{
  inputs,
  lib,
  config,
  keys,
  secrets,
  ...
}:
let
  ## Shorthand for the shared VM options that this resource both sets
  ## (`hostPublicKey`) and reads (`name`, `ipv4.address`).
  vm = config.fediversityVm;

  ## Age secret name derived from the secret's file name: `foo.age` -> `foo`.
  secretName = name: lib.strings.removeSuffix ".age" name;

  ## A secret is wired into the machine only when this host's public key is
  ## among the secret's recipients; otherwise the machine could not decrypt it.
  readableByHost = _name: secret: lib.elem vm.hostPublicKey secret.publicKeys;

  ## Mapping from secret name to the absolute path of its `.age` file, limited
  ## to the secrets this host can actually read.
  hostSecrets = lib.attrsets.concatMapAttrs (
    name: _secret: { ${secretName name}.file = secrets.rootPath + "/${name}"; }
  ) (lib.attrsets.filterAttrs readableByHost secrets.mapping);
in
{
  _class = "nixops4Resource";

  imports = [ ./options.nix ];

  ## Unless overridden, the host key is the one registered for this machine
  ## under `keys.systems`.
  fediversityVm.hostPublicKey = lib.mkDefault keys.systems.${vm.name};

  ## Connection details used by the deployment tool to reach the machine.
  ssh = {
    host = vm.ipv4.address;
    hostPublicKey = vm.hostPublicKey;
  };

  inherit (inputs) nixpkgs;

  ## The configuration of the machine. Only options that genuinely need to be
  ## injected from the resource live here; everything else belongs in the
  ## `./nixos` subdirectory.
  nixos.module = {
    imports = [
      ./options.nix
      ./nixos
      ./proxmox-qemu-vm.nix
    ];

    ## Forward the resource's shared options into the NixOS configuration.
    fediversityVm = vm;

    ## Secrets this host is a recipient of, keyed by name, pointing at their
    ## encrypted files.
    age.secrets = hostSecrets;

    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
    users.users.root.openssh.authorizedKeys.keys =
      lib.attrValues keys.contributors
      ++ [
        # allow our panel vm access to the test machines
        keys.panel
        # allow continuous deployment access
        keys.cd
      ];
  };
}