From f90e8d0932490771af3f632aa80848b5f3ee81e2 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Tue, 22 Jul 2025 12:28:00 +0200
Subject: [PATCH] more type-safe policy application
---
 deployment/data-model-test.nix | 38 +++++++++++++++++-----------------
 deployment/data-model.nix | 23 ++++++++++++++++----
 2 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/deployment/data-model-test.nix b/deployment/data-model-test.nix
index fbcac3b2..4edec009 100644
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@@ -45,10 +45,10 @@ in
 extra-config = mkOption {
 description = "Any options from NixOS";
 };
- apply = mkOption {
- type = with types; functionTo raw;
- default = policy: requests: lib.mkMerge (requests ++ [ policy.extra-config ]);
- };
+ };
+ config = {
+ resource-type = types.raw; # TODO: what's the type of a NixOS configuration?
+ apply = policy: requests: lib.mkMerge (requests ++ [ policy.extra-config ]);
 };
 };
 };
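Review bot: With `resource-type = types.raw`, the return-type check that `functionTo policy.config.resource-type` introduces in data-model.nix is a no-op for this policy, because `types.raw` accepts any value and performs no merging, so the application is not actually more type-safe here, as the `# TODO` on the same line concedes. The same holds for the user policy in the next hunk of this file. A NixOS configuration fragment is conventionally typed as `types.deferredModule`; whether it accepts the `lib.mkMerge` value returned by `apply` would need to be checked before switching, so at minimum I would extend the comment to `# TODO: what's the type of a NixOS configuration? With types.raw the return value of apply is not checked at all.` so readers do not take the commit title at face value. The enclosing policy module starts before this hunk.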
@@ -85,22 +85,22 @@ in
 type = types.bool;
 default = false;
 };
- apply = mkOption {
- type = with types; functionTo raw; # TODO: splice out the user type from NixOS
- default =
- policy: requests:
- let
- # Filter out requests that need wheel if policy doesn't allow it
- validRequests = lib.filterAttrs (_name: req: !req.wheel || policy.wheel) requests;
- in
- lib.optionalAttrs (validRequests != { }) {
- ${policy.username} = {
- isNormalUser = true;
- packages = with lib; concatMap (request: attrValues request.packages) (attrValues validRequests);
- extraGroups = lib.optional policy.wheel "wheel";
- };
+ };
+ config = {
+ resource-type = types.raw; # TODO: splice out the user type from NixOS
+ apply =
+ policy: requests:
+ let
+ # Filter out requests that need wheel if policy doesn't allow it
+ validRequests = lib.filterAttrs (_name: req: !req.wheel || policy.wheel) requests;
+ in
+ lib.optionalAttrs (validRequests != { }) {
+ ${policy.username} = {
+ isNormalUser = true;
+ packages = with lib; concatMap (request: attrValues request.packages) (attrValues validRequests);
+ extraGroups = lib.optional policy.wheel "wheel";
 };
- };
+ };
 };
 };
 };
diff --git a/deployment/data-model.nix b/deployment/data-model.nix
index 794a76e2..f18223b4 100644
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
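Review bot: `extraGroups = lib.optional policy.wheel "wheel"` in the new `apply` grants the `wheel` group whenever the policy permits it, even when none of the surviving requests asked for it, which is broader than the requests justify; `extraGroups = lib.optional (policy.wheel && lib.any (req: req.wheel) (lib.attrValues validRequests)) "wheel"` would tie the grant to an actual request. Separately, requests rejected by the `validRequests` filter disappear silently, so nothing tells an operator that a wheel request was denied; a `lib.warnIf` on the dropped set, or returning the rejected request names alongside the user definition, would make the denial visible. The body is moved rather than changed by this commit, so these points predate it, and the enclosing policy module begins before the hunk.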
@@ -73,11 +73,26 @@ in
 type = submoduleWith {
 class = "fediversity-resource-policy";
 modules = [
- {
- options.apply = mkOption {
- description = "Apply the policy to a request";
+ (policy: {
+ _class = "fediversity-resource-policy";
+ options = {
+ # TODO(@fricklerhandwerk): not sure it can be made
+ # sensible syntactically, but essentially we want to
+ # ensure that `apply` is defined, but since its output
+ # depends on the specific policy we also need to
+ # determine that somehow.
+ # hopefully this also helps with correct composition down the line.
+ resource-type = mkOption {
+ description = "The type of resource this policy configures";
+ type = types.optionType;
+ };
+ # TODO(@fricklerhandwerk): do we need a function type here as well, or is it in the way?
+ apply = mkOption {
+ description = "Apply the policy to a request";
+ type = functionTo policy.config.resource-type;
+ };
 };
- }
+ })
 ];
 };
 };
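Review bot: `functionTo policy.config.resource-type` gives weaker guarantees than the option reads as: nixpkgs' `functionTo` checks only that the definition is a function, and applies `resource-type` to the result when the merged function is called, so an ill-typed `apply` is reported at the call site rather than at the policy that defines it, and only as strictly as that policy's `resource-type` (a policy choosing `types.raw` gets no check at all). That is worth stating on the option: `description = "Apply the policy to a request. The result is checked against resource-type when the function is applied, not when the policy is defined.";`. `functionTo` is also used unqualified while `types.optionType` on the line above is qualified; I presume it comes from a `with types` or `inherit` above the hunk, and `types.functionTo` would read consistently. The enclosing option declaration starts before this hunk.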