From 64905f0b1c9f19b3142ee964f64e901768f42ba3 Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Tue, 26 Aug 2025 23:31:48 +0200 Subject: [PATCH] restore data model with { resources } wrappers, this time working --- deployment/check/data-model/deployment.nix | 20 ++++++++++++-------- deployment/data-model-test.nix | 22 +++++++++++++--------- deployment/data-model.nix | 19 +++++++++++-------- 3 files changed, 36 insertions(+), 25 deletions(-) diff --git a/deployment/check/data-model/deployment.nix b/deployment/check/data-model/deployment.nix index 76abe204..36f9013b 100644 --- a/deployment/check/data-model/deployment.nix +++ b/deployment/check/data-model/deployment.nix @@ -66,7 +66,9 @@ let requests: let # Filter out requests that need wheel if policy doesn't allow it - validRequests = lib.filterAttrs (_name: req: !req.login-shell.wheel || config.wheel) requests; + validRequests = lib.filterAttrs ( + _name: req: !req.login-shell.wheel || config.wheel + ) requests.resources; in lib.optionalAttrs (validRequests != { }) { ${config.username} = { @@ -91,8 +93,8 @@ let }; implementation = cfg: { input = cfg; - output = lib.optionalAttrs cfg.enable { - "my".login-shell.packages.hello = pkgs.hello; + output.resources = lib.optionalAttrs cfg.enable { + hello.login-shell.packages.hello = pkgs.hello; }; }; }; @@ -123,11 +125,13 @@ let else null; - users.users = environment.config.resources."operator-environment".login-shell.apply ( - lib.filterAttrs (_name: value: value ? login-shell) ( - lib.concatMapAttrs (k': lib.mapAttrs' (k: v: lib.nameValuePair "${k'}.${k}" v)) requests - ) - ); + users.users = environment.config.resources."operator-environment".login-shell.apply { + resources = lib.filterAttrs (_name: value: value ? login-shell) ( + lib.concatMapAttrs ( + k': req: lib.mapAttrs' (k: lib.nameValuePair "${k'}.${k}") req.resources + ) requests + ); + }; }; }; }; diff --git a/deployment/data-model-test.nix b/deployment/data-model-test.nix index 69a4408c..d72baf11 100644 
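Review bot: In the `@@ -66,7 +66,9 @@` hunk of `deployment/check/data-model/deployment.nix`, `validRequests` discards every request that asks for `wheel` when `config.wheel` is false without leaving any trace, so a refused privilege request is invisible at evaluation time. Denying is the right default, but I would surface it, for example with `dropped = lib.attrNames (removeAttrs requests.resources (lib.attrNames validRequests));` and `lib.warnIf (dropped != [ ]) "login-shell policy: wheel not permitted, ignoring ${toString dropped}"` wrapped around the result. The predicate also reads `req.login-shell.wheel` unguarded, which holds only because the caller in the `@@ -123` hunk pre-filters on `value ? login-shell`; a comment such as `# precondition: every entry of requests.resources carries a login-shell tag` would record that. The same applies to the identical hunk at `@@ -73,7 +73,9 @@` in `deployment/data-model-test.nix`. The body of `apply` continues outside the hunk.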
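Review bot: The flattened key `"${k'}.${k}"` in the `users.users` expression of the `@@ -123,11 +125,13 @@` hunk is not unique if an outer or inner name contains a dot (`a.b` + `c` and `a` + `b.c` both give `a.b.c`). `lib.concatMapAttrs` merges such duplicates silently, so one request would shadow another before the policy's wheel filter sees it. If names are meant never to contain a dot, state it next to the expression, e.g. `# keys are "<outer>.<inner>"; names are assumed not to contain "."`, or assert it. The `{ resources = … }` argument is also assembled by hand, and as far as the patch shows `apply` is typed only as `functionTo policy.config.resource-type`, so nothing validates its shape against `application-resources`. The same expression is repeated at `@@ -123,11 +125,13 @@` in `deployment/data-model-test.nix`.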
--- a/deployment/data-model-test.nix +++ b/deployment/data-model-test.nix @@ -73,7 +73,9 @@ in requests: let # Filter out requests that need wheel if policy doesn't allow it - validRequests = lib.filterAttrs (_name: req: !req.login-shell.wheel || config.wheel) requests; + validRequests = lib.filterAttrs ( + _name: req: !req.login-shell.wheel || config.wheel + ) requests.resources; in lib.optionalAttrs (validRequests != { }) { ${config.username} = { @@ -98,8 +100,8 @@ in }; implementation = cfg: { input = cfg; - output = lib.optionalAttrs cfg.enable { - "my".login-shell.packages.hello = pkgs.hello; + output.resources = lib.optionalAttrs cfg.enable { + hello.login-shell.packages.hello = pkgs.hello; }; }; }; @@ -123,11 +125,13 @@ in nixos.module = { ... }: { - users.users = config.resources."operator-environment".login-shell.apply ( - lib.filterAttrs (_name: value: value ? login-shell) ( - lib.concatMapAttrs (k': lib.mapAttrs' (k: v: lib.nameValuePair "${k'}.${k}" v)) requests - ) - ); + users.users = config.resources."operator-environment".login-shell.apply { + resources = lib.filterAttrs (_name: value: value ? login-shell) ( + lib.concatMapAttrs ( + k': req: lib.mapAttrs' (k: lib.nameValuePair "${k'}.${k}") req.resources + ) requests + ); + }; }; }; }; @@ -154,7 +158,7 @@ in resources = fediversity.applications.hello.resources fediversity."example-configuration".applications.hello; - hello-shell = resources."my".login-shell; + hello-shell = resources.resources.hello.login-shell; environment = fediversity.environments.single-nixos-vm.resources."operator-environment".login-shell; result = mkDeployment { modules = [ diff --git a/deployment/data-model.nix b/deployment/data-model.nix index 21ad803e..90d3b0d2 100644 --- a/deployment/data-model.nix +++ b/deployment/data-model.nix 
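Review bot: `resources.resources.hello.login-shell` in the `@@ -154,7 +158,7 @@` hunk reads like a typo now that the local `resources` binding holds the `{ resources }` wrapper rather than the attribute set itself. Renaming the binding on the context line above to something like `output`, so the access becomes `hello-shell = output.resources.hello.login-shell;`, would keep the test readable. The `let` block extends beyond the hunk, so any other use of `resources` there would need the same rename.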
@@ -18,12 +18,16 @@ let ; functionType = import ./function.nix; - # TODO: maybe transpose, and group the resources by type instead - application-resources = attrsOf ( - attrTag ( - lib.mapAttrs (_name: resource: mkOption { type = submodule resource.request; }) config.resources - ) - ); + application-resources = submodule { + options.resources = mkOption { + # TODO: maybe transpose, and group the resources by type instead + type = attrsOf ( + attrTag ( + lib.mapAttrs (_name: resource: mkOption { type = submodule resource.request; }) config.resources + ) + ); + }; + }; nixos-configuration = mkOption { description = "A NixOS configuration."; type = raw; @@ -89,8 +93,7 @@ in description = "The type of resource this policy configures"; type = types.optionType; }; - # TODO(@fricklerhandwerk): we may want to make the function type explicit here: `attrsOf request -> resource-type` - # and then also rename this to be consistent with the application's resource mapping + # TODO(@fricklerhandwerk): we may want to make the function type explicit here: `application-resources -> resource-type` options.apply = mkOption { description = "Apply the policy to a request"; type = functionTo policy.config.resource-type;
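Review bot: The new `options.resources` option inside `application-resources` (`@@ -18,12 +18,16 @@`) has no `description`, unlike the other `mkOption` calls visible in this file (`nixos-configuration`, `resource-type`, `apply`). I would add `description = "Resource requests of an application, keyed by name; each value is tagged with the resource type it requests.";`. The option also has no `default`, so every implementation must set `output.resources` even when it requests nothing. If that is intended, say so in the description; otherwise `default = { };` would make an empty request set implicit. The surrounding `let` block continues outside the hunk.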