{
  description = "MariaDB flake usage example";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-25.11";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    mariadb-server = {
      url = "./services/mariadb/";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = {
    self, nixpkgs, sops-nix, mariadb-server, ...
  }: {
    # Re-export individual modules
    nixosModules = {
      mariadb = mariadb-server.nixosModules.mariadb;
    };

    # Convenience module: imports all service modules + sets default config
    nixosModules.ogc = {config, lib, ...}:
    let
      cfg = config.ogc;
    in {
      imports = [
        mariadb-server.nixosModules.mariadb
        sops-nix.nixosModules.sops
      ];

      options.ogc = {
        organization = lib.mkOption {
          type = lib.types.str;
        };
        extension = lib.mkOption {
          type = lib.types.str;
        };
        domain = lib.mkOption {
          type = lib.types.str;
        };
      };

      config = {
        sops = {
          defaultSopsFile = ./secrets/ogc.yaml;
          # This will automatically import SSH keys as age keys
          age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          # This is using an age key that is expected to already be in the filesystem
          age.keyFile = "~/.config/sops/age/keys.txt";
          # This will generate a new key if the key specified above does not exist
          age.generateKey = true;
          secrets."mariadb/root" = {};
          secrets."mariadb/nextcloud" = {};
        };

        # MariaDB
        mariadb = {
          enable = lib.mkDefault true;
          rootPasswordFile = lib.mkDefault "/run/secrets/mariadb/root";
          nextcloudPasswordFile = lib.mkDefault "/run/secrets/mariadb/nextcloud";
        };
      };
    };

    nixosModules.default = self.nixosModules.ogc;
  };
}