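{
  # Flake for the user-jails NixOS module plus a throwaway test VM.
  #
  # Outputs:
  #   nixosModules.default            - the module itself (./modules/user-jails.nix)
  #   nixosConfigurations.vm-<system> - a qemu-vm based demo system per supported system
  #   apps.<system>.vm / default      - runs that VM (`nix run`)
  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";

  outputs =
    { self, nixpkgs }:
    let
      inherit (nixpkgs) lib;

      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];

      # Evaluate `f system pkgs` for every supported system, handing it the
      # unmodified nixpkgs package set for that system.
      forAllSystems = f: lib.genAttrs systems (system: f system nixpkgs.legacyPackages.${system});
    in
    {
      apps = forAllSystems (
        system: pkgs: {
          default = self.apps.${system}.vm;
          vm = {
            type = "app";
            # getExe already yields the runner's store path string; no interpolation needed.
            program = lib.getExe self.nixosConfigurations."vm-${system}".config.system.build.vm;
          };
        }
      );

      nixosModules.default = ./modules/user-jails.nix;

      # One demo configuration per system, keyed "vm-<system>" so that
      # apps.<system>.vm above can refer to it.
      nixosConfigurations = lib.mapAttrs' (name: cfg: lib.nameValuePair "vm-${name}" cfg) (
        forAllSystems (
          system: pkgs:
          lib.nixosSystem {
            # `pkgs` is the per-system set chosen in forAllSystems; passing it here
            # presumably means the modules' own nixpkgs.* settings are not applied — confirm.
            inherit system pkgs;
            modules = [
              "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
              self.nixosModules.default
              (
                { config, ... }:
                {
                  system.stateVersion = config.system.nixos.release;
                  virtualisation.graphics = false;

                  # Test VM only: root auto-login on the console and the fixed,
                  # MOTD-published account password are deliberate for this demo
                  # and are not a template for a real host.
                  services.getty.autologinUser = "root";

                  users.motd = ''
                    ==================================
                    Welcome to the user-jails test vm!

                    Try logging in as a user:
                      ssh user1@localhost
                      ssh user2@localhost

                    user1: default jail
                    - private networking
                    - global users (private users doesn't work atm)
                    - allow outside network access

                    user2: permissive jail
                    - global networking
                    - global users
                    - allow outside network access

                    All users have password 'foobar'

                    To exit, press Ctrl+A, then X
                    ==================================
                  '';

                  # user1: jail with the module's defaults, except that global users
                  # are used (see the note below).
                  users.users.user1 = {
                    uid = 1000;
                    isNormalUser = true;
                    createHome = true;
                    password = "foobar";
                  };
                  users.users'.user1.jail = {
                    enable = true;
                    # Private users doesn't work inside VM for now
                    # See https://github.com/NixOS/nixpkgs/issues/451167
                    useGlobalUsers = true;
                  };

                  # user2: permissive jail sharing the host's network namespace and users.
                  users.users.user2 = {
                    uid = 1001;
                    isNormalUser = true;
                    createHome = true;
                    password = "foobar";
                  };
                  users.users'.user2.jail = {
                    enable = true;
                    # bindGlobalNixStore = true; # doesn't do anything for now
                    useGlobalNetworking = true;
                    useGlobalUsers = true;
                  };

                  # user3 (strict jail) is kept disabled until the module supports it.
                  # users.users.user3 = {
                  #   uid = 1002;
                  #   isNormalUser = true;
                  #   createHome = true;
                  #   password = "foobar";
                  # };
                  # users.users'.user3.jail = {
                  #   enable = true;
                  #   allowNetworking = false;
                  # };
                  # MOTD description:
                  # user3: strict jail
                  # - private networking
                  # - private users
                  # - deny outside network access

                  services.openssh.enable = true;
                  programs.vim.enable = true;
                }
              )
            ];
          }
        )
      );
    };
}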