{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";

    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

    nixos-hardware.url = "github:NixOS/nixos-hardware";

    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    agenix = {
      url = "github:ryantm/agenix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        home-manager.follows = "home-manager";
      };
    };

    flake-compat.url = "github:edolstra/flake-compat";

    oisd = {
      url = "github:sjhgvr/oisd";
      flake = false;
    };

    cloudflare-ips-v4 = {
      url = "https://www.cloudflare.com/ips-v4";
      flake = false;
    };
    cloudflare-ips-v6 = {
      url = "https://www.cloudflare.com/ips-v6";
      flake = false;
    };
  };

  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, agenix, ... }:
  let
    tailnetName = "serval-moth";

    systems = {
      x86 = "x86_64-linux";
      arm = "aarch64-linux";
    };

    mkMachines = let
      mkMachine = m: {
        inherit (m) name system;
        tailscale = {
          inherit (m.tailscale) ip;
          domain = "${m.name}.${tailnetName}.ts.net";
        };
      };

    in machines: map (m: mkMachine m) machines;

    mkMachineIdentities = ms: current:
      lib.genAttrs (lib.catAttrs "name" ms) (m: current.name == m);

    machines = with systems; mkMachines [
      { name = "corsac"; system = x86; tailscale.ip = "100.64.100.100"; }
      { name = "lapin"; system = arm; tailscale.ip = "100.83.254.27"; }
      { name = "renard"; system = x86; tailscale.ip = "100.75.17.75"; }
      { name = "loup"; system = x86; tailscale.ip = "100.70.108.22"; }
      { name = "fourmi"; system = arm; tailscale.ip = "100.99.119.83"; }
      { name = "taupe"; system = arm; tailscale.ip = "100.103.211.75"; }
      { name = "truite"; system = x86; tailscale.ip = "100.103.200.75"; }
      { name = "taureau"; system = x86; tailscale.ip = "100.67.75.4"; }
    ];

    overlays = [ agenix.overlays.default ];

    packageSetsForSystem = system: let
      pkgsInputs =
        i: { inherit system; config = import ./config.nix; } // i;
    in rec {
      pkgs = import nixpkgs (pkgsInputs { inherit overlays; });

      unstablePkgs = import nixpkgs-unstable (pkgsInputs { });

      auxiliaryPkgs = import ./pkgs (pkgsInputs { inherit pkgs unstablePkgs; });
    };

    inherit (nixpkgs) lib;
  in {
    nixosConfigurations = lib.mergeAttrsList (map (machine: {
      ${machine.name} = nixpkgs.lib.nixosSystem {
        inherit (machine) system;

        specialArgs = inputs // (packageSetsForSystem machine.system) // {
          inherit machines;
          me = machine // { is = mkMachineIdentities machines machine; };
          keys = import ./secrets/keys.nix;
          util = import ./util.nix { inherit lib; };
        };

        modules = [
          ./machines/${machine.name}

          home-manager.nixosModules.home-manager {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.mel = import ./machines/${machine.name}/home.nix;
          }

          agenix.nixosModules.default
        ];
      };
    }) machines);

    # compatibility wrapper for nixos-option
    legacyPackages = lib.genAttrs (lib.attrValues systems)
      (system: with packageSetsForSystem system; lib.recurseIntoAttrs pkgs);
  };
}