{
  self,
  inputs,
  lib,
  ...
}:

let
  inherit (lib) attrValues mapAttrs;
  inherit (lib.attrsets) genAttrs;

  makeResource =
    vmid:
    { providers, ... }:
    let
      vmConfig = import (./. + "/${vmid}");
    in
    {
      type = providers.local.exec;
      imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];

      ssh = {
        host = vmConfig.procolix.vm.ip4;
        opts = "";
        hostPublicKey = self.keys.systems.${vmid};
      };

      nixpkgs = inputs.nixpkgs;

      nixos.module = {
        imports = [
          ## NOTE: We import an attrset as a NixOS module, for convenience, so
          ## as to be able to use it in NixOps4 and to grab information from it
          ## (eg. the IP) without evaluating the whole configuration first.
          vmConfig

          ./common
          self.nixosModules.ageSecrets
        ];

        ## Necessary to filter Age secrets.
        fediversity.hostPublicKey = self.keys.systems.${vmid};

        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
        ## provider supports users with password-less sudo.
        users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
      };
    };

  makeDeployments = mapAttrs (
    _: vmids:
    { providers, ... }:
    {
      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
      resources = genAttrs vmids (vmid: makeResource vmid { inherit providers; });
    }
  );

in
{
  nixops4Deployments = makeDeployments {
    git = [
      "vm02116"
      "fedi300"
    ];
    web = [ "vm02187" ];
    other = [
      "vm02179"
      "vm02186"
    ];
  };
}