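# Flake for deploying and managing the cccb Kubernetes cluster.
#
# Outputs are generated once per default system by flake-utils:
#   formatter            nixpkgs-fmt
#   devShells.default    operator tooling (agenix, make, kubectl, helm, cfssl, ...)
#   nixosConfigurations  the "k8s" host definition
{
  description = "flake to deploy and manage cccb k8s cluster";

  inputs = {
    # Branch reference: the exact revision is fixed only by flake.lock, so the
    # lock file should stay committed and its updates should be reviewed.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

    # Pinned to a full commit hash so the Kubernetes version cannot drift when
    # the main nixpkgs input is updated.
    nixpkgs-k8s.url = "github:NixOS/nixpkgs/846711e6d39699c930ea30630f57bbdc1b7bf824"; # kubernetes 1.33.1

    flake-utils.url = "github:numtide/flake-utils";

    agenix = {
      url = "github:ryantm/agenix";
      # Build agenix against the same nixpkgs as the rest of the flake instead
      # of pulling in a second, separately locked copy.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixpkgs-k8s, flake-utils, agenix }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };

        # Package set from the pinned Kubernetes revision. Nothing enabled in
        # this file references it yet; presumably it is meant for the
        # commented-out service modules below (confirm before removing).
        pkgs-k8s = import nixpkgs-k8s { inherit system; };
      in
      {
        formatter = pkgs.nixpkgs-fmt;

        devShells.default = pkgs.mkShell {
          packages = with pkgs; [
            agenix.packages.${system}.default
            gnumake
            kubectl
            kubernetes-helm
            cfssl

            # debugging
            age
            etcd
            openssl
          ];
        };

        # NOTE(review): because this attribute is produced inside
        # eachDefaultSystem, it is exposed as nixosConfigurations.<system>.k8s
        # and not as nixosConfigurations.k8s. Tools that look up a host by
        # name under nixosConfigurations will not find it there; confirm this
        # is intended or move the host definition outside the per-system
        # wrapper.
        nixosConfigurations."k8s" = nixpkgs.lib.nixosSystem {
          inherit system;

          modules = [
            agenix.nixosModules.default

            # Make the agenix CLI available on the host itself.
            {
              environment.systemPackages = [
                agenix.packages.${system}.default
              ];
            }

            # age-encrypted secrets, decrypted by agenix on the host.
            # The commented entries are root certificates, which are public
            # material, so mode "444" (world-readable) is acceptable for them.
            # Do not copy that mode for private keys or tokens: leave `mode`
            # unset there (agenix defaults to 0400) and set `owner` to the
            # service user that needs the secret.
            {
              age.secrets = {
                #etcd-root-crt = {
                #  file = ./secrets/etcd-root-crt.age;
                #  mode = "444";
                #  owner = "root";
                #  group = "root";
                #};
                #k8s-root-crt = {
                #  file = ./secrets/k8s-root-crt.age;
                #  mode = "444";
                #  owner = "root";
                #  group = "root";
                #};
              };
            }

            ./configuration.nix

            # NOTE(review): virtualisation.useEFIBoot appears to be declared by
            # the NixOS qemu-vm module rather than the default module set;
            # confirm configuration.nix imports it, otherwise evaluation fails
            # on an unknown option.
            {
              virtualisation = {
                useEFIBoot = true;
                libvirtd.enable = true;
              };
            }

            # Cluster service modules, currently disabled.
            #./services/etcd.nix
            #./services/k8s.nix
            #./services/k8s-apiserver.nix
            #./services/k8s-controller-manager.nix
            #./services/k8s-kubelet.nix
            #./services/k8s-proxy.nix
            #./services/k8s-scheduler.nix
          ];
        };
      });
}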