{
  description = "tlater.net host configuration";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    tlaternet-webserver = {
      url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = {
    self,
    nixpkgs,
    nixos-hardware,
    sops-nix,
    tlaternet-webserver,
  }: let
    system = "x86_64-linux";

    overlays = [
      (final: prev: {
        local = import ./pkgs {
          pkgs = prev;
        };
      })
    ];

    pkgs = import nixpkgs {inherit system overlays;};
    sops-pkgs = sops-nix.packages.${system};
  in {
    nixosConfigurations = {
      tlaternet = nixpkgs.lib.nixosSystem {
        inherit system;

        modules = [
          ({modulesPath, ...}: {
            imports = [(modulesPath + "/profiles/headless.nix")];
            nixpkgs.overlays = overlays;
          })
          (import ./modules)

          (import ./configuration)
          (import ./configuration/linode.nix)
          (import ./configuration/hardware-configuration.nix)
          sops-nix.nixosModules.sops
          tlaternet-webserver.nixosModules.default
        ];
      };

      vm = nixpkgs.lib.nixosSystem {
        inherit system;

        modules = [
          ({modulesPath, ...}: {
            imports = [(modulesPath + "/profiles/headless.nix")];
            nixpkgs.overlays = overlays;
          })
          (import ./modules)

          (import ./configuration)
          sops-nix.nixosModules.sops
          tlaternet-webserver.nixosModules.default
          ({lib, ...}: {
            users.users.tlater.password = "insecure";

            # Disable graphical tty so -curses works
            boot.kernelParams = ["nomodeset"];

            # Sets the base domain for nginx to localhost so that we
            # can easily test locally with the VM.
            services.nginx.domain = lib.mkOverride 99 "localhost";

            # Use the staging secrets
            sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml;

            # # Set up VM settings to match real VPS
            # virtualisation.memorySize = 3941;
            # virtualisation.cores = 2;
          })
        ];
      };
    };

    apps.${system}.default = let
      inherit (self.nixosConfigurations.vm.config.system.build) vm;
      inherit (nixpkgs.legacyPackages.${system}) writeShellScript;
      inherit (nixpkgs.lib.attrsets) mapAttrsToList;
      inherit (nixpkgs.lib.strings) concatStringsSep;
      ports = {
        "2222" = "2222";
        "3080" = "80";
        "3443" = "443";
        "2221" = "2221";
        "21025" = "21025"; # Starbound
      };
      QEMU_NET_OPTS =
        concatStringsSep ","
        (mapAttrsToList
          (host: vm: "hostfwd=::${host}-:${vm}")
          ports);
    in {
      type = "app";
      program = builtins.toString (writeShellScript "run-vm" ''
        export QEMU_OPTS="-m 3941 -smp 2 -curses"
        export QEMU_NET_OPTS="${QEMU_NET_OPTS}"
        "${vm}/bin/run-tlaternet-vm"
      '');
    };

    devShells.${system}.default = pkgs.mkShell {
      sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"];
      nativeBuildInputs = [
        sops-pkgs.sops-import-keys-hook
      ];
      buildInputs = with pkgs; [
        nixfmt
        git-lfs
        sops-pkgs.sops-init-gpg-key
      ];

      shellHook = ''
        # Work around sudo requiring a full terminal when deploying to
        # a remote host
        export NIX_SSHOPTS="-t"
      '';
    };
  };
}