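# Flake for the ops-jrz1 server: one production NixOS configuration, one VM
# configuration for local validation, and the `nix flake check` suite that
# gates deployment.
{
  description = "ops-jrz1 NixOS server configuration with Matrix platform";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Pinned to an exact commit in the URL, so a lock-file refresh cannot
    # silently move it.
    opencode = {
      url = "github:sst/opencode/f6fe709f6ee75427ba64829af25b64d9a3111569";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

    # NOTE(review): unlike opencode, this tracks the repository's default
    # branch; the revision actually built is whatever flake.lock records.
    # Treat lock-file bumps for this input as code changes to be reviewed.
    beads = {
      url = "github:steveyegge/beads";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

    # NOTE(review): resolves to a local checkout on the build machine, so the
    # flake only evaluates where this path exists, and the code deployed is
    # whatever is committed in that working copy. A remote URL pinned by
    # revision would make the provenance auditable.
    musiclink = {
      url = "git+file:///home/dan/proj/musiclink";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
    let
      system = "x86_64-linux";

      pkgs = import nixpkgs { inherit system; };

      # Single definition of the unstable package set and of its policy
      # exceptions. Both host configurations and the checks reuse this value,
      # so the list of permitted insecure packages lives in exactly one place
      # and cannot drift between production and the VM.
      pkgs-unstable = import nixpkgs-unstable {
        inherit system;
        config = {
          # Applies to every package taken from pkgs-unstable.
          # NOTE(review): allowUnfreePredicate would let this name the
          # specific unfree packages instead of allowing all of them.
          allowUnfree = true;
          permittedInsecurePackages = [
            # Required by mautrix bridges. nixpkgs flags this package as
            # insecure, so this entry is an accepted-risk exception: revisit
            # it whenever the bridges are upgraded and remove it once they no
            # longer depend on olm.
            "olm-3.2.16"
          ];
        };
      };

      opencode = inputs.opencode.packages.${system}.default;
      beads = inputs.beads.packages.${system}.default;

      # Build musiclink with Go 1.24 from the unstable channel placed ahead of
      # the package's own nativeBuildInputs (presumably because the stable
      # channel's default Go is older - confirm against musiclink's go.mod).
      musiclink = inputs.musiclink.packages.${system}.default.overrideAttrs (old: {
        nativeBuildInputs = [ pkgs-unstable.go_1_24 ] ++ (old.nativeBuildInputs or [ ]);
      });

      # Extra module arguments handed to both host configurations.
      sharedArgs = {
        inherit pkgs-unstable opencode beads musiclink;
      };
    in
    {
      # Pre-deploy checks: nix flake check
      checks.${system} = {
        # Verify production config evaluates and builds
        ops-jrz1-config = self.nixosConfigurations.ops-jrz1.config.system.build.toplevel;

        # Verify VM config evaluates (lighter weight)
        ops-jrz1-vm-config = self.nixosConfigurations.ops-jrz1-vm.config.system.build.toplevel;

        # Shell script linting (errors and warnings). The extension-less
        # scripts are listed by name because the *.sh glob does not match
        # them; a new extension-less script must be added here to be linted.
        shellcheck = pkgs.runCommand "shellcheck-scripts"
          {
            nativeBuildInputs = [ pkgs.shellcheck ];
            src = ./scripts;
          } ''
          cd "$src"
          shellcheck *.sh killswitch cpu-watchdog egress-watchdog egress-status
          touch $out
        '';

        # VM integration test - boots VM and verifies services
        vm-integration = import ./tests/vm-integration.nix {
          inherit pkgs pkgs-unstable opencode musiclink;
        };
      };

      nixosConfigurations = {
        # Production configuration (for actual VPS deployment)
        ops-jrz1 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = sharedArgs;
          modules = [
            ./configuration.nix
            ./hosts/ops-jrz1.nix
            # Secret provisioning; imported for production only.
            sops-nix.nixosModules.sops
          ];
        };

        # VM testing configuration (for local validation before deployment)
        ops-jrz1-vm = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = sharedArgs;
          modules = [
            ./configuration.nix
            ./hosts/ops-jrz1-vm.nix
            # Note: No sops-nix for VM testing, so this host never decrypts
            # production secrets.
            # NOTE(review): confirm ./hosts/ops-jrz1-vm.nix supplies throwaway
            # values only and that ./configuration.nix does not require the
            # sops module to evaluate.
          ];
        };
      };
    };
}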