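# Deployment flake for the awful.systems cluster.
#
# Outputs:
#   nixosConfigurations.{these,more}  - the two hosts, each built from
#                                       ./hosts/<name>/configuration.nix plus
#                                       the sops-nix module.
#   devShells.default                 - operator shell with sops/age tooling and
#                                       the deploy-*/go-* and secrets helpers.
#   packages.maint-mode               - built from ./maint-mode/site.nix.
{
  description = "The deployment flake for the awful.systems cluster";

  inputs = {
    # NOTE(review): nixos-23.05 is past its upstream support window, so hosts
    # built from it no longer get security fixes from this channel. Confirm
    # the upgrade plan.
    nixpkgs.url = "nixpkgs/nixos-23.05";
    flake-utils.url = "github:numtide/flake-utils";
    pkgs-unstable.url = "nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";

    # NOTE(review): git:// is an unauthenticated, unencrypted transport. A
    # committed flake.lock (not visible here) pins each input by revision and
    # content hash, so locked builds are integrity-checked. A lock update
    # still accepts whatever the network returns at that moment. Prefer
    # git+https:// or git+ssh:// if the server offers them, and review lock
    # diffs for these three inputs before deploying.
    lemmy.url = "git://these.awful.systems/lemmy.git";
    lemmy-ui.url = "git://these.awful.systems/lemmy-ui.git";
    sneer-archive-site.url = "git://these.awful.systems/sneer-archive-site.git";
  };

  outputs =
    { self
    , nixpkgs
    , flake-utils
    , sops-nix
    , lemmy
    , lemmy-ui
    , sneer-archive-site
    , ...
    }@attrs:
    {
      # Every flake input is handed to the host modules through specialArgs,
      # so the host configurations can reference any of them by name.
      nixosConfigurations = {
        these = nixpkgs.lib.nixosSystem {
          specialArgs = attrs;
          modules = [
            ./hosts/these/configuration.nix
            sops-nix.nixosModules.sops
          ];
        };

        more = nixpkgs.lib.nixosSystem {
          specialArgs = attrs;
          modules = [
            ./hosts/more/configuration.nix
            sops-nix.nixosModules.sops
          ];
        };
      };
    }
    // flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};

        # deploy-<name>: rebuild and switch the named host over SSH.
        # Extra arguments are forwarded to nixos-rebuild. "$@" is quoted so
        # arguments containing spaces or glob characters arrive intact.
        deploy = name: target:
          pkgs.writeShellScriptBin "deploy-${name}" ''
            nixos-rebuild switch --fast --flake .#${name} \
              --target-host ${target} \
              "$@"
          '';

        # go-<name>: open an SSH session (or run a command) on the host.
        # "$@" is quoted so the local shell does not glob-expand or re-split
        # the arguments before ssh sees them.
        go = name: target:
          pkgs.writeShellScriptBin "go-${name}" ''
            ssh ${target} "$@"
          '';

        # init-secrets <ssh-private-key>: derive the operator's age identity
        # for sops from an SSH private key.
        #
        # The key is copied and its passphrase is stripped before conversion,
        # so the script briefly holds an unencrypted private key on disk.
        # The working copy therefore lives in a private mktemp directory
        # rather than at a fixed, predictable path in shared /tmp. A umask of
        # 077 keeps the working copy and keys.txt owner-only, and a trap
        # removes the working directory on every exit path. keys.txt is
        # written to the working directory first and only moved into place on
        # success, so a failed conversion does not truncate an existing
        # identity.
        init-secrets = pkgs.writeShellScriptBin "init-secrets" ''
          set -eu

          if [ "$#" -ne 1 ]; then
            echo "usage: init-secrets <path-to-ssh-private-key>" >&2
            exit 1
          fi

          # Everything created below holds private key material.
          umask 077
          workdir="$(mktemp -d)"
          trap 'rm -rf "$workdir"' EXIT

          mkdir -p ~/.config/sops/age
          cp -- "$1" "$workdir/key"
          ${pkgs.openssh}/bin/ssh-keygen -p -N "" -f "$workdir/key"
          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$workdir/key" > "$workdir/keys.txt"
          mv "$workdir/keys.txt" ~/.config/sops/age/keys.txt

          echo Your age public key is:
          ${pkgs.age}/bin/age-keygen -y ~/.config/sops/age/keys.txt
        '';

        # rekey-secrets <file>: re-encrypt a sops file to the recipients
        # currently listed in the sops configuration.
        rekey-secrets = pkgs.writeShellScriptBin "rekey-secrets" ''
          ${pkgs.sops}/bin/sops updatekeys "$1"
        '';
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [
            pkgs.sops
            pkgs.ssh-to-age
            pkgs.age
            # Both helpers log in as root on the target host.
            (deploy "these" "root@these.awful.systems")
            (go "these" "root@these.awful.systems")
            (deploy "more" "root@more.awful.systems")
            (go "more" "root@more.awful.systems")
            init-secrets
            # Previously defined in the let-block but never exposed.
            rekey-secrets
            pkgs.bashInteractive
            # cache these packages:
            lemmy.packages.${system}.lemmy-server
            lemmy-ui.packages.${system}.lemmy-ui
            sneer-archive-site.packages.${system}.default
          ];
        };

        packages.maint-mode = (pkgs.callPackage ./maint-mode/site.nix { });
      });
}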