{
  description = "hacc infra stuff";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-24.11-small";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";

    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
    tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
    tracktrain.flake = false;

    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
    
    # these exist mostly to make the flake.lock somewhat more human-friendly
    # note that in theory doing this might break things, but it seems fairly unlikely
    nixos-mailserver.inputs = {
      nixpkgs.follows = "nixpkgs-unstable";
      nixpkgs_24-11.follows = "nixpkgs";
      flake-compat.follows = "/deploy-rs/flake-compat";
    };
  };

  outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
    let modules = {
          bindMounts = import ./modules/bindmounts.nix;
          nopersist = import ./modules/nopersist.nix;
          encboot = import ./modules/encboot.nix;
        };
        profiles = {
          container = import ./modules/container-profile.nix;
        };
        pkgs = import ./pkgs {
          sources = inputs;
          system = "x86_64-linux";
          config.allowUnfree = true;
        };
    in {
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
          ./modules/buildinfo.nix
          ./modules/containers.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
        ];
        specialArgs = {
          sources = inputs;
          inherit modules profiles;
          inherit (nixpkgs.lib) nixosSystem;
        };
      };

      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          autoRollback = false;
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      apps.x86_64-linux =
        let
	  mkApp = pkg: {
	    type = "app";
	    program = pkgs.lib.getExe pkg;
	  };
          websites = pkgs.lib.mapAttrs (name: mkApp) 
	    self.nixosConfigurations.parsons.config.hacc.websites.builders;
        in
          { docs = websites."docs.hacc.space"; } // websites;

      packages.x86_64-linux = {
        inherit (pkgs) mattermost hacc-scripts;
      };
    };

}