{
  description = "Homey - self-hosted home server NixOS configuration";

  # Flake inputs. The URLs below name branches; the revisions that are actually
  # built are the ones recorded in flake.lock.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

    # sops-nix handles secret management. It follows our nixpkgs input rather
    # than bringing its own.
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

    # nixos-hardware is used only for the RPi4 wireless firmware expression;
    # the display, audio and bluetooth modules are not imported because this
    # is a headless server.
    # NOTE(review): this input tracks the moving `master` branch, so every lock
    # update can bring in arbitrary upstream commits. Keep flake.lock committed
    # and read its diff when updating.
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
  };

  outputs = { self, nixpkgs, sops-nix, nixos-hardware, ... }@inputs:
    let
      inherit (nixpkgs) lib;

      # Site-wide settings; a host can override them if it needs to.
      siteSettings = {
        domain = "zakobar.com"; # base domain for all services
        organization = "Zakobar Home Server";
        timezone = "Asia/Jerusalem";
      };

      # specialArgs shared by every host: each module receives the flake
      # `inputs` and `homeyConfig` as extra arguments.
      commonArgs = {
        inherit inputs;
        homeyConfig = siteSettings;
      };

      # Minimal Raspberry Pi 4 hardware module for a headless server.
      # It sets the bootloader, the initrd kernel modules, the device-tree
      # filter and the wireless firmware, and nothing else from nixos-hardware.
      rpi4Headless = { pkgs, ... }:
        let
          # Firmware package built from the expression shipped in the
          # nixos-hardware input.
          wirelessFirmware = pkgs.callPackage
            "${nixos-hardware}/raspberry-pi/common/raspberry-pi-wireless-firmware.nix"
            { };
        in
        {
          boot = {
            loader = {
              grub.enable = false;
              generic-extlinux-compatible.enable = true;
            };

            initrd = {
              availableKernelModules = [
                "pcie-brcmstb" # PCIe bus (USB3, NVMe)
                "reset-raspberrypi" # required for vl805 firmware
                "usb-storage"
                "usbhid"
                "vc4" # VideoCore (needed even headless for boot)
              ];

              # sd-image-aarch64.nix lists modules for many SoCs (including
              # sun4i-drm for Allwinner boards) that don't exist in linux_rpi4.
              # NOTE(review): the original comment ends with "Allow missing",
              # but this setting turns off the default initrd module list
              # instead. Confirm this is the intended workaround.
              includeDefaultModules = false;
            };
          };

          hardware = {
            deviceTree.filter = "bcm2711-rpi-*.dtb";
            firmware = [ wirelessFirmware ];
          };
        };

      # Modules every full host gets, in evaluation order, after its own
      # hostPath module.
      sharedModules = [
        ./modules/common.nix
        ./modules/storage.nix
        ./modules/caddy.nix
        ./modules/cloudflared.nix
        ./modules/backup.nix
        ./modules/services/openldap.nix
        ./modules/services/authelia.nix
        ./modules/services/gitea.nix
        ./modules/services/nextcloud.nix
        ./modules/services/phpldapadmin.nix
        ./modules/services/jellyfin.nix
        ./modules/services/transmission.nix
        ./modules/services/gitea-runner.nix
        ./modules/services/uptime-kuma.nix
        ./modules/services/ntfy.nix
        ./modules/monitoring.nix
      ];

      # Build a full host: sops-nix, the RPi4 hardware module, the host's own
      # module, the shared service stack, then any extraModules.
      mkHost = { hostPath, extraModules ? [ ] }:
        lib.nixosSystem {
          specialArgs = commonArgs;
          modules =
            [ sops-nix.nixosModules.sops rpi4Headless hostPath ]
            ++ sharedModules
            ++ extraModules;
        };

      # Pulls in the upstream aarch64 SD-card image builder.
      sdImageModule = { modulesPath, ... }: {
        imports = [ "${modulesPath}/installer/sd-card/sd-image-aarch64.nix" ];
      };

      # Systems for which a development shell is exposed.
      devSystems = [ "x86_64-linux" "aarch64-linux" ];
    in
    {
      nixosConfigurations = {
        # Bootstrap image: flash this first, then deploy pi-main.
        # See hosts/pi-main-bootstrap/default.nix for details.
        # The sops-nix module is not in this list, so its options are not
        # available to the bootstrap configuration.
        # NOTE(review): presumably this keeps secret material out of the
        # flashable image. Confirm against the bootstrap host file.
        pi-main-bootstrap = lib.nixosSystem {
          specialArgs = commonArgs;
          modules = [
            rpi4Headless
            sdImageModule
            ./hosts/pi-main/hardware.nix
            ./hosts/pi-main-bootstrap/default.nix
          ];
        };

        # Primary Raspberry Pi 4
        pi-main = mkHost { hostPath = ./hosts/pi-main/default.nix; };

        # Future second machine (placeholder: uncomment and configure when ready)
        # pi-secondary = mkHost {
        #   hostPath = ./hosts/pi-secondary/default.nix;
        # };
      };

      # One dev shell set per supported system, built by ./shells from that
      # system's nixpkgs package set.
      devShells = lib.genAttrs devSystems (system:
        import ./shells { pkgs = nixpkgs.legacyPackages.${system}; });
    };
}