{
  description = "Fudo Host Configuration";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-21.05";

    fudo-home.url = "path:/state/nixops/fudo-home";

    fudo-pkgs.url = "path:/state/nixops/fudo-pkgs";

    fudo-secrets.url = "path:/state/secrets";
  };

  outputs = { self, nixpkgs, fudo-home, fudo-pkgs, fudo-secrets, ... }: {
    nixosConfigurations = let
      hostlib = import ./lib/hosts.nix { lib = nixpkgs.lib; };

      nixos-hosts = nixpkgs.lib.filterAttrs (hostname: hostOpts:
        hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts);

      build-timestamp = self.sourceInfo.lastModified;

      pkgs-for = arch: import nixpkgs {
        system = arch;
        config = {
          allowUnfree = true;
          permittedInsecurePackages = [
            "openssh-with-gssapi-8.4p1"
          ];
        };
        overlays = [
          fudo-pkgs.overlay
          (import ./lib/overlay.nix)
        ];
      };
    in nixpkgs.lib.mapAttrs (hostname: hostOpts: let
      system = hostOpts.arch;
      site = hostOpts.site;
      domain = hostOpts.domain;
      profile = hostOpts.profile;
      build-seed =
        builtins.readFile fudo-secrets.build-seed;
    in nixpkgs.lib.nixosSystem {
      inherit system;

      modules = let
        config-path = ./config;
      in [
        fudo-home.nixosModule
        fudo-secrets.nixosModule
        ./lib
        ./config

        (config-path + /hardware/${hostname}.nix)
        (config-path + /host-config/${hostname}.nix)
        (config-path + /profile-config/${profile}.nix)
        (config-path + /domain-config/${domain}.nix)
        (config-path + /site-config/${site}.nix)
        ({ ... }: {
          config = {
            instance = {
              inherit hostname build-timestamp build-seed;
            };

            nixpkgs.pkgs = pkgs-for system;
          };
        })
      ];
    }) nixos-hosts;
  };
}