infra/common/nixos/default.nix

@@ -1,7 +1,8 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   inherit (lib) mkDefault;
+  nixPath = "/run/current-system/nixpkgs";
 in
 {
   imports = [
@@ -15,6 +16,15 @@ in
   system.stateVersion = "24.05"; # do not change
   nixpkgs.hostPlatform = mkDefault "x86_64-linux";
 
+  # use flake's nixpkgs over channels
+  nix.nixPath = [ "nixpkgs=${nixPath}" ];
+  system.extraSystemBuilderCmds = ''
+    ln -sv ${pkgs.path} $out/nixpkgs
+  '';
+  systemd.tmpfiles.rules = [
+    "L+ ${nixPath} - - - - ${pkgs.path}"
+  ];
+
   ## This is just nice to have, but it is also particularly important for the
   ## Forgejo CI runners because the Nix configuration in the actions is directly
   ## taken from here.

launch/main.tf

@@ -50,7 +50,6 @@ variable "initialUser" {
 locals {
   system = "x86_64-linux"
   pins = jsondecode(file("${path.module}/.npins.json"))
-  nix_path = "${join(":", [for name, path in local.pins : "${name}=${path}"])}:flake=${local.pins["nixpkgs"]}:flake"
   peripheral_configs = {
     garage = "test01"
   }
@@ -106,8 +105,7 @@ resource "terraform_data" "nixos" {
   provisioner "local-exec" {
     working_dir = path.root
     environment = {
-      # nix path used on deploy
-      NIX_PATH = local.nix_path
+      NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"]),
     }
     # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
     # TODO: build on target?
@@ -134,8 +132,6 @@ resource "terraform_data" "nixos" {
                 # FIXME: get VM details from TF
                 ${path.root}/../infra/test-machines/${each.value.hostname}
               ];
-              # nix path for debugging
-              nix.nixPath = [ "${local.nix_path}" ];
             };
           };
         in {