ditch hermetic to simplify - still gets infinite recursion

launch/main.tf

@@ -109,24 +109,20 @@ module "deploy" {
   target_system = local.system
   NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"])
   deploy_environment = var.deploy_environment
-  hermetic = true
   config_pwd = path.root
   config = <<-EOT
-    let
+    {
       terraform = builtins.fromJSON ''${jsonencode({
         domain = var.domain
         hostname = each.value.hostname
         initialUser = var.initialUser
       })}'';
-    in
+      imports = [
-    import <nixpkgs/nixos/lib/eval-config.nix> {
+        ${path.root}/options.nix
-      system = "${local.system}";
-      specialArgs = { inherit terraform; };
-      modules = [
-        # ${path.root}/options.nix
         ${path.root}/shared.nix
         ${path.root}/${each.key}.nix
-        # (terraform)
+        # FIXME: get VM details from TF
+        ${path.root}./infra/test-machines/${each.value.hostname}
       ];
     }
   EOT

launch/options.nix

@@ -0,0 +1,53 @@
+{
+  lib,
+  ...
+}:
+let
+  inherit (lib) types mkOption;
+  inherit (types) str enum submodule;
+in
+{
+  options.terraform = {
+    domain = mkOption {
+      type = enum [
+        "fediversity.net"
+      ];
+      description = ''
+        Apex domain under which the services will be deployed.
+      '';
+      default = "fediversity.net";
+    };
+    hostname = mkOption {
+      type = str;
+      description = ''
+        Internal name of the host, e.g. test01
+      '';
+    };
+    initialUser = mkOption {
+      description = ''
+        Some services require an initial user to access them.
+        This option sets the credentials for such an initial user.
+      '';
+      type = submodule {
+        options = {
+          displayName = mkOption {
+            type = str;
+            description = "Display name of the user";
+          };
+          username = mkOption {
+            type = str;
+            description = "Username for login";
+          };
+          email = mkOption {
+            type = str;
+            description = "User's email address";
+          };
+          password = mkOption {
+            type = str;
+            description = "Password for login";
+          };
+        };
+      };
+    };
+  };
+}

launch/shared.nix

@@ -1,10 +1,10 @@
 {
   pkgs,
-  terraform,
+  config,
   ...
 }:
 let
-  inherit (terraform) hostname;
+  inherit (config.terraform) hostname domain initialUser;
 in
 {
   imports = [
@@ -12,17 +12,15 @@ in
     <agenix/modules/age.nix>
     ../services/fediversity
     ./resource.nix
-    # FIXME: get VM details from TF
-    ../infra/test-machines/${hostname}
   ];
   fediversityVm.name = hostname;
   fediversity = {
-    inherit (terraform) domain;
+    inherit domain;
     temp.initialUser = {
-      inherit (terraform.initialUser) username email displayName;
+      inherit (initialUser) username email displayName;
       # FIXME: disgusting, but nvm, this is going to be replaced by
       # proper central authentication at some point
-      passwordFile = pkgs.writeText "password" terraform.initialUser.password;
+      passwordFile = pkgs.writeText "password" initialUser.password;
     };
   };
 }