diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index 3fb63ec..0000000
--- a/flake.lock
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1716361217, - "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -}
diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index 5c0c2d6..0000000
--- a/flake.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
- };
-
- outputs = { self, nixpkgs, ... }@inputs: {
- nixosConfigurations = {
- tohru = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./hosts/tohru/configuration.nix
- ];
- };
- yevaud = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./hosts/yevaud/configuration.nix
- ];
- };
- };
- };
-}
diff --git a/hive.nix b/hive.nix
new file mode 100644
index 0000000..4e4ffb9
--- /dev/null
+++ b/hive.nix
@@ -0,0 +1,25 @@
+let sources = import ./npins;
+in {
+ meta = {
+ nixpkgs = sources.nixpkgs;
+ };
+
+ defaults = { pkgs, ... }: {
+ imports = [ ./pinning.nix ];
+ deployment.replaceUnknownProfiles = false;
+ };
+
+ tohru = { name, nodes, ... }: {
+ deployment = {
+ allowLocalDeployment = true;
+ targetHost = null;
+ };
+
+ imports = [ ./hosts/tohru/configuration.nix ];
+ };
+
+ yevaud = {
+ deployment.targetHost = "yevaud.birdsong.network";
+ imports = [ ./hosts/yevaud/configuration.nix ];
+ };
+}
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
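Review bot: In hive.nix the `yevaud` node sets only `deployment.targetHost`, so the SSH login user falls back to Colmena's default (root) and nothing in the file tells the next reader that this host is pushed to over the network as root. I would either make that explicit with `deployment.targetUser = "root";` or add a comment above the node such as `# Deployed over SSH as root (Colmena default); host-key trust comes from the operator's ssh config.` The `defaults` block would also benefit from a one-line comment on why `replaceUnknownProfiles = false` is set, since it is a safety guard that is easy to delete by accident. Separately, the `name` and `nodes` arguments on `tohru` are unused in the visible body and can be dropped, which would make it match the plain attrset form used for `yevaud`.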
@@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..e3ca425
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,23 @@ +{ + "pins": { + "home-manager": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "home-manager" + }, + "branch": "release-23.11", + "revision": "2c78a57c544dd19b07442350727ced097e1aa6e6", + "url": "https://github.com/nix-community/home-manager/archive/2c78a57c544dd19b07442350727ced097e1aa6e6.tar.gz", + "hash": "1zb4qsyn7l1zdiv1kjx07jvgnakpsifc62fxcim50w3ni27cwxk3" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixos-23.11", + "url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.7313.9d29cd266ceb/nixexprs.tar.xz", + "hash": "0phfgypnshhlh6ri54yp2f9qabq0hlq06jn46zv692jy6axss4kx" + } + }, + "version": 3 +} \ No newline at end of file
diff --git a/pinning.nix b/pinning.nix
new file mode 100644
index 0000000..dd508f5
--- /dev/null
+++ b/pinning.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+let sources = import ./npins;
+in {
+ # https://jade.fyi/blog/pinning-nixos-with-npins/
+
+ # We need the flakes experimental feature to do the NIX_PATH thing cleanly
+ # below. Given that this is literally the default config for flake-based
+ # NixOS installations in the upcoming NixOS 24.05, future Nix/Lix releases
+ # will not get away with breaking it.
+ nix.settings.experimental-features = "nix-command flakes";
+
+ # FIXME(24.05 or nixos-unstable): change following two rules to
+ #
+ # nixpkgs.flake.source = sources.nixpkgs;
+ #
+ # which does the exact same thing, using the same machinery as flake configs
+ # do as of 24.05.
+ nix.registry.nixpkgs.to = {
+ type = "path";
+ path = sources.nixpkgs;
+ };
+ nix.nixPath = ["nixpkgs=flake:nixpkgs"];
+}
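Review bot: In pinning.nix, `nix.settings.experimental-features = "nix-command flakes";` is written as a single string, and because hive.nix imports this module into every node through `defaults`, a host configuration that also sets the option would probably fail evaluation with conflicting definitions instead of merging. The list form merges cleanly: `nix.settings.experimental-features = [ "nix-command" "flakes" ];`. The `nix.nixPath` line replaces the whole search path, not just the `nixpkgs` entry, which looks intentional; a short comment such as `# Only the pinned nixpkgs is on NIX_PATH; unpinned channels are deliberately not consulted.` would record that the single entry is a supply-chain decision, not an omission.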