{
  system ? builtins.currentSystem,
  sources ? import ../npins,
  pkgs ? import sources.nixpkgs {
    inherit system;
    config = { };
    overlays = [ (import ./nix/overlay.nix) ];
  },
}:
let
  inherit (pkgs) lib;
  manage = pkgs.writeScriptBin "manage" ''
    exec ${pkgs.lib.getExe pkgs.python3} ${toString ./src/manage.py} $@
  '';
  jsonschema = pkgs.callPackage ./jsonschema.nix { } {
  };
  frontend-options = jsonschema.parseModule ../deployment/options.nix;
  schema = with builtins; toFile "schema.json" (toJSON frontend-options);
  codegen = "${pkgs.python3Packages.datamodel-code-generator}/bin/datamodel-codegen";
  pydantic =
    pkgs.runCommand "schema.py"
      {
      }
      ''
        ${codegen} --input ${schema} | sed '/from pydantic/a\
        from drf_pydantic import BaseModel' > $out
      '';
in
{
  inherit frontend-options;
  shell = pkgs.mkShellNoCC {
    inputsFrom = [ (pkgs.callPackage ./nix/package.nix { }) ];
    packages = [
      pkgs.npins
      pkgs.jq
      manage
    ];
    env = import ./env.nix { inherit lib pkgs; } // {
      NPINS_DIRECTORY = toString ../npins;
      CREDENTIALS_DIRECTORY = toString ./.credentials;
      DATABASE_URL = "sqlite:///${toString ./src}/db.sqlite3";
    };
    shellHook = ''
      install -m 644 ${pydantic} ${builtins.toString ./src/panel/configuration/schema.py}

      ln -sf ${sources.htmx}/dist/htmx.js src/panel/static/htmx.min.js
      # in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.
      # use this directory for testing with local secrets
      mkdir -p $CREDENTIALS_DIRECTORY
      echo secret > ${builtins.toString ./.credentials}/SECRET_KEY
    '';
  };

  module = import ./nix/configuration.nix;
  tests = pkgs.callPackage ./nix/tests.nix { };

  # re-export inputs so they can be overridden granularly
  # (they can't be accessed from the outside any other way)
  inherit
    sources
    system
    pkgs
    ;
}