machines/nix/packages/bw-opentofu/default.nix


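{ pkgs, lib, ... }:
let
  opentofu = pkgs.khscodes.opentofu;

  # Bitwarden item name -> { ENV_VAR = "field or attribute on that item"; }.
  # Handed to lib.khscodes.mkBwEnv below as `items`, which (presumably) resolves
  # each field and exports it under the given environment variable before
  # running the wrapped executable.
  # TODO: We should figure out a way of passing the secrets map at runtime instead of build time.
  # for now this map just needs to include every secret we could need, which also makes the reading of secrets take way longer than
  # needed.
  secrets = {
    "KHS Openstack" = {
      TF_VAR_openstack_username = "login.username";
      TF_VAR_openstack_password = "login.password";
      TF_VAR_openstack_tenant_name = "Project Name";
      TF_VAR_openstack_auth_url = "Auth URL";
      TF_VAR_openstack_endpoint_type = "Interface";
      TF_VAR_openstack_region = "Region Name";
    };
    "Cloudflare" = {
      TF_VAR_cloudflare_token = "DNS API Token";
      TF_VAR_cloudflare_email = "login.username";
      AWS_ACCESS_KEY_ID = "BW Terraform access key id";
      AWS_SECRET_ACCESS_KEY = "BW Terraform secret access key";
    };
    "Hetzner Cloud" = {
      TF_VAR_hcloud_api_token = "Terraform API Token";
    };
  };

  # Wrapper that copies a generated OpenTofu JSON config into a per-host,
  # per-phase cache directory under the flake root and runs `init` + `apply`
  # there.
  #
  # Usage: bw-opentofu-wrapped <fqdn> <config-json-path> <phase>
  #
  # writeShellApplication already runs the script under `set -euo pipefail`
  # (and shellchecks it), so a missing argument would abort on its own, but
  # only with an opaque "unbound variable" error; the explicit checks below
  # give a usable message and, more importantly, stop `fqdn`/`phase` from
  # being used as path components that escape the cache directory.
  wrappedScript = pkgs.writeShellApplication {
    name = "bw-opentofu-wrapped";
    runtimeInputs = [
      pkgs.uutils-coreutils-noprefix
      pkgs.bitwarden-cli
      pkgs.khscodes.find-flake-root
      opentofu
    ];
    text = ''
      if [ "$#" -ne 3 ]; then
        echo "usage: bw-opentofu-wrapped <fqdn> <config> <phase>" >&2
        exit 64
      fi
      fqdn="$1"
      config="$2"
      phase="$3"

      # Both values become directory names below; reject empty values,
      # anything containing a path separator, and the "." / ".." entries.
      for part in "$fqdn" "$phase"; do
        case "$part" in
          ""|*/*|.|..)
            echo "invalid path component: '$part'" >&2
            exit 64
            ;;
        esac
      done

      if [ ! -r "$config" ]; then
        echo "config file not readable: $config" >&2
        exit 66
      fi

      flakeRoot="$(find-flake-root)"
      # NOTE(review): unless config.tf.json configures a remote backend, OpenTofu
      # keeps local state (which can contain provider secrets and resource
      # attributes) in this directory — confirm it is excluded from version
      # control.
      dir="$flakeRoot/.terraform-cache/$fqdn/$phase"
      mkdir -p "$dir"
      cat "$config" > "$dir/config.tf.json"
      tofu -chdir="$dir" init
      tofu -chdir="$dir" apply
    '';
  };
in
# Final derivation: the wrapper above, run with the Bitwarden-sourced
# environment variables from `secrets` injected by mkBwEnv.
lib.khscodes.mkBwEnv {
  inherit pkgs;
  name = "bw-opentofu";
  items = secrets;
  exe = lib.getExe wrappedScript;
}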