{
  description = "compsigh Minecraft server";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, disko, ... }@inputs:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
      deploy = pkgs.writeShellScriptBin "nhs" ''
        nh os switch --hostname compsigh-minecraft --target-host root@compsigh-minecraft path:. "$@"
      '';
      mcLogs = pkgs.writeShellScriptBin "mc-logs" ''
        ssh root@compsigh-minecraft "docker logs --tail ''${1:-100} -f minecraft"
      '';
      mcRegister = pkgs.writeShellScriptBin "mc-register" ''
        set -euo pipefail
        USERNAME="''${1:?Usage: mc-register <username> <password>}"
        PASSWORD="''${2:?Usage: mc-register <username> <password>}"
        ssh root@compsigh-minecraft "docker exec minecraft rcon-cli auth register $USERNAME $PASSWORD"
      '';
      mcUpdatePassword = pkgs.writeShellScriptBin "mc-update-password" ''
        set -euo pipefail
        USERNAME="''${1:?Usage: mc-update-password <username> <password>}"
        PASSWORD="''${2:?Usage: mc-update-password <username> <password>}"
        ssh root@compsigh-minecraft "docker exec minecraft rcon-cli auth update $USERNAME $PASSWORD"
      '';
      bootstrap = pkgs.writeShellScriptBin "mc-bootstrap" ''
        set -euo pipefail
        IP="''${1:?Usage: mc-bootstrap <server-ip>}"
        echo "==> Installing NixOS (bootstrap config with port 22 open)..."
        nix run github:nix-community/nixos-anywhere -- --flake path:.#compsigh-minecraft-bootstrap "root@$IP"
        echo ""
        echo "==> Removing old host key..."
        ssh-keygen -R "$IP"
        echo ""
        echo "==> Fetching new server host key..."
        echo "Run: ssh root@$IP cat /etc/ssh/ssh_host_ed25519_key.pub"
        echo "Then update secrets/secrets.nix with the new key and run: agenix -r"
        echo "Then run: nhs"
      '';
    in
    {
      nixosConfigurations.compsigh-minecraft = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = { inherit inputs; };
        modules = [
          disko.nixosModules.disko
          inputs.agenix.nixosModules.default
          ./disk-config.nix
          ./configuration.nix
        ];
      };

      # Bootstrap config: opens port 22 on public interface for initial setup
      nixosConfigurations.compsigh-minecraft-bootstrap = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = { inherit inputs; };
        modules = [
          disko.nixosModules.disko
          inputs.agenix.nixosModules.default
          ./disk-config.nix
          ./configuration.nix
          {
            networking.firewall.allowedTCPPorts = [ 22 ];
          }
        ];
      };

      devShells.${system}.default = pkgs.mkShell {
        packages = [
          deploy
          bootstrap
          mcLogs
          mcRegister
          mcUpdatePassword
          pkgs.nh
          pkgs.age
          inputs.agenix.packages.${system}.default
        ];

      };
    };
}