unlog steps

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>

deployment/check/common/data-model.nix

@@ -369,6 +369,7 @@ let
                     inherit
                       args
                       deployment-name
+                      httpBackend
                       proxmox-user
                       proxmox-password
                       node-name

deployment/check/data-model-tf-proxmox/default.nix

@@ -9,7 +9,8 @@ let
     inherit system;
     overlays = [ overlay ];
   };
-  overlay = _: _: {
+  overlay = _: prev: {
+    terraform-backend = prev.callPackage ../../modules/terraform-backend/package.nix { };
     inherit
       (import "${sources.proxmox-nixos}/pkgs" {
         craneLib = pkgs.callPackage "${sources.crane}/lib" { };

deployment/check/data-model-tf-proxmox/nixosTest.nix

@@ -6,7 +6,16 @@
 }:
 let
   inherit (pkgs) system;
+  backendPort = builtins.toString 8080;
+  httpBackend = rec {
+    TF_HTTP_USERNAME = "basic";
+    TF_HTTP_PASSWORD = "fake-secret";
+    TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
+    TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
+    TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
+  };
   deployment-config = {
+    inherit httpBackend;
     inherit (import ./constants.nix) pathToRoot;
     nodeName = "pve";
     targetSystem = system;
@@ -22,8 +31,6 @@ let
       config = deployment-config;
       # opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call
     })."tf-proxmox-deployment".tf-proxmox-host;
-  # tracking non-tarball downloads seems unsupported still in npins:
-  # https://github.com/andir/npins/issues/163
 in
 {
   _class = "nixosTest";
@@ -46,6 +53,7 @@ in
         password = "mytestpw";
         hashedPasswordFile = lib.mkForce null;
       };
+      # https://github.com/SaumonNet/proxmox-nixos/blob/main/modules/proxmox-ve/default.nix
       services.proxmox-ve = {
         enable = true;
         ipAddress = "192.168.1.1";
@@ -59,6 +67,10 @@ in
   nodes.deployer =
     { ... }:
     {
+      imports = [
+        ../../modules/terraform-backend
+      ];
+
       nix.nixPath = [
         (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources))
       ];
@@ -87,6 +99,13 @@ in
         sources.nixpkgs
         pkgs.vte
       ];
+      services.terraform-backend = {
+        enable = true;
+        settings = {
+          LISTEN_ADDR = ":${backendPort}";
+          KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o=";
+        };
+      };
     };
 
   extraTestScript = ''

deployment/data-model.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   inputs,
+  sources,
   ...
 }:
 let
@@ -398,13 +399,13 @@ let
       type = submodule (
         tf-host:
         let
-          raw = {
+          # raw = {
-            # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw.nix";
+          #   # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw.nix";
-            formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw-efi.nix";
+          #   formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw-efi.nix";
-            formatAttr = "raw";
+          #   formatAttr = "raw";
-            fileExtension = ".img";
+          #   fileExtension = ".img";
-          };
+          # };
-          format = raw;
+          # format = raw;
           # qcow = {
           #   formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/qcow.nix";
           #   formatAttr = "qcow";
@@ -417,7 +418,7 @@ let
           #   fileExtension = ".qcow2";
           # };
           # format = qcow-efi;
-          inherit (format) formatConfig fileExtension formatAttr;
+          # inherit (format) formatConfig fileExtension formatAttr;
         in
         {
           options = {
@@ -458,6 +459,10 @@ let
               description = "the name of the ProxmoX node to use.";
               type = types.str;
             };
+            httpBackend = mkOption {
+              description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
+              type = types.attrsOf (types.either types.str types.int);
+            };
             run = mkOption {
               type = types.package;
               # error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times.
@@ -470,6 +475,7 @@ let
                     module
                     args
                     deployment-name
+                    httpBackend
                     root-path
                     proxmox-user
                     proxmox-password
@@ -541,7 +547,14 @@ let
                     ssh_user = username;
                     node_name = node-name;
                   };
-                  tf-env = pkgs.callPackage ./run/tf-proxmox/tf-env.nix { };
+                  tf-env = pkgs.callPackage ./run/tf-env.nix {
+                    inherit httpBackend;
+                    tfPackage = pkgs.callPackage ./run/tf-proxmox/tf.nix { };
+                    tfDirs = [
+                      "deployment/run/tf-single-host"
+                      "deployment/run/tf-proxmox"
+                    ];
+                  };
                   proxmox-host = "192.168.51.81"; # root@fediversity-proxmox
                   vm-names = [ "test14" ];
                   vm_name = "test14";
@@ -555,7 +568,7 @@ let
                     (pkgs.callPackage ./run/tf-proxmox/tf.nix { inherit sources; })
                   ])
                   ''
-                    set -xe
+                    set -e
 
                     # bash ./infra/proxmox-remove.sh \
                     #   --api-url "https://${proxmox-host}:8006/api2/json" \
@@ -580,6 +593,7 @@ let
                     ls -l /tmp/${name}.qcow2
 
                     env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \
+                    ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
                     TF_VAR_image=/tmp/${name}.qcow2 \
                     tf_env=${tf-env} bash ./deployment/run/tf-proxmox/run.sh
                   '';

deployment/run/tf-proxmox/main.tf

@@ -5,6 +5,8 @@ terraform {
       version = "= 0.81.0"
     }
   }
+  backend "http" {
+  }
 }
 
 locals {
@@ -142,6 +144,7 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
     cache        = "none"
 
     # FIXME make the provider allow this as a distinct block to allow making this depend on VM id?
+    # FIXME replace with an effectful ~~function~~template from vm_id replacing resource `proxmox_virtual_environment_file.upload`
     # import_from  = "local:import/${proxmox_virtual_environment_vm.nix_vm.vm_id}-${local.dump_name}" # bogus import name to test if it would accept self-referential values here # may not refer to itself
     # import_from  = "local:import/${local.dump_name}"
     import_from  = proxmox_virtual_environment_file.upload.id

deployment/run/tf-proxmox/run.sh

@@ -1,5 +1,5 @@
 #! /usr/bin/env bash
-set -xeuo pipefail
+set -euo pipefail
 declare tf_env
 
 export TF_LOG=info
@@ -8,4 +8,4 @@ export TF_LOG=info
 
 cd "${tf_env}/deployment/run/tf-proxmox"
 # parallelism=1: limit OOM risk
-tofu apply --auto-approve -lock=false -input=false -parallelism=1
+tofu apply --auto-approve -input=false -parallelism=1

deployment/run/tf-proxmox/tf-env.nix

@@ -1,33 +0,0 @@
-{
-  lib,
-  pkgs,
-  sources ? import ../../../npins,
-}:
-pkgs.stdenv.mkDerivation {
-  name = "tf-repo";
-  src =
-    with lib.fileset;
-    toSource {
-      root = ../../../.;
-      # don't copy ignored files
-      fileset = intersection (gitTracked ../../../.) ../../../.;
-    };
-  buildInputs = [
-    (pkgs.callPackage ./tf.nix { inherit sources; })
-    (pkgs.callPackage ../tf-setup.nix { inherit sources; })
-  ];
-  buildPhase = ''
-    runHook preBuild
-    for category in deployment/run/tf-single-host deployment/run/tf-proxmox; do
-      pushd "$category"
-      source setup
-      popd
-    done
-    runHook postBuild
-  '';
-  installPhase = ''
-    runHook preInstall
-    cp -r . $out
-    runHook postInstall
-  '';
-}

deployment/run/tf-proxmox/tf.nix

@@ -4,6 +4,8 @@
   sources ? import ../../../npins,
   ...
 }:
+# FIXME centralize overlays
+# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 let
   mkProvider =
     args:
@@ -11,17 +13,37 @@ let
       { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
     );
 in
-pkgs.opentofu.withPlugins (p: [
+(
-  p.external
+  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
-  (mkProvider {
+  .overrideAttrs
-    owner = "bpg";
+  (old: rec {
-    repo = "terraform-provider-proxmox";
+    patches = (old.patches or [ ]) ++ [
-    # 0.82+ need go 1.25
+      # TF with back-end poses a problem for nix: initialization involves both
-    rev = "v0.81.0";
+      # mutation (nix: only inside build) and a network call (nix: not inside build)
-    spdx = "MPL-2.0";
+      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
-    hash = null;
+    ];
-    vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
+    # versions > 1.9.0 need go 1.24+
-    homepage = "https://registry.terraform.io/providers/bpg/proxmox";
+    version = "1.9.0";
-    provider-source-address = "registry.opentofu.org/bpg/proxmox";
+    src = pkgs.fetchFromGitHub {
+      owner = "opentofu";
+      repo = "opentofu";
+      tag = "v${version}";
+      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
+    };
+    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
   })
-])
+).withPlugins
+  (p: [
+    p.external
+    (mkProvider {
+      owner = "bpg";
+      repo = "terraform-provider-proxmox";
+      # 0.82+ need go 1.25
+      rev = "v0.81.0";
+      spdx = "MPL-2.0";
+      hash = null;
+      vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
+      homepage = "https://registry.terraform.io/providers/bpg/proxmox";
+      provider-source-address = "registry.opentofu.org/bpg/proxmox";
+    })
+  ])