{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  nixConfig = {
    extra-substituters = [ "https://cache.kyouma.net" ];
    extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
  };

  outputs = { self, nixpkgs, ... }:
  let
    inherit (nixpkgs) lib;
    inherit (lib) mapAttrs;

    profiles = import ./profiles.nix;
    legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles;
    linux-hardened = import ./linux-hardened.nix;
  in {
    packages = mapAttrs
      (system: profiles: mapAttrs
        (name: profile: linux-hardened legacyPackages.${system} profile)
      profiles) profiles;

    devShells = mapAttrs (system: profile:
    let
      pkgs = legacyPackages.${system};
      dummy = linux-hardened pkgs { arch = ""; config = ./dummy.nix; firmware = [ ]; };

      mkShell = packages:
        pkgs.mkShell {
          inherit packages;
          shellHook = ''
            exec $SHELL
          '';
        };
    in {
      default = mkShell
        (with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
    }) profiles;

    hydraJobs = {
      kernel = self.packages;
      shell = self.devShells;
    };
  };
}