diff --git a/deployment/check/data-model/deployment.nix b/deployment/check/data-model/deployment.nix
index 27de537b..76abe204 100644
--- a/deployment/check/data-model/deployment.nix
+++ b/deployment/check/data-model/deployment.nix
@@ -66,9 +66,7 @@ let
                   requests:
                   let
                     # Filter out requests that need wheel if policy doesn't allow it
-                    validRequests = lib.filterAttrs (
-                      _name: req: !req.login-shell.wheel || config.wheel
-                    ) requests.resources;
+                    validRequests = lib.filterAttrs (_name: req: !req.login-shell.wheel || config.wheel) requests;
                   in
                   lib.optionalAttrs (validRequests != { }) {
                     ${config.username} = {
@@ -94,7 +92,7 @@ let
             implementation = cfg: {
               input = cfg;
               output = lib.optionalAttrs cfg.enable {
-                resources.hello.login-shell.packages.hello = pkgs.hello;
+                "my".login-shell.packages.hello = pkgs.hello;
               };
             };
           };
@@ -125,9 +123,11 @@ let
                     else
                       null;
 
-                  users.users = environment.config.resources."operator-environment".login-shell.apply {
-                    resources = lib.filterAttrs (_name: value: value ? login-shell) requests;
-                  };
+                  users.users = environment.config.resources."operator-environment".login-shell.apply (
+                    lib.filterAttrs (_name: value: value ? login-shell) (
+                      lib.concatMapAttrs (k': lib.mapAttrs' (k: v: lib.nameValuePair "${k'}.${k}" v)) requests
+                    )
+                  );
                 };
             };
           };
diff --git a/deployment/data-model-test.nix b/deployment/data-model-test.nix
index 16111ad1..2235189a 100644
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@@ -73,9 +73,7 @@ in
                         requests:
                         let
                           # Filter out requests that need wheel if policy doesn't allow it
-                          validRequests = lib.filterAttrs (
-                            _name: req: !req.login-shell.wheel || config.wheel
-                          ) requests.resources;
+                          validRequests = lib.filterAttrs (_name: req: !req.login-shell.wheel || config.wheel) requests;
                         in
                         lib.optionalAttrs (validRequests != { }) {
                           ${config.username} = {
@@ -101,7 +99,7 @@ in
                   implementation =
                     cfg:
                     lib.optionalAttrs cfg.enable {
-                      resources.hello.login-shell.packages.hello = pkgs.hello;
+                      "my".login-shell.packages.hello = pkgs.hello;
                     };
                 };
               environments.single-nixos-vm =
@@ -123,9 +121,11 @@ in
                           nixos.module =
                             { ... }:
                             {
-                              users.users = config.resources."operator-environment".login-shell.apply {
-                                resources = lib.filterAttrs (_name: value: value ? login-shell) requests;
-                              };
+                              users.users = config.resources."operator-environment".login-shell.apply (
+                                lib.filterAttrs (_name: value: value ? login-shell) (
+                                  lib.concatMapAttrs (k': lib.mapAttrs' (k: v: lib.nameValuePair "${k'}.${k}" v)) requests
+                                )
+                              );
                             };
                         };
                       }
@@ -153,7 +153,7 @@ in
         resources =
           fediversity.applications.hello.resources
             fediversity."example-configuration".applications.hello;
-        hello-shell = resources.resources.hello.login-shell;
+        hello-shell = resources."my".login-shell;
         environment = fediversity.environments.single-nixos-vm.resources."operator-environment".login-shell;
         result = mkDeployment {
           modules = [
diff --git a/deployment/data-model.nix b/deployment/data-model.nix
index 89bcdc6c..330acd84 100644
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@@ -18,16 +18,12 @@ let
     ;
 
   functionType = submodule ./function.nix;
-  application-resources = submodule {
-    options.resources = mkOption {
-      # TODO: maybe transpose, and group the resources by type instead
-      type = attrsOf (
-        attrTag (
-          lib.mapAttrs (_name: resource: mkOption { type = submodule resource.request; }) config.resources
-        )
-      );
-    };
-  };
+  # TODO: maybe transpose, and group the resources by type instead
+  application-resources = attrsOf (
+    attrTag (
+      lib.mapAttrs (_name: resource: mkOption { type = submodule resource.request; }) config.resources
+    )
+  );
   nixos-configuration = mkOption {
     description = "A NixOS configuration.";
     type = raw;
@@ -93,7 +89,7 @@ in
                         description = "The type of resource this policy configures";
                         type = types.optionType;
                       };
-                      # TODO(@fricklerhandwerk): we may want to make the function type explict here: `request -> resource-type`
+                      # TODO(@fricklerhandwerk): we may want to make the function type explicit here: `attrsOf request -> resource-type`
                       # and then also rename this to be consistent with the application's resource mapping
                       options.apply = mkOption {
                         description = "Apply the policy to a request";