{
  system ? builtins.currentSystem,
  sources ? import ../npins,
  pkgs ? import sources.nixpkgs {
    inherit system;
    config = { };
    overlays = [ ];
  },
}:
let
  package =
    let
      callPackage = pkgs.lib.callPackageWith (pkgs // pkgs.python3.pkgs);
    in
    callPackage ./nix/package.nix { };

  pkgs' = pkgs.extend (_final: _prev: { panel = package; });

  manage = pkgs.writeScriptBin "manage" ''
    exec ${pkgs.lib.getExe pkgs.python3} ${toString ./src/manage.py} $@
  '';
in
{
  shell = pkgs.mkShellNoCC {
    inputsFrom = [ package ];
    packages = [
      pkgs.npins
      manage
    ];
    env = {
      NPINS_DIRECTORY = toString ../npins;
    };
    shellHook = ''
      # in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.
      # use this directory for testing with local secrets
      mkdir -p .credentials
      echo secret > ${builtins.toString ./.credentials}/SECRET_KEY
      export CREDENTIALS_DIRECTORY=${builtins.toString ./.credentials}
      export DATABASE_URL="sqlite:///${toString ./src}/db.sqlite3"
    '';
  };

  tests = pkgs'.callPackage ./nix/tests.nix { };
  inherit package;

  # re-export inputs so they can be overridden granularly
  # (they can't be accessed from the outside any other way)
  inherit
    sources
    system
    pkgs
    ;
}