{ ristrettoSigningKeyPath
, stripeSecretKeyPath
, monitoringvpnKeyDir
, monitoringvpnEndpoint
, monitoringvpnIPv4
, domain
, sshUsers
, letsEncryptAdminEmail
, issuerDomains
, allowedChargeOrigins
, ...
}:
{ config, ... }: {
  # The morph default deployment target the name of the node in the network
  # attrset.  We don't always want to give the node its proper public address
  # there (because it depends on which domain is associated with the grid
  # being configured and using variable names complicates a lot of things).
  # Instead, just tell morph how to reach the node here - by using its fully
  # qualified domain name.
  deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";

  deployment.secrets = {
    "ristretto-signing-key".source = ristrettoSigningKeyPath;
    "stripe-secret-key".source = stripeSecretKeyPath;
    "monitoringvpn-secret-key".source = "${monitoringvpnKeyDir}/${monitoringvpnIPv4}.key";
    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
  };

  networking.domain = domain;

  services.private-storage.sshUsers = sshUsers;
  services.private-storage.monitoring.vpn.client = {
    enable = true;
    ip = monitoringvpnIPv4;
    endpoint = monitoringvpnEndpoint;
    endpointPublicKeyFile = "${monitoringvpnKeyDir}/server.pub";
  };

  services.private-storage-issuer = {
    letsEncryptAdminEmail = letsEncryptAdminEmail;
    domains = issuerDomains;
    allowedChargeOrigins = allowedChargeOrigins;
  };

  system.stateVersion = "19.03";
}