## NixOS module for one Fediversity VM. Only the options that really need to be
## injected from the deployment resource live here; everything else belongs in
## the `./nixos` subdirectory.
{
  lib,
  config,
  keys,
  secrets,
  ...
}:
let
  inherit (lib)
    attrValues
    concatMapAttrs
    elem
    mkDefault
    optionalAttrs
    removeSuffix
    ;

  ## The public key this machine is identified by. The resource may set it
  ## explicitly; otherwise it is looked up by VM name (see the `mkDefault` below).
  hostKey = config.fediversityVm.hostPublicKey;

  ## A secret is declared on this host only when the host's key is listed among
  ## that secret's recipients.
  readableByThisHost = secret: elem hostKey secret.publicKeys;

  ## `foo.age` on disk is declared as `age.secrets.foo`.
  secretName = fileName: removeSuffix ".age" fileName;

  ## Contributors' keys; each of them gets root access on this machine.
  contributorKeys = attrValues keys.contributors;

  ## Non-human deployers that also get root access.
  automationKeys = [
    # allow our panel vm access to the test machines
    keys.panel
    # allow continuous deployment access
    keys.cd
  ];
in
{
  imports = [
    ./options.nix
    ./nixos
    ./proxmox-qemu-vm.nix
  ];

  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};

  ## Declare, as `age.secrets.<name>.file`, every secret whose recipient list
  ## contains this host's public key, `<name>` being the file name without its
  ## `.age` suffix. This filter only selects what gets declared; whether the
  ## host can actually decrypt a file is decided by the recipients the file
  ## was encrypted to.
  ## NOTE(review): `secrets` is iterated in full here while `secrets.rootPath`
  ## is also selected from it — confirm `rootPath` is not among the iterated
  ## entries (it has no `publicKeys`), or forcing this attribute would fail.
  age.secrets = concatMapAttrs (
    fileName: secret:
    optionalAttrs (readableByThisHost secret) {
      ${secretName fileName}.file = secrets.rootPath + "/${fileName}";
    }
  ) secrets;

  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
  ## supports users with password-less sudo.
  users.users.root.openssh.authorizedKeys.keys = contributorKeys ++ automationKeys;
}