{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs) system;
  inherit (import ./constants.nix) pathToRoot;
  nodeName = "target";
  deployment-config = {
    inherit nodeName pathToRoot;
    targetSystem = system;
    sshOpts = [ ];
  };
  deploy =
    (import ../common/data-model.nix {
      inherit system;
      config = deployment-config;
      # opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call
    })."tf-deployment".tf-host.run;
in
{
  _class = "nixosTest";
  imports = [
    ../common/data-model-options.nix
  ];

  name = "deployment-model";
  sourceFileset = lib.fileset.unions [
    ../../run/tf-single-host/run.sh
  ];

  nodes.deployer =
    { ... }:
    {
      imports = [
        ../../modules/terraform-backend
      ];

      environment.systemPackages = [
        deploy
        (pkgs.callPackage ../../run/tf-single-host/tf.nix { inherit sources; })
      ];

      # needed only when building from deployer
      system.extraDependenciesFromModule =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [
            hello
          ];
        };
      services.terraform-backend = {
        enable = true;
        settings = {
          LISTEN_ADDR = ":8080";
          KMS_KEY = "l99yC7MhbuuraACQ8bjaU1rMrT6L4PXEYupX6BzhJvY=";
        };
      };
    };

  extraTestScript = ''
    with subtest("Check the status before deployment"):
      target.fail("hello 1>&2")

    with subtest("Run the deployment"):
      deployer.wait_for_unit("multi-user.target")
      deployer.succeed("curl -u basic:fake-secret -X GET http://localhost:8080/state/project1/example")
      output = deployer.fail("""
        ${lib.getExe deploy}
      """)
      assert "Timeout, server ${nodeName} not responding" in output
      target.wait_for_unit("multi-user.target")
      target.succeed("su - operator -c hello 1>&2")
  '';
}