{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
    rust-overlay = {
      url = "github:oxalica/rust-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    inputs@{ flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];

      perSystem =
        {
          pkgs,
          system,
          ...
        }:
        let
          overlays = [ (import inputs.rust-overlay) ];
          pkgs' = import inputs.nixpkgs {
            inherit system overlays;
          };

          buildEnvVars = {
            BIN_XDG_PERMISSION_STORE = "${pkgs.xdg-desktop-portal}/libexec/xdg-permission-store";
            BIN_XDG_DOCUMENT_PORTAL = "${pkgs.xdg-desktop-portal}/libexec/xdg-document-portal";
            BIN_VIRTIOFSD = "${pkgs.virtiofsd}/bin/virtiofsd";
          };

          rustToolchain = pkgs'.pkgsBuildHost.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
          rustPlatform = pkgs'.makeRustPlatform {
            cargo = rustToolchain;
            rustc = rustToolchain;
          };

          rustPackage =
            crate:
            let
              cargoToml = builtins.fromTOML (builtins.readFile ./${crate}/Cargo.toml);
            in
            rustPlatform.buildRustPackage {
              inherit (cargoToml.package) name version;
              src = ./.;
              cargoLock.lockFile = ./Cargo.lock;
              cargoLock.outputHashes = {
                "zbus-5.9.0" = "sha256-uaHPHdmDWYy0jeKPd0/eCUupID2tswGHmEmscp6fCII=";
                "busd-0.4.0" = "sha256-hIvjt3v6AYc7URLFknXTmSc+NdxOlN/2RGXVsuoNgA4=";
              };
              buildAndTestSubdir = crate;
              env = buildEnvVars;
            };
        in
        {
          devShells.default = pkgs'.mkShell {
            buildInputs = [ rustToolchain ];
            env = buildEnvVars;
          };

          packages.sidebus-agent = rustPackage "sidebus-agent";
          packages.sidebus-broker = rustPackage "sidebus-broker";
        };

      flake = {
        nixosModules.sidebus-vm =
          { ... }:
          {
            environment.sessionVariables.DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/sidebus.sock";
            systemd.sockets.sidebus-agent = {
              # SocketMode= is 0666 by default
              listenStreams = [ "/run/sidebus.sock" ];
              wantedBy = [ "sockets.target" ];
              documentation = [ "https://git.clan.lol/valpackett/sidebus" ];
            };
            systemd.services.sidebus-agent = {
              # TODO: confinement (can do a lot)
              serviceConfig = {
                ExecStart = throw "sidebus-vm module requires setting systemd.services.sidebus-agent.serviceConfig.ExecStart to a sidebus-agent package";
                ImportCredential = "sidebus.*";
              };
              documentation = [ "https://git.clan.lol/valpackett/sidebus" ];
            };
            systemd.mounts = [
              {
                type = "virtiofs";
                what = "vm-doc-portal";
                where = "/run/vm-doc-portal";
                wantedBy = [ "multi-user.target" ];
              }
            ];
          };
      };
    };
}