{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
    home-manager.url = "github:nix-community/home-manager/release-22.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    private.url = "git+ssh://git@git.tempest.dev/ashe/nixos-config-private";
    tmpfiles.url = "git+http://git.tempest.dev/ashe/tmpfiles";
    tempestdev.url = "git+http://git.tempest.dev/ashe/tempest.dev";
    tempest-secret.url = "git+ssh://git@git.tempest.dev/ashe/tempest-skycord-secret";
    tempest-contact.url = "git+http://git.tempest.dev/ashe/contact-api";
    gotosocial.url = "git+http://git.tempest.dev/ashe/nixos-wrapper-gotosocial";
    ashen-earth.url = "git+ssh://git@git.tempest.dev/ashe/ashen-earth?ref=post/wasm-gol-2";
    drowning.url = "git+http://git.tempest.dev/ashe/drowning-among-stars";
  };

  outputs = { self, nixpkgs, home-manager, private, tmpfiles, tempestdev, tempest-secret, tempest-contact, gotosocial, ashen-earth, drowning }: {
    nixosConfigurations = {

      nyx = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/nyx/configuration.nix
          home-manager.nixosModules.home-manager
          private.nixosModules.nyx

          ashen-earth.nixosModule
          tmpfiles.nixosModule
          tempestdev.nixosModule
          tempest-secret.nixosModule
          tempest-contact.nixosModule
          gotosocial.nixosModule
          drowning.nixosModule

          ({ pkgs, ...}: {
            networking.firewall.allowedTCPPorts = [ 80 443 ];

            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;

            services.nginx.enable = true;
            services.nginx.recommendedProxySettings = true;
            services.nginx.appendHttpConfig = ''
              types {
                text/plain wat;
              }
            '';

            security.acme.acceptTerms = true;
            security.acme.defaults.email = "acme@tempest.dev";

            ashe.services."ashen.earth".enable = true;
            ashe.services."ashen.earth".domain = "ashen.earth";

            ashe.services.tmpfiles.enable = true;
            ashe.services.tmpfiles.domain = "files.tempest.dev";
            ashe.services.tmpfiles.port = 4441;

            ashe.services."tempest.dev".enable = true;
            ashe.services."tempest.dev".domain = "tempest.dev";
            ashe.services."tempest.dev".port = 4442;

            ashe.services.tempest-secret.enable = true;
            ashe.services.tempest-secret.domain = "tempest.dev";
            ashe.services.tempest-secret.path = "/secret";
            ashe.services.tempest-secret.port = 4443;

            ashe.services.tempest-api-contact.enable = true;
            ashe.services.tempest-api-contact.domain = "contact.tempest.dev";
            ashe.services.tempest-api-contact.configFile = "/etc/tempest/contact.json";
            ashe.services.tempest-api-contact.port = 4444;

            ashe.services.social.enable = true;
            ashe.services.social.appDomain = "social.tempest.dev";
            ashe.services.social.accountDomain = "tempest.dev";
            ashe.services.social.port = 4445;

            ashe.services.drowning.enable = true;
            ashe.services.drowning.domain = "drowning.ashen.earth";

            services.nginx.virtualHosts."static.tempest.dev" = {
              root = "/var/www/static";
              forceSSL = true;
              enableACME = true;

              locations."/" = {
                extraConfig = ''
                  if ($request_method = GET) {
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Credentials true;
                    add_header Access-Control-Allow-Methods "GET, OPTIONS";
                    add_header Access-Control-Allow-Headers "origin, accept, range";
                  }

                  if ($request_method = OPTIONS ) {
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Credentials true;
                    add_header Access-Control-Allow-Methods "GET, OPTIONS";
                    add_header Access-Control-Allow-Headers "origin, accept, range";
                    add_header Content-Length 0;
                    add_header Content-Type text/plain;
                    return 204;
                  }
                '';
              };
            };

            services.nginx.virtualHosts."phantomthieves.net" = {
              locations."/" = { proxyPass = "http://necronomicon.tempest.local:4000"; };
              forceSSL = true;
              enableACME = true;
            };

            services.nginx.virtualHosts."forum.phantomthieves.net" = {
              locations."/" = { proxyPass = "http://melete.tempest.local:8999"; };
              forceSSL = true;
              enableACME = true;
            };
          })
        ];
      };

      hemera = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/hemera/configuration.nix
          private.nixosModules.hemera

          ({ config, pkgs, ...}: {
            services.nix-serve = {
              enable = true;
              secretKeyFile = "/etc/tempest/bincache/key-priv.pem";
            };

            services.nginx = {
              enable = true;
              recommendedProxySettings = true;
              virtualHosts."hemera.tempest.local" = {
                locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
              };
            };
          })
        ];
      };
    };
  };
}