## NixOS module for a test VM: it pulls in the QEMU guest profile and the NixOS
## test base, plus this project's shared options and common users.
##
## NOTE(review): several settings below (root SSH login, a snakeoil certificate
## in the system trust store) are only reasonable on throwaway test machines.
## Do not import this module from a real host configuration.
{
  inputs,
  config,
  lib,
  modulesPath,
  ...
}:

let
  ## Snakeoil certificates shipped with the nixpkgs ACME test server.
  testCerts = import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix";
in
{
  _class = "nixos";

  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    (modulesPath + "/../lib/testing/nixos-test-base.nix")
    ./sharedOptions.nix
    ../../../infra/common/nixos/users.nix
  ];

  config = lib.mkMerge [
    ## Settings that apply to every test node.
    {
      ## The test framework turns switching off by default. That alone might be
      ## fine, but this configuration is also used to compute the dependencies
      ## in `deployer.system.extraDependencies`, so switching has to stay on.
      system.switch.enable = true;

      ## Try each download once only; this short-cuts network time-outs.
      nix.settings.download-attempts = 1;

      ## Not used; save a large copy operation.
      nix.channel.enable = false;
      nix.registry = lib.mkForce { };

      ## The node runs sshd, lets root log in and opens port 22.
      ## NOTE(review): "yes" does not restrict root to key-based authentication.
      ## How root authenticates is not visible in this file (presumably via
      ## ../../../infra/common/nixos/users.nix or the test driver -- confirm).
      ## If the tests only ever use keys, "prohibit-password" would be tighter.
      services.openssh.enable = true;
      services.openssh.settings.PermitRootLogin = "yes";
      networking.firewall.allowedTCPPorts = [ 22 ];

      ## Test VMs don't have a bootloader by default. Alternatives that were
      ## tried are kept below, commented out, with the failure each one hit.
      # boot.loader = {
      #   # GRUB enabled: installation of GRUB on /dev/disk/by-id/virtio-root failed: No such file or directory
      #   grub.enable = false;
      #   # systemd boot enabled: '/boot' is not a mounted partition. Is the path configured correctly?
      #   systemd-boot.enable = true;
      #   efi.canTouchEfiVariables = true;
      # };
      # # same issue as no bootloader
      # boot.loader.generic-extlinux-compatible.enable = false;
      # builds but won't boot back up
      boot.loader.grub.forceInstall = true;
      # # builds but won't boot back up
      # # to be used with --no-bootloader, which i could only find for flakes
      # boot.loader.grub.enable = false;
    }

    ## Settings that apply only when `config.enableAcme` is set
    ## (presumably declared in ./sharedOptions.nix -- confirm).
    (lib.mkIf config.enableAcme {
      security.acme = {
        acceptTerms = true;
        defaults = {
          email = "test@test.com";
          server = "https://acme.test/dir";
        };
      };

      security.pki.certificateFiles = [
        ## NOTE: This is the certificate that the Pebble HTTPS server presents.
        ## It is NOT the root CA of the Pebble server. It is added so that
        ## Pebble clients can talk to the Pebble API; it does not let these
        ## machines verify the certificates that Pebble generates.
        ##
        ## NOTE(review): this places a nixpkgs snakeoil certificate in the
        ## system-wide trust store. Snakeoil material is public test data, so
        ## trusting it is acceptable on test VMs only.
        testCerts.ca.cert
      ];

      ## FIXME: it is a bit sad that all this logistics is necessary. Look into
      ## better DNS stuff. For now `acme.test` is pinned to the ACME node's IP
      ## through the hosts file.
      networking.extraHosts = "${config.acmeNodeIP} acme.test";
    })
  ];
}