{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs) system;
  backendPort = builtins.toString 8080;
  httpBackend = rec {
    TF_HTTP_USERNAME = "basic";
    TF_HTTP_PASSWORD = "fake-secret";
    TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
    TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
    TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
  };
  deployment-config = {
    inherit httpBackend;
    inherit (import ./constants.nix) pathToRoot;
    nodeName = "pve";
    targetSystem = system;
    sshOpts = [ ];
    key-file = "/root/.ssh/id_ed25519";
    proxmox-user = "root@pam";
    proxmox-password = "mytestpw";
    node-name = "pve";
    bridge = "br0";
    vlanId = 0;
    imageDatastoreId = "local";
    vmDatastoreId = "local";
    cdDatastoreId = "local";
    ipv4Gateway = "192.168.1.1";
    ipv4Address = "192.168.1.236/24";
    ipv6Gateway = "";
    ipv6Address = "";
  };
  # FIXME generate the image `nixos-generate` was to make, but now do it for a desired `-c configuration.nix` rather than whatever generic thing now
  deployment =
    (import ../common/data-model.nix {
      inherit system;
      config = deployment-config;
      # opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call
    })."tf-proxmox-deployment".tf-proxmox-host;
in
{
  _class = "nixosTest";
  imports = [
    ../common/data-model-options.nix
  ];

  name = "deployment-model";
  sourceFileset = lib.fileset.unions [
    ../../run/tf-proxmox/run.sh
  ];

  nodes.pve =
    { sources, ... }:
    {
      imports = [
        "${sources.proxmox-nixos}/modules/proxmox-ve"
      ];
      environment.systemPackages = [
        pkgs.jq
      ];
      users.users.root = {
        password = "mytestpw";
        hashedPasswordFile = lib.mkForce null;
      };
      # https://github.com/SaumonNet/proxmox-nixos/blob/main/modules/proxmox-ve/default.nix
      services.proxmox-ve = {
        enable = true;
        ipAddress = "192.168.1.1";
      };
      virtualisation = {
        diskSize = 2 * 1024;
        memorySize = 2048;
      };
      # prevent error: Kernel panic - not syncing: Host injected async #PF in kernel mode
      boot.kernelParams = [ "kvm.async_pf=0" ];
    };

  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];

      nix.nixPath = [
        (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources))
      ];

      environment.systemPackages = [
        deployment.run
        pkgs.pve-manager
        pkgs.openssl
        (pkgs.callPackage ../../run/tf-proxmox/tf.nix { inherit sources; })
      ];

      # needed only when building from deployer
      system.extraDependenciesFromModule =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [
            hello
          ];
        };
      system.extraDependencies = [
        pkgs.ubootQemuX86
        pkgs.ubootQemuX86.inputDerivation
        pkgs.pve-qemu
        pkgs.pve-qemu.inputDerivation
        pkgs.gnu-config
        pkgs.byacc
        pkgs.stdenv
        pkgs.stdenvNoCC
        sources.nixpkgs
        pkgs.vte
      ];
      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":${backendPort}";
          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
        };
      };
    };

  extraTestScript = ''
    pve.wait_for_unit("pveproxy.service")
    assert "running" in pve.succeed("pveproxy status")
    pve.succeed("mkdir -p /run/pve")
    assert "Proxmox" in pve.succeed("curl -s -i -k https://localhost:8006")

    # pve.succeed("pvesh set /access/password --userid root@pam --password mypwdlol --confirmation-password mytestpw 1>&2")
    # pve.succeed("curl -s -i -k -d '{\"userid\":\"root@pam\",\"password\":\"mypwdhaha\",\"confirmation-password\":\"mypwdlol\"}' -X PUT https://localhost:8006/api2/json/access/password 1>&2")
    cert = pve.succeed("cat /etc/pve/pve-root-ca.pem").strip()

    # set up proxmox
    pm_token = pve.succeed("""
      set -e
      pvesh create /pools --poolid Fediversity
      pvesh set /storage/local --content "vztmpl,rootdir,backup,snippets,import,iso,images" 1>/dev/null
      pvesh create /access/groups --groupid "roots"
      pvesh set /access/users/root@pam --enable 1 --groups "roots"
      pvesh set /access/acl --path "/" --roles "Administrator" --groups "roots"
      pvesh create /access/users/root@pam/token/mytoken --privsep 0 --output-format json | jq -r .value
    """).strip()
    # FIXME pass separate privileges rather than disabling privsep

    # skip indent for EOF
    deployer.succeed(f"""
    cat > /etc/ssl/certs/pve-root-ca.pem <<EOF
    {cert}
    EOF
    """)

    deployer.succeed("""
      set -xe
      cd /etc/ssl/certs
      { cat ca-bundle.crt
        cat ca-certificates.crt
        cat pve-root-ca.pem
      } > new-ca-bundle.crt
      rm ca-bundle.crt ca-certificates.crt
      mv new-ca-bundle.crt ca-bundle.crt
      ln -s ca-bundle.crt ca-certificates.crt
      openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
    """)

    with subtest("Run the deployment"):
      deployer.succeed(f"""
        export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
        ${lib.getExe deployment.run} >&2
      """)
      # target.succeed("su - operator -c hello 1>&2")
  '';
}