forked from Fediversity/Fediversity
WIP: more type-safe policy application
This commit is contained in:
parent
0f7da57392
commit
243ef4425b
2 changed files with 29 additions and 21 deletions
|
@ -82,23 +82,21 @@ in
|
|||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
apply = mkOption {
|
||||
type = with types; functionTo raw; # TODO: splice out the user type from NixOS
|
||||
default =
|
||||
requests:
|
||||
let
|
||||
# Filter out requests that need wheel if policy doesn't allow it
|
||||
validRequests = lib.filterAttrs (_name: req: !req.wheel || config.wheel) requests;
|
||||
in
|
||||
lib.optionalAttrs (validRequests != { }) {
|
||||
${config.username} = {
|
||||
isNormalUser = true;
|
||||
packages = with lib; concatMapAttrs (_name: request: attrValues request.packages) validRequests;
|
||||
extraGroups = lib.optional config.wheel "wheel";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
config.resource-type = types.any; # TODO: splice out the user type from NixOS
|
||||
config.apply =
|
||||
requests:
|
||||
let
|
||||
# Filter out requests that need wheel if policy doesn't allow it
|
||||
validRequests = lib.filterAttrs (_name: req: !req.wheel || config.wheel) requests;
|
||||
in
|
||||
lib.optionalAttrs (validRequests != { }) {
|
||||
${config.username} = {
|
||||
isNormalUser = true;
|
||||
packages = with lib; concatMapAttrs (_name: request: attrValues request.packages) validRequests;
|
||||
extraGroups = lib.optional config.wheel "wheel";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
applications.hello =
|
||||
|
@ -164,8 +162,7 @@ in
|
|||
{
|
||||
inherit (fediversity) example-deployment;
|
||||
};
|
||||
expected =
|
||||
{
|
||||
};
|
||||
expected = {
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -53,12 +53,23 @@ in
|
|||
description = "Options for configuring the resource policy for the hosting provider, a description of how the resource is made available";
|
||||
type = deferredModuleWith {
|
||||
staticModules = [
|
||||
{
|
||||
(policy: {
|
||||
_class = "fediversity-resource-policy";
|
||||
# TODO(@fricklerhandwerk): not sure it can be made
|
||||
# sensible syntactically, but essentially we want to
|
||||
# ensure that `apply` is defined, but since its output
|
||||
# depends on the specific policy we also need to
|
||||
# determine that somehow.
|
||||
# hopefully this also helps with correct composition down the line.
|
||||
options.resource-type = mkOption {
|
||||
description = "The type of resource this policy configures";
|
||||
type = types.optionType;
|
||||
};
|
||||
options.apply = mkOption {
|
||||
description = "Apply the policy to a request";
|
||||
type = with types; functionTo policy.config.resource-type;
|
||||
};
|
||||
}
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Add table
Reference in a new issue