{ hostsMap
, domain
, monitoringvpnKeyDir
, monitoringvpnIPv4
, vpnClientIPs
, nodeExporterTargets
, nginxExporterTargets ? []
, stateVersion
, ...
}:
{ config, ... }: {
  # See customize-issuer.nix for an explanatoin of targetHost value.
  deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";

  deployment.secrets = {
    "monitoringvpn-private-key".source = "${monitoringvpnKeyDir}/server.key";
    "monitoringvpn-preshared-key".source = "${monitoringvpnKeyDir}/preshared.key";
  };

  networking.domain = domain;
  networking.hosts = hostsMap;

  services.private-storage.monitoring.vpn.server = {
    enable = true;
    ip = monitoringvpnIPv4;
    inherit vpnClientIPs;
    pubKeysPath = monitoringvpnKeyDir;
  };

  services.private-storage.monitoring.prometheus = {
    inherit nodeExporterTargets;
    inherit nginxExporterTargets;
  };

  system.stateVersion = stateVersion;
}