{
  inputs = {
    nixpkgs.url = "github:nixOS/nixpkgs/nixpkgs-unstable";
  };

  # Extra binary cache plus the key its signatures are checked against.
  # Flake-supplied settings like these are applied only once the user accepts
  # them (e.g. `--accept-flake-config`); accepting means store paths signed by
  # this key are substituted from cache.kyouma.net instead of being built locally.
  nixConfig = {
    extra-substituters = [ "https://cache.kyouma.net" ];
    extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
  };

  outputs = { self, nixpkgs, ... }:
    let
      inherit (nixpkgs) lib;

      # Only one system is built; extend this list to widen the matrix.
      eachSystem = lib.genAttrs [ "x86_64-linux" ];

      # Build anthraxx/linux-hardened from a pre-generated kernel .config using
      # the LLVM toolchain. `configfile` is the path of that .config and is
      # handed unchanged to manualConfig.
      linux-hardened = pkgs: configfile:
        let
          inherit (pkgs) overrideCC;
          inherit (pkgs.stdenv) hostPlatform;
          inherit (pkgs.llvmPackages_latest) clangUseLLVM bintools;

          # Feature flags given to manualConfig and re-exported via passthru below.
          features = {
            efiBootStub = true;
          };

          kernel = pkgs.linuxKernel.manualConfig rec {
            pname = "linux-hardened";
            version = "6.9.10-hardened1";
            # Source is pinned by content hash: a moved tag fails the fetch
            # instead of silently building different code.
            src = pkgs.fetchFromGitHub {
              owner = "anthraxx";
              repo = pname;
              rev = "v${version}";
              hash = "sha256-8ekD3H8R8d9mJJ684+cmgiTpE0svhXrL/9FWMCeFsuc=";
            };
            # clang + LLVM bintools in place of the default compiler.
            stdenv = overrideCC pkgs.stdenv (clangUseLLVM.override { inherit bintools; });
            extraMakeFlags =
              [ "LLVM=1" ]
              # Add -march only when the platform declares a target arch.
              ++ lib.optionals (hostPlatform ? gcc.arch) [ "KCFLAGS=-march=${hostPlatform.gcc.arch}" ];
            isHardened = true;
            inherit configfile features;
          };
        in
        kernel.overrideAttrs (prev: {
          passthru = prev.passthru // { inherit features; };
        });
    in
    {
      legacyPackages = eachSystem (system: import nixpkgs { inherit system; });

      # One package per entry found under ./<cpu-arch>/; the entry name becomes
      # the attribute name and the entry itself is used as the kernel config.
      packages = eachSystem (system:
        let
          pkgs = self.legacyPackages.${system};
          arch = (lib.systems.elaborate system).parsed.cpu.name;
          profiles = builtins.readDir ./${arch};
        in
        lib.mapAttrs (profile: _: linux-hardened pkgs ./${arch}/${profile}) profiles);

      hydraJobs = self.packages;
    };
}