{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs) system;
  backendPort = builtins.toString 8080;
  tfBackend = fragment: {
    address = "http://localhost:${backendPort}/state/${fragment}";
  };
  inherit
    (pkgs.callPackage ../../run {
      inherit sources system;
    })
    tf-netbox-store-ips
    tf-netbox-get-ip
    ;
  netbox-store-ips =
    (lib.evalModules {
      modules = [
        {
          options = { inherit tf-netbox-store-ips; };
          config.tf-netbox-store-ips = {
            httpBackend = tfBackend "proxmox-test/store-ips";
            startAddress = "192.168.10.236/24";
            endAddress = "192.168.10.240/24";
          };
        }
      ];
    }).config.tf-netbox-store-ips;
  netbox-get-ip =
    (lib.evalModules {
      modules = [
        {
          options = { inherit tf-netbox-get-ip; };
          config.tf-netbox-get-ip = {
            httpBackend = tfBackend "proxmox-test/get-ip";
          };
        }
      ];
    }).config.tf-netbox-get-ip;
  netboxUser = "netbox";
  netboxPassword = "netbox";
  changePassword = pkgs.writeText "change-password.py" ''
    from users.models import User
    u = User.objects.get(username='${netboxUser}')
    u.set_password('${netboxPassword}')
    u.save()
  '';
in
{
  _class = "nixosTest";
  name = "netbox-ips";

  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];

      nix.nixPath = [
        (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources))
      ];

      environment.systemPackages = [
        pkgs.jq
        (pkgs.callPackage ../../run/tf-netbox-store-ips/tf.nix { })
        (pkgs.callPackage ../../run/tf-netbox-get-ip/tf.nix { })
      ];

      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":${backendPort}";
          # FIXME randomly generate this
          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
        };
      };
      services.netbox = {
        enable = true;
        # FIXME randomly generate this
        secretKeyFile = pkgs.writeText "netbox-secret" "634da8232803a8155a58584d3186127000207e079d600fc10a890e5cd59c2f4b8f0e0654005944d2ce87f5be9c22ceebec66";
        port = 8001;
      };
    };

  extraTestScript = ''
    deployer.succeed("""
      netbox-manage createsuperuser --noinput --user "${netboxUser}" --email "test@domain.tld" >&2
      cat '${changePassword}' | netbox-manage shell
    """)
    netbox_token = deployer.succeed("""
      curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" http://localhost:8001/api/users/tokens/provision/ --data '{"username":"${netboxUser}","password":"${netboxPassword}"}' | jq -r .key
    """).strip()
    ip_range_id = deployer.succeed(f"""
      export NETBOX_SERVER_URL="localhost:8001"
      export NETBOX_API_TOKEN="{netbox_token}"
      ${lib.getExe netbox-store-ips.run} | jq -r '.id.value'
    """).strip()
    ipv4 = deployer.succeed(f"""
      export NETBOX_SERVER_URL="localhost:8001"
      export NETBOX_API_TOKEN="{netbox_token}"
      export TF_VAR_ip_range_id={ip_range_id}
      ${lib.getExe netbox-get-ip.run} | jq -r '.ipv4.value'
    """).strip()
    assert ipv4 == "192.168.10.236/24"
  '';
}