| -rw-r--r-- | .github/dependabot.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/deploy.yaml | 29 | ||||
| -rw-r--r-- | .gitignore | 5 | ||||
| -rw-r--r-- | .terraform.lock.hcl | 47 | ||||
| -rw-r--r-- | .terraformignore | 11 | ||||
| -rw-r--r-- | dev/checks.nix | 4 | ||||
| -rw-r--r-- | dev/shell.nix | 3 | ||||
| -rw-r--r-- | flake.nix | 2 | ||||
| -rw-r--r-- | justfile | 14 | ||||
| -rw-r--r-- | terranix/cloud.nix (renamed from tf/cloud.nix) | 0 | ||||
| -rw-r--r-- | terranix/cloudflare/default.nix (renamed from tf/cloudflare/default.nix) | 0 | ||||
| -rw-r--r-- | terranix/cloudflare/dns.nix (renamed from tf/cloudflare/dns.nix) | 0 | ||||
| -rw-r--r-- | terranix/cloudflare/ruleset.nix (renamed from tf/cloudflare/ruleset.nix) | 0 | ||||
| -rw-r--r-- | terranix/cloudflare/tunnels.nix (renamed from tf/cloudflare/tunnels.nix) | 0 | ||||
| -rw-r--r-- | terranix/default.nix (renamed from tf/default.nix) | 22 | ||||
| -rw-r--r-- | terranix/tailscale/acl.nix (renamed from tf/tailscale/acl.nix) | 0 | ||||
| -rw-r--r-- | terranix/tailscale/default.nix (renamed from tf/tailscale/default.nix) | 0 | ||||
| -rw-r--r-- | terranix/tailscale/devices.nix (renamed from tf/tailscale/devices.nix) | 0 | ||||
| -rw-r--r-- | terranix/tailscale/dns.nix (renamed from tf/tailscale/dns.nix) | 0 | ||||
| -rw-r--r-- | terranix/tailscale/tags.nix (renamed from tf/tailscale/tags.nix) | 0 | ||||
| -rw-r--r-- | terranix/vars.nix (renamed from tf/vars.nix) | 0 | ||||
| -rw-r--r-- | terranix/versions.nix | 15 | ||||
| -rw-r--r-- | tf/versions.nix | 13 |
23 files changed, 60 insertions, 111 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6baab68..1d662ce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,9 +6,3 @@ updates: interval: "weekly" commit-message: prefix: "actions" - - package-ecosystem: "terraform" - directory: "/" - schedule: - interval: "weekly" - commit-message: - prefix: "tf" diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index b43dff5..fbb54b4 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest concurrency: - group: deploy + group: nixos cancel-in-progress: true steps: @@ -54,8 +54,9 @@ jobs: name: Apply OpenTofu plan runs-on: ubuntu-latest + environment: terranix concurrency: - group: tofu + group: terranix cancel-in-progress: true steps: @@ -85,20 +86,12 @@ jobs: } EOF - - name: Generate configuration - run: nix run .#gen-tf - - - name: Init workspace - run: | - nix run --inputs-from . \ - nixpkgs#opentofu -- init - - - name: Validate plan - run: | - nix run --inputs-from . \ - nixpkgs#opentofu -- validate - - - name: Apply + - name: Apply configuration + env: + CLOUDFLARE_API_KEY: ${{ secrets.CLOUDFLARE_API_KEY }} + CLOUDFLARE_EMAIL: ${{ secrets.CLOUDFLARE_EMAIL }} + TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }} run: | - nix run --inputs-from . \ - nixpkgs#opentofu -- apply -auto-approve + nix develop .#terranix \ + --command bash -c \ + 'tofu init && tofu validate && tofu apply -auto-approve && just clean' @@ -9,6 +9,7 @@ repl-result-out* !.envrc !.env.template -# opentofu -.terraform/ +# terranix config.tf.json +.terraform/ +.terraform.* diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index 4b6a93c..0000000 --- a/.terraform.lock.hcl +++ /dev/null 
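Review bot: In .github/workflows/deploy.yaml, the new `Apply configuration` step exports all three provider secrets to the whole `nix develop` invocation, so the dev shell's `shellHook`, `tofu init`, `tofu validate` and `just clean` run with `CLOUDFLARE_API_KEY` and `TAILSCALE_API_KEY` in their environment, although presumably only `tofu apply` needs them. Splitting the step as sketched below limits the secrets to the apply command and restores per-step failure visibility. Because the commands are chained with `&&`, `just clean` is skipped whenever apply fails, so the cleanup is better placed in its own step with `if: always()`. `CLOUDFLARE_API_KEY` paired with `CLOUDFLARE_EMAIL` looks like the account-wide Global API Key; a scoped token passed as `CLOUDFLARE_API_TOKEN` would limit what a leaked CI secret can change. The job body continues outside this hunk, so whether the earlier credentials step is sufficient for `tofu init` should be confirmed.

```yaml
      - name: Init and validate
        run: |
          nix develop .#terranix \
            --command bash -c 'tofu init && tofu validate'

      - name: Apply configuration
        env:
          # … unchanged: CLOUDFLARE_API_KEY, CLOUDFLARE_EMAIL, TAILSCALE_API_KEY …
        run: |
          nix develop .#terranix \
            --command tofu apply -auto-approve

      - name: Clean up
        if: always()
        run: nix develop .#terranix --command just clean
```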
@@ -1,47 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/cloudflare/cloudflare" { - version = "4.20.0" - constraints = "~> 4.0" - hashes = [ - "h1:KH92fiFCIurqU/qxsafm3mdnZSiXpr3fq9eoiLKiogo=", - "zh:22b06f598d4dac4131f69ca1c1e1ea5fd02d25019ccc99566d4ae8bf78e3996a", - "zh:29a85cf96a04f217a548a5e91c4e8eddd52563ce48872c44a449b2ade3a21260", - "zh:2ce0e98181c5a6b65a8ac930b816b94124fd7aee0ec4c5109a0a9acd28c3cf7b", - "zh:564f6396cf85b37a6a101d202bcc9e54590dbef27217c089c9f32a144f0a2b03", - "zh:618e2c40bc87bef36f12de8ec039faf973861d55c47bd125890737fbcb91fbee", - "zh:6e624f21eea8eeb25a13d96516a62f8879fd21ea21f17c0e933bccbc96da438e", - "zh:81ab073984a20c0a9480d98bf306d7f70bd781217bbaa68abd4ca1caab75db7d", - "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", - "zh:9506a65591cc8cb0869f4023beb07ba6d02ddda073e17560867253d064cea308", - "zh:a4f9c859065ed8d626a479c68542153cd262d70551ae54bfe418092dc7e8d675", - "zh:a577841b5f33d556e2f1b2c453c78e7fa0c468edcad36b31d334f5671ce074cf", - "zh:ad17294bdfa79d117bda06cb21eb0a48f3785e45f2d4182a64f193466a34247a", - "zh:bb448bce29cb890b11fb48803d60367a34462bbe8954622e5424bedbcdf1477d", - "zh:e0749d864455a7b66953364371d715c94e44734cf8978a8c03ca2c73e212e88a", - "zh:e302c5222be4d5a1fcc59bff9e69c8f6dd7dff086b305af9b4fc9cbd2fd2c01c", - ] -} - -provider "registry.terraform.io/tailscale/tailscale" { - version = "0.13.13" - constraints = "0.13.13" - hashes = [ - "h1:Fh799APNn48Jj2D29gcHh+HwLcA7wfAVIfMdkWyMoWw=", - "zh:07ee590ab8b568d65d52b401d15639ab0c23bda05e7b90f445a4159d7f9cecf8", - "zh:1bf72d550904475fbfc211295277d6afe0f3d0c98b89db7f718e2182febb0cd0", - "zh:26ef6e6f3a42cf5783d7aa5e1774b2fb86e0b01742349d4a5dee1164015163d9", - "zh:29c28fb821f6910cec4df54215b7338e180e44c0218ad16c63a0a8ecbb6307ab", - "zh:337d7548b8aeeeb7d6cd874601b237bb1db149c642fec416f2cb93513ac37070", - 
"zh:529f4fb1f54b3091ba32319ea766bfb7d49b7fb113d71bc89703155d8a1d5bdc", - "zh:541fafbe0124ceda9cf619d8248f6c1e7d5a45210604356f7896d447666f06ab", - "zh:5e1a66df1b891780a8aef54522ef1017952ca4f25103633d51b81bbe4b56b56a", - "zh:acdd72771d4cc7bb5465ea5d3eed56d86ee2b0b83b74549e8cd6dc4153222ef7", - "zh:beedd644c2db69829ec3850cd1aa3953c8c822820df16d97cf0c5b4891c03a2d", - "zh:c17fe2e6fe06f104d5150278500419f471d5d3b061dcd5673a6f6c915cc1cec0", - "zh:cc5805ae3f7f2495f7cf81655227fb68e18fc02d7fcc16896b57758a0f8611ae", - "zh:f18db5c7bf6707a5d358243a7dddfc69adf9b39ba0630206af5da6d89813b205", - "zh:f88f5b1e4c015b20a1bdf696df94f57bdfa69171ac0de149a586f89b17166010", - ] -} diff --git a/.terraformignore b/.terraformignore deleted file mode 100644 index c70390f..0000000 --- a/.terraformignore +++ /dev/null @@ -1,11 +0,0 @@ -result* -repl-result-out* - -.pre-commit-config.yaml -.direnv/ -.env* -!.envrc -!.env.template - -.terraform/ -.git/ diff --git a/dev/checks.nix b/dev/checks.nix index 386e122..cf2b732 100644 --- a/dev/checks.nix +++ b/dev/checks.nix @@ -1,9 +1,9 @@ { - perSystem = {config, ...}: { + perSystem = {self', ...}: { pre-commit = { settings.hooks = { actionlint.enable = true; - ${config.formatter.pname}.enable = true; + ${self'.formatter.pname}.enable = true; deadnix.enable = true; nil.enable = true; statix.enable = true; diff --git a/dev/shell.nix b/dev/shell.nix index c0c9d20..b187c53 100644 --- a/dev/shell.nix +++ b/dev/shell.nix @@ -3,6 +3,7 @@ pkgs, config, inputs', + opentofu', ... }: { devShells = { @@ -23,7 +24,7 @@ fzf just jq - opentofu + opentofu' # see ../terranix/ ] ++ lib.optional stdenv.isLinux inputs'.agenix.packages.agenix; }; @@ -146,7 +146,7 @@ ./modules ./overlay ./systems - ./tf + ./terranix ./users ]; @@ -33,13 +33,6 @@ build: check: nix flake check -clean: - rm -rf \ - result* \ - repl-result-out* \ - config.tf.json \ - .terraform/ - [linux] [macos] dry-run: 
@@ -66,3 +59,10 @@ update-input input: --update-input {{ input }} \ --commit-lock-file \ --commit-lockfile-summary "flake: update {{ input }}" + +clean: + rm -rf \ + result* \ + repl-result-out* \ + config.tf.json \ + .terraform* diff --git a/tf/cloud.nix b/terranix/cloud.nix index 5ee0113..5ee0113 100644 --- a/tf/cloud.nix +++ b/terranix/cloud.nix diff --git a/tf/cloudflare/default.nix b/terranix/cloudflare/default.nix index 80e8e39..80e8e39 100644 --- a/tf/cloudflare/default.nix +++ b/terranix/cloudflare/default.nix diff --git a/tf/cloudflare/dns.nix b/terranix/cloudflare/dns.nix index 9618019..9618019 100644 --- a/tf/cloudflare/dns.nix +++ b/terranix/cloudflare/dns.nix diff --git a/tf/cloudflare/ruleset.nix b/terranix/cloudflare/ruleset.nix index 1be98aa..1be98aa 100644 --- a/tf/cloudflare/ruleset.nix +++ b/terranix/cloudflare/ruleset.nix diff --git a/tf/cloudflare/tunnels.nix b/terranix/cloudflare/tunnels.nix index bea9811..bea9811 100644 --- a/tf/cloudflare/tunnels.nix +++ b/terranix/cloudflare/tunnels.nix diff --git a/tf/default.nix b/terranix/default.nix index 0112339..aa499a3 100644 --- a/tf/default.nix +++ b/terranix/default.nix @@ -3,9 +3,11 @@ lib, pkgs, system, + self', + opentofu', ... }: let - tfConfig = inputs.terranix.lib.terranixConfiguration { + terranixConfig = inputs.terranix.lib.terranixConfiguration { inherit system; modules = [ ./cloudflare @@ -16,7 +18,13 @@ ]; }; in { - apps.gen-tf = { + _module.args.opentofu' = pkgs.opentofu.withPlugins (plugins: + with plugins; [ + cloudflare + tailscale + ]); + + apps.gen-terranix = { type = "app"; program = pkgs.writeShellApplication { @@ -25,9 +33,17 @@ text = '' config_file="config.tf.json" [ -e "$config_file" ] && rm -f "$config_file" - cp ${tfConfig} "$config_file" + cp ${terranixConfig} "$config_file" ''; }; }; + + devShells.terranix = pkgs.mkShell { + shellHook = '' + ${self'.apps.gen-terranix.program} + ''; + + packages = [pkgs.just opentofu']; + }; }; } 
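Review bot: The relocated `clean` recipe widens `.terraform/` to `.terraform*`, which under `rm -rf` also removes any other dotfile with that prefix in the working directory, not only the generated directory and lock file. The .gitignore hunk in this commit uses the narrower pair `.terraform/` and `.terraform.*`. Listing the same two patterns here, `.terraform/ \` followed by `.terraform.*`, keeps the two files consistent and the deletion bounded to what OpenTofu generates.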
diff --git a/tf/tailscale/acl.nix b/terranix/tailscale/acl.nix index d27d3e1..d27d3e1 100644 --- a/tf/tailscale/acl.nix +++ b/terranix/tailscale/acl.nix diff --git a/tf/tailscale/default.nix b/terranix/tailscale/default.nix index 2225fd5..2225fd5 100644 --- a/tf/tailscale/default.nix +++ b/terranix/tailscale/default.nix diff --git a/tf/tailscale/devices.nix b/terranix/tailscale/devices.nix index 44ee3f1..44ee3f1 100644 --- a/tf/tailscale/devices.nix +++ b/terranix/tailscale/devices.nix diff --git a/tf/tailscale/dns.nix b/terranix/tailscale/dns.nix index 320a24b..320a24b 100644 --- a/tf/tailscale/dns.nix +++ b/terranix/tailscale/dns.nix diff --git a/tf/tailscale/tags.nix b/terranix/tailscale/tags.nix index c519a25..c519a25 100644 --- a/tf/tailscale/tags.nix +++ b/terranix/tailscale/tags.nix diff --git a/tf/vars.nix b/terranix/vars.nix index 2f640c2..2f640c2 100644 --- a/tf/vars.nix +++ b/terranix/vars.nix diff --git a/terranix/versions.nix b/terranix/versions.nix new file mode 100644 index 0000000..53bb5c6 --- /dev/null +++ b/terranix/versions.nix @@ -0,0 +1,15 @@ +{lib, ...}: { + terraform.required_providers = let + registry = "registry.terraform.io"; + + fmtSource = _: value: + lib.recursiveUpdate value { + source = "${registry}/${value.source}"; + }; + in + lib.mapAttrs fmtSource { + cloudflare.source = "cloudflare/cloudflare"; + + tailscale.source = "tailscale/tailscale"; + }; +} diff --git a/tf/versions.nix b/tf/versions.nix deleted file mode 100644 index d4b6713..0000000 --- a/tf/versions.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - terraform.required_providers = { - cloudflare = { - source = "registry.terraform.io/cloudflare/cloudflare"; - version = "~> 4"; - }; - - tailscale = { - source = "registry.terraform.io/tailscale/tailscale"; - version = "0.13.13"; - }; - }; -} |
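Review bot: The new terranix/versions.nix declares only `source` for each provider, so the `~> 4` and `0.13.13` constraints from the deleted tf/versions.nix are dropped. The same commit deletes `.terraform.lock.hcl`, ignores `.terraform.*` and removes the Dependabot `terraform` entry. Provider versions then appear to be fixed only by the nixpkgs revision behind `pkgs.opentofu.withPlugins`, so a flake input update could move a provider across a major version and the workflow would apply the result with `-auto-approve`. Since `fmtSource` merges with `lib.recursiveUpdate`, a `version` attribute survives the mapping; writing `cloudflare = { source = "cloudflare/cloudflare"; version = "~> 4"; };` (and likewise for tailscale) would make `tofu init` fail instead of silently switching versions. A one-line comment above `fmtSource`, such as `# prefix each provider source with the registry host`, would also document the helper.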
