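{ self, inputs, providers, lib, config, ... }:

## NixOps4 resource module for one ProcoliX VM: it declares how the machine is
## reached over SSH, which NixOS configuration it runs, and which Age secrets
## that configuration is allowed to see.
let
  inherit (lib) attrValues elem literalExpression mkOption types;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

  cfg = config.procolixVm;
in
{
  options.procolixVm = {
    name = mkOption {
      type = types.str;
      description = ''
        Name of the machine.  It is the key used to look the machine's host
        public key up in `self.keys.systems`.
      '';
    };

    host = mkOption {
      type = types.str;
      description = ''
        Address (host name or IP) the machine is reached at over SSH.
      '';
    };

    hostPublicKey = mkOption {
      type = types.str;
      ## Previously this option was declared but never read: the config used a
      ## private `let` binding instead, so setting the option had no effect.
      ## The same lookup is now the default and the option is what the config
      ## actually uses, matching its description.
      default = self.keys.systems.${cfg.name};
      defaultText = literalExpression "self.keys.systems.\${config.procolixVm.name}";
      description = ''
        The host public key of the machine. It is used in particular to filter
        Age secrets and only keep the relevant ones.  Defaults to the key
        recorded for `procolixVm.name` in `self.keys.systems`.
      '';
    };
  };

  config = {
    type = providers.local.exec;

    ssh = {
      host = cfg.host;
      ## The expected host key is pinned here; presumably the SSH client uses
      ## it to authenticate the target rather than trusting whatever key the
      ## remote end presents on first contact.
      hostPublicKey = cfg.hostPublicKey;
    };

    nixpkgs = inputs.nixpkgs;

    nixos.module = {
      imports = [
        inputs.agenix.nixosModules.default
        ./nixosConfiguration
      ];

      ## Read all the secrets, filter the ones that are supposed to be
      ## readable with this host's public key, and add them correctly to the
      ## configuration as `age.secrets.<name>.file`.
      ##
      ## Only entries whose `publicKeys` list contains this host's key are
      ## kept; an entry in `secrets.nix` without a `publicKeys` attribute is an
      ## evaluation error rather than being silently included.
      age.secrets = concatMapAttrs (
        name: secret:
        optionalAttrs (elem cfg.hostPublicKey secret.publicKeys) {
          ${removeSuffix ".age" name}.file = ../../secrets + "/${name}";
        }
      ) (import ../../secrets/secrets.nix);

      ## FIXME: Remove direct root authentication once the NixOps4 NixOS
      ## provider supports users with password-less sudo.
      ##
      ## Until then every key in `self.keys.contributors` can log in as root
      ## on this machine; keep that set tight.
      users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
    };
  };
}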