WIP: more type-safe policy application

2025-07-22 12:28:00 +02:00 · 2025-07-22 12:28:00 +02:00 · 243ef4425b
commit 243ef4425b
parent 0f7da57392
2 changed files with 29 additions and 21 deletions
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@ -82,23 +82,21 @@ in
                        type = types.bool;
                        default = false;
                      };
-                      apply = mkOption {
-                        type = with types; functionTo raw; # TODO: splice out the user type from NixOS
-                        default =
-                          requests:
-                          let
-                            # Filter out requests that need wheel if policy doesn't allow it
-                            validRequests = lib.filterAttrs (_name: req: !req.wheel || config.wheel) requests;
-                          in
-                          lib.optionalAttrs (validRequests != { }) {
-                            ${config.username} = {
-                              isNormalUser = true;
-                              packages = with lib; concatMapAttrs (_name: request: attrValues request.packages) validRequests;
-                              extraGroups = lib.optional config.wheel "wheel";
-                            };
-                          };
-                      };
                    };
+                    config.resource-type = types.any; # TODO: splice out the user type from NixOS
+                    config.apply =
+                      requests:
+                      let
+                        # Filter out requests that need wheel if policy doesn't allow it
+                        validRequests = lib.filterAttrs (_name: req: !req.wheel || config.wheel) requests;
+                      in
+                      lib.optionalAttrs (validRequests != { }) {
+                        ${config.username} = {
+                          isNormalUser = true;
+                          packages = with lib; concatMapAttrs (_name: request: attrValues request.packages) validRequests;
+                          extraGroups = lib.optional config.wheel "wheel";
+                        };
+                      };
                  };
              };
              applications.hello =
@ -164,8 +162,7 @@ in
      {
        inherit (fediversity) example-deployment;
      };
-    expected =
-      {
-      };
+    expected = {
+    };
  };
 }
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@ -53,12 +53,23 @@ in
                description = "Options for configuring the resource policy for the hosting provider, a description of how the resource is made available";
                type = deferredModuleWith {
                  staticModules = [
-                    {
+                    (policy: {
                      _class = "fediversity-resource-policy";
+                      # TODO(@fricklerhandwerk): not sure it can be made
+                      # sensible syntactically, but essentially we want to
+                      # ensure that `apply` is defined, but since its output
+                      # depends on the specific policy we also need to
+                      # determine that somehow.
+                      # hopefully this also helps with correct composition down the line.
+                      options.resource-type = mkOption {
+                        description = "The type of resource this policy configures";
+                        type = types.optionType;
+                      };
                      options.apply = mkOption {
                        description = "Apply the policy to a request";
+                        type = with types; functionTo policy.config.resource-type;
                      };
-                    }
+                    })
                  ];
                };
              };