# Flake for cc-ci, the Co-op Cloud recipe CI server.
# Outputs: the `cc-ci` NixOS system, two dev shells (`default`, `lint`) and the
# `nix fmt` formatter, all for x86_64-linux.
{
  description = "cc-ci — Co-op Cloud recipe CI server (NixOS)";

  # Both inputs are pinned to a full commit hash rather than a branch, so the
  # code that builds this host only changes when someone edits these lines.
  # Treat every bump as a reviewed change, not routine drift.
  inputs = {
    # Exactly the revision cc-ci already runs, so the first rebuild from this
    # repo is a true no-op-then-base (M0). Bump deliberately, not drift.
    nixpkgs.url = "github:NixOS/nixpkgs/50ab793786d9de88ee30ec4e4c24fb4236fc2674";

    sops-nix = {
      # Held at a commit that still uses plain `buildGoModule`: sops-nix master
      # moved to `buildGo125Module` (Go 1.25), which our pinned nixpkgs 24.11
      # (2025-06-30) does not have.
      # NOTE(review): holding this input back also holds back any later
      # upstream fixes — revisit this pin whenever nixpkgs is bumped.
      url = "github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2";
      # Build sops-nix against the nixpkgs pinned above instead of its own
      # copy, so there is a single package set to track and audit.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { nixpkgs, sops-nix, ... }:
    let
      hostSystem = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${hostSystem};

      # Lint/format toolchain (Phase 1b, RL1). These are the tools the
      # `.drone.yml` lint stage and `scripts/lint.sh` use; taking them from the
      # pinned nixpkgs keeps CI and local runs in byte-for-byte agreement.
      #   Nix:    nixpkgs-fmt (format) · statix (lints) · deadnix (dead code)
      #   Python: ruff (lint + format)
      #   Shell:  shellcheck + shfmt
      #   YAML:   yamllint
      lintToolchain = [
        pkgs.nixpkgs-fmt
        pkgs.statix
        pkgs.deadnix
        pkgs.ruff
        pkgs.shellcheck
        pkgs.shfmt
        pkgs.yamllint
      ];

      # General-purpose tools for working on the harness/bridge locally.
      workTools = [ pkgs.git pkgs.jq pkgs.curl ];
    in
    {
      # The CI host itself: the sops-nix NixOS module plus the host
      # configuration kept in this repo.
      nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
        system = hostSystem;
        modules = [
          sops-nix.nixosModules.sops
          ./nix/hosts/cc-ci/configuration.nix
        ];
      };

      devShells.${hostSystem} = {
        # Devshell for local harness/bridge work: basic tools + lint toolchain.
        default = pkgs.mkShell {
          packages = workTools ++ lintToolchain;
        };

        # `nix develop .#lint` — exactly the lint toolchain, nothing else.
        # Used by `scripts/lint.sh` and the `.drone.yml` lint stage.
        lint = pkgs.mkShell {
          packages = lintToolchain;
        };
      };

      formatter.${hostSystem} = pkgs.nixpkgs-fmt;
    };
}