{ lib, ... }:
{
  perSystem =
    { pkgs, ... }:
    let
      mkTfWrapper =
        {
          tfPlugins,
          cfg,
        }:
        let
          pkg = pkgs.opentofu.withPlugins tfPlugins;
        in
        {
          type = "app";
          program = toString (
            pkgs.writers.writeBash "tf" ''
              set -xeuo pipefail
              ln -snf ${cfg} config.tf.json
              exec ${lib.getExe pkg} "$@"
            ''
          );
        };
    in
    {
      apps = {
        tf = mkTfWrapper {
          cfg = pkgs.adminTerraformCfg;
          tfPlugins = p: [
            p.cloudflare
            p.digitalocean
            p.external
            p.google
            p.keycloak
            p.null
            p.random
            p.secret
          ];
        };
      };
    };
}