{ lib, config, ... }:
let
  inherit (lib) attrValues elem mkDefault;
  inherit (lib.attrsets) concatMapAttrs;
  inherit (lib.strings) removeSuffix;

  secretsPrefix = ../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../keys;

  ## The public key this host is known by. It defaults to the entry for this
  ## VM in `keys.systems` (see `fediversityVm.hostPublicKey` below), but since
  ## that default can be overridden, the secret selection follows the
  ## effective value rather than the `keys.systems` lookup directly.
  hostKey = config.fediversityVm.hostPublicKey;

  ## A secret in `secrets.nix` is meant for this host exactly when the host's
  ## public key is listed among that secret's recipients (`publicKeys`).
  isForThisHost = secret: elem hostKey secret.publicKeys;

  ## Turn a `<name>.age` entry into the `age.secrets.<name>` attribute that
  ## points at the encrypted file under `../secrets`.
  toAgeSecret = name: {
    ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
  };
in
{
  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};

  ## The configuration of the machine. We strive to keep in this file only the
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  imports = [
    ../infra/common/options.nix
    ../infra/common/nixos
  ];

  ## Read all the secrets, keep only the ones readable with this host's public
  ## key, and register each of them as `age.secrets.<name>.file`. Secrets not
  ## addressed to this host are left out entirely rather than registered and
  ## failing at decryption time.
  age.secrets = concatMapAttrs (
    name: secret: if isForThisHost secret then toAgeSecret name else { }
  ) secrets;

  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
  ## supports users with password-less sudo.
  ## Until then every key in `keys.contributors` grants root SSH access.
  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
}