{
  lib,
  inputs,
  sources,
  keys,
  secrets,
  ...
}:

## Flake module declaring the nixops4 deployment of the `forgejo-ci` machine.
##
## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
## should be integrated with the code for other machines (in particular VMs).

let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

  ## Public key of the target system. It is used twice below: as the pinned SSH
  ## host key of the resource, and as the recipient to look for when selecting
  ## which age secrets this host gets.
  hostPublicKey = keys.systems.forgejo-ci;

  ## Turns one `secrets.mapping` entry into an `age.secrets` declaration, but
  ## only when `hostPublicKey` is among the entry's `publicKeys`; otherwise it
  ## yields an empty set, so secrets not encrypted for this host are never
  ## declared on it. The attribute name is the file name minus its `.age`
  ## suffix.
  declareSecret =
    name: secret:
    optionalAttrs (elem hostPublicKey secret.publicKeys) {
      ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
    };
in
{
  _class = "flake";

  nixops4Deployments.forgejo-ci =
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;

      resources.forgejo-ci = {
        type = providers.local.exec;
        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];

        ## NOTE(review): `hostPublicKey` is presumably what the deployment
        ## checks the remote host key against -- confirm in nixops4-nixos. If
        ## so, it must be updated whenever the machine's host key is rotated.
        ssh = {
          host = "forgejo-ci";
          inherit hostPublicKey;
        };

        inherit (inputs) nixpkgs;

        nixos.module = {
          imports = with sources; [
            "${agenix}/modules/age.nix"
            "${disko}/module.nix"
            ./configuration.nix
          ];

          age.secrets = concatMapAttrs declareSecret secrets.mapping;

          ## Every key in `keys.contributors` is authorised for direct root
          ## login over SSH on this machine.
          ## NOTE(review): that makes the contributor key set the root-access
          ## set for a host that also receives the age secrets selected above;
          ## confirm this is intended and that removing a contributor is
          ## followed by a redeploy.
          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
        };
      };
    };
}