{
  # nixpkgs tracks the rolling nixpkgs-unstable branch. The revision actually
  # built is whatever the accompanying flake.lock records (not shown here), so
  # review lock-file updates like any other dependency bump.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  # Supply-chain note: these settings ask Nix to also substitute prebuilt store
  # paths from cache.kyouma.net and to accept anything signed by the key below.
  # Whoever holds that signing key can therefore supply the binaries (including
  # the kernel) that end up on the machine. Nix normally asks before honouring
  # flake-provided settings; only enable accept-flake-config for flakes whose
  # cache operator you trust, or decline and build locally instead.
  nixConfig = {
    extra-substituters = [ "https://cache.kyouma.net" ];
    extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
  };

  outputs = { self, nixpkgs, ... }:
    let
      # Only x86_64-linux is instantiated.
      supportedSystems = [ "x86_64-linux" ];
      forEachSystem = nixpkgs.lib.genAttrs supportedSystems;
      pkgsFor = forEachSystem (system: import nixpkgs { inherit system; });
      pkgs = pkgsFor.x86_64-linux;

      # Build the linux-hardened kernel for one machine profile.
      #   pkgSet      - nixpkgs package set to build with
      #   march       - value handed to the compiler as -march=<march>
      #   kernelConfig - path to the kernel config file for this profile
      mkHardenedKernel = pkgSet: march: kernelConfig:
        let
          pname = "linux-hardened";
          version = "6.10.2-hardened1";

          kernelFeatures = {
            efiBootStub = true;
          };

          builtKernel = pkgSet.linuxKernel.manualConfig {
            inherit pname version;

            # Source is pinned by tag and by content hash: if the upstream tag
            # is moved or the archive changes, the fetch fails rather than
            # building different code.
            src = pkgSet.fetchFromGitHub {
              owner = "anthraxx";
              repo = pname;
              rev = "v${version}";
              hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
            };

            stdenv = pkgSet.gccStdenv;

            # The kernel is compiled for a specific CPU target; a build for a
            # newer microarchitecture will not boot on older hardware.
            extraMakeFlags = [ "KCFLAGS=-march=${march}" ];

            # NOTE(review): isHardened only labels the kernel for consumers of
            # the derivation; the hardening that is actually in effect comes
            # from the patched source plus the options set in the config file
            # passed in, so audit those files when reviewing a profile.
            isHardened = true;

            configfile = kernelConfig;
            features = kernelFeatures;
          };
        in
        # Re-export the feature set through passthru on the final derivation.
        builtKernel.overrideAttrs (prev: {
          passthru = prev.passthru // {
            features = kernelFeatures;
          };
        });
    in
    {
      packages.x86_64-linux = {
        qemu-virtio = mkHardenedKernel pkgs "x86-64-v3" ./x86-64/qemu-virtio;
        thinkpad-x1-extreme-gen5 = mkHardenedKernel pkgs "alderlake" ./x86-64/thinkpad-x1-extreme-gen5;
      };

      devShells.x86_64-linux = {
        # Shell with the qemu-virtio kernel's build tools plus ncurses and
        # pkg-config. The hook replaces the dev-shell process with the user's
        # own $SHELL (expanded unquoted, as written).
        default = pkgs.mkShell {
          packages =
            self.packages.x86_64-linux.qemu-virtio.nativeBuildInputs
            ++ [ pkgs.ncurses pkgs.pkg-config ];
          shellHook = '' exec $SHELL '';
        };
      };

      # Job sets for Hydra: every kernel package and every dev shell.
      hydraJobs = {
        kernel = self.packages;
        shell = self.devShells;
      };
    };
}