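# Flake for the ds9 / picard / theseus NixOS hosts, deployed with Colmena.
# Outputs: colmenaHive, overlays.default, hydraJobs, and per-system devShells,
# packages and checks.
{
  description = "xyno doin nixos";

  # Most inputs name a moving branch (or no ref at all), so the revision that is
  # actually built is whatever the lock file records. Lock-file updates are the
  # point where third-party code enters every host: review them like code.
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    # Tracks master; used below for the `unstable` package set and as the
    # nixpkgs of zen-browser, niri, xwayland-satellite and helix.
    nixpkgs-master.url = "github:nixos/nixpkgs?ref=master";
    mobile-nixos.url = "github:mobile-nixos/mobile-nixos";
    mobile-nixos.flake = false;
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    impermanence.url = "github:nix-community/impermanence";
    colmena.url = "github:zhaofengli/colmena/release-0.4.x";
    colmena.inputs.nixpkgs.follows = "nixpkgs";

    # software
    # lanzaboote (Secure Boot tooling) is pinned to a release tag, not a branch.
    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.4.2";
      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    zen-browser.url = "github:0xc000022070/zen-browser-flake";
    zen-browser.inputs.nixpkgs.follows = "nixpkgs-master";
    # Feature branch of a kmonad fork. Its NixOS module is imported on every
    # host (see `modules`), so changes on that branch reach all machines at the
    # next lock update.
    kmonad = {
      url = "git+https://github.com/jokesper/kmonad?dir=nix&ref=feat-tap-overlap";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    niri.url = "github:YaLTeR/niri";
    niri.inputs.nixpkgs.follows = "nixpkgs-master";
    xwayland-satellite.url = "github:Supreeeme/xwayland-satellite";
    xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master";
    nheko.url = "github:Nheko-Reborn/nheko";
    nheko.flake = false;
    mtxclient.url = "github:Nheko-Reborn/mtxclient";
    mtxclient.flake = false;
    # Fetched from a self-hosted forge; its overlay is applied to every package
    # set built by `genPkgs`.
    nix-ci.url = "git+https://git.xyno.systems/xyno/nix-ci";
    nix-ci.inputs.nixpkgs.follows = "nixpkgs";
    nix-index-database.url = "github:nix-community/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";

    # helix
    helix.url = "github:helix-editor/helix";
    # helix.url = "github:sofusa/helix-pull-diagnostics";
    helix.inputs.nixpkgs.follows = "nixpkgs-master";
    # csharp-language-server.url = "github:sofusa/csharp-language-server";
    # csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master";

    # authentik
    authentik.url = "github:nix-community/authentik-nix";
    authentik.inputs.nixpkgs.follows = "nixpkgs";
    terranix.url = "github:terranix/terranix";
    terranix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    inputs@{
      self,
      nixpkgs,
      nixpkgs-master,
      colmena,
      ...
    }:
    let
      # nixpkgs' lib extended with the repo-local helpers from ./lib as `lib.xyno`.
      lib = nixpkgs.lib.extend (
        s: super: {
          xyno = import ./lib {
            inherit inputs nixpkgs self;
            lib = s;
          };
        }
      );

      # Overlays applied to every package set produced by `genPkgs`.
      overlays = [
        self.overlays.default
        inputs.nix-ci.overlays.default
        # Take the Nix-related tooling (including the `colmena` deploy tool)
        # from the Lix package set of the `unstable` (nixpkgs-master) import.
        (final: prev: {
          inherit (final.unstable.lixPackageSets.latest)
            nixpkgs-review
            nix-direnv
            nix-eval-jobs
            nix-fast-build
            colmena
            ;
        })
      ];

      # Instantiate nixpkgs for one system. Unfree packages are allowed globally,
      # so the unfree licence gate never stops a build here.
      genPkgs =
        system:
        import nixpkgs {
          inherit system overlays;
          config.allowUnfree = true;
        };

      # NixOS modules shared by every host and by the test nodes in `checks`.
      modules = [
        inputs.kmonad.nixosModules.default
        inputs.home-manager.nixosModules.default
        inputs.lanzaboote.nixosModules.lanzaboote
        inputs.sops-nix.nixosModules.sops
        inputs.impermanence.nixosModules.impermanence
        inputs.authentik.nixosModules.default
        inputs.nix-index-database.nixosModules.nix-index
      ]
      ++ (import ./modules/module-list.nix);

      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];

      # Apply `f` to each supported system; returns a list of attrsets.
      forEachSystem = f: map f systems;

      # Turn a list of host names into a list of single-attribute hive entries.
      # Each host imports the shared modules plus ./instances/<host> and receives
      # `otherNodes`: every hive node except itself.
      importConfigs =
        hosts:
        map (host: {
          ${host} =
            { nodes, ... }:
            {
              networking.hostName = host;
              imports = modules ++ [ (./instances/${host}) ];
              _module.args.otherNodes = lib.filterAttrs (name: _: name != host) nodes;
            };
        }) hosts;
    in
    # Merge the system-independent outputs with one attrset per supported system.
    lib.foldl' lib.recursiveUpdate { } (
      [
        {
          colmenaHive = colmena.lib.makeHive (
            lib.foldl' lib.recursiveUpdate {
              meta = {
                specialArgs = {
                  inherit inputs;
                };
                # All hive nodes are evaluated against the x86_64-linux package set.
                nixpkgs = genPkgs "x86_64-linux";
              };
              # Escalate on the target through systemd's run0, in a transient
              # unit named colmena-apply.
              # NOTE(review): this sits at the top level of the hive attrset,
              # next to the host entries; Colmena usually takes deployment
              # options under `defaults` or inside a node. Confirm it is picked
              # up as intended and is not evaluated as a node named "deployment".
              deployment.privilegeEscalationCommand = [
                "run0"
                "--unit=colmena-apply"
              ];
            } (importConfigs [
              "ds9"
              "picard"
              "theseus"
            ])
          );

          # Adds `unstable` (nixpkgs-master, unfree allowed) and the repo's own
          # overlays from ./overlays.
          overlays.default =
            final: prev:
            (
              {
                unstable = import nixpkgs-master {
                  system = prev.system;
                  config.allowUnfree = true;
                };
              }
              // (import ./overlays inputs final prev)
            );

          # One job set per hive node: the system closure and its kernel.
          hydraJobs.systems = lib.foldl' lib.recursiveUpdate { } [
            (builtins.mapAttrs (
              host: config:
              lib.foldl' lib.recursiveUpdate { } ([
                {
                  inherit (config.config.system.build) toplevel;
                  kernel = config.config.boot.kernelPackages.kernel;
                }
              ])
            ) self.colmenaHive.nodes)
          ];

          hydraJobs.fods = {
            # This flake defines no `nixosConfigurations` output, so the job is
            # read from the hive node, the same way hydraJobs.systems does it.
            caddy = self.colmenaHive.nodes.ds9.config.services.caddy.package;
          };
        }
      ]
      ++ (forEachSystem (
        system:
        let
          pkgs = genPkgs system;
        in
        {
          devShells.${system}.default = pkgs.mkShell {
            packages = [
              pkgs.nixfmt-rfc-style
              pkgs.nil
              pkgs.sops
              # Everything under ./bin is copied into the Nix store, which is
              # world-readable: keep credentials and tokens out of that directory.
              (pkgs.runCommand "nix-config-bin" { } ''
                mkdir -p $out/bin
                cp ${./bin}/* $out/bin
              '')
              pkgs.colmena
            ]
            ++ (lib.attrValues self.packages.${system});
            # sops configuration built by ./sops.nix from the instance directories.
            # NOTE(review): the result is a store path too; presumably it holds
            # only recipients and rules, never private key material. Verify
            # against sops.nix.
            SOPS_CONFIG = (
              pkgs.callPackage ./sops.nix {
                instanceConfigs = lib.xyno.getDirs ./instances;
              }
            );
          };

          packages.${system} = {
            nix = pkgs.unstable.lixPackageSets.latest.lix;
            inherit (pkgs)
              nix-fast-build
              attic-client
              jq
              nix-ci
              ;
          };

          # VM test running the shared module set. openssh is enabled here for the
          # test nodes only; this line does not touch the real hosts.
          checks.${system}."nixos" = pkgs.testers.runNixOSTest {
            imports = (import ./modules/test-list.nix);
            node.specialArgs = {
              inherit inputs;
            };
            extraBaseModules.imports = modules;
            extraBaseModules.services.openssh.enable = true;
            # Lets the imported modules set nixpkgs.* options inside the test nodes.
            node.pkgsReadOnly = false;
          };
        }
      ))
    );
}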