{ inputs, lib, config, ... }:

## NixOps4 resource definition for one ProcoliX VM: wires the deployer-side
## SSH settings and injects the resource's shared options and age secrets into
## the NixOS configuration. Only what truly depends on the resource belongs
## here; the rest lives in `./nixos`.
let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

  secretsPrefix = ../../secrets;
  ## `secrets.nix` is the agenix manifest: an attrset of `<name>.age` entries,
  ## each listing the `publicKeys` the file is encrypted to.
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;

  ## This host's public key, looked up by the resource's name. Nix aborts
  ## evaluation if the host has no entry in `keys.systems`, so an unregistered
  ## host cannot be deployed at all rather than being deployed without secrets.
  hostPublicKey = keys.systems.${config.procolixVm.name};
in
{
  imports = [ ./options.nix ];

  ssh = {
    host = config.procolixVm.ipv4.address;
    ## The expected host key is given to the deployer alongside the address;
    ## presumably it is used to verify the server's identity on connect —
    ## confirm against the NixOps4 SSH provider.
    hostPublicKey = hostPublicKey;
  };

  nixpkgs = inputs.nixpkgs;

  ## The configuration of the machine. We strive to keep in this file only the
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
      inputs.agenix.nixosModules.default
      ./options.nix
      ./nixos
    ];

    ## Inject the shared options from the resource's `config` into the NixOS
    ## configuration.
    procolixVm = config.procolixVm;

    ## Read all the secrets, filter the ones that are supposed to be readable
    ## with this host's public key, and add them correctly to the configuration
    ## as `age.secrets.<name>.file` (with the `.age` suffix stripped from the
    ## attribute name). Secrets not encrypted to this host are left out
    ## entirely, so agenix is never asked to decrypt material this host cannot
    ## read. `optionalAttrs` yields `{}` for filtered-out entries, which
    ## `concatMapAttrs` merges away.
    age.secrets = concatMapAttrs (
      name: secret:
      optionalAttrs (elem hostPublicKey secret.publicKeys) ({
        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
      })
    ) secrets;

    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
    ## NOTE(review): every key listed in `keys.contributors` gets direct root
    ## SSH access on this host; treat changes to that file as privileged changes
    ## and review them accordingly.
    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
  };
}