{
  description = "Sandboxed MicroVMs";

  # Flake-level Nix settings. Nix applies these only after the user accepts
  # the flake config, since they add a binary cache and the key it signs with.
  nixConfig = {
    extra-substituters = [ "https://microvm.cachix.org" ];
    extra-trusted-public-keys = [
      "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys="
    ];
  };

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    microvm = {
      url = "github:microvm-nix/microvm.nix";
      # Pin microvm.nix to the same nixpkgs revision as this flake.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nullclaw.url = "github:nullclaw/nullclaw";
  };

  outputs = { self, nixpkgs, microvm, nullclaw }:
    let
      system = "x86_64-linux";

      # 9p share of the host store, mounted in every guest as the lower layer.
      hostStoreShare = {
        proto = "9p";
        tag = "ro-store";
        source = "/nix/store";
        mountPoint = "/nix/.ro-store";
      };

      # QEMU user-mode network interface with a fixed, locally administered MAC.
      userNetwork = mac: {
        type = "user";
        id = "usernet";
        inherit mac;
      };

      # Shared by both guests: passwordless root with console autologin.
      # Access to a guest is therefore gated by access to its host-side
      # control socket, not by a credential inside the VM.
      consoleAccess = {
        users.users.root.password = "";
        services.getty.autologinUser = "root";
      };

      # A NixOS system wired to the microvm module plus one guest module.
      mkGuest = guestModule: nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ microvm.nixosModules.microvm consoleAccess guestModule ];
      };
    in
    {
      packages.${system} = {
        cc-sandbox = self.nixosConfigurations.claude-code.config.microvm.declaredRunner;
        nullclaw = self.nixosConfigurations.nullclaw.config.microvm.declaredRunner;
      };

      nixosConfigurations.claude-code = mkGuest ({ pkgs, ... }: {
        # Presumably required for claude-code-bin; confirm against its license.
        nixpkgs.config.allowUnfree = true;
        networking.hostName = "claude-code";
        nix.settings.experimental-features = [ "nix-command" "flakes" ];
        environment.systemPackages = with pkgs; [ claude-code-bin git curl vim ];

        microvm = {
          hypervisor = "qemu";
          vcpu = 4;
          mem = 4096;
          socket = "claude-code.socket";
          # Store writes go to the overlay below rather than the host store.
          writableStoreOverlay = "/nix/.rw-store";
          interfaces = [ (userNetwork "02:00:00:00:00:01") ];
          shares = [
            hostStoreShare
            # Host Claude config exposed read-only. The guest can read
            # whatever this host directory contains; its own changes land
            # in the overlay upper layer on the data volume instead.
            {
              proto = "9p";
              tag = "claude-config";
              source = "/home/illustris/.claude";
              mountPoint = "/var/lib/claude-lower";
              readOnly = true;
            }
          ];
          volumes = [{
            image = "claude-code-data.img";
            mountPoint = "/var/lib/claude-code";
            size = 1024;
            label = "claude-code-data";
          }];
        };

        # tmpfs backing for the writable nix store overlay; contents do not
        # survive a guest restart.
        fileSystems."/nix/.rw-store" = {
          fsType = "tmpfs";
          options = [ "size=2G" "mode=0755" ];
          neededForBoot = true;
        };

        # Claude config: reads fall through to the host's ~/.claude share,
        # writes persist on the data volume.
        fileSystems."/root/.claude".overlay = {
          lowerdir = [ "/var/lib/claude-lower" ];
          upperdir = "/var/lib/claude-code/claude-upper";
          workdir = "/var/lib/claude-code/claude-work";
        };

        system.stateVersion = "24.11";
      });

      nixosConfigurations.nullclaw = mkGuest ({ pkgs, ... }: {
        networking.hostName = "nullclaw";
        environment.systemPackages = [
          nullclaw.packages.${system}.default
          pkgs.curl
          pkgs.vim
        ];

        microvm = {
          hypervisor = "qemu";
          vcpu = 2;
          mem = 2048;
          socket = "nullclaw.socket";
          interfaces = [ (userNetwork "02:00:00:00:00:02") ];
          shares = [ hostStoreShare ];
          volumes = [{
            image = "nullclaw-data.img";
            mountPoint = "/var/lib/nullclaw";
            size = 512;
            label = "nullclaw-data";
          }];
        };

        system.stateVersion = "24.11";
      });
    };
}