{
  system,
  host-mapping,
  sources ? import ../../npins,
  conf ? { },
  ...
}:
let
  inherit (sources) nixpkgs;
  pkgs = import nixpkgs { inherit system; };
  inherit (pkgs) lib;
  inherit (lib) types;
  pathToRoot = builtins.path {
    path = ../..;
    name = "root";
  };
  sshOpts = [ ];
in
(pkgs.callPackage ../utils.nix { }).evalModel (
  { config, ... }:
  {
    imports = [
      ./resources
      ./applications
      ./configurations.nix
      ../../infra/common/options.nix
    ];
    options =
      {
        operator = lib.mkOption {
          default = pkgs.writeShellScriptBin "deploy-apps.sh" (
            lib.concatStringsSep "\n" (
              lib.mapAttrsToList (app: _: ''
                echo 'DEPLOYING APP: ${app}'
                ${config.${app}}
              '') host-mapping
            )
          );
        };
        # get a typed reference to the app deployments to expose their `run`
        tags = lib.mkOption {
          type = types.attrsOf config.deployment-type;
          default = lib.mapAttrs (
            app: _:
            config.environments.${app}.deployment {
              # these are the values used in recursion, i.e. those for ssh-host.nix
              configuration = config."default-configuration";
              deployment-name = "default";
            }
          ) host-mapping;
        };
      }
      // lib.mapAttrs (
        app: _:
        lib.mkOption {
          type = types.path;
          default = lib.getExe config.tags.${app}.ssh-host.run;
        }
      ) host-mapping;
    config = lib.mkMerge [
      {
        environments = lib.mapAttrs (app: host: {
          resources =
            {
              "external".garage = { };
              "fediversity".nixos-module = { };
              "age".secrets = { };
            }
            // lib.mapAttrs (_: host: {
              network = (import ../../machines/operator/${host}).fediversityVm;
            }) host-mapping;
          implementation =
            {
              deployment-name,
              ...
            }:
            {
              # try and use `ssh-host` since as of writing there is no plural variant
              ssh-host = {
                inherit system;
                ssh = {
                  username = "root";
                  host = "${host}.abundos.eu";
                  key-file = null;
                  inherit sshOpts;
                };
                inherit deployment-name;
                root-path = pathToRoot;
                # recursion happens on the level of ssh-single-host, so let's go by that
                caller = "deployment/fediversity/ssh-host.nix";
                args = {
                  inherit system;
                  nodeName = "${host}.abundos.eu";
                  network = (import ../../machines/operator/${host}).fediversityVm;
                  conf = lib.recursiveUpdate conf {
                    default-configuration.applications = lib.mapAttrs (_app: _: { enable = false; }) host-mapping // {
                      ${app}.enable = true;
                    };
                  };
                };
                # omitting `nixos-configuration` as it's instead passed thru recursion's `ssh-host`
              };
            };
        }) host-mapping;
      }
      conf
      # splice global config into apps using it
      {
        default-configuration.applications.pixelfed = { inherit (conf.default-configuration) initialUser; };
      }
    ];
  }
)