diff --git a/deployment/data-model-test.nix b/deployment/data-model-test.nix
index 2bb5de55..24d5cd6c 100644
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@@ -68,24 +68,26 @@ in
                         default = false;
                       };
                     };
-                    config.resource-type = types.raw; # TODO: splice out the user type from NixOS
-                    config.apply =
-                      requests:
-                      let
-                        # Filter out requests that need wheel if policy doesn't allow it
-                        validRequests = lib.filterAttrs (
-                          _name: req: !req.login-shell.wheel || config.wheel
-                        ) requests.resources;
-                      in
-                      lib.optionalAttrs (validRequests != { }) {
-                        ${config.username} = {
-                          isNormalUser = true;
-                          packages =
-                            with lib;
-                            attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests);
-                          extraGroups = lib.optional config.wheel "wheel";
+                    config = {
+                      resource-type = types.raw; # TODO: splice out the user type from NixOS
+                      apply =
+                        requests:
+                        let
+                          # Filter out requests that need wheel if policy doesn't allow it
+                          validRequests = lib.filterAttrs (
+                            _name: req: !req.login-shell.wheel || config.wheel
+                          ) requests.resources;
+                        in
+                        lib.optionalAttrs (validRequests != { }) {
+                          ${config.username} = {
+                            isNormalUser = true;
+                            packages =
+                              with lib;
+                              attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests);
+                            extraGroups = lib.optional config.wheel "wheel";
+                          };
                         };
-                      };
+                    };
                   };
               };
               applications.hello =
@@ -151,7 +153,7 @@ in
           }
         );
         resources = fediversity.applications.hello.resources fediversity.example-configuration.applications.hello;
-        hello-shell = (resources).resources.hello.login-shell;
+        hello-shell = resources.resources.hello.login-shell;
         environment = fediversity.environments.single-nixos-vm.resources.operator-environment.login-shell;
         result = mkDeployment {
           modules = [
@@ -160,7 +162,7 @@ in
         };
 
       in
-      rec {
+      {
         number-of-resources = with lib; length (attrNames fediversity.resources);
         inherit (fediversity) example-configuration;
         hello-package-exists = hello-shell.packages ? hello;
@@ -172,7 +174,7 @@ in
           in
           {
             inherit (operator) isNormalUser;
-            packages = with lib; map (p: "${p.pname}") operator.packages;
+            packages = map (p: "${p.pname}") operator.packages;
             extraGroups = operator.extraGroups;
           };
         deployment = {
diff --git a/deployment/data-model.nix b/deployment/data-model.nix
index f005084b..abe37e5e 100644
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@@ -73,7 +73,7 @@ in
                       # and then also rename this to be consistent with the application's resource mapping
                       options.apply = mkOption {
                         description = "Apply the policy to a request";
-                        type = with types; functionTo policy.config.resource-type;
+                        type = functionTo policy.config.resource-type;
                       };
                     })
                   ];