{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, disko, agenix, ... }:
  let
    pkgs = import nixpkgs { system = "x86_64-linux"; };

    # Helper to build a NixOS host config from hosts/<name>/
    mkHost = name: system: nixpkgs.lib.nixosSystem {
      modules = [
        { nixpkgs.hostPlatform = system; }
        disko.nixosModules.disko
        agenix.nixosModules.default
        ./modules/common.nix
        ./hosts/${name}
      ];
    };

    hosts = {
      telefonmann = { system = "x86_64-linux"; };
    };
  in {
    # nixosConfigurations is used by nixos-anywhere for initial install
    nixosConfigurations = nixpkgs.lib.mapAttrs
      (name: cfg: mkHost name cfg.system)
      hosts;

    devShells.x86_64-linux.default = pkgs.mkShell {
      packages = [
        pkgs.colmena
        agenix.packages.x86_64-linux.default
      ];
    };

    # colmena hive for ongoing deployments
    colmena = {
      meta = {
        nixpkgs = pkgs;
        specialArgs = { inherit disko; };
      };
    } // nixpkgs.lib.mapAttrs (name: cfg: {
      deployment = {
        # Set targetHost per host in hosts/<name>/default.nix or override here
        # targetHost = "telefonmann.example.com";
        targetUser = "root";
      };
      imports = [
        { nixpkgs.hostPlatform = cfg.system; }
        disko.nixosModules.disko
        agenix.nixosModules.default
        ./modules/common.nix
        ./hosts/${name}
      ];
    }) hosts;
  };
}