{ ... }: {
  flake.nixosModules.systemUconsoleKernelBuilder =
    { config, lib, pkgs, ... }:
    let
      cfg = config.chiasson.system.uconsoleKernelBuilder;
    in
    {
      options.chiasson.system.uconsoleKernelBuilder = {
        enable = lib.mkEnableOption ''
          x86_64 box: binfmt aarch64, looser sandbox, uConsole cache, ccache — for building the Pi image. Not for the device.
        '';
      };

      config = lib.mkIf cfg.enable {
        nix.settings = {
          extra-platforms = lib.mkDefault [ "aarch64-linux" ];

          # Cross builds hit seccomp weirdness — turn sandbox off on this role.
          sandbox = lib.mkDefault false;
          filter-syscalls = lib.mkDefault false;

          extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
        };

        boot.binfmt.emulatedSystems = lib.mkDefault [ "aarch64-linux" ];

        programs.ccache.enable = true;
      };
    };
}