pass vars separately

infra/machines/fedi201/fedipanel.nix

@@ -1,6 +1,5 @@
 {
   config,
-  lib,
   ...
 }:
 let
@@ -56,11 +55,6 @@ in
         COMPRESS_OFFLINE = true;
         LIBSASS_OUTPUT_STYLE = "compressed";
       };
-    environment = {
-      TF_VARS = lib.strings.toJSON {
-        ssh_private_key_file = config.age.secrets.panel-ssh-key.path;
-      };
-    };
     secrets = {
       SECRET_KEY = config.age.secrets.panel-secret-key.path;
     };

panel/env.nix

@@ -13,5 +13,5 @@
     pkgs.gnugrep # used in terraform-nixos
     (import ../launch/tf.nix { inherit lib pkgs; })
   ];
-  TF_VARS = lib.strings.toJSON { };
+  SSH_PRIVATE_KEY_FILE = "";
 }

panel/nix/configuration.nix

@@ -31,6 +31,7 @@ let
     ];
     REPO_DIR = import ../../launch/tf-env.nix { inherit lib pkgs; };
     LOGGING_DIR = "/var/log/${name}";
+    SSH_PRIVATE_KEY_FILE = config.age.secrets.panel-ssh-key.path;
   };
 
   python-environment = pkgs.python3.withPackages (

panel/src/panel/settings.py

@@ -259,5 +259,6 @@ bin_path=env['BIN_PATH']
 # to deploy this should be specified, for dev just use a relative path.
 repo_dir = env["REPO_DIR"]
 
-ENV_VARS = json.loads(env["TF_VARS"]) | {
+ENV_VARS = {
+    "ssh_private_key_file": env["SSH_PRIVATE_KEY_FILE"],
 }