{
  description = "Matiss NixOS - Hyprland Workstation";

  inputs = {
    # Stable NixOS foundation
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";

    # Unstable for bleeding-edge packages
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    # Home Manager (matches system 25.11)
    home-manager.url = "github:nix-community/home-manager/release-25.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

    # Nixvim (Neovim configuration as Nix)
    nixvim.url = "github:nix-community/nixvim/nixos-25.11";

    # sops-nix (secrets management)
    sops-nix.url = "github:mic92/sops-nix";

    # Helium Browser (privacy-first Chromium)
    helium-browser.url = "github:schembriaiden/helium-browser-nix-flake";
    helium-browser.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, nixvim, sops-nix, ... }@inputs:
  let
    system = "x86_64-linux";

    # Shared modules for all NixOS hosts
    sharedModules = [
      sops-nix.nixosModules.sops

      # Home Manager
      home-manager.nixosModules.home-manager
      {
        home-manager.useGlobalPkgs = true;
        home-manager.useUserPackages = true;
        home-manager.extraSpecialArgs = { inherit inputs; };
        home-manager.backupFileExtension = "backup";
        home-manager.users.matiss = import ./home.nix;
      }

      # Overlays
      ({ config, pkgs, ... }: {
        nixpkgs.overlays = [
          (final: prev: {
            unstable = import nixpkgs-unstable {
              localSystem = final.stdenv.hostPlatform;
              config.allowUnfree = true;
            };
          })
        ];
      })
    ];
  in
  {
    nixosConfigurations.matiss = nixpkgs.lib.nixosSystem {
      inherit system;
      specialArgs = { inherit inputs; };
      modules = [ ./hosts/default/configuration.nix ] ++ sharedModules;
    };
  };
}