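# Flake describing the NixOS system "muffin".
#
# `service_configs` (ports, data directories, domain names) is built once in
# the `let` below and handed to every module through `specialArgs`.
#
# Supply-chain note: every input below follows a branch or ref rather than a
# fixed revision, so the only pin is flake.lock. Each `nix flake update` pulls
# new third-party code into a system configuration; review the flake.lock diff
# before deploying.
{
  description = "Flake for server muffin";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";

    lanzaboote = {
      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

    nix-minecraft = {
      url = "github:Infinidoge/nix-minecraft";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";

    # NOTE(review): this is the head of a pull request, i.e. a ref that whoever
    # can push to the PR branch may move or rewrite at any time. The qbittorrent
    # module file imported from it below is evaluated as part of the system
    # configuration. Consider pinning to a commit that has been read, e.g.
    # "github:NixOS/nixpkgs/<reviewed-commit-sha>" (placeholder), and bump it
    # deliberately.
    nixpkgs-qbt.url = "github:NixOS/nixpkgs/pull/287923/head";

    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    {
      nixpkgs,
      nix-minecraft,
      nixos-hardware,
      vpn-confinement,
      nixpkgs-qbt,
      home-manager,
      lanzaboote,
      disko,
      ...
    }@inputs:
    let
      username = "primary";
      hostname = "muffin";
      eth_interface = "enp4s0";

      # `rec` so that later attributes can refer to earlier ones
      # (services_dir, torrents_path, https.domain, ...).
      service_configs = rec {
        zpool_ssds = "tank";
        zpool_hdds = "hdds";
        torrents_path = "/torrents";
        services_dir = "/${zpool_ssds}/services";
        music_dir = "/${zpool_ssds}/music";
        torrent_group = "media";

        # Port numbers used by the services. Uniqueness is enforced by the
        # assertion at the bottom of this flake.
        ports = {
          https = 443;
          jellyfin = 8096; # no services.jellyfin option for this
          torrent = 6011;
          ollama = 11434;
          bitmagnet = 3333;
          owntracks = 3825;
          gitea = 2283;
          immich = 2284;
          soulseek_web = 5030;
          soulseek_listen = 50300;
        };

        https = {
          certs = services_dir + "/http_certs";
          # TODO! generate website from repo directly using hugo
          data_dir = services_dir + "/http";
          domain = "gardling.com";
          wg_ip = "192.168.15.1";
          matrix_hostname = "matrix.${https.domain}";
        };

        gitea = {
          dir = services_dir + "/gitea";
          domain = "git.${https.domain}";
        };

        postgres = {
          socket = "/run/postgresql";
        };

        immich = {
          dir = services_dir + "/immich";
        };

        minecraft = {
          parent_dir = services_dir + "/minecraft";
          server_name = "main";
        };

        torrent = {
          SavePath = torrents_path;
          TempPath = torrents_path + "/incomplete";
        };

        jellyfin = {
          dir = services_dir + "/jellyfin";
        };

        owntracks = {
          data_dir = services_dir + "/owntracks";
        };
      };

      # All configured port numbers, and whether each one appears only once.
      port_values = builtins.attrValues service_configs.ports;
      ports_are_unique =
        builtins.length (nixpkgs.lib.unique port_values) == builtins.length port_values;
    in
    # Fail evaluation early instead of building a system in which two services
    # were given the same port number.
    assert nixpkgs.lib.assertMsg ports_are_unique
      "service_configs.ports: two or more services share the same port number";
    {
      nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {
        # Extra arguments every module can request by name.
        specialArgs = {
          inherit
            username
            hostname
            eth_interface
            service_configs
            inputs
            ;
        };

        modules =
          [
            ./disk-config.nix
            disko.nixosModules.disko
            ./configuration.nix

            vpn-confinement.nixosModules.default

            # import the `services.qbittorrent` module
            # (taken from the PR-head input; see the note on `nixpkgs-qbt`)
            (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix")

            # get nix-minecraft working!
            nix-minecraft.nixosModules.minecraft-servers
            {
              nixpkgs.overlays = [ nix-minecraft.overlay ];
            }

            lanzaboote.nixosModules.lanzaboote

            home-manager.nixosModules.home-manager
            # Only `username` (from specialArgs) is used here; the previous
            # signature also named `pkgs`, `home-manager` and `stateVersion`,
            # none of which the body read and the last two of which are not
            # in specialArgs.
            (
              { username, ... }:
              {
                home-manager.users.${username} = import ./home.nix;
              }
            )
          ]
          ++ (with nixos-hardware.nixosModules; [
            common-cpu-amd-pstate
            common-cpu-amd-zenpower
            common-pc-ssd
            common-gpu-intel
          ]);
      };
    };
}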