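{
  # Flake for the kj-laptop01 NixOS host, plus an `install` app that decrypts
  # the host's secrets with sops and provisions the machine with nixos-anywhere.

  # NOTE(review): `25.05` looks like a release tag rather than the moving
  # `nixos-25.05` branch. If so, `nix flake update` will never pull backported
  # security fixes for the tools built from this input (sops, nixos-anywhere).
  # Confirm which ref is intended.
  inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/25.05";
  inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

  inputs.disko.url = "github:nix-community/disko";
  inputs.disko.inputs.nixpkgs.follows = "nixpkgs-stable";

  inputs.nixos-facter-modules.url = "github:numtide/nixos-facter-modules";

  inputs.sops-nix.url = "github:Mic92/sops-nix";
  inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs-stable";

  inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere";
  inputs.nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs-stable";

  outputs =
    {
      nixpkgs-stable,
      nixpkgs-unstable,
      disko,
      nixos-facter-modules,
      sops-nix,
      nixos-anywhere,
      ...
    }:
    let
      # Platforms for which the formatter and the install app are exposed.
      systems = [
        "x86_64-linux"
        "x86_64-darwin"
        "aarch64-linux"
        "aarch64-darwin"
      ];
    in
    {
      nixosConfigurations.kj-laptop01 = nixpkgs-unstable.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          disko.nixosModules.disko
          ./kj-laptop01/configuration.nix
          nixos-facter-modules.nixosModules.facter
          sops-nix.nixosModules.sops
          { config.facter.reportPath = ./kj-laptop01/facter.json; }
        ];
      };

      formatter = nixpkgs-stable.lib.genAttrs systems (
        system: nixpkgs-stable.legacyPackages.${system}.nixfmt-tree
      );

      apps = nixpkgs-stable.lib.genAttrs systems (
        system:
        let
          pkgs = nixpkgs-stable.legacyPackages.${system};

          # NOTE(review): the script runs `pkgs.nixos-anywhere` from
          # nixpkgs-stable; the `nixos-anywhere` flake input declared above is
          # never referenced in outputs, so its lock entry does not pin the
          # tool that actually handles the secrets. Use one source or drop the
          # unused input.
          #
          # Usage: install <host-directory> [extra nixos-anywhere arguments...]
          install-script =
            pkgs.writers.writeRubyBin "install" { libraries = [ ]; } # ruby
              ''
                require 'tmpdir'
                require 'open3'
                require 'json'
                require 'fileutils'

                # First argument names both the directory holding secrets.yaml and
                # the flake attribute to install. Without it the script would go
                # looking for "/secrets.yaml", so fail early with a usage message.
                system_flake = ARGV[0]
                if system_flake.nil? || system_flake.empty?
                  abort "usage: install <host-directory> [nixos-anywhere options...]"
                end

                ENV['SOPS_AGE_KEY_FILE'] ||= File.expand_path("~/.config/sops/age/keys.txt")

                sops_exe = "${pkgs.sops}/bin/sops"
                nixos_anywhere_exe = "${pkgs.nixos-anywhere}/bin/nixos-anywhere"

                # Arguments are passed as an argv list (no shell), so system_flake is
                # never interpreted by a shell.
                secret_data_raw, status = Open3.capture2(sops_exe, "decrypt", "--output-type", "json", "#{system_flake}/secrets.yaml")
                raise "Failed to decrypt secrets.yaml" unless status.success?

                secret_data = JSON.parse(secret_data_raw)

                # File.write(path, nil) silently writes an empty file, which would
                # hand nixos-anywhere an empty LUKS passphrase or an empty host key.
                # Require both secrets to be non-empty strings; only the key name is
                # reported, never the value.
                %w[ssh_host_key_ed25519 luks_passphrase].each do |name|
                  value = secret_data[name]
                  unless value.is_a?(String) && !value.empty?
                    raise "secrets.yaml has no usable value for #{name}"
                  end
                end

                # Dir.mktmpdir creates a 0700 directory and removes it when the block
                # exits, including when nixos-anywhere fails.
                Dir.mktmpdir("secrets") do |secret_dir|
                  ssh_dir = File.join(secret_dir, 'copy_dir/etc/ssh')
                  host_key_path = File.join(ssh_dir, 'ssh_host_ed25519_key')
                  passphrase_path = File.join(secret_dir, 'luks_passphrase')

                  FileUtils.mkdir_p(ssh_dir)

                  # Create both secret files as 0600 rather than the umask default.
                  # copy_dir is handed to --extra-files for copying onto the target,
                  # so the private host key should already carry the owner-only mode
                  # sshd expects instead of being group/world-readable.
                  File.write(host_key_path, secret_data["ssh_host_key_ed25519"], perm: 0o600)
                  File.write(passphrase_path, secret_data["luks_passphrase"], perm: 0o600)

                  system nixos_anywhere_exe,
                    "--disk-encryption-keys", passphrase_path,
                    "--extra-files", File.join(secret_dir, 'copy_dir'),
                    "--flake", ".##{system_flake}",
                    *ARGV[1..-1],
                    exception: true
                end
              '';
        in
        {
          install = {
            type = "app";
            program = "${install-script}/bin/install";
          };
        }
      );
    };
}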