5 changed files with 13 additions and 5 deletions
--- a/launch/.gitignore
+++ b/launch/.gitignore
@ -1,7 +1,5 @@
-# generated
 .auto.tfvars.json
 .npins.json
 .terraform/
-.terraform.lock.hcl
 .terraform.tfstate.lock.info
 terraform.tfstate*
--- a/launch/.terraform.lock.hcl
+++ b/launch/.terraform.lock.hcl
@ -0,0 +1,9 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:HfVaWMC7Tz+tRfoWZtGCX2MATcgX3HsexoirWdi/voo=",
+  ]
+}
--- a/launch/options.nix
+++ b/launch/options.nix
@ -1,4 +1,3 @@
-# TODO: could (part of) this be generated somehow?
 {
  lib,
  ...
--- a/launch/resource.nix
+++ b/launch/resource.nix
@ -10,7 +10,7 @@ let
  inherit (lib.strings) removeSuffix;

  secretsPrefix = ../secrets;
-  secrets = import "${secretsPrefix}/secrets.nix";
+  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../keys;

 in
@ -35,7 +35,8 @@ in
    }
  ) secrets;

-  ## FIXME: switch root authentication to users with password-less sudo, see #24
+  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+  ## supports users with password-less sudo.
  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
    # allow our panel vm access to the test machines
    keys.panel
--- a/launch/tf-env.nix
+++ b/launch/tf-env.nix
@ -19,6 +19,7 @@ pkgs.stdenv.mkDerivation {
    runHook preBuild
    pushd launch/
    echo '${lib.strings.toJSON sources}' > .npins.json
+    rm .terraform.lock.hcl
    tofu init -input=false
    popd
    runHook postBuild