{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";

    get-flake.url = "github:ursi/get-flake";

    home-manager.url = "github:nix-community/home-manager/release-23.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";

    bpir3.url =
      "github:steveej-forks/nixos-bpir3/pr_kernel_config_for_nixpkgs_update"
      # "/home/steveej/src/steveej/nixos-bpir3"
      ;

    bpir3.inputs.nixpkgs.follows = "nixpkgs";

    nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
    nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";

    hostapd.url = "git://w1.fi/hostap.git?branch=main";
    hostapd.flake = false;

    openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9";
    openwrt.flake = false;

    # TODO: would be nice if this worked but it throws an error when using the input as a patch:
    # error: flake input has unsupported input type 'file'
    # hostapd_patch_vlan_no_bridge = {
    #   url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch";
    #   flake = false;
    # };
  };

  outputs = {
    self,
    get-flake,
    nixpkgs,
    bpir3,
    ...
  }: let
    nativeSystem = "aarch64-linux";
    nodeName = "router0-dmz0";

    pkgs = nixpkgs.legacyPackages.${nativeSystem};
    pkgsCross = import self.inputs.nixpkgs {
      system = "x86_64-linux";
      crossSystem = {
        config = "aarch64-unknown-linux-gnu";
      };
    };

    mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
      nixpkgs.lib.nixosSystem (
        nixpkgs.lib.attrsets.recursiveUpdate
        attrs
        {
          specialArgs =
            (import ./default.nix {
              system = nativeSystem;
              inherit nodeName;

              repoFlake = get-flake ../../../..;
              nodeFlake = self;
            })
            .meta
            .nodeSpecialArgs
            .${nodeName};

          modules =
            [
              ./configuration.nix

              # flake registry
              {
                nix.registry.nixpkgs.flake = nixpkgs;
              }

              {
                nixpkgs.overlays = [
                  (final: previous: let
                    bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
                  in {
                    inherit
                      (bpir3Pkgs)
                      linuxPackages_bpir3
                      linuxPackages_bpir3_6_6
                      linuxPackages_bpir3_latest
                      ;
                  })
                ];
              }
            ]
            ++ extraModules;
        }
      );
  in {
    nixosConfigurations = {
      native = mkNixosConfiguration {
        system = nativeSystem;
      };

      cross = mkNixosConfiguration {
        extraModules = [
          {
            nixpkgs.buildPlatform.system = "x86_64-linux";
            nixpkgs.hostPlatform.system = nativeSystem;
          }
        ];
      };
    };

    packages = let
      mkPatchedHostapd = pkgs:
        pkgs.hostapd.overrideDerivation (attrs: {
          patches =
            attrs.patches
            ++ [
              "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
            ];
        });
    in {
      "${nativeSystem}" = {
        hostapd_patched = mkPatchedHostapd pkgs;
      };

      cross = {
        hostapd_patched = mkPatchedHostapd pkgsCross;
      };
    };
  };
}