{
  tflib,
  pkgs,
}: {
  name,
  flake ? "$FLAKE_ROOT",
  hosts ? [],
}: {
  lib,
  config,
  ...
}: let
  inherit
    (tflib)
    tf
    ;
  inherit
    (lib)
    singleton
    concatMapStringsSep
    ;

  flakePath = "${flake}#nixngConfigurations.${name}.config.system.build.toplevel.outPath";
in {
  data."external"."nixng-system-${name}" = {
    program = singleton (pkgs.writeShellScript "build_nixng_system_${name}.sh" ''
      set -euo pipefail

      _system_path="$(nix eval --raw "${flakePath}")"

      jq -n --arg _system_path "$_system_path" '{"out":$_system_path}'
    '');
  };

  resource."terraform_data"."nixng-system-${name}-copy" = {
    triggers_replace = [
      (tf "data.external.nixng-system-${name}.result.out")
    ];
    provisioner."local-exec" = {
      interpreter = [
        (pkgs.writeShellScript "copy_nixng_system_${name}.sh" ''
          set -euo pipefail

          _system_path="$1"

          cd $FLAKE_ROOT
          nix build "${flakePath}"
          mkdir -p /tmp/terranix
          ${concatMapStringsSep "\n" (host: ''
              flock -x /tmp/terranix/${host} nix copy "$_system_path" --to ssh-ng://${host} -s --no-check-sigs
            '')
            hosts}

        '')
        (tf "data.external.nixng-system-${name}.result.out")
      ];
      command = "ignoreme";
    };
  };
}