deployment/check/data-model-tf/02-opentofu-sandboxed-init.patch

@@ -1,14 +0,0 @@
-diff --git a/internal/command/init.go b/internal/command/init.go
-index 4491590ea9..56241d93e9 100644
---- a/internal/command/init.go
-+++ b/internal/command/init.go
-@@ -263,8 +263,7 @@ func (c *InitCommand) Run(args []string) int {
- 		}
-
- 		if err := sMgr.RefreshState(); err != nil {
--			c.Ui.Error(fmt.Sprintf("Error refreshing state: %s", err))
--			return 1
-+			c.Ui.Warn(fmt.Sprintf("Issue refreshing state: %s", err))
- 		}
-
- 		state = sMgr.State()

deployment/check/data-model-tf/default.nix

@@ -1,40 +1,10 @@
 {
+  runNixOSTest,
   inputs,
   sources,
-  system,
 }:
 
-let
+runNixOSTest {
-  overlay = _: prev: {
-    terraform-backend = prev.callPackage ../../modules/terraform-backend/package.nix { };
-    # FIXME centralize overlays
-    # XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
-    opentofu =
-      (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
-      .overrideAttrs
-        (old: rec {
-          patches = (old.patches or [ ]) ++ [
-            # TF with back-end poses a problem for nix: initialization involves both
-            # mutation (nix: only inside build) and a network call (nix: not inside build)
-            ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
-          ];
-          # versions > 1.9.0 need go 1.24+
-          version = "1.9.0";
-          src = pkgs.fetchFromGitHub {
-            owner = "opentofu";
-            repo = "opentofu";
-            tag = "v${version}";
-            hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
-          };
-          vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
-        });
-  };
-  pkgs = import sources.nixpkgs {
-    inherit system;
-    overlays = [ overlay ];
-  };
-in
-pkgs.testers.runNixOSTest {
   imports = [
     ../../data-model.nix
     ../../function.nix

deployment/check/data-model-tf/nixosTest.nix

@@ -1,15 +1,14 @@
 {
   lib,
   pkgs,
-  sources,
   ...
 }:
 let
   inherit (pkgs) system;
-  inherit (import ./constants.nix) pathToRoot;
   nodeName = "target";
   deployment-config = {
-    inherit nodeName pathToRoot;
+    inherit nodeName;
+    inherit (import ./constants.nix) pathToRoot;
     targetSystem = system;
     sshOpts = [ ];
   };
@@ -34,13 +33,8 @@ in
   nodes.deployer =
     { ... }:
     {
-      imports = [
-        ../../modules/terraform-backend
-      ];
-
       environment.systemPackages = [
         deploy
-        (pkgs.callPackage ../../run/tf-single-host/tf.nix { inherit sources; })
       ];
 
       # needed only when building from deployer
@@ -51,13 +45,6 @@ in
             hello
           ];
         };
-      services.terraform-backend = {
-        enable = true;
-        settings = {
-          LISTEN_ADDR = ":8080";
-          KMS_KEY = "l99yC7MhbuuraACQ8bjaU1rMrT6L4PXEYupX6BzhJvY=";
-        };
-      };
     };
 
   extraTestScript = ''
@@ -65,8 +52,6 @@ in
       target.fail("hello 1>&2")
 
     with subtest("Run the deployment"):
-      deployer.wait_for_unit("multi-user.target")
-      deployer.succeed("curl -u basic:fake-secret -X GET http://localhost:8080/state/project1/example")
       output = deployer.fail("""
         ${lib.getExe deploy}
       """)

deployment/data-model.nix

@@ -3,6 +3,7 @@
   config,
   inputs,
   pkgs,
+  sources ? import ../npins,
   ...
 }:
 let
@@ -265,7 +266,7 @@ let
               pkgs.writers.writeBashBin "deploy-tf.sh"
                 (withPackages [
                   pkgs.jq
-                  (pkgs.callPackage ./run/tf-single-host/tf.nix { })
+                  (pkgs.callPackage ./run/tf-single-host/tf.nix { inherit sources; })
                 ])
                 ''
                   env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \

deployment/flake-part.nix

@@ -38,7 +38,8 @@
         };
 
         deployment-model-tf = import ./check/data-model-tf {
-          inherit inputs sources system;
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
         };
       };
     };

deployment/modules/terraform-backend/default.nix

@@ -1,39 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}:
-let
-  cfg = config.services.terraform-backend;
-in
-{
-  options.services.terraform-backend = {
-    enable = lib.mkEnableOption "Nimbolus Terraform HTTP back-end";
-    package = lib.mkPackageOption pkgs "terraform-backend" { };
-    settings = lib.mkOption {
-      type = lib.types.attrsOf lib.types.str;
-      default = { };
-      description = ''
-        [Environment variables](https://github.com/nimbolus/terraform-backend#default-settings)
-        for the Terraform HTTP back-end.
-      '';
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    systemd.services.terraform-backend = {
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "exec";
-        DynamicUser = true;
-        ExecStart = lib.getExe cfg.package;
-        Environment = lib.mapAttrsToList (k: v: "${k}=${v}") cfg.settings;
-
-        # FIXME remove after switching away from file storage?
-        StateDirectory = "terraform-backend";
-        WorkingDirectory = "/var/lib/terraform-backend";
-        StateDirectoryMode = "0700";
-      };
-    };
-  };
-}

deployment/modules/terraform-backend/package.nix

@@ -1,32 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fetchFromGitHub,
-}:
-
-# FIXME upstream: https://github.com/NixOS/nixpkgs/pull/447753
-buildGoModule rec {
-  pname = "terraform-backend";
-  version = "0.1.3";
-
-  src = fetchFromGitHub {
-    owner = "nimbolus";
-    repo = "terraform-backend";
-    tag = "v${version}";
-    hash = "sha256-S3ih7dLSQs3xJMHyQyWy43OG1maizBPVT8IsrWcSRUM=";
-  };
-
-  vendorHash = "sha256-5L8MNhjEPI3OOmtHdkB9ZQp02d7nzPp5h0/gVHTiCws=";
-
-  ldflags = [
-    "-s"
-    "-w"
-  ];
-
-  meta = {
-    description = "State backend server which implements the Terraform HTTP backend API with pluggable modules for authentication, storage, locking and state encryption";
-    homepage = "https://github.com/nimbolus/terraform-backend";
-    license = lib.licenses.bsd3;
-    mainProgram = "cmd";
-  };
-}

deployment/run/tf-setup.nix

@@ -4,7 +4,7 @@
   sources,
 }:
 pkgs.writeScriptBin "setup" ''
-  set -e
+  set -xe
   # calculated pins
   echo '${lib.strings.toJSON sources}' > ./.npins.json
   # generate TF lock for nix's TF providers

deployment/run/tf-single-host/main.tf

@@ -1,14 +1,3 @@
-terraform {
-  # TODO un-hardcode
-  backend "http" {
-    username       = "basic"
-    password       = "fake-secret"
-    address        = "http://localhost:8080/state/project1/example"
-    lock_address   = "http://localhost:8080/state/project1/example"
-    unlock_address = "http://localhost:8080/state/project1/example"
-  }
-}
-
 # hash of our code directory, used to trigger re-deploy
 # FIXME calculate separately to reduce false positives
 data "external" "hash" {

deployment/run/tf-single-host/run.sh

@@ -6,4 +6,4 @@ export TF_LOG=info
 
 cd "${tf_env}/deployment/run/tf-single-host"
 # parallelism=1: limit OOM risk
-tofu apply --auto-approve -parallelism=1
+tofu apply --auto-approve -lock=false -parallelism=1

deployment/run/tf-single-host/tf-env.nix

@@ -10,10 +10,10 @@ pkgs.stdenv.mkDerivation {
     toSource {
       root = ../../../.;
       # don't copy ignored files
-      fileset = gitTracked ../../../.;
+      fileset = intersection (gitTracked ../../../.) ../../../.;
     };
   buildInputs = [
-    (pkgs.callPackage ./tf.nix { inherit sources; })
+    (pkgs.callPackage ./tf.nix { })
     (pkgs.callPackage ../tf-setup.nix { inherit sources; })
   ];
   buildPhase = ''

deployment/run/tf-single-host/tf.nix

@@ -1,29 +1,11 @@
 # FIXME: use overlays so this gets imported just once?
 {
   pkgs,
-  sources ? import ../../../npins,
   ...
 }:
-# FIXME centralize overlays
+let
-# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
+  tf = pkgs.opentofu;
-(
+in
-  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
+tf.withPlugins (p: [
-  .overrideAttrs
+  p.external
-  (old: rec {
+])
-    patches = (old.patches or [ ]) ++ [
-      # TF with back-end poses a problem for nix: initialization involves both
-      # mutation (nix: only inside build) and a network call (nix: not inside build)
-      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
-    ];
-    # versions > 1.9.0 need go 1.24+
-    version = "1.9.0";
-    src = pkgs.fetchFromGitHub {
-      owner = "opentofu";
-      repo = "opentofu";
-      tag = "v${version}";
-      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
-    };
-    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
-  })
-).withPlugins
-  (p: [ p.external ])

npins/sources.json

@@ -180,19 +180,6 @@
       "url": "https://github.com/nixos/nixpkgs/archive/a1ae8ef72f64a845ecce5c6dcf65d546bf7deeb4.tar.gz",
       "hash": "0d7lp30wyy5647gpm8rnihvdcpmgmfr9c5yg4fhl31lsg8mlbg16"
     },
-    "nixpkgs-unstable": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "nixos",
-        "repo": "nixpkgs"
-      },
-      "branch": "nixpkgs-unstable",
-      "submodules": false,
-      "revision": "d7f52a7a640bc54c7bb414cca603835bf8dd4b10",
-      "url": "https://github.com/nixos/nixpkgs/archive/d7f52a7a640bc54c7bb414cca603835bf8dd4b10.tar.gz",
-      "hash": "0c9kjncpmbdx6gwww9fn81hyr3bngi4hg51g4n2q4808c321kf4j"
-    },
     "proxmox-nixos": {
       "type": "Git",
       "repository": {