.envrc

@@ -1 +1,3 @@
-use flake
+source_url "https://raw.githubusercontent.com/cachix/devenv/790c4230a547243a01435fc8c5292cd54abaec74/direnvrc" "sha256-YBzqskFZxmNb3kYVoKD9ZixoPXJh1C9ZvTLGFRkauZ0="
+
+use devenv

.github/workflows/build.yml

@@ -11,69 +11,81 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
+  check:
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-24.11-small
+      - name: Install devenv
+        run: |
+          nix profile install --accept-flake-config nixpkgs#devenv
+          devenv version
+      - name: Run tests
+        run: devenv test
+
+  build:
     strategy:
       matrix:
-        # INFO: This is only a workaround to avoid timeout issues with the CI;
-        # whether it becomes a definitive solution or not will require a
-        # separate discussion with Oscar.
-        cycle:
-          - "all-1.7"
-          - "all-1.6"
-          - "all-1.5"
-          - "all-1.4"
-          - "all-1.3"
-          - "all-1.2"
-          - "all-1.1"
-          - "all-1.0"
+        os:
+          - macos-13      # x86_64-darwin
+          - macos-latest  # aarch64-darwin
+          - ubuntu-latest # x86_64-linux
       fail-fast: false
+    runs-on: ${{ matrix.os }}
+    needs: [check]
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v25
+        uses: cachix/install-nix-action@v31
       - name: Setup Cachix
-        uses: cachix/cachix-action@v14
+        uses: cachix/cachix-action@v15
         with:
           name: nixpkgs-terraform
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipPush: false
+          skipPush: true
       - name: Build packages
         run: |
           if grep -q authToken ~/.config/cachix/cachix.dhall; then
             echo "Cachix token is present"
-            cachix watch-exec nixpkgs-terraform nix -- build .#\"${{ matrix.cycle }}\" --impure
+            cachix watch-exec nixpkgs-terraform nix -- flake check --max-jobs 2
           else
             echo "Cachix token is not present"
-            nix build .#\"${{ matrix.cycle }}\" --impure
+            nix flake check --max-jobs 2
           fi
-        env:
-          NIXPKGS_ALLOW_UNFREE: 1
 
   template:
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 8
     needs: [build]
     strategy:
       matrix:
-        template: [default, devenv]
+        template:
+          - name: config
+            test: nix flake metadata
+          - name: default
+            test: nix develop --accept-flake-config --impure -c terraform --version
+          - name: devenv
+            test: nix develop --accept-flake-config --impure -c terraform --version
+          - name: terranix
+            test: nix develop --accept-flake-config --impure -c terraform --version
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@v25
+        uses: cachix/install-nix-action@v31
       - name: Replace inputs on templates
         run: sed -i 's/github:stackbuilders\/nixpkgs-terraform/github:stackbuilders\/nixpkgs-terraform\/${{ github.sha }}/g' templates/*/flake.nix
       - name: Create a temporary directory
         run: echo "tmpdir=$(mktemp -d)" >> "$GITHUB_OUTPUT"
         id: mktemp
       - name: Scaffold a new project
-        run: nix flake init -t ${{ github.workspace }}#${{ matrix.template }}
+        run: nix flake init -t ${{ github.workspace }}#${{ matrix.template.name }}
         working-directory: ${{ steps.mktemp.outputs.tmpdir }}
-      - name: Run smoke test
-        run: nix develop --accept-flake-config --impure -c terraform --version
+      - name: Run test
+        run: ${{ matrix.template.test }}
         working-directory: ${{ steps.mktemp.outputs.tmpdir }}
-        env:
-          NIXPKGS_ALLOW_UNFREE: 1

.github/workflows/publish.yml

@@ -21,17 +21,19 @@ jobs:
         with:
           ref: ${{ github.ref_name }}
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v9
+        uses: cachix/install-nix-action@v31
       - name: Publish flake
-        uses: DeterminateSystems/flakehub-push@v3
+        uses: DeterminateSystems/flakehub-push@v5
         with:
           tag: ${{ github.ref_name }}
           visibility: public
 
+  # INFO: The following fork updates the Nix version used by the action to fix
+  # the "lastModified" issue. https://flakehub.com/docs/faq#err-last-modified
   flakestry:
     runs-on: ubuntu-latest
     steps:
       - name: Publish flake
-        uses: flakestry/flakestry-publish@645c2ab3c99b97f5f1abc383370ae5e72c9e7d9b
+        uses: stackbuilders/flakestry-publish@update_install_nix_action
         with:
           version: ${{ github.ref_name }}

.github/workflows/release.yml

@@ -18,12 +18,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v9
-      - name: Install tools via Nix
-        run: nix develop --check
-      - name: Install dependencies
-        run: nix develop -c npm ci
+        uses: cachix/install-nix-action@v31
+      - name: Setup Cachix
+        uses: cachix/cachix-action@v15
+        with:
+          name: devenv
+      - name: Install devenv
+        run: nix-env -if https://install.devenv.sh/latest
       - name: Run semantic-release
-        run: nix develop -c npx semantic-release
+        run: devenv shell semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}

.github/workflows/update.yml

@@ -2,42 +2,51 @@
 name: Update
 
 on:
+  workflow_dispatch:
   schedule:
-    - cron: "0 0 * * 0"
+    - cron: "0 0 * * *"
 
 concurrency:
   group: update
   cancel-in-progress: true
 
 jobs:
   update:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           ref: main
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v9
-      - name: Install tools via Nix
-        run: nix develop --impure --check
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-24.11-small
+      - name: Install devenv
+        run: |
+          nix profile install --accept-flake-config nixpkgs#devenv
+          devenv version
       - name: Update versions
-        run: nix develop --impure --command python3 update-versions.py
+        run: |
+          devenv shell -- go run . update-versions \
+            --versions ../versions.json \
+            --vendor-hash ../vendor-hash.nix
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+          CLI_GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+        working-directory: cli
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           author: GitHub <noreply@github.com>
           commit-message: Update Terraform versions
-          title: Update Terraform versions
+          title: "feat: Update Terraform versions"
           body: |
             Automatically created pull-request to update Terraform versions.
 
-            This is the result of running:
+            This is the result of configuring a CLI_GITHUB_TOKEN in `.env` and running:
 
             ```
-            env GITHUB_TOKEN=<token> nix develop --impure --command python3 update-versions.py
+            cli update-versions
             ```
           delete-branch: true
           reviewers: |

.gitignore

@@ -1,5 +1,5 @@
+.devenv*
 .direnv
-.env
-node_modules
+.pre-commit-config.yaml
 result
 templates/*/flake.lock

README.md

@@ -6,13 +6,18 @@
 [![Publish](https://github.com/stackbuilders/nixpkgs-terraform/actions/workflows/publish.yml/badge.svg)](https://github.com/stackbuilders/nixpkgs-terraform/actions/workflows/publish.yml)
 
 [![FlakeHub](https://img.shields.io/endpoint?url=https://flakehub.com/f/stackbuilders/nixpkgs-terraform/badge)](https://flakehub.com/flake/stackbuilders/nixpkgs-terraform)
-[![flakestry.dev](https://flakestry.dev/api/badge/flake/github/stackbuilders/nixpkgs-terraform)](https://flakestry.dev/flake/github/stackbuilders/nixpkgs-terraform)
+[![flakestry.dev](https://flakestry.dev/api/badge/flake/github/stackbuilders/nixpkgs-terraform)](https://flakestry.dev/flake/github/stackbuilders/nixpkgs-terraform/)
 
 This [flake](https://nixos.wiki/wiki/Flakes) exposes a collection of Terraform
-[versions](versions.json) as Nix packages, starting with version 1.0.0. The
+[versions](versions.json) as Nix packages, starting with version `1.0.0`. The
 packages provided can be used for creating reproducible development
 environments using a [nix-shell] or [devenv](https://devenv.sh).
 
+**Note:** Starting with version `4.0`, this project enables `allowUnfree` by
+default in order to build Terraform versions with a [BSL
+license][license-change]; however, this flag can be disabled via a
+configuration flake; see [here](templates/config) for more details.
+
 ## How it works
 
 This flake provides a set of Terraform versions in the form of:
@@ -21,6 +26,11 @@ This flake provides a set of Terraform versions in the form of:
 nixpkgs-terraform.packages.${system}.${version}
 ```
 
+Where `version` is a specific `X.Y.Z` version or an alias `X.Y` pointing to the
+latest patch version within the same cycle, for example, `1.5` points to
+`1.5.7`. The [versions.json](./versions.json) file contains a complete list of
+all the available versions and aliases.
+
 Terraform versions are kept up to date via a weekly scheduled [CI
 workflow](.github/workflows/update.yml).
 
@@ -62,6 +72,12 @@ nixConfig = {
 };
 ```
 
+Currently, the binary cache supports the following systems:
+
+- aarch64-darwin
+- x86_64-darwin
+- x86_64-linux
+
 ## Usage
 
 After configuring the inputs from the [Install](#install) section, a common use
@@ -76,14 +92,15 @@ outputs = { self, flake-utils, nixpkgs-terraform, nixpkgs }:
   flake-utils.lib.eachDefaultSystem (system:
     let
       pkgs = nixpkgs.legacyPackages.${system};
-      terraform = nixpkgs-terraform.packages.${system}."1.6.3";
+      terraform = nixpkgs-terraform.packages.${system}."X.Y.Z";
     in
     {
       devShells.default = pkgs.mkShell {
         buildInputs = [ terraform ];
       };
     });
 ```
+where `X.Y.Z` is one of the supported versions in the `versions.json` file.
 
 #### As an overlay
 
@@ -98,10 +115,11 @@ outputs = { self, flake-utils, nixpkgs-terraform, nixpkgs }:
     in
     {
       devShells.default = pkgs.mkShell {
-        buildInputs = [ pkgs.terraform-versions."1.6.3" ];
+        buildInputs = [ pkgs.terraform-versions."X.Y.Z" ];
       };
     });
 ```
+where `X.Y.Z` is one of the supported versions in the `versions.json` file.
 
 Start a new [nix-shell] with Terraform in scope by running the following
 command:
@@ -110,10 +128,9 @@ command:
 env NIXPKGS_ALLOW_UNFREE=1 nix develop --impure
 ```
 
-**Note:** Due to Hashicorp’s most recent [license
-change](https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license),
-the `NIXPKGS_ALLOW_UNFREE` flag is required for Terraform versions `>= 1.6.0`,
-`nix develop` should work out of the box for older versions.
+**Note:** Due to Hashicorp’s most recent [license change][license-change] the
+`NIXPKGS_ALLOW_UNFREE` flag is required for Terraform versions `>= 1.6.0`, `nix
+develop` should work out of the box for older versions.
 
 ### Templates
 
@@ -122,6 +139,7 @@ This flake provides the following templates:
 - [default](templates/default) - Simple nix-shell with Terraform installed via
   nixpkgs-terraform.
 - [devenv](templates/devenv) - Using nixpkgs-terraform with devenv.
+- [terranix](templates/terranix) - Using nixpkgs-terraform with terranix.
 
 Run the following command to scaffold a new project using a template:
 
@@ -159,10 +177,10 @@ to make it easier for maintainers to release new changes.
 
 ---
 
-<img src="https://www.stackbuilders.com/media/images/Sb-supports.original.png"
-alt="Stack Builders" width="50%"></img>  
+<img src="https://cdn.stackbuilders.com/media/images/Sb-supports.original.png" alt="Stack Builders" width="50%"></img>
 [Check out our libraries](https://github.com/stackbuilders/) | [Join our
 team](https://www.stackbuilders.com/join-us/)
 
+[license-change]: https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
 [nix-shell]: https://nixos.wiki/wiki/Development_environment_with_nix-shell
 [semantic-release]: https://semantic-release.gitbook.io/semantic-release/

cli/.env.example

@@ -0,0 +1 @@
+CLI_GITHUB_TOKEN=

cli/.envrc

@@ -0,0 +1,3 @@
+source_url "https://raw.githubusercontent.com/cachix/devenv/790c4230a547243a01435fc8c5292cd54abaec74/direnvrc" "sha256-YBzqskFZxmNb3kYVoKD9ZixoPXJh1C9ZvTLGFRkauZ0="
+
+use devenv

cli/.gitignore

@@ -0,0 +1,2 @@
+.env
+cli

cli/README.md

@@ -0,0 +1,37 @@
+# CLI
+
+A set of tools for maintainers.
+
+## Requirements
+
+Install [devenv](https://devenv.sh/getting-started/)
+
+## Usage
+
+Change working directory:
+
+```
+cd cli
+```
+
+Spawn a [nix-shell]:
+
+```
+devenv shell
+```
+
+Compile code:
+
+```
+go build
+```
+
+Update versions file:
+
+```
+go run . update-versions \
+  --versions ../versions.json \
+  --vendor-hash ../vendor-hash.nix
+```
+
+[nix-shell]: https://nixos.wiki/wiki/Development_environment_with_nix-shell

cli/cmd/root.go

@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "cli",
+	Short: "A set of tools for maintainers",
+	Long:  "A set of tools for maintainers",
+}
+
+func Execute() {
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}
+
+func init() {}

cli/cmd/updateVersions.go

@@ -0,0 +1,249 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/google/go-github/v62/github"
+	"github.com/spf13/cobra"
+)
+
+var owner string
+var repo string
+var vendorHashPath string
+var versionsPath string
+var minVersionStr string
+var maxVersionStr string
+
+type Versions struct {
+	Releases map[semver.Version]Release `json:"releases"`
+	Latest   map[Alias]semver.Version   `json:"latest"`
+}
+
+type Release struct {
+	Hash       string `json:"hash"`
+	VendorHash string `json:"vendorHash"`
+}
+
+type Alias struct {
+	semver.Version
+}
+
+func (a Alias) MarshalText() ([]byte, error) {
+	return []byte(fmt.Sprintf("%d.%d", a.Major(), a.Minor())), nil
+}
+
+var updateVersionsCmd = &cobra.Command{
+	Use:   "update-versions",
+	Short: "Update versions file",
+	Long:  "Look up the most recent Terraform releases and calculate the needed hashes for new versions",
+	Run: func(cmd *cobra.Command, args []string) {
+		token := os.Getenv("CLI_GITHUB_TOKEN")
+		if token == "" {
+			log.Fatal("Environment variable CLI_GITHUB_TOKEN is missing")
+		}
+
+		versionsPath, err := filepath.Abs(versionsPath)
+		if err != nil {
+			log.Fatal("File versions.json not found: ", err)
+		}
+
+		vendorHashPath, err := filepath.Abs(vendorHashPath)
+		if err != nil {
+			log.Fatal("File vendor-hash.nix not found: ", err)
+		}
+
+		minVersion, err := semver.NewVersion(minVersionStr)
+		if err != nil {
+			log.Fatal("Invalid min-version: ", err)
+		}
+
+		var maxVersion *semver.Version
+		if maxVersionStr != "" {
+			maxVersion, err = semver.NewVersion(maxVersionStr)
+			if err != nil {
+				log.Fatal("Invalid max-version: ", err)
+			}
+		}
+
+		err = updateVersions(token, versionsPath, vendorHashPath, minVersion, maxVersion)
+		if err != nil {
+			log.Fatal("Unable to update versions: ", err)
+		}
+	},
+}
+
+func updateVersions(token string, versionsPath string, vendorHashPath string, minVersion *semver.Version, maxVersion *semver.Version) error {
+	nixPrefetchPath, err := exec.LookPath("nix-prefetch")
+	if err != nil {
+		return fmt.Errorf("nix-prefetch not found: %w", err)
+	}
+
+	nixBinaryPath, err := exec.LookPath("nix")
+	if err != nil {
+		return fmt.Errorf("nix not found: %w", err)
+	}
+
+	versions, err := readVersions(versionsPath)
+	if err != nil {
+		return err
+	}
+
+	err = withReleases(token, func(release *github.RepositoryRelease) error {
+		tagName := release.GetTagName()
+		version, err := semver.NewVersion(strings.TrimLeft(tagName, "v"))
+		if err != nil {
+			return err
+		}
+		if version.Compare(minVersion) >= 0 && (maxVersion == nil || version.Compare(maxVersion) <= 0) && version.Prerelease() == "" {
+			if _, ok := versions.Releases[*version]; ok {
+				log.Printf("Version %s found in file\n", version)
+			} else {
+				log.Printf("Computing hashes for %s\n", version)
+				hash, err := computeHash(nixBinaryPath, tagName)
+				if err != nil {
+					return fmt.Errorf("Unable to compute hash: %w", err)
+				}
+				log.Printf("Computed hash: %s\n", hash)
+				vendorHash, err := computeVendorHash(nixPrefetchPath, vendorHashPath, version, hash)
+				if err != nil {
+					return fmt.Errorf("Unable to compute vendor hash: %w", err)
+				}
+				log.Printf("Computed vendor hash: %s\n", vendorHash)
+				versions.Releases[*version] = Release{Hash: hash, VendorHash: vendorHash}
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	versions.Latest = make(map[Alias]semver.Version)
+	for version := range versions.Releases {
+		alias := Alias{*semver.New(version.Major(), version.Minor(), 0, "", "")}
+		if latest, ok := versions.Latest[alias]; !ok || version.Compare(&latest) > 0 {
+			versions.Latest[alias] = version
+		}
+	}
+
+	content, err := json.MarshalIndent(versions, "", "  ")
+	if err != nil {
+		log.Fatal("Unable to marshall versions: ", err)
+	}
+
+	err = os.WriteFile(versionsPath, content, 0644)
+	if err != nil {
+		log.Fatal("Unable to write file: ", err)
+	}
+
+	return nil
+}
+
+func readVersions(versionsPath string) (*Versions, error) {
+	content, err := os.ReadFile(versionsPath)
+	if err != nil {
+		return nil, err
+	}
+	var versions *Versions
+	err = json.Unmarshal(content, &versions)
+	if err != nil {
+		return nil, err
+	}
+	return versions, nil
+}
+
+func withReleases(token string, f func(release *github.RepositoryRelease) error) error {
+	client := github.NewClient(nil).WithAuthToken(token)
+	opt := &github.ListOptions{Page: 1}
+	for {
+		releases, resp, err := client.Repositories.ListReleases(context.Background(), owner, repo, opt)
+		if err != nil {
+			return err
+		}
+		for _, release := range releases {
+			err = f(release)
+			if err != nil {
+				return err
+			}
+		}
+		if resp.NextPage == 0 {
+			break
+		}
+		opt.Page = resp.NextPage
+	}
+	return nil
+}
+
+func computeHash(nixBinaryPath string, tagName string) (string, error) {
+	cmd := exec.Command(
+		nixBinaryPath, "flake", "prefetch",
+		"--extra-experimental-features", "nix-command flakes",
+		"--json", fmt.Sprintf("github:%s/%s/%s", owner, repo, tagName),
+	)
+
+	// Redirect stderr to the standard logger
+	cmd.Stderr = log.Writer()
+
+	// Get the output
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("command execution failed: %w", err)
+	}
+
+	// Parse JSON output to get hash
+	var result struct {
+		Hash string `json:"hash"`
+	}
+	if err := json.Unmarshal(output, &result); err != nil {
+		return "", fmt.Errorf("failed to parse JSON output: %w", err)
+	}
+
+	return result.Hash, nil
+}
+
+func computeVendorHash(nixPrefetchPath string, vendorHashFile string, version *semver.Version, hash string) (string, error) {
+	vendorHash, err := runNixPrefetch(
+		nixPrefetchPath,
+		"--file",
+		vendorHashFile,
+		"--argstr",
+		"version",
+		version.String(),
+		"--argstr",
+		"hash",
+		hash)
+	if err != nil {
+		return "", err
+	}
+	return vendorHash, nil
+}
+
+func runNixPrefetch(nixPrefetchPath string, extraArgs ...string) (string, error) {
+	args := append([]string{"--option", "extra-experimental-features", "flakes"}, extraArgs...)
+	cmd := exec.Command(nixPrefetchPath, args...)
+	cmd.Stderr = log.Writer()
+	output, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimRight(string(output), "\n"), nil
+}
+
+func init() {
+	rootCmd.AddCommand(updateVersionsCmd)
+
+	updateVersionsCmd.Flags().StringVarP(&owner, "owner", "", "hashicorp", "The owner name of the repository on GitHub")
+	updateVersionsCmd.Flags().StringVarP(&repo, "repo", "", "terraform", "The repository name on GitHub")
+	updateVersionsCmd.Flags().StringVarP(&vendorHashPath, "vendor-hash", "", "vendor-hash.nix", "Nix file required to compute vendorHash")
+	updateVersionsCmd.Flags().StringVarP(&versionsPath, "versions", "", "versions.json", "The file to be updated")
+	updateVersionsCmd.Flags().StringVarP(&minVersionStr, "min-version", "", "1.0.0", "Min release version")
+	updateVersionsCmd.Flags().StringVarP(&maxVersionStr, "max-version", "", "", "Max release version")
+}

cli/devenv.lock

@@ -0,0 +1,103 @@
+{
+  "nodes": {
+    "devenv": {
+      "locked": {
+        "dir": "src/modules",
+        "lastModified": 1739444039,
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "1235cd13f47df6ad19c8a183c6eabc1facb7c399",
+        "type": "github"
+      },
+      "original": {
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737465171,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1739461644,
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "97a719c9f0a07923c957cf51b20b329f9fb9d43f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devenv": "devenv",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ]
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

cli/devenv.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+  dotenv.enable = true;
+
+  packages = [
+    pkgs.cobra-cli
+    pkgs.nix-prefetch
+  ];
+
+  languages.go.enable = true;
+}

cli/devenv.yaml

@@ -0,0 +1,3 @@
+inputs:
+  nixpkgs:
+    url: github:nixos/nixpkgs/nixos-24.11-small

cli/go.mod

@@ -0,0 +1,15 @@
+module github.com/stackbuilders/nixpkgs-terraform/cli
+
+go 1.22.1
+
+require (
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/google/go-github/v62 v62.0.0
+	github.com/spf13/cobra v1.8.1
+)
+
+require (
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+)

cli/go.sum

@@ -0,0 +1,20 @@
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
+github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v62 v62.0.0 h1:/6mGCaRywZz9MuHyw9gD1CwsbmBX8GWsbFkwMmHdhl4=
+github.com/google/go-github/v62 v62.0.0/go.mod h1:EMxeUqGJq2xRu9DYBMwel/mr7kZrzUOfQmmpYrZn2a4=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

cli/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "github.com/stackbuilders/nixpkgs-terraform/cli/cmd"
+
+func main() {
+	cmd.Execute()
+}

devenv.lock

@@ -0,0 +1,103 @@
+{
+  "nodes": {
+    "devenv": {
+      "locked": {
+        "dir": "src/modules",
+        "lastModified": 1739444039,
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "1235cd13f47df6ad19c8a183c6eabc1facb7c399",
+        "type": "github"
+      },
+      "original": {
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737465171,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1739461644,
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "97a719c9f0a07923c957cf51b20b329f9fb9d43f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devenv": "devenv",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ]
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

devenv.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+  packages = [
+    pkgs.semantic-release
+  ];
+
+  pre-commit.hooks.nixpkgs-fmt.enable = true;
+}

devenv.yaml

@@ -0,0 +1,3 @@
+inputs:
+  nixpkgs:
+    url: github:nixos/nixpkgs/nixos-24.11-small

flake.nix

@@ -2,79 +2,91 @@
   description = "A collection of Terraform versions that are automatically updated";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-
-    systems.url = "github:nix-systems/default";
+    config.url = "github:stackbuilders/nixpkgs-terraform?dir=templates/config";
     flake-parts.url = "github:hercules-ci/flake-parts";
+    nixpkgs-1_0.url = "github:nixos/nixpkgs/41de143fda10e33be0f47eab2bfe08a50f234267"; # nixos-23.05
+    nixpkgs-1_6.url = "github:nixos/nixpkgs/d6b3ddd253c578a7ab98f8011e59990f21dc3932"; # nixos-24.05
+    nixpkgs-1_9.url = "github:nixos/nixpkgs/af51545ec9a44eadf3fe3547610a5cdd882bc34e"; # nixpkgs-unstable
+    systems.url = "github:nix-systems/default";
   };
 
-  outputs = { self, flake-parts, ... }@inputs: flake-parts.lib.mkFlake { inherit inputs; } {
-    imports = [
-      inputs.flake-parts.flakeModules.easyOverlay
-    ];
-    systems = import inputs.systems;
+  outputs = inputs@{ self, ... }: inputs.flake-parts.lib.mkFlake
+    { inherit inputs; }
+    {
+      imports = [
+        inputs.flake-parts.flakeModules.easyOverlay
+      ];
 
-    perSystem = { config, pkgs, pkgs-unstable, system, ... }: {
-      _module.args = {
-        pkgs-unstable = inputs.nixpkgs-unstable.legacyPackages.${system};
-      };
+      systems = import inputs.systems;
 
-      packages =
+      perSystem = { config, pkgs-1_0, pkgs-1_6, pkgs-1_9, system, ... }:
         let
-          versions = import ./lib/packages.nix { inherit pkgs pkgs-unstable; custom-lib = self.lib; };
-          linkPackagesByCycle = versionsPerCycle: builtins.mapAttrs
-            (cycle: cycleVersions: pkgs.symlinkJoin {
-              name = "terraform-all-${cycle}";
-              paths = builtins.map (version: versions.${version}) cycleVersions;
-            })
-            versionsPerCycle;
-          groupVersionsByCycle = versions: builtins.groupBy
-            (version:
-              let
-                splittedVersion = builtins.splitVersion version;
-              in
-              "all-" + (builtins.concatStringsSep "." [
-                (builtins.elemAt splittedVersion 0)
-                (builtins.elemAt splittedVersion 1)
-              ])
-            )
-            (builtins.attrNames versions);
-          cycles = linkPackagesByCycle (groupVersionsByCycle versions);
+          flakeConfig = import inputs.config;
         in
-        versions // cycles;
+        {
+          _module.args = {
+            pkgs-1_0 = import inputs.nixpkgs-1_0 {
+              inherit system;
+            };
+            pkgs-1_6 = import inputs.nixpkgs-1_6 {
+              inherit system;
+              config = flakeConfig.nixpkgs-unstable;
+            };
+            pkgs-1_9 = import inputs.nixpkgs-1_9 {
+              inherit system;
+              config = flakeConfig.nixpkgs-unstable;
+            };
+          };
 
-      overlayAttrs = {
-        terraform-versions = config.packages;
-      };
+          checks = config.packages;
 
-      devShells.default = pkgs.mkShell {
-        buildInputs = [
-          pkgs-unstable.black
-          (pkgs-unstable.python3.withPackages (ps: [
-            ps.pygithub
-            ps.semver
-          ]))
-          pkgs-unstable.nix-prefetch
-          pkgs.nodejs
-          pkgs.rubyPackages.dotenv
-        ];
-      };
-    };
+          packages =
+            let
+              filteredVersions =
+                let
+                  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+                  allowUnfree = flakeConfig.nixpkgs-unstable.allowUnfree;
+                  versionLessThan1_6 = version: builtins.compareVersions version "1.6.0" < 0;
+                in
+                {
+                  releases = pkgs-1_9.lib.filterAttrs (version: _: allowUnfree || versionLessThan1_6 version) versions.releases;
+                  latest = pkgs-1_9.lib.filterAttrs (_: version: allowUnfree || versionLessThan1_6 version) versions.latest;
+                };
+              releases = import ./lib/releases.nix {
+                inherit pkgs-1_0 pkgs-1_6 pkgs-1_9; custom-lib = self.lib;
+                releases = filteredVersions.releases;
+                silenceWarnings = flakeConfig.nixpkgs-terraform.silenceWarnings;
+              };
+              latestVersions = builtins.mapAttrs (_cycle: version: releases.${version}) filteredVersions.latest;
+            in
+            releases // latestVersions;
 
-    flake = {
-      templates = {
-        default = {
-          description = "Simple nix-shell with Terraform installed via nixpkgs-terraform";
-          path = ./templates/default;
+          overlayAttrs = {
+            terraform-versions = config.packages;
+          };
         };
-        devenv = {
-          description = "Using nixpkgs-terraform with devenv";
-          path = ./templates/devenv;
+
+      flake = {
+        templates = {
+          config = {
+            description = "Template use to override nixpkgs-terraform default configuration";
+            path = ./templates/config;
+          };
+          default = {
+            description = "Simple nix-shell with Terraform installed via nixpkgs-terraform";
+            path = ./templates/default;
+          };
+          devenv = {
+            description = "Using nixpkgs-terraform with devenv";
+            path = ./templates/devenv;
+          };
+          terranix = {
+            description = "Using nixpkgs-terraform with terranix";
+            path = ./templates/terranix;
+          };
         };
-      };
 
-      lib = import ./lib;
+        lib = import ./lib;
+      };
     };
-  };
 }

lib/build-terraform.nix

@@ -1,15 +1,22 @@
-{ pkgs, pkgs-unstable, version, hash, vendorHash }:
+{ pkgs-1_0, pkgs-1_6, pkgs-1_9, version, hash, vendorHash, silenceWarnings ? false }:
 # https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
-if builtins.compareVersions version "1.6.0" >= 0
+if builtins.compareVersions version "1.9.0" >= 0
 then
-# https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/applications/networking/cluster/terraform/default.nix
-  (pkgs-unstable.mkTerraform {
+  (pkgs-1_9.lib.warnIf (! silenceWarnings) ("allowUnfree is enabled to build version " + version) pkgs-1_9.mkTerraform
+  {
+    inherit version hash vendorHash;
+    patches = [ ../patches/provider-path-1_9.patch ];
+  })
+else if builtins.compareVersions version "1.6.0" >= 0
+then
+  (pkgs-1_6.lib.warnIf (! silenceWarnings) ("allowUnfree is enabled to build version " + version) pkgs-1_6.mkTerraform
+  {
     inherit version hash vendorHash;
     patches = [ ../patches/provider-path-0_15.patch ];
   })
 else
 # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/applications/networking/cluster/terraform/default.nix
-  (pkgs.mkTerraform {
+  (pkgs-1_0.mkTerraform {
     inherit version hash vendorHash;
     patches = [ ../patches/provider-path-0_15.patch ];
   })

lib/releases.nix

@@ -0,0 +1,6 @@
+{ custom-lib, pkgs-1_0, pkgs-1_6, pkgs-1_9, releases, silenceWarnings }:
+builtins.mapAttrs
+  (version: { hash, vendorHash }: custom-lib.buildTerraform {
+    inherit pkgs-1_0 pkgs-1_6 pkgs-1_9 version hash vendorHash silenceWarnings;
+  })
+  releases

patches/provider-path-1_9.patch

@@ -0,0 +1,23 @@
+diff -Naur terraform.old/internal/command/init.go terraform.new/internal/command/init.go
+--- terraform.old/internal/command/init.go
++++ terraform.new/internal/command/init.go
+@@ -7,6 +7,7 @@
+ 	"context"
+ 	"errors"
+ 	"fmt"
++	"os"
+ 	"log"
+ 	"reflect"
+ 	"sort"
+@@ -77,6 +78,11 @@
+ 	// -force-copy implies -migrate-state
+ 	if c.forceInitCopy {
+ 		c.migrateState = true
++	}
++
++	val, ok := os.LookupEnv("NIX_TERRAFORM_PLUGIN_DIR")
++	if ok {
++		initArgs.PluginPath = append(initArgs.PluginPath, val)
+ 	}
+
+ 	if len(initArgs.PluginPath) > 0 {

templates/config/README.md

@@ -0,0 +1,61 @@
+# nixpkgs-terraform - config
+
+This flake stores the default configuration for `nixpkgs-terraform`.
+
+## Usage
+
+To override the default configuration, create a new flake project and follow
+the steps described below:
+
+Create an empty directory:
+
+```sh
+mkdir config
+```
+
+Scaffold a new flake project using the `config` template:
+
+```sh
+cd config
+nix flake init -t github:stackbuilders/nixpkgs-terraform#config
+```
+
+After modifying the default configuration in the `default.nix` file, create a
+new input for the configuration flake and override the `config` input for
+`nixpkgs-terraform` as follows:
+
+```nix
+inputs = {
+  nixpkgs-terraform-config.url = "./config";
+  nixpkgs-terraform.url = "github:stackbuilders/nixpkgs-terraform";
+  nixpkgs-terraform.inputs.config.follows = "nixpkgs-terraform-config";
+};
+```
+
+The relative path `./config` provided in the example above could be replaced
+with a full path or a git URL; look at the [URL-like
+syntax](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake.html#url-like-syntax)
+for more details.
+
+## Overview
+
+The following section provides an overview of all the available options
+supported by `nixpkgs-terraform`.
+
+### `nixpkgs-unstable.allowUnfree` (default `true`)
+
+Control whether Terraform versions after the [HashiCorp license
+change](https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license)
+are available or not; if set to `true`, all free and non-free versions are
+available; otherwise, only free versions are available.
+
+### `nixpkgs-terraform.silenceWarnings` (default `true`)
+
+Starting with version `4.0`, the flag `allowUnfree` is enabled by default; to
+notify users of this change, a warning message is printed whenever a non-free
+package is evaluated. If set to `true`, the warning message is silence.
+
+## References
+
+This configuration flake has the same structure as
+[nix-systems/default](https://github.com/nix-systems/default).

templates/config/default.nix

@@ -0,0 +1,4 @@
+{
+  nixpkgs-unstable.allowUnfree = true;
+  nixpkgs-terraform.silenceWarnings = false;
+}

templates/config/flake.nix

@@ -0,0 +1,5 @@
+{
+  description = "Template use to override nixpkgs-terraform default configuration";
+
+  outputs = _: { };
+}

templates/default/flake.nix

@@ -1,24 +1,30 @@
 {
   inputs = {
-    flake-utils.url = "github:numtide/flake-utils";
     nixpkgs-terraform.url = "github:stackbuilders/nixpkgs-terraform";
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    systems.url = "github:nix-systems/default";
   };
 
   nixConfig = {
     extra-substituters = "https://nixpkgs-terraform.cachix.org";
     extra-trusted-public-keys = "nixpkgs-terraform.cachix.org-1:8Sit092rIdAVENA3ZVeH9hzSiqI/jng6JiCrQ1Dmusw=";
   };
 
-  outputs = { self, flake-utils, nixpkgs-terraform, nixpkgs }:
-    flake-utils.lib.eachDefaultSystem (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system};
-        terraform = nixpkgs-terraform.packages.${system}."1.7.2";
-      in
-      {
-        devShells.default = pkgs.mkShell {
-          buildInputs = [ terraform ];
-        };
-      });
+  outputs = { self, nixpkgs-terraform, nixpkgs, systems }:
+    let
+      forEachSystem = nixpkgs.lib.genAttrs (import systems);
+    in
+    {
+      devShells = forEachSystem
+        (system:
+          let
+            pkgs = nixpkgs.legacyPackages.${system};
+            terraform = nixpkgs-terraform.packages.${system}."1.8.1";
+          in
+          {
+            default = pkgs.mkShell {
+              buildInputs = [ terraform ];
+            };
+          });
+    };
 }

templates/devenv/flake.nix

@@ -1,31 +1,36 @@
 {
   inputs = {
     devenv.url = "github:cachix/devenv";
-    flake-utils.url = "github:numtide/flake-utils";
     nixpkgs-terraform.url = "github:stackbuilders/nixpkgs-terraform";
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    systems.url = "github:nix-systems/default";
   };
 
   nixConfig = {
     extra-substituters = "https://nixpkgs-terraform.cachix.org";
     extra-trusted-public-keys = "nixpkgs-terraform.cachix.org-1:8Sit092rIdAVENA3ZVeH9hzSiqI/jng6JiCrQ1Dmusw=";
   };
 
-  outputs = inputs@{ self, devenv, flake-utils, nixpkgs-terraform, nixpkgs }:
-    flake-utils.lib.eachDefaultSystem (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system};
-        terraform = nixpkgs-terraform.packages.${system}."1.7.2";
-      in
-      {
-        devShells.default = devenv.lib.mkShell {
-          inherit inputs pkgs;
-          modules = [
-            ({ pkgs, config, ... }: {
-              languages.terraform.enable = true;
-              languages.terraform.package = terraform;
-            })
-          ];
-        };
-      });
+  outputs = inputs@{ self, devenv, nixpkgs-terraform, nixpkgs, systems }:
+    let
+      forEachSystem = nixpkgs.lib.genAttrs (import systems);
+    in
+    {
+      devShells = forEachSystem
+        (system:
+          let
+            pkgs = nixpkgs.legacyPackages.${system};
+          in
+          {
+            default = devenv.lib.mkShell {
+              inherit inputs pkgs;
+              modules = [
+                ({ pkgs, config, ... }: {
+                  languages.terraform.enable = true;
+                  languages.terraform.version = "1.9";
+                })
+              ];
+            };
+          });
+    };
 }

templates/terranix/config.nix

@@ -0,0 +1,17 @@
+# Example config.nix from https://terranix.org/documentation/getting-started.html, 
+# Make sure to update it with your own resources before applying.
+{ ... }:
+{
+  resource.hcloud_server.nginx = {
+    name = "terranix.nginx";
+    image = "debian-10";
+    server_type = "cx11";
+    backups = false;
+  };
+  resource.hcloud_server.test = {
+    name = "terranix.test";
+    image = "debian-9";
+    server_type = "cx11";
+    backups = true;
+  };
+}

templates/terranix/flake.nix

@@ -0,0 +1,37 @@
+{
+  inputs = {
+    nixpkgs-terraform.url = "github:stackbuilders/nixpkgs-terraform";
+    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    systems.url = "github:nix-systems/default";
+    terranix.url = "github:terranix/terranix";
+  };
+
+  nixConfig = {
+    extra-substituters = "https://nixpkgs-terraform.cachix.org";
+    extra-trusted-public-keys = "nixpkgs-terraform.cachix.org-1:8Sit092rIdAVENA3ZVeH9hzSiqI/jng6JiCrQ1Dmusw=";
+  };
+
+  outputs = { self, nixpkgs-terraform, nixpkgs, systems, terranix }:
+    let
+      forEachSystem = nixpkgs.lib.genAttrs (import systems);
+    in
+    {
+      packages = forEachSystem (system: {
+        default = terranix.lib.terranixConfiguration {
+          inherit system;
+          modules = [ ./config.nix ];
+        };
+      });
+      devShells = forEachSystem
+        (system:
+          let
+            pkgs = nixpkgs.legacyPackages.${system};
+            terraform = nixpkgs-terraform.packages.${system}."1.9";
+          in
+          {
+            default = pkgs.mkShell {
+              buildInputs = [ terraform pkgs.terranix ];
+            };
+          });
+    };
+}

vendor-hash.nix

@@ -3,11 +3,12 @@ let
   flake = builtins.getFlake (toString ./.);
   system = builtins.currentSystem;
 
-  pkgs = flake.inputs.nixpkgs.legacyPackages.${system};
-  pkgs-unstable = flake.inputs.nixpkgs-unstable.legacyPackages.${system};
+  pkgs-1_0 = flake.inputs.nixpkgs-1_0.legacyPackages.${system};
+  pkgs-1_6 = flake.inputs.nixpkgs-1_6.legacyPackages.${system};
+  pkgs-1_9 = flake.inputs.nixpkgs-1_9.legacyPackages.${system};
 
   terraform = flake.lib.buildTerraform {
-    inherit pkgs pkgs-unstable version hash;
+    inherit pkgs-1_0 pkgs-1_6 pkgs-1_9 version hash;
     vendorHash = sha256;
   };
 in