ require => [
+ Class['nginx'],
+ Group['abuserv'],
+ ],
+ }
+
+ file { [
+ '/var/lib/abuserv',
+ '/var/lib/abuserv/run',
+ ]:
+ ensure => directory,
+ mode => '2770',
+ owner => 'abuserv',
+ group => 'abuserv',
+ }
+
+ file { '/var/lib/abuserv/.profile':
+ ensure => present,
+ mode => '0600',
+ owner => 'abuserv',
+ group => 'abuserv',
+ content => "umask 007\n",
+ }
+
+ include nginx
+ nginx::config { 'abusesa.conf':
+ content => template('abusesa/services/nginx.conf.erb'),
+ }
+
+}
diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb
new file mode 100644
index 0000000..f0486b4
--- /dev/null
+++ b/abusesa/templates/services/nginx.conf.erb
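Review bot: The `usermod -a -G abuserv nginx` exec changes nginx's supplementary groups, but a running nginx only picks up new group membership when its processes are re-spawned, so after the first run the workers presumably still cannot reach the group-restricted sockets under `/var/lib/abuserv/run` until nginx is restarted; the exec should notify the nginx service resource, whatever the nginx module names it (`notify => Service['nginx'],` if that is its name), and the same applies to `usermod-abusesa-abuserv` for any abusesa process already running. Separately, `$socketdir` is a class parameter but the `file` resource that creates the setgid, group-owned directory hard-codes `'/var/lib/abuserv/run'`, so an overridden `$socketdir` gets no directory with the mode the group scheme relies on; reference `$socketdir` in that resource instead. The `unless` checks with `grep '\babuserv\b'` also match group names such as `abuserv-x`; `id -n -G nginx | tr ' ' '\n' | grep -qx abuserv` tests for the exact name.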
@@ -0,0 +1,33 @@
+log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+server {
+ listen 8443;
+
+ access_log <%= scope.lookupvar('nginx::logdir') %>/abusesa.log abusesa;
+
+ ssl on;
+ ssl_verify_client on;
+ ssl_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem;
+ ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
+ ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;
+
+ proxy_buffering off;
+
+<% @services.each do |service|
+ dir, sep, sock = service.rpartition('/')
+ dir = @socketdir if dir.empty?
+ sockpath = File.join(dir, sock)
+ location = sock.gsub('.', '/')
+-%>
+ location /<%= location %>/ {
+ proxy_pass http://unix:<%= sockpath %>:/;
+ }
+
+<% end -%>
+ location / {
+ deny all;
+ }
+
+}
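Review bot: The access log's user column is filled from `$http_x_remote_user`, a request header the client supplies, while the identity that `ssl_verify_client on` actually verified is the certificate subject, so any holder of a valid client certificate can write an arbitrary name into the audit log; use `$ssl_client_s_dn` in the `log_format` instead. The generated `location` blocks forward the client's request headers to the backends as nginx does by default, so if a backend derives the caller from X-Remote-User that header should be set by nginx rather than trusted from the client: `proxy_set_header X-Remote-User $ssl_client_s_dn;` next to the `proxy_pass`. No `ssl_protocols` or `ssl_ciphers` directives are set, so the accepted TLS versions and suites are whatever the installed nginx defaults to; pin them explicitly. In the loop header `sep` is unused and would read as `_sep` under Ruby convention.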