# FIXME: use overlays so this gets imported just once?
{
  pkgs,
}:
# FIXME centralize overlays
# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849
let
  sources = import ../../../npins;
  mkProvider =
    args:
    pkgs.terraform-providers.mkProvider (
      { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args
    );
in
(
  (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { })
  .overrideAttrs
  (old: rec {
    patches = (old.patches or [ ]) ++ [
      # TF with back-end poses a problem for nix: initialization involves both
      # mutation (nix: only inside build) and a network call (nix: not inside build)
      ../../check/data-model-tf/02-opentofu-sandboxed-init.patch
    ];
    # versions > 1.9.0 need go 1.24+
    version = "1.9.0";
    src = pkgs.fetchFromGitHub {
      owner = "opentofu";
      repo = "opentofu";
      tag = "v${version}";
      hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4=";
    };
    vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do=";
  })
).withPlugins
  (p: [
    # p.external
    # p.null
    (mkProvider {
      owner = "e-breuninger";
      repo = "terraform-provider-netbox";
      rev = "v5.0.0";
      spdx = "MPL-2.0";
      # hash = null;
      hash = "sha256-iCaCt8ZbkxCk43QEyj3PeHYuKPCPVU2oQ78aumH/l6k=";
      vendorHash = "sha256-Q3H/6mpkWn1Gw0NRMtKtkBRGHjPJZGBFdGwfalyQ4Z0=";
      homepage = "https://registry.terraform.io/providers/e-breuninger/netbox";
      provider-source-address = "registry.opentofu.org/e-breuninger/netbox";
    })
  ])