{
  description = "pbsds' system/home flake";

  inputs = {
    nixpkgs.url      = "github:NixOS/nixpkgs/nixos-23.05";
    unstable.url     = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager/release-23.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    nixos-hardware.url = "github:NixOS/nixos-hardware";

    #TODO:
    #sops-nix.url = "github:Mic92/sops-nix";
    #sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    #matrix-next.url = "github:dali99/nixos-matrix-modules"; # see https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/flake.nix

    # used to host old docs
    #nixpkgs-22.url = "github:NixOS/nixpkgs/nixos-22.11";
    #nixpkgs-21.url = "github:NixOS/nixpkgs/nixos-21.11";
    #nixpkgs-20.url = "github:NixOS/nixpkgs/nixos-20.09";
    #nixpkgs-19.url = "github:NixOS/nixpkgs/nixos-19.09";
    #nixpkgs-19.flake = false; # Earlier versions are not flake-pure

    # TODO: somehow make these private repos optional (a lazy fetch would be nice)
    pbsds-papers.url = "git+ssh://git@github.com/pbsds/papers.git";

    # temporary stuff i want to use
    # TODO: can i fetch a subset of files of these?
    pr-polaris14.url   = "github:pbsds/nixpkgs/polaris-14";
    pr-remote-exec.url = "github:pbsds/nixpkgs/remote-exec-init";
  };

  outputs = {
    self,
    nixpkgs,
    unstable,
    nixos-hardware,
    nur,
    home-manager,
    ...
  } @ inputs:
  let
    nixlib = nixpkgs.lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      #"riscv64-linux"
    ];
    forAllSystems = f: nixlib.genAttrs systems (system: f {
      inherit system;
      pkgs = nixpkgs.legacyPackages.${system};
      lib  = nixpkgs.legacyPackages.${system}.lib;
    });

    # TODO: move unstable here?
    tmpConfig = {
      disabledModules = [ "services/misc/polaris.nix" ];
      imports = [ "${inputs.pr-polaris14}/nixos/modules/services/misc/polaris.nix" ];
      nixpkgs.overlays = [(final: prev: { # TODO: nixpkgs.config.packageOverrides ?
        polaris     = prev.callPackage "${inputs.pr-polaris14}/pkgs/servers/polaris" { };
        polaris-web = prev.callPackage "${inputs.pr-polaris14}/pkgs/servers/polaris/web.nix" { };
        remote-exec = prev.python3Packages.callPackage "${inputs.pr-remote-exec}/pkgs/tools/misc/remote-exec" { };
      })];
    };
    mkConfig = hostname: domain: system: modules: nixlib.nixosSystem {
      inherit system;
      specialArgs = {
        inherit inputs;
        packages = self.packages.${system};
      };
      modules = modules ++ [ ./base.nix "${self}/hosts/${hostname}" tmpConfig ({
        home-manager.extraSpecialArgs = {
          inherit inputs;
          packages = self.packages.${system};
        };
        # still needed even if using networkd
        networking.hostName = hostname;
        networking.domain   = domain;
        networking.search = [ domain ];
        nixpkgs.overlays = [ # TODO: consider nixpkgs.config.packageOverrides
          (final: prev: {
            unstable = unstable.legacyPackages.${final.system};
          })
        ];
        # This makes commandline tools like 'nix run nixpkgs#hello'
        # and 'nix-shell -p hello' use the same channel as system was built with
        nix.registry.nixpkgs.flake  = inputs.nixpkgs;
        nix.registry.unstable.flake = inputs.unstable;
        nix.registry.nixpkgs-unstable.flake = inputs.unstable;
        nix.nixPath = [
          "nixpkgs=${inputs.nixpkgs}"
          # TODO: are these needed?
          "unstable=${inputs.unstable}"
          "nixpkgs-unstable=${inputs.unstable}"
        ];
      })];
    };
  in {
    inherit inputs;

    packages = forAllSystems({ pkgs, ... }: {
      mpv-webm = pkgs.callPackage ./pkgs/mpv-webm.nix {}; # https://github.com/NixOS/nixpkgs/pull/238659
      remote-exec = pkgs.python3Packages.callPackage "${inputs.pr-remote-exec}/pkgs/tools/misc/remote-exec" {};
    });

    nixosConfigurations = let nm = nixos-hardware.nixosModules; in {
      # TODO: move nixos-hardware imports to the nixos configs?
      noximilien = mkConfig "noximilien" "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel ]);
      bolle      = mkConfig "bolle"      "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel ]);
      nord       = mkConfig "nord"       "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel-cpu-only common-gpu-amd common-hidpi ]);
      sopp       = mkConfig "sopp"       "pbsds.net" "x86_64-linux" (with nm; [ common-pc common-pc-ssd common-cpu-intel common-gpu-nvidia-nonprime ]);
    };

    homeConfigurations = forAllSystems ({ pkgs, system, ... }: let
      mkHome = user: home: modules: home-manager.lib.homeManagerConfiguration {
        inherit pkgs;
        modules = modules ++ [{
          home.username = user;
          home.homeDirectory = home;
        }];
        extraSpecialArgs.packages = self.packages.${system};
      };
    in {
      pbsds       = mkHome "pbsds" "/home/pbsds" [ ./users/pbsds/home ];
      pbsds-gnome = mkHome "pbsds" "/home/pbsds" [ ./users/pbsds/home/gnome.nix ];
    });

    devShells = forAllSystems ({ system, pkgs, ... }: let
      inherit (self.packages.${system}) remote-exec;
      mkShell = packages: pkgs.mkShell { inherit packages; };
      nixos-rebuild-nom = pkgs.writeScriptBin "nixos-rebuild" ''
        exec ${pkgs.nixos-rebuild}/bin/nixos-rebuild "$@" |& ${pkgs.nix-output-monitor}/bin/nom
      '';
    in {
      remoteenv = mkShell [
          nixos-rebuild-nom
      ];
      envrc = mkShell [
          nixos-rebuild-nom
          pkgs.home-manager
          pkgs.nix-output-monitor
          pkgs.cachix
      ];
      envrc-remote = mkShell [
          remote-exec
          pkgs.yq
      ];
    });

  };
}