infra/machines/fedi201/fedipanel.nix

@@ -1,5 +1,6 @@
 {
   config,
+  lib,
   ...
 }:
 let
@@ -54,10 +55,12 @@ in
         CSRF_TRUSTED_ORIGINS = [ "https://${cfg.domain}" ];
         COMPRESS_OFFLINE = true;
         LIBSASS_OUTPUT_STYLE = "compressed";
-        ENV_VARS = {
-          ssh_private_key_file = config.age.secrets.panel-ssh-key.path;
-        };
       };
+    environment = {
+      TF_VARS = lib.strings.toJSON {
+        ssh_private_key_file = config.age.secrets.panel-ssh-key.path;
+      };
+    };
     secrets = {
       SECRET_KEY = config.age.secrets.panel-secret-key.path;
     };

panel/env.nix

@@ -13,4 +13,5 @@
     pkgs.gnugrep # used in terraform-nixos
     (import ../launch/tf.nix { inherit lib pkgs; })
   ];
+  TF_VARS = lib.strings.toJSON { };
 }

panel/src/panel/settings.py

@@ -14,6 +14,7 @@ import re
 import sys
 import subprocess
 import os
+import json
 import importlib.util
 import dj_database_url
 
@@ -257,3 +258,6 @@ bin_path=env['BIN_PATH']
 # path of the root flake to trigger nixops from, see #94.
 # to deploy this should be specified, for dev just use a relative path.
 repo_dir = env["REPO_DIR"]
+
+ENV_VARS = json.loads(env["TF_VARS"]) | {
+}