{ inputs, deployment-hosts, description, enable-rollback ? true, ... }:
with inputs.nixpkgs.lib; let
  network-config = {
    nixpkgs = inputs.nixpkgs;
    network = {
      inherit description;
      enableRollback = enable-rollback;
    };
  };

  host-configs = genAttrs deployment-hosts
    (hostname: fudo-nixos.nixopsHostConfigurations.${hostname});

  host-uber-secrets = genAttrs deployment-hosts
    (hostname: { config, ... }: let
      uber-secrets = config.fudo.secrets.files.host-filesystem-keys;
    in {
      imports = [
        inputs.fudo-secrets.nixosModule
        ({ config, ... }: {
          deployment.keys = mkIf (hasAttr hostname uber-secrets) {
            deployment.keys = mapAttrs (secret: secret-file: {
              keyFile = secret-file;
              user = "root";
              permissions = "0400";
            }) uber-secrets.${hostname};
          };
        })
      ];
    });
in network-config // host-configs // host-uber-secrets