{ inputs, lib, config, ... }:

let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs filterAttrs;
  inherit (lib.strings) removeSuffix;

  ## Directory holding the age-encrypted secrets, plus the manifest that says
  ## which public keys may decrypt each of them.
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");

  ## Public keys of the managed systems and of the contributors.
  keys = import ../../keys;

  ## Keep only the secrets whose `publicKeys` list contains `key`.
  readableBy = key: filterAttrs (_: secret: elem key secret.publicKeys);

  ## Map a manifest entry `foo.age` to `age.secrets.foo.file = <secretsPrefix>/foo.age`.
  toAgeSecrets = concatMapAttrs (
    fileName: _: {
      ${removeSuffix ".age" fileName}.file = secretsPrefix + "/${fileName}";
    }
  );

in
{
  imports = [ ./options.nix ];

  config =
    let
      ## The host public key registered for this VM under `keys.systems`.
      hostPublicKey = keys.systems.${config.procolixVm.name};
    in
    {
      ssh = {
        inherit hostPublicKey;
        host = config.procolixVm.host;
      };

      nixpkgs = inputs.nixpkgs;

      nixos.module = {
        imports = [
          inputs.agenix.nixosModules.default
          ./options.nix
          ./nixos
        ];

        ## Forward the shared options from the resource's `config` into the
        ## NixOS configuration.
        inherit (config) procolixVm;

        ## Expose, as `age.secrets.<name>.file`, every secret that this host's
        ## public key is allowed to decrypt; everything else is left out.
        age.secrets = toAgeSecrets (readableBy hostPublicKey secrets);

        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
        ## provider supports users with password-less sudo.
        ## NOTE(review): every key in `keys.contributors` gets direct root
        ## login here; confirm that `./nixos` keeps root login key-only
        ## (sshd `PermitRootLogin prohibit-password`) so this stays
        ## limited to the listed keys.
        users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
      };
    };
}