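{
  description = "Portable NixOS + Home Manager configuration with sops secrets and disko";

  # Flake inputs. The revision actually built is whatever flake.lock records;
  # sops-nix and disko carry no explicit ref here, so without a lock file they
  # would follow the upstream default branch.
  # NOTE(review): presumably flake.lock is committed next to this file. Verify,
  # and review lock updates like any other dependency bump.
  inputs = {
    # Core
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    # Flakes
    # NOTE(review): flake-utils is not referenced anywhere in `outputs` below;
    # consider dropping it to shrink the locked dependency set.
    flake-utils.url = "github:numtide/flake-utils";

    # Home Manager
    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Secrets management
    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Disk partitioning
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, home-manager, sops-nix, disko }:
    let
      # Package sets for a given system. allowUnfree is enabled for every
      # package set built by this flake (stable and unstable alike).
      mkPkgs = system: import nixpkgs {
        inherit system;
        config.allowUnfree = true;
      };

      mkPkgsUnstable = system: import nixpkgs-unstable {
        inherit system;
        config.allowUnfree = true;
      };

      # nixpkgs overlay exposing the unstable package set as `pkgs.unstable`.
      mkOverlayUnstable = system: final: prev: {
        unstable = mkPkgsUnstable system;
      };

      # User name used for the standalone Home Manager outputs
      # ("<hmUser>@linux", "<hmUser>@linux-arm"). The dev-shell hint and the
      # installer below are derived from it so they always name an output that
      # actually exists.
      hmUser = "eliaskohout";

      # Build one NixOS system from a host module.
      # Set enableHomeManager = false for servers or minimal installs that
      # don't need user-level dotfile/package management.
      mkNixosSystem = { system, hostModule, enableHomeManager ? true }:
        let
          pkgs-unstable = mkPkgsUnstable system;
          hmModules =
            if enableHomeManager then [
              home-manager.nixosModules.home-manager
              {
                home-manager.useGlobalPkgs = true;
                home-manager.useUserPackages = true;
                home-manager.extraSpecialArgs = { inherit sops-nix pkgs-unstable; };
                # NOTE(review): "youruser" is a template placeholder; it has to
                # match a user declared by the NixOS modules, which are not
                # visible from this file. Confirm.
                home-manager.users.youruser = import ./home/default.nix;
              }
            ] else [ ];
        in
        nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = { inherit sops-nix disko pkgs-unstable; };
          modules = [
            # An overlay (final: prev: { ... }) is not a NixOS module, so it is
            # registered through nixpkgs.overlays rather than listed directly.
            { nixpkgs.overlays = [ (mkOverlayUnstable system) ]; }
            sops-nix.nixosModules.sops
            disko.nixosModules.disko
            hostModule
            ./nixos/default.nix
          ] ++ hmModules;
        };

      # Standalone Home Manager configuration for non-NixOS hosts.
      mkHomeConfig = system: home-manager.lib.homeManagerConfiguration {
        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfree = true;
          overlays = [ (mkOverlayUnstable system) ];
        };
        extraSpecialArgs = {
          pkgs-unstable = mkPkgsUnstable system;
          inherit sops-nix;
        };
        modules = [ ./home/default.nix ];
      };

      defaultSystem = "x86_64-linux";
      pkgs = mkPkgs defaultSystem;

      # Development shell with the tools needed to work on this repository.
      mkDevShell = pkgs: pkgs.mkShell {
        # `disko` is written as pkgs.disko on purpose: `with pkgs;` does not
        # shadow the lexically bound `disko` flake input, so a bare `disko`
        # would resolve to the input rather than the CLI package.
        buildInputs = with pkgs; [ nix nixpkgs-fmt sops age pkgs.disko git ];
        shellHook = ''
          echo "NixOS Configuration Development Shell"
          echo "Available commands:"
          echo " - nix flake check # Check flake validity"
          echo " - nix flake show # Show all outputs"
          echo " - sudo nixos-rebuild switch --flake .#hostname"
          echo " - home-manager switch --flake .#${hmUser}@linux"
          echo " - sops secrets/secrets.yaml # Edit encrypted secrets"
        '';
      };
    in
    {
      # ============================================
      # NixOS System Configurations
      # ============================================
      nixosConfigurations = {
        # x86_64 laptop (most common)
        laptop = mkNixosSystem {
          system = "x86_64-linux";
          hostModule = ./hosts/laptop/default.nix;
        };

        # x86_64 server (no home-manager — minimal system-only config)
        server = mkNixosSystem {
          system = "x86_64-linux";
          hostModule = ./hosts/server/default.nix;
          enableHomeManager = false;
        };

        # Example: ARM64 host (e.g. Raspberry Pi 4, Apple Silicon VM)
        # laptop-arm = mkNixosSystem {
        #   system = "aarch64-linux";
        #   hostModule = ./hosts/laptop/default.nix;
        # };
      };

      # ============================================
      # Home Manager Standalone (Non-NixOS systems)
      # ============================================
      homeConfigurations = {
        "${hmUser}@linux" = mkHomeConfig "x86_64-linux";
        "${hmUser}@linux-arm" = mkHomeConfig "aarch64-linux";
      };

      # ============================================
      # Development Shell
      # ============================================
      devShells = {
        x86_64-linux.default = mkDevShell (mkPkgs "x86_64-linux");
        aarch64-linux.default = mkDevShell (mkPkgs "aarch64-linux");
      };

      # ============================================
      # Installer Script
      # ============================================
      # On NixOS this runs `sudo nixos-rebuild switch` for the named host; on
      # any other OS it only applies the standalone Home Manager configuration.
      # sudo, nixos-rebuild and home-manager are resolved from the caller's PATH.
      apps.${defaultSystem}.installer = {
        type = "app";
        program = toString (pkgs.writeShellScript "installer" ''
          set -eu

          if [ "$#" -lt 1 ] || [ -z "$1" ]; then
            echo "Usage: nix run .#installer -- <hostname>" >&2
            echo "Example: nix run .#installer -- laptop" >&2
            exit 1
          fi

          # Not named HOSTNAME, so the shell's own HOSTNAME variable is left alone.
          target_host=$1

          # The value becomes part of the flake reference handed to a
          # root-level rebuild, so restrict it to plain host-name characters.
          case "$target_host" in
            *[!A-Za-z0-9._-]*)
              echo "Invalid hostname: only letters, digits, dot, underscore and hyphen are allowed" >&2
              exit 1
              ;;
          esac

          echo "🚀 Bootstrapping NixOS: $target_host"

          # Check if on NixOS
          if [ -f /etc/os-release ]; then
            # Source os-release in a subshell so its variables cannot clobber
            # anything in this script; only ID is carried back out.
            os_id=$(. /etc/os-release && printf "%s" "''${ID:-}")
            if [ "$os_id" = "nixos" ]; then
              echo "✓ Running on NixOS"
              sudo nixos-rebuild switch --flake ".#$target_host"
              echo "✓ NixOS system configured"
            else
              echo "⚠ Not on NixOS - installing home-manager only"
              home-manager switch --flake ".#${hmUser}@linux"
              echo "✓ Home manager configured"
            fi
          else
            echo "⚠ Cannot determine OS"
            exit 1
          fi
        '');
      };
    };
}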