centralize TF

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
2025-11-10 13:22:22 +01:00 · 2025-11-10 13:22:22 +01:00 · ca8ba444b7
commit ca8ba444b7
parent 18bc596e76
9 changed files with 78 additions and 210 deletions
--- a/deployment/check/data-model-tf/02-opentofu-sandboxed-init.patch
+++ b/deployment/check/data-model-tf/02-opentofu-sandboxed-init.patch
--- a/deployment/check/data-model-tf/default.nix
+++ b/deployment/check/data-model-tf/default.nix
@ -9,27 +9,7 @@ let
    terraform-backend =
      prev.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/te/terraform-backend/package.nix"
        { };
-    # FIXME centralize overlays
+    opentofu = pkgs.callPackage ../../tf.nix { };
    # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
    opentofu =
      (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
      .overrideAttrs
        (old: rec {
          patches = (old.patches or [ ]) ++ [
            # TF with back-end poses a problem for nix: initialization involves both
            # mutation (nix: only inside build) and a network call (nix: not inside build)
            ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
          ];
          # versions > 1.9.0 need go 1.24+
          version = "1.9.0";
          src = pkgs.fetchFromGitHub {
            owner = "opentofu";
            repo = "opentofu";
            tag = "v${version}";
            hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
          };
          vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
        });
  };
  pkgs = import sources.nixpkgs {
    inherit system;
--- a/deployment/check/netbox-ips/default.nix
+++ b/deployment/check/netbox-ips/default.nix
@ -9,27 +9,7 @@ let
    terraform-backend =
      prev.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/te/terraform-backend/package.nix"
        { };
-    # FIXME centralize overlays
+    opentofu = pkgs.callPackage ../../tf.nix { };
    # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
    opentofu =
      (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
      .overrideAttrs
        (old: rec {
          patches = (old.patches or [ ]) ++ [
            # TF with back-end poses a problem for nix: initialization involves both
            # mutation (nix: only inside build) and a network call (nix: not inside build)
            ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
          ];
          # versions > 1.9.0 need go 1.24+
          version = "1.9.0";
          src = pkgs.fetchFromGitHub {
            owner = "opentofu";
            repo = "opentofu";
            tag = "v${version}";
            hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
          };
          vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
        });
  };
  pkgs = import sources.nixpkgs {
    inherit system;
--- a/deployment/run/tf-netbox-get-ip/tf.nix
+++ b/deployment/run/tf-netbox-get-ip/tf.nix
@ -1,9 +1,6 @@
 # FIXME: use overlays so this gets imported just once?
 {
  pkgs,
 }:
 # FIXME centralize overlays
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 let
  sources = import ../../../npins;
  mkProvider =
@ -12,36 +9,16 @@ let
      { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
    );
 in
-(
+(pkgs.callPackage ../../tf.nix { }).withPlugins (_: [
-  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+  (mkProvider {
-  .overrideAttrs
+    owner = "e-breuninger";
-  (old: rec {
+    repo = "terraform-provider-netbox";
-    patches = (old.patches or [ ]) ++ [
+    rev = "v5.0.0";
-      # TF with back-end poses a problem for nix: initialization involves both
+    spdx = "MPL-2.0";
-      # mutation (nix: only inside build) and a network call (nix: not inside build)
+    # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k=";
-      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
+    hash = null;
-    ];
+    vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0=";
-    # versions > 1.9.0 need go 1.24+
+    homepage = "https://registry.terraform.io/providers/e-breuninger/netbox";
-    version = "1.9.0";
+    provider-source-address = "registry.opentofu.org/e-breuninger/netbox";
    src = pkgs.fetchFromGitHub {
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
-).withPlugins
+])
  (_: [
    (mkProvider {
      owner = "e-breuninger";
      repo = "terraform-provider-netbox";
      rev = "v5.0.0";
      spdx = "MPL-2.0";
      # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k=";
      hash = null;
      vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0=";
      homepage = "https://registry.terraform.io/providers/e-breuninger/netbox";
      provider-source-address = "registry.opentofu.org/e-breuninger/netbox";
    })
  ])
--- a/deployment/run/tf-netbox-store-ips/tf.nix
+++ b/deployment/run/tf-netbox-store-ips/tf.nix
@ -1,9 +1,6 @@
 # FIXME: use overlays so this gets imported just once?
 {
  pkgs,
 }:
 # FIXME centralize overlays
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 let
  sources = import ../../../npins;
  mkProvider =
@ -12,36 +9,16 @@ let
      { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
    );
 in
-(
+(pkgs.callPackage ../../tf.nix { }).withPlugins (_: [
-  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+  (mkProvider {
-  .overrideAttrs
+    owner = "e-breuninger";
-  (old: rec {
+    repo = "terraform-provider-netbox";
-    patches = (old.patches or [ ]) ++ [
+    rev = "v5.0.0";
-      # TF with back-end poses a problem for nix: initialization involves both
+    spdx = "MPL-2.0";
-      # mutation (nix: only inside build) and a network call (nix: not inside build)
+    # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k=";
-      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
+    hash = null;
-    ];
+    vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0=";
-    # versions > 1.9.0 need go 1.24+
+    homepage = "https://registry.terraform.io/providers/e-breuninger/netbox";
-    version = "1.9.0";
+    provider-source-address = "registry.opentofu.org/e-breuninger/netbox";
    src = pkgs.fetchFromGitHub {
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
-).withPlugins
+])
  (_: [
    (mkProvider {
      owner = "e-breuninger";
      repo = "terraform-provider-netbox";
      rev = "v5.0.0";
      spdx = "MPL-2.0";
      # hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k=";
      hash = null;
      vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0=";
      homepage = "https://registry.terraform.io/providers/e-breuninger/netbox";
      provider-source-address = "registry.opentofu.org/e-breuninger/netbox";
    })
  ])
--- a/deployment/run/tf-proxmox-template/tf.nix
+++ b/deployment/run/tf-proxmox-template/tf.nix
@ -1,9 +1,6 @@
 # FIXME: use overlays so this gets imported just once?
 {
  pkgs,
 }:
 # FIXME centralize overlays
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 let
  sources = import ../../../npins;
  mkProvider =
@ -12,37 +9,17 @@ let
      { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
    );
 in
-(
+(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [
-  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+  p.external
-  .overrideAttrs
+  (mkProvider {
-  (old: rec {
+    owner = "bpg";
-    patches = (old.patches or [ ]) ++ [
+    repo = "terraform-provider-proxmox";
-      # TF with back-end poses a problem for nix: initialization involves both
+    # 0.82+ need go 1.25
-      # mutation (nix: only inside build) and a network call (nix: not inside build)
+    rev = "v0.81.0";
-      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
+    spdx = "MPL-2.0";
-    ];
+    hash = null;
-    # versions > 1.9.0 need go 1.24+
+    vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
-    version = "1.9.0";
+    homepage = "https://registry.terraform.io/providers/bpg/proxmox";
-    src = pkgs.fetchFromGitHub {
+    provider-source-address = "registry.opentofu.org/bpg/proxmox";
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
-).withPlugins
+])
  (p: [
    p.external
    (mkProvider {
      owner = "bpg";
      repo = "terraform-provider-proxmox";
      # 0.82+ need go 1.25
      rev = "v0.81.0";
      spdx = "MPL-2.0";
      hash = null;
      vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
      homepage = "https://registry.terraform.io/providers/bpg/proxmox";
      provider-source-address = "registry.opentofu.org/bpg/proxmox";
    })
  ])
--- a/deployment/run/tf-proxmox-vm/tf.nix
+++ b/deployment/run/tf-proxmox-vm/tf.nix
@ -1,9 +1,6 @@
 # FIXME: use overlays so this gets imported just once?
 {
  pkgs,
 }:
 # FIXME centralize overlays
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 let
  sources = import ../../../npins;
  mkProvider =
@ -12,38 +9,18 @@ let
      { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
    );
 in
-(
+(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [
-  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+  p.external
-  .overrideAttrs
+  p.null
-  (old: rec {
+  (mkProvider {
-    patches = (old.patches or [ ]) ++ [
+    owner = "bpg";
-      # TF with back-end poses a problem for nix: initialization involves both
+    repo = "terraform-provider-proxmox";
-      # mutation (nix: only inside build) and a network call (nix: not inside build)
+    # 0.82+ need go 1.25
-      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
+    rev = "v0.81.0";
-    ];
+    spdx = "MPL-2.0";
-    # versions > 1.9.0 need go 1.24+
+    hash = null;
-    version = "1.9.0";
+    vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
-    src = pkgs.fetchFromGitHub {
+    homepage = "https://registry.terraform.io/providers/bpg/proxmox";
-      owner = "opentofu";
+    provider-source-address = "registry.opentofu.org/bpg/proxmox";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
-).withPlugins
+])
  (p: [
    p.external
    p.null
    (mkProvider {
      owner = "bpg";
      repo = "terraform-provider-proxmox";
      # 0.82+ need go 1.25
      rev = "v0.81.0";
      spdx = "MPL-2.0";
      hash = null;
      vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc=";
      homepage = "https://registry.terraform.io/providers/bpg/proxmox";
      provider-source-address = "registry.opentofu.org/bpg/proxmox";
    })
  ])
--- a/deployment/run/tf-single-host/tf.nix
+++ b/deployment/run/tf-single-host/tf.nix
@ -1,29 +1,5 @@
 # FIXME: use overlays so this gets imported just once?
 {
  pkgs,
  sources ? import ../../../npins,
  ...
 }:
-# FIXME centralize overlays
+(pkgs.callPackage ../../tf.nix { }).withPlugins (p: [ p.external ])
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 (
  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
  .overrideAttrs
  (old: rec {
    patches = (old.patches or [ ]) ++ [
      # TF with back-end poses a problem for nix: initialization involves both
      # mutation (nix: only inside build) and a network call (nix: not inside build)
      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
    ];
    # versions > 1.9.0 need go 1.24+
    version = "1.9.0";
    src = pkgs.fetchFromGitHub {
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
 ).withPlugins
  (p: [ p.external ])
--- a/deployment/tf.nix
+++ b/deployment/tf.nix
@ -0,0 +1,24 @@
 {
  pkgs,
  sources ? import ../npins,
  ...
 }:
 # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
 (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
 .overrideAttrs
  (old: rec {
    patches = (old.patches or [ ]) ++ [
      # TF with back-end poses a problem for nix: initialization involves both
      # mutation (nix: only inside build) and a network call (nix: not inside build)
      ./02-opentofu-sandboxed-init.patch
    ];
    # versions > 1.9.0 need go 1.24+
    version = "1.9.0";
    src = pkgs.fetchFromGitHub {
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })