# NixOS module for the Vagrant / VirtualBox development guest.
#
# Declares the `grid.publicIPv4` option and sets the bootloader, filesystems,
# static address and Nix daemon trust for the VM.  Several settings below trade
# safety for convenience (no boot-time fsck, RAM-backed /storage, unsigned
# package pushes); they are only reasonable for a disposable local machine.
{ config, lib, modulesPath, ... }:
let
  inherit (lib) mkOption types;
in
{
  # modulesPath points at the upstream nixos/modules directory.
  # NOTE(review): the upstream Vagrant guest profile is expected to provision
  # Vagrant's conventional login (publicly known credentials, passwordless
  # sudo) -- confirm against the pinned nixpkgs, and never import this module
  # into a deployment that is reachable from an untrusted network.
  imports = [ "${modulesPath}/virtualisation/vagrant-guest.nix" ];

  options.grid.publicIPv4 = mkOption {
    type = types.str;
    description = ''
      The primary IPv4 address of the virtual machine.
    '';
  };

  config = {
    virtualisation.virtualbox.guest.enable = true;

    boot = {
      loader.grub.device = "/dev/sda";

      kernel.sysctl."vm.swappiness" = 0;

      initrd = {
        availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];

        # Skip the filesystem check at startup.  In this environment it always
        # fails to run and blocks the boot until a key is pressed.  The cost is
        # that on-disk corruption is not detected at boot.
        checkJournalingFS = false;
      };
    };

    # Static address on the second NIC, taken from the option declared above.
    # The /24 prefix is fixed here rather than configurable.
    networking.interfaces.enp0s8.ipv4.addresses = [
      {
        address = config.grid.publicIPv4;
        prefixLength = 24;
      }
    ];

    # The issuer configuration reads the location of its database directory
    # from the filesystem configuration.  The Vagrant environment has no
    # separate volume-as-infrastructure management, so a bind mount supplies a
    # configured value to read.  The database does not get a dedicated volume;
    # it only appears as if it does.
    services.private-storage-issuer.databaseFileSystem = {
      device = "/var/lib/origin-zkapissuer-v2";
      options = [ "bind" ];
    };

    fileSystems = {
      "/" = {
        device = "/dev/sda1";
        fsType = "ext4";
      };

      # XXX This should be handled by the storage module, the way the zkap
      # filesystem above is handled by the issuer module.
      # tmpfs keeps /storage in memory: its contents do not survive a reboot.
      "/storage".fsType = "tmpfs";
    };

    # Allows pushing packages with morph without having to sign them.
    # Trusted Nix users can import unsigned store paths and override daemon
    # settings, which is effectively root on this machine.  Listing "vagrant"
    # and all of @wheel is acceptable only because the VM is throwaway; a
    # production host should rely on signed paths and a minimal trusted list.
    nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
  };
}