{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs.callPackage ../../utils.nix { }) evalOption;
  backendPort = builtins.toString 8080;
  tfBackend = fragment: {
    address = "http://localhost:${backendPort}/state/${fragment}";
  };
  inherit
    (pkgs.callPackage ../../run {
      inherit sources;
    })
    tf-netbox-store-ips
    tf-netbox-get-ip
    ;
  netbox-store-ips = evalOption "tf-netbox-store-ips" tf-netbox-store-ips {
    httpBackend = tfBackend "proxmox-test/store-ips";
    startAddress = "192.168.10.236/24";
    endAddress = "192.168.10.240/24";
  };
  netbox-get-ip = evalOption "tf-netbox-get-ip" tf-netbox-get-ip {
    httpBackend = tfBackend "proxmox-test/get-ip";
  };
  netboxUser = "netbox";
  netboxPassword = "netbox";
  changePassword = pkgs.writeText "change-password.py" ''
    from users.models import User
    u = User.objects.get(username='${netboxUser}')
    u.set_password('${netboxPassword}')
    u.save()
  '';
in
{
  _class = "nixosTest";
  name = "netbox-ips";

  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];

      environment.systemPackages = [
        pkgs.jq
        (pkgs.callPackage ../../run/tf-netbox-store-ips/tf.nix { })
        (pkgs.callPackage ../../run/tf-netbox-get-ip/tf.nix { })
      ];

      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":${backendPort}";
          # FIXME randomly generate this
          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
        };
      };
      services.netbox = {
        enable = true;
        # FIXME randomly generate this
        secretKeyFile = pkgs.writeText "netbox-secret" "634da8232803a8155a58584d3186127000207e079d600fc10a890e5cd59c2f4b8f0e0654005944d2ce87f5be9c22ceebec66";
        port = 8001;
      };
      systemd.services.netbox.serviceConfig.TimeoutStartSec = "15m";
    };

  extraTestScript = ''
    deployer.succeed("""
      netbox-manage createsuperuser --noinput --user "${netboxUser}" --email "test@domain.tld" >&2
      cat '${changePassword}' | netbox-manage shell
    """)
    netbox_token = deployer.succeed("""
      curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8001/api/users/tokens/provision/ --data '{"username":"${netboxUser}","password":"${netboxPassword}"}' | jq -r .key
    """).strip()
    ip_range_id = deployer.succeed(f"""
      export NETBOX_SERVER_URL="localhost:8001"
      export NETBOX_API_TOKEN="{netbox_token}"
      ${lib.getExe netbox-store-ips.run} | jq -r '.id.value'
    """).strip()
    ipv4 = deployer.succeed(f"""
      export NETBOX_SERVER_URL="localhost:8001"
      export NETBOX_API_TOKEN="{netbox_token}"
      export TF_VAR_ip_range_id={ip_range_id}
      ${lib.getExe netbox-get-ip.run} | jq -r '.ipv4.value'
    """).strip()
    assert ipv4 == "192.168.10.236/24"
  '';
}