{
  pkgs,
  lib,
  sources,
  httpBackend,
}:
let
  # FIXME factor out
  toBash =
    v:
    lib.replaceStrings [ "\"" ] [ "\\\"" ] (
      if lib.isPath v || builtins.isNull v then
        toString v
      else if lib.isString v then
        v
      else
        lib.strings.toJSON v
    );
in
pkgs.writeScriptBin "setup" ''
  set -e
  # calculated pins
  echo '${lib.strings.toJSON sources}' > ./.npins.json
  # generate TF lock for nix's TF providers
  rm -rf .terraform/
  rm -f .terraform.lock.hcl
  # suppress warning on architecture-specific generated lock file:
  # `Warning: Incomplete lock file information for providers`.
  env TF_HTTP_RETRY_MAX=1 TF_HTTP_RETRY_WAIT_MIN=0 \
  ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
  tofu init -input=false 1>/dev/null
''