From 312ca7a48bc2693c6ac65d80bc1d24df0083f733 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 25 Jul 2025 12:46:37 +0200
Subject: [PATCH] fix resource mapping for the shell application
---
 deployment/data-model-test.nix | 45 ++++++++++++++++++++++++----------
 deployment/data-model.nix | 1 +
 2 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/deployment/data-model-test.nix b/deployment/data-model-test.nix
index 5b0c4d29..e7af5932 100644
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@@ -43,11 +43,9 @@ in
 extra-config = mkOption {
 description = "Any options from NixOS";
 };
- apply = mkOption {
- type = with types; functionTo raw;
- default = requests: lib.mkMerge (requests ++ [ config.extra-config ]);
- };
 };
+ config.resource-type = types.raw; # TODO: what's the type of a NixOS configuration?
+ config.apply = requests: lib.mkMerge (requests ++ [ config.extra-config ]);
 };
 };
 resources.login-shell = {
@@ -83,17 +81,21 @@ in
 default = false;
 };
 };
- config.resource-type = types.any; # TODO: splice out the user type from NixOS
+ config.resource-type = types.raw; # TODO: splice out the user type from NixOS
 config.apply =
 requests:
 let
 # Filter out requests that need wheel if policy doesn't allow it
- validRequests = lib.filterAttrs (_name: req: !req.wheel || config.wheel) requests;
+ validRequests = lib.filterAttrs (
+ _name: req: !req.login-shell.wheel || config.wheel
+ ) requests.resources;
 in
 lib.optionalAttrs (validRequests != { }) {
 ${config.username} = {
 isNormalUser = true;
- packages = with lib; concatMapAttrs (_name: request: attrValues request.packages) validRequests;
+ packages =
+ with lib;
+ attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests);
 extraGroups = lib.optional config.wheel "wheel";
 };
 };
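Review bot: The new `config.apply` on the nixos policy still treats `requests` as a list (`requests ++ [ config.extra-config ]`), whereas the login-shell policy in the next hunk now reads `requests.resources` and filters it as an attribute set; if both `apply` functions receive the same request shape (as the test's `environment.apply resources` suggests), the `++` here fails on a non-list. Normalising both policies on the `requests.resources` shape, collecting the per-resource nixos fragments into the list that `lib.mkMerge` expects, would keep the two `apply` functions consistent — hedged, since the nixos-side request layout is not visible in this patch. The `types.raw` resource-type also means nothing validates the merged NixOS configuration, which the TODO on that line could say explicitly: `# TODO: types.raw skips all checking; find the real NixOS configuration type`. The enclosing `resources.nixos`-style policy block starts before this hunk.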
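Review bot: `req.login-shell.wheel` in the new `filterAttrs` predicate and `request.login-shell.packages` in `packages` assume every entry of `requests.resources` carries a `login-shell` attribute; a resource that only requests another policy (the nixos one defined in the previous hunk, for instance) would make evaluation throw rather than be ignored, so the predicate should guard with `_name: req: req ? login-shell && (!req.login-shell.wheel || config.wheel)` and the packages mapping should run over the same filtered set. A second, least-privilege point on the unchanged `extraGroups = lib.optional config.wheel "wheel";` line: wheel is granted whenever the policy permits it, even if no surviving request asked for it; `extraGroups = lib.optional (config.wheel && lib.any (r: r.login-shell.wheel) (lib.attrValues validRequests)) "wheel";` would grant it only on demand. Requests denied by the wheel filter are dropped silently, which is the safe (fail-closed) direction, but a `lib.warn` naming the dropped request would make the policy decision visible at evaluation time. The enclosing `resources.login-shell = {` block starts before this hunk.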
@@ -118,7 +120,7 @@ in
 environments.single-nixos-vm =
 { config, ... }:
 {
- resources.shell.login-shell.username = "operator";
+ resources.operator-environment.login-shell.username = "operator";
 implementation = requests: {
 input = requests;
 output =
@@ -161,14 +163,25 @@ in
 };
 }
 );
+ resources = fediversity.applications.hello.resources fediversity.example-configuration.applications.hello;
+ hello-shell = (resources).resources.hello.login-shell;
+ environment = fediversity.environments.single-nixos-vm.resources.operator-environment.login-shell;
 in
 rec {
 number-of-resources = with lib; length (attrNames fediversity.resources);
 inherit (fediversity) example-configuration;
- hello-package-exists =
- (fediversity.applications.hello.resources example-configuration.applications.hello)
- .resources.hello.login-shell.packages ? hello;
- inherit (fediversity) example-deployment;
+ hello-package-exists = hello-shell.packages ? hello;
+ wheel-required = hello-shell.wheel;
+ wheel-allowed = environment.wheel;
+ operator-shell =
+ let
+ operator = (environment.apply resources).operator;
+ in
+ {
+ inherit (operator) isNormalUser;
+ packages = with lib; map (p: "${p.pname}") operator.packages;
+ extraGroups = operator.extraGroups;
+ };
 };
 expected = {
 number-of-resources = 2;
@@ -177,7 +190,13 @@ in
 applications.hello.enable = true;
 };
 hello-package-exists = true;
- example-deployment = { };
+ wheel-required = false;
+ wheel-allowed = false;
+ operator-shell = {
+ isNormalUser = true;
+ packages = [ "hello" ];
+ extraGroups = [ ];
+ };
 };
 };
 }
diff --git a/deployment/data-model.nix b/deployment/data-model.nix
index d3361f16..cb82346a 100644
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
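Review bot: `packages = with lib; map (p: "${p.pname}") operator.packages;` wraps `p.pname` in a string interpolation that does nothing, and `pname` is not guaranteed on every derivation; `packages = map lib.getName operator.packages;` is the robust form and drops the `with lib;` scope. Smaller style nits in the same hunk: `(resources).resources.hello.login-shell` has redundant parentheses around `resources`, and `extraGroups = operator.extraGroups;` could join the `inherit (operator) isNormalUser;` line as `inherit (operator) isNormalUser extraGroups;`. The `let` binding that introduces `resources`, `hello-shell` and `environment` starts before this hunk.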
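Review bot: With `wheel-required = false;` and `wheel-allowed = false;` both expected, the deny branch of the wheel filter (a request needs wheel while the policy forbids it) and the `extraGroups = [ "wheel" ]` grant path are never exercised, so the policy decision the login-shell `apply` exists to make has no test. A second case in the same shape, where the hello resource requests wheel against an environment with `wheel = false`, should assert that `environment.apply resources == { }` — note that `.operator` cannot be read in that case, since `lib.optionalAttrs` yields an empty set. A third case with `wheel = true` on both sides would pin `extraGroups = [ "wheel" ]`.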
@@ -74,6 +74,7 @@ in
 description = "The type of resource this policy configures";
 type = types.optionType;
 };
+ # TODO(@fricklerhandwerk): do we need a function type here as well, or is it in the way?
 options.apply = mkOption {
 description = "Apply the policy to a request";
 type = with types; functionTo policy.config.resource-type;
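Review bot: The added TODO sits above `type = with types; functionTo policy.config.resource-type;`, and it is worth recording there that this type only constrains the return value as far as `resource-type` does; with both policies in data-model-test.nix now setting `resource-type = types.raw`, `apply` may return anything and the contract is enforced only by the tests. A one-line extension of the comment would capture that: `# NOTE: the return value is checked only as strictly as resource-type; with types.raw it is unchecked`. The `options.apply` declaration continues past the end of this hunk.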