factor out TF http back-end settings (#564)

Reviewed-on: #564

deployment/check/data-model-tf-proxmox/nixosTest.nix

@@ -8,12 +8,8 @@
 let
   inherit (pkgs) system;
   backendPort = builtins.toString 8080;
-  tfBackend = fragment: rec {
+  tfBackend = fragment: {
-    TF_HTTP_USERNAME = "basic";
+    address = "http://localhost:${backendPort}/state/${fragment}";
-    TF_HTTP_PASSWORD = "fake-secret";
-    TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
-    TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
-    TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/${fragment}";
   };
   template-deployment =
     (import ./setups/template.nix {

deployment/check/data-model-tf/nixosTest.nix

@@ -17,13 +17,7 @@ let
         inherit nodeName pathToRoot;
         targetSystem = system;
         sshOpts = [ ];
-        httpBackend = rec {
+        httpBackend.address = "http://localhost:${backendPort}/state/project1/example";
-          TF_HTTP_USERNAME = "basic";
-          TF_HTTP_PASSWORD = "fake-secret";
-          TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
-          TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
-          TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
-        };
       };
     }).default.tf-host.run;
 in

deployment/data-model.nix

@@ -74,6 +74,91 @@ let
     description = "A NixOS configuration.";
     type = raw;
   };
+  httpBackend = mkOption {
+    description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
+    type = types.submodule (http-backend: {
+      options = {
+        value = mkOption {
+          readOnly = true;
+          default = lib.mapAttrs' (k: v: lib.nameValuePair "TF_HTTP_${lib.toUpper k}" (builtins.toString v)) {
+            inherit (http-backend.config)
+              address
+              update_method
+              lock_address
+              lock_method
+              unlock_address
+              unlock_method
+              username
+              password
+              skip_cert_verification
+              retry_max
+              retry_wait_min
+              retry_wait_max
+              ;
+          };
+        };
+        address = mkOption {
+          description = "The address of the REST endpoint";
+          type = str;
+        };
+        update_method = mkOption {
+          description = "HTTP method to use when updating state.";
+          type = str;
+          default = "POST";
+        };
+        lock_address = mkOption {
+          description = "The address of the lock REST endpoint.";
+          type = str;
+          default = http-backend.config.address;
+        };
+        lock_method = mkOption {
+          description = "The HTTP method to use when locking.";
+          type = str;
+          default = "LOCK";
+        };
+        unlock_address = mkOption {
+          description = "The address of the unlock REST endpoint.";
+          type = str;
+          default = http-backend.config.address;
+        };
+        unlock_method = mkOption {
+          description = "The HTTP method to use when unlocking.";
+          type = str;
+          default = "UNLOCK";
+        };
+        username = mkOption {
+          description = "The username for HTTP basic authentication.";
+          type = str;
+          default = "basic";
+        };
+        password = mkOption {
+          description = "The password for HTTP basic authentication.";
+          type = str;
+          default = "fake-secret";
+        };
+        skip_cert_verification = mkOption {
+          description = "Whether to skip TLS verification.";
+          type = str;
+          default = "false";
+        };
+        retry_max = mkOption {
+          description = "The number of HTTP request retries.";
+          type = types.int;
+          default = 2;
+        };
+        retry_wait_min = mkOption {
+          description = "The minimum time in seconds to wait between HTTP request attempts.";
+          type = types.int;
+          default = 1;
+        };
+        retry_wait_max = mkOption {
+          description = "The maximum time in seconds to wait between HTTP request attempts.";
+          type = types.int;
+          default = 30;
+        };
+      };
+    });
+  };
   host-ssh = mkOption {
     description = "SSH connection info to connect to a single host.";
     type = submodule {
@@ -195,7 +280,7 @@ let
             description = "The architecture of the system to deploy to.";
             type = types.str;
           };
-          inherit nixos-configuration;
+          inherit httpBackend nixos-configuration;
           ssh = host-ssh;
           caller = mkOption {
             description = "The calling module to obtain the NixOS configuration from.";
@@ -213,10 +298,6 @@ let
             description = "The path to the root of the repository.";
             type = types.path;
           };
-          httpBackend = mkOption {
-            description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
-            type = types.attrsOf (types.either types.str types.int);
-          };
           run = mkOption {
             type = types.package;
             # error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times.
@@ -278,16 +359,12 @@ let
             description = "The architecture of the system to deploy to.";
             type = types.str;
           };
-          inherit nixos-configuration;
+          inherit httpBackend nixos-configuration;
           ssh = host-ssh;
           node-name = mkOption {
             description = "the name of the ProxmoX node to use.";
             type = types.str;
           };
-          httpBackend = mkOption {
-            description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
-            type = types.attrsOf (types.either types.str types.int);
-          };
           imageDatastoreId = mkOption {
             description = "ID of the datastore of the image.";
             type = types.str;
@@ -366,7 +443,7 @@ let
             description = "The architecture of the system to deploy to.";
             type = types.str;
           };
-          inherit nixos-configuration;
+          inherit httpBackend nixos-configuration;
           ssh = host-ssh;
           caller = mkOption {
             description = "The calling module to obtain the NixOS configuration from.";
@@ -388,10 +465,6 @@ let
             description = "the name of the ProxmoX node to use.";
             type = types.str;
           };
-          httpBackend = mkOption {
-            description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
-            type = types.attrsOf (types.either types.str types.int);
-          };
           bridge = mkOption {
             description = "The name of the network bridge (defaults to vmbr0).";
             type = types.str;

deployment/run/tf-setup.nix

@@ -17,6 +17,6 @@ pkgs.writeScriptBin "setup" ''
   # suppress warning on architecture-specific generated lock file:
   # `Warning: Incomplete lock file information for providers`.
   env TF_HTTP_RETRY_MAX=1 TF_HTTP_RETRY_WAIT_MIN=0 \
-  ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
+  ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend.value)} \
   tofu init -input=false 1>/dev/null
 ''

deployment/utils.nix

@@ -56,7 +56,7 @@ rec {
             )
           )
         } \
-        ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
+        ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend.value)} \
       '';
       tfPackage = pkgs.callPackage ./run/${directory}/tf.nix { };
       tf-env = pkgs.callPackage ./run/tf-env.nix {