{ config, system, inputs ? (import ../../../default.nix { }).inputs, sources ? import ../../../npins, ... }: let inherit (sources) nixpkgs; pkgs = import nixpkgs { inherit system; }; inherit (pkgs) lib; deployment-config = config; inherit (lib) mkOption types; eval = module: (lib.evalModules { specialArgs = { inherit inputs; }; modules = [ module ../../data-model.nix ]; }).config; fediversity = eval ( { config, ... }: { config = { resources.login-shell = { description = "The operator needs to be able to log into the shell"; request = { ... }: { _class = "fediversity-resource-request"; options = { wheel = mkOption { description = "Whether the login user needs root permissions"; type = types.bool; default = false; }; packages = mkOption { description = "Packages that need to be available in the user environment"; type = with types; attrsOf package; }; }; }; policy = { config, ... }: { _class = "fediversity-resource-policy"; options = { username = mkOption { description = "Username for the operator"; type = types.str; # TODO: use the proper constraints from NixOS }; wheel = mkOption { description = "Whether to allow login with root permissions"; type = types.bool; default = false; }; }; config = { resource-type = types.raw; # TODO: splice out the user type from NixOS apply = requests: let # Filter out requests that need wheel if policy doesn't allow it validRequests = lib.filterAttrs (_name: req: !req.login-shell.wheel || config.wheel) requests; in lib.optionalAttrs (validRequests != { }) { ${config.username} = { isNormalUser = true; packages = with lib; attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests); extraGroups = lib.optional config.wheel "wheel"; }; }; }; }; }; applications.hello = { ... }: { description = ''Command-line tool that will print "Hello, world!" on the terminal''; module = { ... }: { options.enable = lib.mkEnableOption "Hello in the shell"; }; implementation = cfg: { input = cfg; output = lib.optionalAttrs cfg.enable { "my".login-shell.packages.hello = pkgs.hello; }; }; }; environments.single-nixos-vm = environment: { resources."operator-environment".login-shell.username = "operator"; implementation = requests: { input = requests; output.ssh-host = { ssh = { username = "root"; inherit (deployment-config) host; key-file = null; }; nixos-configuration = { ... }: { imports = [ ./options.nix ../common/sharedOptions.nix ../common/targetNode.nix "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ]; inherit (deployment-config) enableAcme; acmeNodeIP = if deployment-config.enableAcme then deployment-config.nodes.acme.networking.primaryIPAddress else null; users.users = environment.config.resources."operator-environment".login-shell.apply ( lib.filterAttrs (_name: value: value ? login-shell) ( lib.concatMapAttrs (k': lib.mapAttrs' (k: v: lib.nameValuePair "${k'}.${k}" v)) requests ) ); }; }; }; }; }; options = { "example-configuration" = mkOption { type = config.configuration; default = { enable = true; applications.hello.enable = true; }; }; "example-deployment" = mkOption { default = config.environments.single-nixos-vm.deployment config."example-configuration"; }; }; } ); in fediversity."example-deployment"