{
  lib,
  ...
}:
{
  _class = "nixops4Resource";

  # XXX this needs an SSH config entry `forgejo-ci` to locate and access the machine. also needs `HostKeyAlias`.
  ssh.host = lib.mkForce "forgejo-ci";

  fediversityVm = {
    domain = "procolix.com";

    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
  };

  nixos.module =
    {
      config,
      lib,
      ...
    }:
    let
      inherit (lib) mkDefault mkForce;
    in
    {
      _class = "nixos";

      imports = [
        ./forgejo-actions-runner.nix
      ];

      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;

      networking = {
        nftables.enable = mkForce false;
        hostId = "1d6ea552";
      };

      ## NOTE: This is a physical machine, so is not covered by disko
      fileSystems."/" = {
        device = "rpool/root";
        fsType = "zfs";
      };

      fileSystems."/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };

      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
}