{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs) system;
  backendPort = builtins.toString 8080;
  httpBackend = rec {
    TF_HTTP_USERNAME = "basic";
    TF_HTTP_PASSWORD = "fake-secret";
    TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
    TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
    TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
  };
  # FIXME generate the image `nixos-generate` was to make, but now do it for a desired `-c configuration.nix` rather than whatever generic thing now
  deployment =
    (import ./data-model.nix {
      inherit sources system;
      config = {
        inherit httpBackend;
        inherit (import ./constants.nix) pathToRoot;
        nodeName = "pve";
        targetSystem = system;
        sshOpts = [
          "ProxyCommand=ssh -W %h:%p pve"
        ];
        key-file = "/root/.ssh/id_ed25519";
        node-name = "pve";
        bridge = "br0";
        vlanId = 0;
        imageDatastoreId = "local";
        vmDatastoreId = "local";
        cdDatastoreId = "local";
        ipv4Gateway = "192.168.10.1";
        ipv4Address = "192.168.10.236/24";
        ipv6Gateway = "";
        ipv6Address = "";
      };
    }).default.tf-proxmox-vm;
in
{
  _class = "nixosTest";
  name = "deployment-model";
  sourceFileset = lib.fileset.unions [
    ../../run/tf-proxmox-vm/run.sh
    ../../run/tf-proxmox-vm/await-ssh.sh
  ];

  nodes.pve =
    { sources, ... }:
    {
      imports = [
        "${sources.proxmox-nixos}/modules/proxmox-ve"
      ];
      environment.systemPackages = [
        pkgs.jq
        pkgs.qemu
      ];
      networking.firewall.enable = false;
      networking.vlans = {
        vlan0 = {
          id = 0;
          interface = "eth0";
        };
      };
      networking.useDHCP = false;

      networking = {
        bridges.br0.interfaces = [ ];
        interfaces.br0.ipv4.addresses = [
          {
            address = "192.168.10.1";
            prefixLength = 24;
          }
        ];
        nat = {
          enable = true;
          internalInterfaces = [ "br0" ];
        };
      };
      boot.kernel.sysctl."net.ipv4.ip_forward" = "1";

      users.users.root = {
        password = "mytestpw";
        hashedPasswordFile = lib.mkForce null;
      };
      # https://github.com/SaumonNet/proxmox-nixos/blob/main/modules/proxmox-ve/default.nix
      services.proxmox-ve = {
        enable = true;
        ipAddress = "192.168.1.1";
      };
      virtualisation = {
        diskSize = 5 * 1024;
        memorySize = 3 * 1024;
      };
    };

  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];

      networking.firewall.enable = false;
      nix.nixPath = [
        (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources))
      ];

      environment.systemPackages = [
        deployment.run
        pkgs.pve-manager
        pkgs.openssl
        pkgs.jq
        (pkgs.callPackage ../../run/tf-proxmox-vm/tf.nix { })
      ];

      # needed only when building from deployer
      system.extraDependenciesFromModule =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [
            hello
          ];
        };
      system.extraDependencies = [
        pkgs.ubootQemuX86
        pkgs.ubootQemuX86.inputDerivation
        pkgs.pve-qemu
        pkgs.pve-qemu.inputDerivation
        pkgs.gnu-config
        pkgs.byacc
        pkgs.stdenv
        pkgs.stdenvNoCC
        sources.nixpkgs
        pkgs.vte
      ];
      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":${backendPort}";
          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
        };
      };
    };

  extraTestScript = ''
    pve.wait_for_unit("pveproxy.service")
    assert "running" in pve.succeed("pveproxy status")
    pve.succeed("mkdir -p /run/pve")
    assert "Proxmox" in pve.succeed("curl -s -i -k https://localhost:8006")

    cert = pve.succeed("cat /etc/pve/pve-root-ca.pem").strip()

    # set up proxmox
    pm_token = pve.succeed("""
      set -e
      pvesh create /pools --poolid Fediversity
      pvesh set /storage/local --content "vztmpl,rootdir,backup,snippets,import,iso,images" 1>/dev/null
      pvesh create /access/groups --groupid "roots"
      pvesh set /access/users/root@pam --enable 1 --groups "roots"
      pvesh set /access/acl --path "/" --roles "Administrator" --groups "roots"
      pvesh create /access/users/root@pam/token/mytoken --privsep 0 --output-format json | jq -r .value
    """).strip()
    # FIXME pass separate privileges rather than disabling privsep

    # skip indent for EOF
    deployer.succeed(f"""
    cat > /etc/ssl/certs/pve-root-ca.pem <<EOF
    {cert}
    EOF

    mkdir -p /root/.ssh
    cat > /root/.ssh/id_ed25519 <<EOF
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACBWbJXVjBLGo2MrI2LBKTbzDozuA/C9taU630EtU/h38gAAAJDAOy8uwDsv
    LgAAAAtzc2gtZWQyNTUxOQAAACBWbJXVjBLGo2MrI2LBKTbzDozuA/C9taU630EtU/h38g
    AAAECcF8xjLavgWePoVx45Euewsh6Kw07L6QDDy3WXFCn4bFZsldWMEsajYysjYsEpNvMO
    jO4D8L21pTrfQS1T+HfyAAAAC2tpYXJhQG5peG9zAQI=
    -----END OPENSSH PRIVATE KEY-----
    EOF
    chmod 600 /root/.ssh/id_ed25519
    """)

    deployer.succeed("""
      set -xe
      cd /etc/ssl/certs
      { cat ca-bundle.crt
        cat ca-certificates.crt
        cat pve-root-ca.pem
      } > new-ca-bundle.crt
      rm ca-bundle.crt ca-certificates.crt
      mv new-ca-bundle.crt ca-bundle.crt
      ln -s ca-bundle.crt ca-certificates.crt
      openssl verify -CApath /etc/ssl/certs ./pve-root-ca.pem
    """)

    deploy = f"""
      ssh -o BatchMode=yes -o StrictHostKeyChecking=no pve "true"
      export PROXMOX_VE_INSECURE="true"
      export SSL_CERT_FILE=/tmp/pve-ca-bundle.crt
      export PROXMOX_VE_API_TOKEN="root@pam!mytoken={pm_token}"
      ${lib.getExe deployment.run} | jq -r '.ipv4.value[0]'
    """

    with subtest("Run the deployment"):
      ip = deployer.succeed(deploy).strip()

    with subtest("Verify package"):
      deployer.succeed(f"""
        ssh -i "/root/.ssh/id_ed25519" -o StrictHostKeyChecking=no -o BatchMode=yes -J pve root@{ip} su - operator -c hello >&2
      """)

    with subtest("No-op update"):
      deployer.succeed(deploy, timeout=120)
  '';
}