{ hardware
, ristrettoSigningKeyPath
, stripeSecretKeyPath
, issuerDomain
, letsEncryptAdminEmail
, allowedChargeOrigins
, sshUsers
, stateVersion
, publicIPv4
, monitoringvpnKeyDir ? null
, monitoringvpnIPv4 ? null
, monitoringvpnEndpoint ? null
, ...
}: let

  enableVpn = monitoringvpnKeyDir != null &&
              monitoringvpnIPv4 != null &&
              monitoringvpnEndpoint != null;

  vpnSecrets = if !enableVpn then {} else {
    "monitoringvpn-secret-key" = {
      source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
      destination = "/run/keys/monitoringvpn/client.key";
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
    };
    "monitoringvpn-preshared-key" = {
      source = monitoringvpnKeyDir + "/preshared.key";
      destination = "/run/keys/monitoringvpn/preshared.key";
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
    };
  };

in rec {
  deployment = {
    targetUser = "root";
    targetHost = publicIPv4;

    secrets = {
      "ristretto-signing-key" = {
        source = ristrettoSigningKeyPath;
        destination = "/run/keys/ristretto.signing-key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
      };
      "stripe-secret-key" = {
        source = stripeSecretKeyPath;
        destination = "/run/keys/stripe.secret-key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
      };
    } // vpnSecrets;
  };

  imports = [
    hardware
    ../../nixos/modules/issuer.nix
    ../../nixos/modules/monitoring/vpn/client.nix
  ];

  services.private-storage.sshUsers = sshUsers;
  services.private-storage-issuer = {
    enable = true;
    tls = true;
    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
    database = "SQLite3";
    databasePath = "/var/db/vouchers.sqlite3";
    inherit letsEncryptAdminEmail;
    domain = issuerDomain;
    inherit allowedChargeOrigins;
  };

  system.stateVersion = stateVersion;

  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
    enable = true;
    ip = monitoringvpnIPv4;
    endpoint = monitoringvpnEndpoint;
    endpointPublicKeyFile = monitoringvpnKeyDir + "/server.pub";
  };
}