{
  description = "hacc infra stuff";

  inputs = {
    mattermost-webapp.url = "https://releases.mattermost.com/7.1.7/mattermost-7.1.7-linux-amd64.tar.gz";
    mattermost-webapp.flake = false;
    mattermost-server.url = "github:mattermost/mattermost-server?ref=v7.1.7";
    mattermost-server.flake = false;

    nixpkgs.url = "nixpkgs/nixos-22.11";
    nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
    nix-hexchen.url = "gitlab:hexchen/nixfiles";
    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
    tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
    tracktrain.flake = false;

    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    
    # these exist mostly to make the flake.lock somewhat more human-friendly
    # note that in theory doing this might break things, but it seems fairly unlikely
    nix-hexchen.inputs = {
      nixos-mailserver.follows = "nixos-mailserver";
      nixpkgs.follows = "nixpkgs-unstable";
      deploy-rs.follows = "deploy-rs";
      doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
      emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
      flake-utils.follows = "/deploy-rs/utils";
    };
    nixos-mailserver.inputs = {
      "nixpkgs-22_05".follows = "nixpkgs";
      nixpkgs.follows = "nixpkgs-unstable";
    };
  };

  outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs:
    let modules = nix-hexchen.nixosModules;
        profiles = nix-hexchen.nixosModules.profiles // {
          container = import ./modules/container-profile.nix;
        };
        pkgs = import ./pkgs {
          sources = inputs;
          system = "x86_64-linux";
        };
        evalConfig = config: (nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          modules = [
            config
            nix-hexchen.nixosModules.network.nftables
            { nixpkgs.pkgs = pkgs; }
          ];
          specialArgs = {
            inherit modules profiles evalConfig;
            sources = inputs;
          };
        }).config.system.build.toplevel;
    in {
      # do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
      # apparently can't support pkgs depending on flake inputs
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/parsons/configuration.nix
          { nixpkgs.pkgs = pkgs; }
          { environment.etc."haccfiles".source = self.outPath; }
        ];
        specialArgs = {
          # with a few exceptions, the flake inputs can be used the same
          # as the niv-style (import nix/sources.nix {})
          sources = inputs;
          inherit modules profiles evalConfig;
        };
      };

      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          autoRollback = false;
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      packages.x86_64-linux =
        self.nixosConfigurations.parsons.config.hacc.websites.builders;
    };

}