{ inputs, deployment-hosts, description, enable-rollback ? true, ... }:
with inputs.nixpkgs.lib; let
  network-config = {
    nixpkgs = inputs.nixpkgs;
    network = {
      inherit description;
      enableRollback = enable-rollback;
    };
  };

  host-config = hostname: inputs.fudo-nixos.nixopsHostConfigurations.${hostname};

  host-ip = hostname: domain: let
    zone-hosts = inputs.fudo-entities.entities.zones.${domain}.hosts;
  in zone-hosts.${hostname}.ipv4-address;

  host-uber-secrets = hostname: { config, ... }: let
    uber-secrets = config.fudo.secrets.files.host-filesystem-keys;
  in {
    config.deployment.keys = mkIf (hasAttr hostname uber-secrets)
      (mapAttrs (secret: secret-file: {
        keyFile = secret-file;
        user = "root";
        permissions = "0400";
      }) uber-secrets.${hostname});
  };

in network-config // (mapAttrs (hostname: hostOpts: {
  imports = [
    (host-config hostname)
    (host-uber-secrets hostname)
  ];

  deployment.targetHost = host-ip hostname hostOpts.domain;
}) deployment-hosts)