From ca8ba444b742ab4985d8308fccd86d43452cb8e9 Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Mon, 10 Nov 2025 13:22:22 +0100 Subject: [PATCH] centralize TF Signed-off-by: Kiara Grouwstra --- .../02-opentofu-sandboxed-init.patch | 0 deployment/check/data-model-tf/default.nix | 22 +------- deployment/check/netbox-ips/default.nix | 22 +------- deployment/run/tf-netbox-get-ip/tf.nix | 47 +++++------------ deployment/run/tf-netbox-store-ips/tf.nix | 47 +++++------------ deployment/run/tf-proxmox-template/tf.nix | 49 +++++------------- deployment/run/tf-proxmox-vm/tf.nix | 51 +++++-------------- deployment/run/tf-single-host/tf.nix | 26 +--------- deployment/tf.nix | 24 +++++++++ 9 files changed, 78 insertions(+), 210 deletions(-) rename deployment/{check/data-model-tf => }/02-opentofu-sandboxed-init.patch (100%) create mode 100644 deployment/tf.nix diff --git a/deployment/check/data-model-tf/02-opentofu-sandboxed-init.patch b/deployment/02-opentofu-sandboxed-init.patch similarity index 100% rename from deployment/check/data-model-tf/02-opentofu-sandboxed-init.patch rename to deployment/02-opentofu-sandboxed-init.patch diff --git a/deployment/check/data-model-tf/default.nix b/deployment/check/data-model-tf/default.nix index 9fb576a6..17c68d9c 100644 --- a/deployment/check/data-model-tf/default.nix +++ b/deployment/check/data-model-tf/default.nix 
@@ -9,27 +9,7 @@ let terraform-backend = prev.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/te/terraform-backend/package.nix" { }; - # FIXME centralize overlays - # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 - opentofu = - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; - }); + opentofu = pkgs.callPackage ../../tf.nix { }; }; pkgs = import sources.nixpkgs { inherit system; diff --git a/deployment/check/netbox-ips/default.nix b/deployment/check/netbox-ips/default.nix index 9fb576a6..17c68d9c 100644 --- a/deployment/check/netbox-ips/default.nix +++ b/deployment/check/netbox-ips/default.nix 
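Review bot: The new `pkgs.callPackage ../../tf.nix { }` passes no `sources`, so the OpenTofu recipe no longer comes from this file's own `sources.nixpkgs-unstable` but from the `import ../npins` default inside `deployment/tf.nix`, while `terraform-backend` one line above still uses the local `sources`. If `sources` here can ever differ from that default (its definition is outside the hunk), the check would silently build from a different pin set than the rest of the overlay. Forwarding it keeps one set of pins in charge: `opentofu = pkgs.callPackage ../../tf.nix { inherit sources; };`. The same applies to the identical hunk in `deployment/check/netbox-ips/default.nix`. It also applies to `deployment/run/tf-single-host/tf.nix`, where the `sources ? …` parameter is removed while `...` stays, so a caller that still passes `sources` is accepted and ignored.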
@@ -9,27 +9,7 @@ let terraform-backend = prev.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/te/terraform-backend/package.nix" { }; - # FIXME centralize overlays - # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 - opentofu = - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; - }); + opentofu = pkgs.callPackage ../../tf.nix { }; }; pkgs = import sources.nixpkgs { inherit system; diff --git a/deployment/run/tf-netbox-get-ip/tf.nix b/deployment/run/tf-netbox-get-ip/tf.nix index 115d5cbe..ec79dab2 100644 --- a/deployment/run/tf-netbox-get-ip/tf.nix +++ b/deployment/run/tf-netbox-get-ip/tf.nix @@ -1,9 +1,6 @@ -# FIXME: use overlays so this gets imported just once? { pkgs, }: -# FIXME centralize overlays -# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 let sources = import ../../../npins; mkProvider = 
@@ -12,36 +9,16 @@ let { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args ); in -( - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; +(pkgs.callPackage ../../tf.nix { }).withPlugins (_: [ + (mkProvider { + owner = "e-breuninger"; + repo = "terraform-provider-netbox"; + rev = "v5.0.0"; + spdx = "MPL-2.0"; + # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k="; + hash = null; + vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0="; + homepage = "https://registry.terraform.io/providers/e-breuninger/netbox"; + provider-source-address = "registry.opentofu.org/e-breuninger/netbox"; }) -).withPlugins - (_: [ - (mkProvider { - owner = "e-breuninger"; - repo = "terraform-provider-netbox"; - rev = "v5.0.0"; - spdx = "MPL-2.0"; - # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k="; - hash = null; - vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0="; - homepage = "https://registry.terraform.io/providers/e-breuninger/netbox"; - provider-source-address = "registry.opentofu.org/e-breuninger/netbox"; - }) - ]) +]) diff --git a/deployment/run/tf-netbox-store-ips/tf.nix b/deployment/run/tf-netbox-store-ips/tf.nix index 115d5cbe..ec79dab2 100644 --- a/deployment/run/tf-netbox-store-ips/tf.nix +++ b/deployment/run/tf-netbox-store-ips/tf.nix 
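Review bot: `hash = null;` sitting under a commented-out `# hash = …;` line reads as if source integrity checking had been switched off for the netbox provider, and nothing in the re-indented block says otherwise. From the context line `mkProviderFetcher = { repo, ... }: sources.${repo};` the source appears to come from the npins pin instead, which would also mean `rev = "v5.0.0"` does not select the source and can drift from the pinned revision unnoticed. I would drop the dead hash line and say so next to the field, e.g. `# source is sources.${repo} from npins; hash is unused and rev must match that pin`. The same block is carried over in the tf-netbox-store-ips hunk, and in the tf-proxmox-template and tf-proxmox-vm hunks (those two without the commented hash). The `let` that defines `mkProvider` starts outside this hunk.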
@@ -1,9 +1,6 @@ -# FIXME: use overlays so this gets imported just once? { pkgs, }: -# FIXME centralize overlays -# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 let sources = import ../../../npins; mkProvider = @@ -12,36 +9,16 @@ let { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args ); in -( - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; +(pkgs.callPackage ../../tf.nix { }).withPlugins (_: [ + (mkProvider { + owner = "e-breuninger"; + repo = "terraform-provider-netbox"; + rev = "v5.0.0"; + spdx = "MPL-2.0"; + # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k="; + hash = null; + vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0="; + homepage = "https://registry.terraform.io/providers/e-breuninger/netbox"; + provider-source-address = "registry.opentofu.org/e-breuninger/netbox"; }) -).withPlugins - (_: [ - (mkProvider { - owner = "e-breuninger"; - repo = "terraform-provider-netbox"; - rev = "v5.0.0"; - spdx = "MPL-2.0"; - # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k="; - hash = null; - vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0="; - homepage = "https://registry.terraform.io/providers/e-breuninger/netbox"; - provider-source-address = "registry.opentofu.org/e-breuninger/netbox"; - }) - ]) +]) 
diff --git a/deployment/run/tf-proxmox-template/tf.nix b/deployment/run/tf-proxmox-template/tf.nix index e123a729..880a56ff 100644 --- a/deployment/run/tf-proxmox-template/tf.nix +++ b/deployment/run/tf-proxmox-template/tf.nix @@ -1,9 +1,6 @@ -# FIXME: use overlays so this gets imported just once? { pkgs, }: -# FIXME centralize overlays -# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 let sources = import ../../../npins; mkProvider = 
@@ -12,37 +9,17 @@ let { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args ); in -( - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; +(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [ + p.external + (mkProvider { + owner = "bpg"; + repo = "terraform-provider-proxmox"; + # 0.82+ need go 1.25 + rev = "v0.81.0"; + spdx = "MPL-2.0"; + hash = null; + vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; + homepage = "https://registry.terraform.io/providers/bpg/proxmox"; + provider-source-address = "registry.opentofu.org/bpg/proxmox"; }) -).withPlugins - (p: [ - p.external - (mkProvider { - owner = "bpg"; - repo = "terraform-provider-proxmox"; - # 0.82+ need go 1.25 - rev = "v0.81.0"; - spdx = "MPL-2.0"; - hash = null; - vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; - homepage = "https://registry.terraform.io/providers/bpg/proxmox"; - provider-source-address = "registry.opentofu.org/bpg/proxmox"; - }) - ]) +]) diff --git a/deployment/run/tf-proxmox-vm/tf.nix b/deployment/run/tf-proxmox-vm/tf.nix index bf4eea67..b387cc6b 100644 --- a/deployment/run/tf-proxmox-vm/tf.nix +++ b/deployment/run/tf-proxmox-vm/tf.nix 
@@ -1,9 +1,6 @@ -# FIXME: use overlays so this gets imported just once? { pkgs, }: -# FIXME centralize overlays -# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 let sources = import ../../../npins; mkProvider = @@ -12,38 +9,18 @@ let { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args ); in -( - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; +(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [ + p.external + p.null + (mkProvider { + owner = "bpg"; + repo = "terraform-provider-proxmox"; + # 0.82+ need go 1.25 + rev = "v0.81.0"; + spdx = "MPL-2.0"; + hash = null; + vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; + homepage = "https://registry.terraform.io/providers/bpg/proxmox"; + provider-source-address = "registry.opentofu.org/bpg/proxmox"; }) -).withPlugins - (p: [ - p.external - p.null - (mkProvider { - owner = "bpg"; - repo = "terraform-provider-proxmox"; - # 0.82+ need go 1.25 - rev = "v0.81.0"; - spdx = "MPL-2.0"; - hash = null; - vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; - homepage = "https://registry.terraform.io/providers/bpg/proxmox"; - provider-source-address = "registry.opentofu.org/bpg/proxmox"; - }) - ]) +]) diff --git a/deployment/run/tf-single-host/tf.nix b/deployment/run/tf-single-host/tf.nix index b34b0be3..dd6bb141 100644 
--- a/deployment/run/tf-single-host/tf.nix +++ b/deployment/run/tf-single-host/tf.nix @@ -1,29 +1,5 @@ -# FIXME: use overlays so this gets imported just once? { pkgs, - sources ? import ../../../npins, ... }: -# FIXME centralize overlays -# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 -( - (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) - .overrideAttrs - (old: rec { - patches = (old.patches or [ ]) ++ [ - # TF with back-end poses a problem for nix: initialization involves both - # mutation (nix: only inside build) and a network call (nix: not inside build) - ../../check/data-model-tf/02-opentofu-sandboxed-init.patch - ]; - # versions > 1.9.0 need go 1.24+ - version = "1.9.0"; - src = pkgs.fetchFromGitHub { - owner = "opentofu"; - repo = "opentofu"; - tag = "v${version}"; - hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; - }; - vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; - }) -).withPlugins - (p: [ p.external ]) +(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [ p.external ]) diff --git a/deployment/tf.nix b/deployment/tf.nix new file mode 100644 index 00000000..a2294d75 --- /dev/null +++ b/deployment/tf.nix 
@@ -0,0 +1,24 @@
+{
+ pkgs,
+ sources ? import ../npins,
+ ...
+}:
+# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
+(pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+.overrideAttrs
+ (old: rec {
+ patches = (old.patches or [ ]) ++ [
+ # TF with back-end poses a problem for nix: initialization involves both
+ # mutation (nix: only inside build) and a network call (nix: not inside build)
+ ./02-opentofu-sandboxed-init.patch
+ ];
+ # versions > 1.9.0 need go 1.24+
+ version = "1.9.0";
+ src = pkgs.fetchFromGitHub {
+ owner = "opentofu";
+ repo = "opentofu";
+ tag = "v${version}";
+ hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
+ };
+ vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
+ })
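Review bot: The pin `version = "1.9.0";` is explained only by `# versions > 1.9.0 need go 1.24+`, which says why it is held but not what holding it costs or when it can be lifted. Now that every check and deployment builds OpenTofu from this one file, that is worth writing down. I would extend the comment along the lines of `# pinned until the Go toolchain in pkgs reaches 1.24; upstream fixes after 1.9.0, security ones included, are not picked up until version, hash and vendorHash are bumped together` (the toolchain reason is inferred from the existing comment). The file would also benefit from a short header comment stating that it returns the patched OpenTofu without plugins and that callers add `.withPlugins`. The `XXX` line could say what the linked nixpkgs PR provides, so a reader can tell when `nixpkgs-unstable` is no longer needed.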