{
  description = "hacc infra stuff";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-23.11-small";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";

    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
    tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
    tracktrain.flake = false;

    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
    
    # these exist mostly to make the flake.lock somewhat more human-friendly
    # note that in theory doing this might break things, but it seems fairly unlikely
    nixos-mailserver.inputs = {
      "nixpkgs-23_05".follows = "nixpkgs";
      utils.follows = "/deploy-rs/utils";
      flake-compat.follows = "/deploy-rs/flake-compat";
    };
  };

  outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
    let modules = {
          bindMounts = import ./modules/bindmounts.nix;
          nopersist = import ./modules/nopersist.nix;
          encboot = import ./modules/encboot.nix;
        };
        profiles = {
          container = import ./modules/container-profile.nix;
        };
        pkgs = import ./pkgs {
          sources = inputs;
          system = "x86_64-linux";
          config.allowUnfree = true;
        };
        evalConfig = config: (nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          modules = [
            config
            {
              nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
              imports = [ modules.nopersist profiles.container ];
            }
          ];
          specialArgs = {
            # some of our modules import each other, and evalConfig is used for containers
            inherit modules evalConfig;
            sources = inputs;
          };
        }).config.system.build.toplevel;
    in {
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
          ./modules/buildinfo.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
        ];
        specialArgs = {
          sources = inputs;
          inherit modules evalConfig;
        };
      };

      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          autoRollback = false;
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      packages.x86_64-linux =
        let
          websites = self.nixosConfigurations.parsons.config.hacc.websites.builders;
        in
          { docs = websites."docs.hacc.space"; } // websites;
    };

}