{
  description = "Noisebridge Wiki — Standalone NixOS Infrastructure";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, agenix, deploy-rs, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in
    {
      overlays.default = import ./overlays/caddy.nix;

      nixosConfigurations.wiki = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = { inherit agenix; };
        modules = [
          { nixpkgs.overlays = [ self.overlays.default ]; }
          agenix.nixosModules.default
          ./hosts/wiki
          ./modules/common.nix
          ./modules/tailscale.nix
          ./modules/security.nix
          ./modules/users.nix
          ./modules/tor.nix
          ./modules/mediawiki-base.nix
          ./modules/wiki-primary/mediawiki.nix
          ./modules/wiki-primary/mysql.nix
          ./modules/wiki-primary/caddy.nix
          ./modules/wiki-primary/prometheus.nix
          ./modules/wiki-primary/alerting.nix
          ./modules/wiki-primary/grafana.nix
          ./modules/wiki-primary/backup.nix
          ./modules/wiki-primary/postfix.nix
        ];
      };

      nixosConfigurations.wiki-replica = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = { inherit agenix; };
        modules = [
          { nixpkgs.overlays = [ self.overlays.default ]; }
          agenix.nixosModules.default
          ./hosts/wiki-replica
          ./modules/common.nix
          ./modules/tailscale.nix
          ./modules/security.nix
          ./modules/users.nix
          ./modules/tor.nix
          ./modules/mediawiki-base.nix
          ./modules/wiki-replica/mediawiki.nix
          ./modules/wiki-replica/mysql.nix
          ./modules/wiki-replica/caddy.nix
        ];
      };

      deploy.nodes = {
        wiki = {
          hostname = "wiki";  # Tailscale hostname
          profiles.system = {
            user = "root";
            sshUser = "root";
            path = deploy-rs.lib.${system}.activate.nixos
              self.nixosConfigurations.wiki;
          };
        };
        wiki-replica = {
          hostname = "wiki-replica";  # Tailscale hostname
          profiles.system = {
            user = "root";
            sshUser = "root";
            path = deploy-rs.lib.${system}.activate.nixos
              self.nixosConfigurations.wiki-replica;
          };
        };
      };

      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      apps.${system}.deploy = {
        type = "app";
        program = "${deploy-rs.packages.${system}.default}/bin/deploy";
      };

      devShells.${system}.default = pkgs.mkShell {
        packages = with pkgs; [
          deploy-rs.packages.${system}.default
          agenix.packages.${system}.default
          mariadb.client
          rclone
          curl
          jq
          hey
          mydumper
        ];
      };
    };
}