{
  description = "Personal infra on Infomaniak Public Cloud (OpenStack)";

  # Only nixpkgs names a release branch here; sops-nix and nixos-generators
  # track their default branches. The exact revisions are whatever flake.lock
  # records, so keep the lock file committed and review the diff produced by
  # `nix flake update` before deploying from it.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

    # `follows` makes both helper flakes evaluate against the nixpkgs above
    # instead of pulling in their own copy.
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, sops-nix, nixos-generators, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # Modules shared by the live system and the uploadable image, so the
      # two definitions of the watcher cannot drift apart.
      watcherModules = [
        sops-nix.nixosModules.sops
        ./hosts/watcher
      ];

      # OpenStack guest settings shipped with nixpkgs. Only the live system
      # lists this explicitly; the image build relies on the generator's
      # `openstack` format instead.
      openstackGuest = { modulesPath, ... }: {
        imports = [ "${modulesPath}/virtualisation/openstack-config.nix" ];
      };
    in
    {
      # `nix develop` to enter a shell with every tool this repo needs.
      devShells.${system} = {
        default = pkgs.mkShell {
          packages = [
            pkgs.openstackclient # `openstack` CLI
            pkgs.opentofu # `tofu` — drop-in for terraform, OSS license
            pkgs.jq
            pkgs.age
            pkgs.sops # for sops-nix secrets
          ];

          # The .env file is *sourced*, i.e. executed as shell code, and
          # `set -a` exports every variable it assigns to each process
          # started from this shell. The path is relative to $PWD, so it is
          # only picked up when the shell is entered from the repo root.
          # NOTE(review): presumably this file holds the OpenStack
          # credentials for `openstack` and `tofu`; keep it untracked and
          # readable only by its owner.
          shellHook = ''
            if [ -f "$PWD/terraform/infomaniak/.env" ]; then
              set -a; . "$PWD/terraform/infomaniak/.env"; set +a
              echo "loaded terraform/infomaniak/.env"
            fi
          '';
        };
      };

      # Runtime config — what the watcher box actually IS.
      # Push updates with:
      #   nixos-rebuild switch --flake .#watcher --target-host tyro@<host> --use-remote-sudo
      # (<host> is a placeholder; the original note leaves the host part
      # blank.) The build is pushed over SSH as `tyro` and activated through
      # sudo on the target.
      nixosConfigurations.watcher = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ openstackGuest ] ++ watcherModules;
      };

      # Build a QCOW2 image of the watcher to upload to Infomaniak Glance:
      #   nix build .#watcher-image
      #   ls -lh result/nixos.qcow2
      # Everything in the image's Nix store is readable by anyone who can
      # read the image. sops-nix keeps secrets encrypted in the store and
      # decrypts them on the machine at activation, so the decryption key
      # has to reach the instance some other way.
      # NOTE(review): confirm ./hosts/watcher does not embed a private key.
      packages.${system}.watcher-image = nixos-generators.nixosGenerate {
        inherit system pkgs;
        format = "openstack";
        modules = watcherModules;
      };
    };
}