{
  description = "Constellation";

  inputs = {
    nixpkgsUnstable = {
      url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    };
    # TODO(msanft): Remove once https://github.com/NixOS/nixpkgs/commit/c429fa2ffa21229eeadbe37c11a47aff35f53ce0
    # lands in nixpkgs-unstable.
    nixpkgsBazel = {
      url = "github:NixOS/nixpkgs/c429fa2ffa21229eeadbe37c11a47aff35f53ce0";
    };
    flake-utils = {
      url = "github:numtide/flake-utils";
    };
    uplosi = {
      url = "github:edgelesssys/uplosi";
      inputs.nixpkgs.follows = "nixpkgsUnstable";
      inputs.flake-utils.follows = "flake-utils";
    };
  };

  outputs =
    { self
    , nixpkgsUnstable
    , nixpkgsBazel
    , flake-utils
    , uplosi
    }:
    flake-utils.lib.eachDefaultSystem (system:
    let
      pkgsUnstable = import nixpkgsUnstable { inherit system; };

      bazelPkgsUnstable = import nixpkgsBazel { inherit system; };

      callPackage = pkgsUnstable.callPackage;

      mkosiDev = (pkgsUnstable.mkosi.overrideAttrs (oldAttrs: rec {
        propagatedBuildInputs = oldAttrs.propagatedBuildInputs ++ (with pkgsUnstable;  [
          # package management
          dnf5
          rpm
          createrepo_c

          # filesystem tools
          squashfsTools # mksquashfs
          dosfstools # mkfs.vfat
          mtools # mcopy
          cryptsetup # dm-verity
          util-linux # flock
          kmod # depmod
          cpio # cpio
          zstd # zstd
          xz # xz

          # utils
          gnused # sed
          gnugrep # grep
        ]);
      }));

      uplosiDev = uplosi.outputs.packages."${system}".uplosi;

      openssl-static = pkgsUnstable.openssl.override { static = true; };

      bazel_7 = bazelPkgsUnstable.callPackage ./nix/packages/bazel.nix { pkgs = bazelPkgsUnstable; nixpkgs = nixpkgsBazel; };

    in
    {
      packages.mkosi = mkosiDev;

      packages.uplosi = uplosiDev;

      packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };

      packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };

      packages.libvirt = callPackage ./nix/cc/libvirt.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };

      packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };

      packages.vpn = callPackage ./nix/container/vpn/vpn.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };

      packages.awscli2 = pkgsUnstable.awscli2;

      packages.bazel_7 = bazel_7;

      packages.createrepo_c = pkgsUnstable.createrepo_c;

      packages.dnf5 = pkgsUnstable.dnf5;

      devShells.default = callPackage ./nix/shells/default.nix { inherit bazel_7; };

      formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
    });
}