{
  description = "cc-ci-orchestrator — NixOS host for the cc-ci loops runtime (Builder/Adversary/Watchdog)";

  inputs = {
    # Pinned to the same revision as the cc-ci server for ecosystem consistency.
    nixpkgs.url = "github:NixOS/nixpkgs/50ab793786d9de88ee30ec4e4c24fb4236fc2674";

    # Same pin as cc-ci server (buildGo125Module compatibility with nixpkgs 24.11).
    sops-nix.url = "github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { nixpkgs, sops-nix, ... }:
    let
      system = "x86_64-linux";
    in
    {
      # Hetzner cpx11 host (nixos-infect generated hardware.nix + orchestrator config).
      # Provision with terraform/ then run Stage 2 per terraform/README.md.
      nixosConfigurations.cc-ci-orchestrator-hetzner = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          sops-nix.nixosModules.sops
          ./nix/hosts/cc-ci-orchestrator-hetzner/hardware.nix
          ./nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
        ];
      };
    };
}