From 28d3cee649cba9dbbf9cfcc48ac521c4e6214c01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 18:38:49 +0200
Subject: [PATCH 01/22] introduce flake parts module for clan nixos tests

---
 clanServices/wifi/flake-module.nix     | 18 ++----
 clanServices/wifi/tests/vm/default.nix | 55 ++++++----------
 flake.nix                              |  1 +
 lib/flake-parts/clan-nixos-test.nix    | 90 ++++++++++++++++++++++++++
 4 files changed, 116 insertions(+), 48 deletions(-)
 create mode 100644 lib/flake-parts/clan-nixos-test.nix

diff --git a/clanServices/wifi/flake-module.nix b/clanServices/wifi/flake-module.nix
index 525b9a2e7..0faea677e 100644
--- a/clanServices/wifi/flake-module.nix
+++ b/clanServices/wifi/flake-module.nix
@@ -1,6 +1,5 @@
 {
   self,
-  inputs,
   lib,
   ...
 }:
@@ -14,7 +13,7 @@ in
     wifi = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
       /**
         1. Prepare the test vars
@@ -23,15 +22,10 @@ in
         2. To run the test
         nix build .#checks.x86_64-linux.hello-service
       */
-      checks =
-        # Currently we don't support nixos-integration tests on darwin
-        lib.optionalAttrs (pkgs.stdenv.isLinux) {
-          wifi-service = import ./tests/vm/default.nix {
-            inherit module;
-            inherit inputs pkgs;
-            clan-core = self;
-            nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-          };
-        };
+      clan.nixosTests.wifi-service = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/wifi" = module;
+      };
     };
 }
diff --git a/clanServices/wifi/tests/vm/default.nix b/clanServices/wifi/tests/vm/default.nix
index dec7743e0..0efd5e315 100644
--- a/clanServices/wifi/tests/vm/default.nix
+++ b/clanServices/wifi/tests/vm/default.nix
@@ -1,46 +1,29 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
-  module,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  name = "wifi-service";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    test.useContainers = false;
+    inventory = {
 
-    name = "wifi-service";
+      machines.test = { };
 
-    clan = {
-      directory = ./.;
-      test.useContainers = false;
-      modules."@clan/wifi" = module;
-      inventory = {
+      instances = {
+        wg-test-one = {
+          module.name = "@clan/wifi";
 
-        machines.test = { };
-
-        instances = {
-          wg-test-one = {
-            module.name = "@clan/wifi";
-
-            roles.default.machines = {
-              test.settings.networks.one = { };
-            };
+          roles.default.machines = {
+            test.settings.networks.one = { };
           };
         };
       };
     };
+  };
 
-    testScript = ''
-      start_all()
-      test.wait_for_unit("NetworkManager.service")
-      psk = test.succeed("cat /run/NetworkManager/system-connections/one.nmconnection")
-      assert "password-eins" in psk, "Password is incorrect"
-    '';
-  }
-)
+  testScript = ''
+    start_all()
+    test.wait_for_unit("NetworkManager.service")
+    psk = test.succeed("cat /run/NetworkManager/system-connections/one.nmconnection")
+    assert "password-eins" in psk, "Password is incorrect"
+  '';
+}
diff --git a/flake.nix b/flake.nix
index e490d5b85..7907da570 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
             ./flakeModules/demo_iso.nix
             ./lib/filter-clan-core/flake-module.nix
             ./lib/flake-module.nix
+            ./lib/flake-parts/clan-nixos-test.nix
             ./nixosModules/clanCore/vars/flake-module.nix
             ./nixosModules/flake-module.nix
             ./pkgs/flake-module.nix
diff --git a/lib/flake-parts/clan-nixos-test.nix b/lib/flake-parts/clan-nixos-test.nix
new file mode 100644
index 000000000..7125a3838
--- /dev/null
+++ b/lib/flake-parts/clan-nixos-test.nix
@@ -0,0 +1,90 @@
+{
+  lib,
+  flake-parts-lib,
+  self,
+  inputs,
+  ...
+}:
+let
+  inherit (lib)
+    mkOption
+    types
+    ;
+  inherit (flake-parts-lib)
+    mkPerSystemOption
+    ;
+  nixosLib = import (inputs.nixpkgs + "/nixos/lib") { };
+in
+{
+  options = {
+    perSystem = mkPerSystemOption (
+      { config, pkgs, ... }:
+      let
+        cfg = config.clan.nixosTests;
+      in
+      {
+        options.clan.nixosTests = mkOption {
+          description = "Clan NixOS tests configuration";
+          type = types.attrsOf types.unspecified;
+          default = { };
+        };
+
+        config.checks = lib.optionalAttrs (pkgs.stdenv.isLinux) (
+          let
+            # Build all individual vars-check derivations
+            varsChecks = lib.mapAttrs' (
+              name: testModule:
+              lib.nameValuePair "vars-check-${name}" (
+                let
+                  test = nixosLib.runTest (
+                    { ... }:
+                    {
+                      imports = [
+                        self.modules.nixosVmTest.clanTest
+                        testModule
+                      ];
+                      
+                      hostPkgs = pkgs;
+                    }
+                  );
+                in
+                test.config.result.vars-check
+              )
+            ) cfg;
+          in
+          lib.mkMerge [
+            # Add the VM tests as checks
+            (lib.mapAttrs (
+              _name: testModule:
+              nixosLib.runTest (
+                { ... }:
+                {
+                  imports = [
+                    self.modules.nixosVmTest.clanTest
+                    testModule
+                  ];
+                  
+                  hostPkgs = pkgs;
+                }
+              )
+            ) cfg)
+
+            # Add a single vars-check that depends on all others XXX if we ever
+            # optimize buildbot to perform better with many builds we can
+            # remove this and just run the individual vars-checks to speed up
+            # parallel evaluation.
+            (lib.optionalAttrs (varsChecks != {}) {
+              vars-check = pkgs.runCommand "vars-check-all" {
+                buildInputs = lib.attrValues varsChecks;
+              } ''
+                echo "All vars checks passed:"
+                ${lib.concatMapStringsSep "\n" (name: "echo '  ✓ ${name}'") (lib.attrNames varsChecks)}
+                touch $out
+              '';
+            })
+          ]
+        );
+      }
+    );
+  };
+}

From 29b2c51391c486be378ee56e765c31f87f667be4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 18:49:13 +0200
Subject: [PATCH 02/22] clan-nixos-test: add individual vars-checks back

The consolidated vars-check was too slow to eval. Individual vars-checks allow for better parallelization.
---
 lib/flake-parts/clan-nixos-test.nix | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/lib/flake-parts/clan-nixos-test.nix b/lib/flake-parts/clan-nixos-test.nix
index 7125a3838..9ee4fee58 100644
--- a/lib/flake-parts/clan-nixos-test.nix
+++ b/lib/flake-parts/clan-nixos-test.nix
@@ -69,19 +69,7 @@ in
               )
             ) cfg)
 
-            # Add a single vars-check that depends on all others XXX if we ever
-            # optimize buildbot to perform better with many builds we can
-            # remove this and just run the individual vars-checks to speed up
-            # parallel evaluation.
-            (lib.optionalAttrs (varsChecks != {}) {
-              vars-check = pkgs.runCommand "vars-check-all" {
-                buildInputs = lib.attrValues varsChecks;
-              } ''
-                echo "All vars checks passed:"
-                ${lib.concatMapStringsSep "\n" (name: "echo '  ✓ ${name}'") (lib.attrNames varsChecks)}
-                touch $out
-              '';
-            })
+            varsChecks
           ]
         );
       }

From 3a1b2aede877925e4fd95bc340ec116fadff6e88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 18:49:26 +0200
Subject: [PATCH 03/22] admin: migrate to clan.nixosTests module

---
 clanServices/admin/flake-module.nix     | 19 ++++---
 clanServices/admin/tests/vm/default.nix | 73 ++++++++++---------------
 2 files changed, 38 insertions(+), 54 deletions(-)

diff --git a/clanServices/admin/flake-module.nix b/clanServices/admin/flake-module.nix
index 154d41e43..bedd498e3 100644
--- a/clanServices/admin/flake-module.nix
+++ b/clanServices/admin/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    admin = lib.modules.importApply ./default.nix { };
+    admin = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        admin = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.admin = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/admin" = module;
       };
     };
 }
diff --git a/clanServices/admin/tests/vm/default.nix b/clanServices/admin/tests/vm/default.nix
index 1cff69cff..1e8233cc2 100644
--- a/clanServices/admin/tests/vm/default.nix
+++ b/clanServices/admin/tests/vm/default.nix
@@ -1,62 +1,45 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-
 let
   public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
 in
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "admin";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
 
-    name = "admin";
+      machines.client = { };
+      machines.server = { };
 
-    clan = {
-      directory = ./.;
-      modules."@clan/admin" = ../../default.nix;
-      inventory = {
-
-        machines.client = { };
-        machines.server = { };
-
-        instances = {
-          ssh-test-one = {
-            module.name = "@clan/admin";
-            roles.default.machines."server".settings = {
-              allowedKeys.testkey = public-key;
-            };
+      instances = {
+        ssh-test-one = {
+          module.name = "@clan/admin";
+          roles.default.machines."server".settings = {
+            allowedKeys.testkey = public-key;
           };
         };
       };
     };
+  };
 
-    nodes = {
-      client.environment.etc.private-test-key.source = ./private-test-key;
+  nodes = {
+    client.environment.etc.private-test-key.source = ./private-test-key;
 
-      server = {
-        services.openssh.enable = true;
-      };
+    server = {
+      services.openssh.enable = true;
     };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      machines = [client, server]
-      for m in machines:
-          m.systemctl("start network-online.target")
+    machines = [client, server]
+    for m in machines:
+        m.systemctl("start network-online.target")
 
-      for m in machines:
-          m.wait_for_unit("network-online.target")
+    for m in machines:
+        m.wait_for_unit("network-online.target")
 
-      client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
-    '';
-  }
-)
+    client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
+  '';
+}

From 268a95f2e46717dfe7b1543817f9faebc53892d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:04:17 +0200
Subject: [PATCH 04/22] clan-nixos-test: pass clan-core to test nodes via
 module args

This allows tests that need access to clan-core (e.g. for clan-cli or
dependencies) to use it within their node configurations.
---
 lib/flake-parts/clan-nixos-test.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/lib/flake-parts/clan-nixos-test.nix b/lib/flake-parts/clan-nixos-test.nix
index 9ee4fee58..3c5267b47 100644
--- a/lib/flake-parts/clan-nixos-test.nix
+++ b/lib/flake-parts/clan-nixos-test.nix
@@ -43,8 +43,16 @@ in
                         self.modules.nixosVmTest.clanTest
                         testModule
                       ];
-                      
+
                       hostPkgs = pkgs;
+
+                      defaults = {
+                        imports = [
+                          {
+                            _module.args.clan-core = self;
+                          }
+                        ];
+                      };
                     }
                   );
                 in
@@ -63,8 +71,16 @@ in
                     self.modules.nixosVmTest.clanTest
                     testModule
                   ];
-                  
+
                   hostPkgs = pkgs;
+
+                  defaults = {
+                    imports = [
+                      {
+                        _module.args.clan-core = self;
+                      }
+                    ];
+                  };
                 }
               )
             ) cfg)

From 065c697e0b3b901aa002aed5b46245eb918a03e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:04:34 +0200
Subject: [PATCH 05/22] borgbackup: migrate to clan.nixosTests module

---
 clanServices/borgbackup/flake-module.nix     |  19 +-
 clanServices/borgbackup/tests/vm/default.nix | 178 +++++++++----------
 2 files changed, 96 insertions(+), 101 deletions(-)

diff --git a/clanServices/borgbackup/flake-module.nix b/clanServices/borgbackup/flake-module.nix
index 92c4fc46b..78066d14d 100644
--- a/clanServices/borgbackup/flake-module.nix
+++ b/clanServices/borgbackup/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    borgbackup = lib.modules.importApply ./default.nix { };
+    borgbackup = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        borgbackup = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.borgbackup = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/borgbackup" = module;
       };
     };
 }
diff --git a/clanServices/borgbackup/tests/vm/default.nix b/clanServices/borgbackup/tests/vm/default.nix
index d8ed40e7b..3b703066c 100644
--- a/clanServices/borgbackup/tests/vm/default.nix
+++ b/clanServices/borgbackup/tests/vm/default.nix
@@ -1,118 +1,112 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "borgbackup";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    test.useContainers = true;
+    inventory = {
 
-    name = "borgbackup";
+      machines.clientone = { };
+      machines.serverone = { };
 
-    clan = {
-      directory = ./.;
-      test.useContainers = true;
-      modules."@clan/borgbackup" = ../../default.nix;
-      inventory = {
+      instances = {
+        borgone = {
 
-        machines.clientone = { };
-        machines.serverone = { };
+          module.name = "@clan/borgbackup";
 
-        instances = {
-          borgone = {
-
-            module.name = "@clan/borgbackup";
-
-            roles.client.machines."clientone" = { };
-            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
-          };
+          roles.client.machines."clientone" = { };
+          roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
         };
       };
     };
+  };
 
-    nodes = {
+  nodes = {
+
+    serverone = {
+      services.openssh.enable = true;
+      # Needed so PAM doesn't see the user as locked
+      users.users.borg.password = "borg";
+    };
+
+    clientone =
+      {
+        config,
+        pkgs,
+        clan-core,
+        ...
+      }:
+      let
+        dependencies = [
+          clan-core
+          pkgs.stdenv.drvPath
+        ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
+        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+
+      in
+      {
 
-      serverone = {
         services.openssh.enable = true;
-        # Needed so PAM doesn't see the user as locked
-        users.users.borg.password = "borg";
+
+        users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../../checks/assets/ssh/pubkey ];
+
+        clan.core.networking.targetHost = config.networking.hostName;
+
+        environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
+
+        environment.etc.install-closure.source = "${closureInfo}/store-paths";
+        nix.settings = {
+          substituters = pkgs.lib.mkForce [ ];
+          hashed-mirrors = null;
+          connect-timeout = pkgs.lib.mkForce 3;
+          flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+        };
+        system.extraDependencies = dependencies;
+
+        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
       };
 
-      clientone =
-        { config, pkgs, ... }:
-        let
-          dependencies = [
-            clan-core
-            pkgs.stdenv.drvPath
-          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
-          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+  };
 
-        in
-        {
+  testScript = ''
+    import json
+    start_all()
 
-          services.openssh.enable = true;
+    machines = [clientone, serverone]
 
-          users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../../checks/assets/ssh/pubkey ];
+    for m in machines:
+        m.systemctl("start network-online.target")
 
-          clan.core.networking.targetHost = config.networking.hostName;
+    for m in machines:
+        m.wait_for_unit("network-online.target")
 
-          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
+    # dummy data
+    clientone.succeed("mkdir -p /var/test-backups /var/test-service")
+    clientone.succeed("echo testing > /var/test-backups/somefile")
 
-          environment.etc.install-closure.source = "${closureInfo}/store-paths";
-          nix.settings = {
-            substituters = pkgs.lib.mkForce [ ];
-            hashed-mirrors = null;
-            connect-timeout = pkgs.lib.mkForce 3;
-            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-          };
-          system.extraDependencies = dependencies;
+    clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../../../../checks/assets/ssh/privkey} /root/.ssh/id_ed25519")
+    clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
+    clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
+    clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
 
-          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-        };
+    # create
+    clientone.succeed("borgbackup-create >&2")
+    clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
 
-    };
+    # list
+    backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
+    out = clientone.succeed("borgbackup-list").strip()
+    print(out)
+    assert backup_id in out, f"backup {backup_id} not found in {out}"
 
-    testScript = ''
-      import json
-      start_all()
-
-      machines = [clientone, serverone]
-
-      for m in machines:
-          m.systemctl("start network-online.target")
-
-      for m in machines:
-          m.wait_for_unit("network-online.target")
-
-      # dummy data
-      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
-      clientone.succeed("echo testing > /var/test-backups/somefile")
-
-      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../../../../checks/assets/ssh/privkey} /root/.ssh/id_ed25519")
-      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
-
-      # create
-      clientone.succeed("borgbackup-create >&2")
-      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
-
-      # list
-      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
-      out = clientone.succeed("borgbackup-list").strip()
-      print(out)
-      assert backup_id in out, f"backup {backup_id} not found in {out}"
-
-      # borgbackup restore
-      clientone.succeed("rm -f /var/test-backups/somefile")
-      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
-      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-    '';
-  }
-)
+    # borgbackup restore
+    clientone.succeed("rm -f /var/test-backups/somefile")
+    clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
+    assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
+  '';
+}

From e9cded4fd8ad72664adf572d64288ac7395f2d54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:13:25 +0200
Subject: [PATCH 06/22] deltachat: migrate to clan.nixosTests module

---
 clanServices/deltachat/flake-module.nix     | 19 ++++---
 clanServices/deltachat/tests/vm/default.nix | 63 +++++++++------------
 2 files changed, 36 insertions(+), 46 deletions(-)

diff --git a/clanServices/deltachat/flake-module.nix b/clanServices/deltachat/flake-module.nix
index 0fad43bfd..c81973e0c 100644
--- a/clanServices/deltachat/flake-module.nix
+++ b/clanServices/deltachat/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    deltachat = lib.modules.importApply ./default.nix { };
+    deltachat = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        deltachat = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.deltachat = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/deltachat" = module;
       };
     };
 }
diff --git a/clanServices/deltachat/tests/vm/default.nix b/clanServices/deltachat/tests/vm/default.nix
index 7b25c41f4..b8f9604e7 100644
--- a/clanServices/deltachat/tests/vm/default.nix
+++ b/clanServices/deltachat/tests/vm/default.nix
@@ -1,50 +1,39 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "deltachat";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    name = "deltachat";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/deltachat" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          deltachat-test = {
-            module.name = "@clan/deltachat";
-            roles.default.machines."server".settings = { };
-          };
+      instances = {
+        deltachat-test = {
+          module.name = "@clan/deltachat";
+          roles.default.machines."server".settings = { };
         };
       };
     };
+  };
 
-    nodes = {
-      server = { };
-    };
+  nodes = {
+    server = { };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      server.wait_for_unit("maddy")
+    server.wait_for_unit("maddy")
 
-      # imap
-      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
-      # smtp submission
-      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
-      # smtp
-      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
-    '';
-  }
-)
+    # imap
+    server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
+    # smtp submission
+    server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
+    # smtp
+    server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
+  '';
+}

From 12cdc279e85c8dda45213ed0778da2230f7c2038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:18:04 +0200
Subject: [PATCH 07/22] deltachat: make test more robust with
 wait_until_succeeds

Use wait_until_succeeds for the first network check to ensure the
service is fully ready before testing connectivity.
---
 clanServices/deltachat/tests/vm/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clanServices/deltachat/tests/vm/default.nix b/clanServices/deltachat/tests/vm/default.nix
index b8f9604e7..b763adf68 100644
--- a/clanServices/deltachat/tests/vm/default.nix
+++ b/clanServices/deltachat/tests/vm/default.nix
@@ -30,7 +30,7 @@
     server.wait_for_unit("maddy")
 
     # imap
-    server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
+    server.wait_until_succeeds("${pkgs.netcat}/bin/nc -z -v ::1 143")
     # smtp submission
     server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
     # smtp

From 88e935f7c90813dca76f4ea64a6c9783d3449529 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:24:09 +0200
Subject: [PATCH 08/22] ergochat: migrate to clan.nixosTests module

---
 clanServices/ergochat/flake-module.nix     | 19 +++----
 clanServices/ergochat/tests/vm/default.nix | 62 +++++++++-------------
 2 files changed, 36 insertions(+), 45 deletions(-)

diff --git a/clanServices/ergochat/flake-module.nix b/clanServices/ergochat/flake-module.nix
index c0dde306a..ae9bb8d58 100644
--- a/clanServices/ergochat/flake-module.nix
+++ b/clanServices/ergochat/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    ergochat = lib.modules.importApply ./default.nix { };
+    ergochat = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        ergochat = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.ergochat = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/ergochat" = module;
       };
     };
 }
diff --git a/clanServices/ergochat/tests/vm/default.nix b/clanServices/ergochat/tests/vm/default.nix
index f474bd40e..405756b69 100644
--- a/clanServices/ergochat/tests/vm/default.nix
+++ b/clanServices/ergochat/tests/vm/default.nix
@@ -1,51 +1,41 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "ergochat";
 
-    hostPkgs = pkgs;
-    name = "ergochat";
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    clan = {
-      directory = ./.;
-      modules."@clan/ergochat" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          ergochat-test = {
-            module.name = "@clan/ergochat";
-            roles.default.machines."server".settings = { };
-          };
+      instances = {
+        ergochat-test = {
+          module.name = "@clan/ergochat";
+          roles.default.machines."server".settings = { };
         };
       };
     };
+  };
 
-    nodes = {
-      server = { };
-    };
+  nodes = {
+    server = { };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      server.wait_for_unit("ergochat")
+    server.wait_for_unit("ergochat")
 
-      # Check that ergochat is running
-      server.succeed("systemctl status ergochat")
+    # Check that ergochat is running
+    server.succeed("systemctl status ergochat")
 
-      # Check that the data directory exists
-      server.succeed("test -d /var/lib/ergo")
+    # Check that the data directory exists
+    server.succeed("test -d /var/lib/ergo")
 
-      # Check that the server is listening on the correct ports
-      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 6667")
-    '';
-  }
-)
+    # Check that the server is listening on the correct ports
+    server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 6667")
+  '';
+}

From a6f0f27f02a88411dfb11b4b983325290823f427 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:26:25 +0200
Subject: [PATCH 09/22] garage: migrate to clan.nixosTests module

---
 clanServices/garage/flake-module.nix     |  19 ++--
 clanServices/garage/tests/vm/default.nix | 129 +++++++++++------------
 2 files changed, 69 insertions(+), 79 deletions(-)

diff --git a/clanServices/garage/flake-module.nix b/clanServices/garage/flake-module.nix
index 515018419..21c34d0de 100644
--- a/clanServices/garage/flake-module.nix
+++ b/clanServices/garage/flake-module.nix
@@ -1,18 +1,19 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    garage = lib.modules.importApply ./default.nix { };
+    garage = module;
   };
 
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        garage = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.garage = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/garage" = module;
       };
     };
 }
diff --git a/clanServices/garage/tests/vm/default.nix b/clanServices/garage/tests/vm/default.nix
index 7df983a19..deeca4ca7 100644
--- a/clanServices/garage/tests/vm/default.nix
+++ b/clanServices/garage/tests/vm/default.nix
@@ -1,87 +1,76 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "garage";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    name = "garage";
+      instances = {
+        garage-test = {
+          module.name = "@clan/garage";
+          roles.default.machines."server".settings = { };
+        };
+      };
+    };
+  };
 
-    clan = {
-      directory = ./.;
-      modules."@clan/garage" = ../../default.nix;
-      inventory = {
-        machines.server = { };
+  nodes = {
+    server = {
+      services.garage = {
+        enable = true;
+        package = pkgs.garage;
+        settings = {
 
-        instances = {
-          garage-test = {
-            module.name = "@clan/garage";
-            roles.default.machines."server".settings = { };
+          metadata_dir = "/var/lib/garage/meta";
+          data_dir = "/var/lib/garage/data";
+          db_engine = "sqlite";
+
+          replication_factor = 1;
+
+          rpc_bind_addr = "127.0.0.1:3901";
+
+          s3_api = {
+            api_bind_addr = "127.0.0.1:3900";
+            s3_region = "garage";
+            root_domain = ".s3.garage";
+          };
+
+          s3_web = {
+            bind_addr = "127.0.0.1:3902";
+            root_domain = ".web.garage";
+          };
+
+          admin = {
+            api_bind_addr = "127.0.0.1:3903";
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = {
-        services.garage = {
-          enable = true;
-          package = pkgs.garage;
-          settings = {
+  testScript = ''
+    start_all()
 
-            metadata_dir = "/var/lib/garage/meta";
-            data_dir = "/var/lib/garage/data";
-            db_engine = "sqlite";
+    server.wait_for_unit("network-online.target")
+    server.wait_for_unit("garage")
 
-            replication_factor = 1;
+    # Check that garage is running
+    server.succeed("systemctl status garage")
 
-            rpc_bind_addr = "127.0.0.1:3901";
+    # Check that the data directories exist
+    server.succeed("test -d /var/lib/garage/meta")
+    server.succeed("test -d /var/lib/garage/data")
 
-            s3_api = {
-              api_bind_addr = "127.0.0.1:3900";
-              s3_region = "garage";
-              root_domain = ".s3.garage";
-            };
-
-            s3_web = {
-              bind_addr = "127.0.0.1:3902";
-              root_domain = ".web.garage";
-            };
-
-            admin = {
-              api_bind_addr = "127.0.0.1:3903";
-            };
-          };
-        };
-      };
-    };
-
-    testScript = ''
-      start_all()
-
-      server.wait_for_unit("network-online.target")
-      server.wait_for_unit("garage")
-
-      # Check that garage is running
-      server.succeed("systemctl status garage")
-
-      # Check that the data directories exist
-      server.succeed("test -d /var/lib/garage/meta")
-      server.succeed("test -d /var/lib/garage/data")
-
-      # Check that the ports are open to confirm that garage is running
-      server.wait_until_succeeds("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3901")
-      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3900")
-      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3902")
-      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3903")
-    '';
-  }
-)
+    # Check that the ports are open to confirm that garage is running
+    server.wait_until_succeeds("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3901")
+    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3900")
+    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3902")
+    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3903")
+  '';
+}

From 4459899fb6331e7f07697efc6b39cff7c0884ee1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:27:15 +0200
Subject: [PATCH 10/22] heisenbridge: migrate to clan.nixosTests module

---
 clanServices/heisenbridge/flake-module.nix    | 19 ++---
 .../heisenbridge/tests/vm/default.nix         | 80 ++++++++-----------
 2 files changed, 44 insertions(+), 55 deletions(-)

diff --git a/clanServices/heisenbridge/flake-module.nix b/clanServices/heisenbridge/flake-module.nix
index a262b7672..e45df32b0 100644
--- a/clanServices/heisenbridge/flake-module.nix
+++ b/clanServices/heisenbridge/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    heisenbridge = lib.modules.importApply ./default.nix { };
+    heisenbridge = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        heisenbridge = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.heisenbridge = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/heisenbridge" = module;
       };
     };
 }
diff --git a/clanServices/heisenbridge/tests/vm/default.nix b/clanServices/heisenbridge/tests/vm/default.nix
index 32046f93c..e9234706f 100644
--- a/clanServices/heisenbridge/tests/vm/default.nix
+++ b/clanServices/heisenbridge/tests/vm/default.nix
@@ -1,65 +1,53 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
+{
+  name = "heisenbridge";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    hostPkgs = pkgs;
-
-    name = "heisenbridge";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/heisenbridge" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          heisenbridge-test = {
-            module.name = "@clan/heisenbridge";
-            roles.default.machines."server".settings = {
-              homeserver = "http://127.0.0.1:8008";
-            };
+      instances = {
+        heisenbridge-test = {
+          module.name = "@clan/heisenbridge";
+          roles.default.machines."server".settings = {
+            homeserver = "http://127.0.0.1:8008";
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = {
-        # Setup a minimal matrix-synapse to test with
-        services.matrix-synapse = {
-          enable = true;
-          settings.server_name = "example.com";
-          settings.database = {
-            name = "sqlite3";
-          };
+  nodes = {
+    server = {
+      # Setup a minimal matrix-synapse to test with
+      services.matrix-synapse = {
+        enable = true;
+        settings.server_name = "example.com";
+        settings.database = {
+          name = "sqlite3";
         };
       };
     };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      server.wait_for_unit("matrix-synapse")
-      server.wait_for_unit("heisenbridge")
+    server.wait_for_unit("matrix-synapse")
+    server.wait_for_unit("heisenbridge")
 
-      # Check that heisenbridge is running
-      server.succeed("systemctl status heisenbridge")
+    # Check that heisenbridge is running
+    server.succeed("systemctl status heisenbridge")
 
-      # Wait for the bridge to initialize
-      server.wait_until_succeeds("journalctl -u heisenbridge | grep -q 'bridge is now running'")
+    # Wait for the bridge to initialize
+    server.wait_until_succeeds("journalctl -u heisenbridge | grep -q 'bridge is now running'")
 
-      # Check that heisenbridge is listening on the default port
-      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 9898")
-    '';
-  }
-)
+    # Check that heisenbridge is listening on the default port
+    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 9898")
+  '';
+}

From 3535350cb6c012f51b4736ac8c0530ab653c7c38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:28:12 +0200
Subject: [PATCH 11/22] hello-world: migrate to clan.nixosTests module

---
 clanServices/hello-world/flake-module.nix     | 17 +++---
 clanServices/hello-world/tests/vm/default.nix | 53 +++++++------------
 2 files changed, 25 insertions(+), 45 deletions(-)

diff --git a/clanServices/hello-world/flake-module.nix b/clanServices/hello-world/flake-module.nix
index b3d8d6394..239078ec5 100644
--- a/clanServices/hello-world/flake-module.nix
+++ b/clanServices/hello-world/flake-module.nix
@@ -14,7 +14,7 @@ in
     hello-world = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     let
       # Module that contains the tests
       # This module adds:
@@ -41,15 +41,10 @@ in
         2. To run the test
         nix build .#checks.x86_64-linux.hello-service
       */
-      checks =
-        # Currently we don't support nixos-integration tests on darwin
-        lib.optionalAttrs (pkgs.stdenv.isLinux) {
-          hello-service = import ./tests/vm/default.nix {
-            inherit module;
-            inherit self inputs pkgs;
-            nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-            clan-core = self;
-          };
-        };
+      clan.nixosTests.hello-service = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules.hello-service = module;
+      };
     };
 }
diff --git a/clanServices/hello-world/tests/vm/default.nix b/clanServices/hello-world/tests/vm/default.nix
index bddf8a808..8fb4f7b3f 100644
--- a/clanServices/hello-world/tests/vm/default.nix
+++ b/clanServices/hello-world/tests/vm/default.nix
@@ -1,44 +1,29 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
   module,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "hello-service";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.peer1 = { };
 
-    name = "hello-service";
-
-    clan = {
-      directory = ./.;
-      modules = {
-        hello-service = module;
-      };
-      inventory = {
-        machines.peer1 = { };
-
-        instances."test" = {
-          module.name = "hello-service";
-          roles.peer.machines.peer1 = { };
-        };
+      instances."test" = {
+        module.name = "hello-service";
+        roles.peer.machines.peer1 = { };
       };
     };
+  };
 
-    testScript =
-      { nodes, ... }:
-      ''
-        start_all()
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
 
-        # peer1 should have the 'hello' file
-        value = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.hello.files.hello.path}")
-        assert value.strip() == "Hello world from peer1", value
-      '';
-  }
-)
+      # peer1 should have the 'hello' file
+      value = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.hello.files.hello.path}")
+      assert value.strip() == "Hello world from peer1", value
+    '';
+}

From 509b18647c560ae7508998d5e73dea6cb5c928b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:29:08 +0200
Subject: [PATCH 12/22] localsend: migrate to clan.nixosTests module

---
 clanServices/localsend/flake-module.nix     | 19 ++++---
 clanServices/localsend/tests/vm/default.nix | 63 ++++++++-------------
 2 files changed, 35 insertions(+), 47 deletions(-)

diff --git a/clanServices/localsend/flake-module.nix b/clanServices/localsend/flake-module.nix
index 71cd5752d..330a9e9ed 100644
--- a/clanServices/localsend/flake-module.nix
+++ b/clanServices/localsend/flake-module.nix
@@ -1,18 +1,19 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    localsend = lib.modules.importApply ./default.nix { };
+    localsend = module;
   };
 
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        localsend = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.localsend = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/localsend" = module;
       };
     };
 }
diff --git a/clanServices/localsend/tests/vm/default.nix b/clanServices/localsend/tests/vm/default.nix
index f9de82499..466e436ec 100644
--- a/clanServices/localsend/tests/vm/default.nix
+++ b/clanServices/localsend/tests/vm/default.nix
@@ -1,51 +1,38 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
+  module,
   ...
 }:
+{
+  name = "localsend";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    hostPkgs = pkgs;
-
-    name = "localsend";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/localsend" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          localsend-test = {
-            module.name = "@clan/localsend";
-            roles.default.machines."server".settings = {
-              displayName = "Test Instance";
-              ipv4Addr = "192.168.56.2/24";
-            };
+      instances = {
+        localsend-test = {
+          module.name = "@clan/localsend";
+          roles.default.machines."server".settings = {
+            displayName = "Test Instance";
+            ipv4Addr = "192.168.56.2/24";
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = { };
-    };
+  nodes = {
+    server = { };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      # Check that the localsend wrapper script is available
-      server.succeed("command -v localsend")
+    # Check that the localsend wrapper script is available
+    server.succeed("command -v localsend")
 
-      # Verify the 09-zerotier network is configured with the specified IP address
-      server.succeed("grep -q 'Address=192.168.56.2/24' /etc/systemd/network/09-zerotier.network")
-    '';
-  }
-)
+    # Verify the 09-zerotier network is configured with the specified IP address
+    server.succeed("grep -q 'Address=192.168.56.2/24' /etc/systemd/network/09-zerotier.network")
+  '';
+}

From b2a587021f00e408cdd3a70dcdc35979db71f62e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:30:21 +0200
Subject: [PATCH 13/22] mycelium: migrate to clan.nixosTests module

---
 clanServices/mycelium/flake-module.nix     | 19 ++++---
 clanServices/mycelium/tests/vm/default.nix | 65 +++++++++-------------
 2 files changed, 37 insertions(+), 47 deletions(-)

diff --git a/clanServices/mycelium/flake-module.nix b/clanServices/mycelium/flake-module.nix
index a95c8a106..0c475d590 100644
--- a/clanServices/mycelium/flake-module.nix
+++ b/clanServices/mycelium/flake-module.nix
@@ -1,17 +1,18 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    mycelium = lib.modules.importApply ./default.nix { };
+    mycelium = module;
   };
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        mycelium = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.mycelium = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/mycelium" = module;
       };
     };
 }
diff --git a/clanServices/mycelium/tests/vm/default.nix b/clanServices/mycelium/tests/vm/default.nix
index 223e428eb..a69da9c05 100644
--- a/clanServices/mycelium/tests/vm/default.nix
+++ b/clanServices/mycelium/tests/vm/default.nix
@@ -1,53 +1,42 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+{
+  name = "mycelium";
 
-    hostPkgs = pkgs;
+  clan = {
 
-    name = "mycelium";
+    test.useContainers = false;
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    clan = {
-
-      test.useContainers = false;
-      directory = ./.;
-      modules."@clan/mycelium" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          mycelium-test = {
-            module.name = "@clan/mycelium";
-            roles.peer.machines."server".settings = {
-              openFirewall = true;
-              addHostedPublicNodes = true;
-            };
+      instances = {
+        mycelium-test = {
+          module.name = "@clan/mycelium";
+          roles.peer.machines."server".settings = {
+            openFirewall = true;
+            addHostedPublicNodes = true;
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = { };
-    };
+  nodes = {
+    server = { };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      # Check that mycelium service is running
-      server.wait_for_unit("mycelium")
-      server.succeed("systemctl status mycelium")
+    # Check that mycelium service is running
+    server.wait_for_unit("mycelium")
+    server.succeed("systemctl status mycelium")
 
-      # Check that mycelium is listening on its default port
-      server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
-    '';
-  }
-)
+    # Check that mycelium is listening on its default port
+    server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
+  '';
+}

From e5d6d6e7f9cb23b95289bdc5bbe265222e27c066 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:31:09 +0200
Subject: [PATCH 14/22] packages: migrate to clan.nixosTests module

---
 clanServices/packages/flake-module.nix     | 19 +++++----
 clanServices/packages/tests/vm/default.nix | 49 ++++++++--------------
 2 files changed, 28 insertions(+), 40 deletions(-)

diff --git a/clanServices/packages/flake-module.nix b/clanServices/packages/flake-module.nix
index b27fc1621..f03bc2b6f 100644
--- a/clanServices/packages/flake-module.nix
+++ b/clanServices/packages/flake-module.nix
@@ -1,18 +1,19 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    packages = lib.modules.importApply ./default.nix { };
+    packages = module;
   };
 
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        packages = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.packages = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/packages" = module;
       };
     };
 
diff --git a/clanServices/packages/tests/vm/default.nix b/clanServices/packages/tests/vm/default.nix
index 3448b2376..b33b3466b 100644
--- a/clanServices/packages/tests/vm/default.nix
+++ b/clanServices/packages/tests/vm/default.nix
@@ -1,41 +1,28 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
+  module,
   ...
 }:
+{
+  name = "packages";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    hostPkgs = pkgs;
-
-    name = "packages";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/packages" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances.default = {
-          module.name = "@clan/packages";
-          roles.default.machines."server".settings = {
-            packages = [ "cbonsai" ];
-          };
+      instances.default = {
+        module.name = "@clan/packages";
+        roles.default.machines."server".settings = {
+          packages = [ "cbonsai" ];
         };
       };
     };
+  };
 
-    nodes.server = { };
+  nodes.server = { };
 
-    testScript = ''
-      start_all()
-      server.succeed("cbonsai")
-    '';
-  }
-)
+  testScript = ''
+    start_all()
+    server.succeed("cbonsai")
+  '';
+}

From 41513e6a703a95447aa5e393775c82fd0273fc79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:32:04 +0200
Subject: [PATCH 15/22] sshd: migrate to clan.nixosTests module

---
 clanServices/sshd/flake-module.nix     | 19 +++---
 clanServices/sshd/tests/vm/default.nix | 80 +++++++++++---------------
 2 files changed, 44 insertions(+), 55 deletions(-)

diff --git a/clanServices/sshd/flake-module.nix b/clanServices/sshd/flake-module.nix
index 0c44a0fbc..f1a981541 100644
--- a/clanServices/sshd/flake-module.nix
+++ b/clanServices/sshd/flake-module.nix
@@ -1,18 +1,19 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
   clan.modules = {
-    sshd = lib.modules.importApply ./default.nix { };
+    sshd = module;
   };
 
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        sshd = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.sshd = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/sshd" = module;
       };
     };
 
diff --git a/clanServices/sshd/tests/vm/default.nix b/clanServices/sshd/tests/vm/default.nix
index ec097780e..498eaa59c 100644
--- a/clanServices/sshd/tests/vm/default.nix
+++ b/clanServices/sshd/tests/vm/default.nix
@@ -1,62 +1,50 @@
 {
+  module,
   pkgs,
-  nixosLib,
-  clan-core,
   ...
 }:
+{
+  name = "sshd";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+      machines.client = { };
 
-    hostPkgs = pkgs;
-
-    name = "sshd";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/sshd" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-        machines.client = { };
-
-        instances = {
-          sshd-test = {
-            module.name = "@clan/sshd";
-            roles.server.machines."server".settings = {
-              certificate.searchDomains = [ "example.com" ];
-              hostKeys.rsa.enable = true;
-            };
-            roles.client.machines."client".settings = {
-              certificate.searchDomains = [ "example.com" ];
-            };
+      instances = {
+        sshd-test = {
+          module.name = "@clan/sshd";
+          roles.server.machines."server".settings = {
+            certificate.searchDomains = [ "example.com" ];
+            hostKeys.rsa.enable = true;
+          };
+          roles.client.machines."client".settings = {
+            certificate.searchDomains = [ "example.com" ];
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = { };
-      client = { };
-    };
+  nodes = {
+    server = { };
+    client = { };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      # Check that sshd port is open on the server
-      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 22")
+    # Check that sshd port is open on the server
+    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 22")
 
-      # Check that /etc/ssh/ssh_known_hosts contains the required CA string on the server
-      server.succeed("grep '^@cert-authority ssh-ca,\*.example.com ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
+    # Check that /etc/ssh/ssh_known_hosts contains the required CA string on the server
+    server.succeed("grep '^@cert-authority ssh-ca,\*.example.com ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
 
-      # Check that server contains a line starting with 'localhost,server ssh-ed25519'
-      server.succeed("grep '^localhost,server ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
+    # Check that server contains a line starting with 'localhost,server ssh-ed25519'
+    server.succeed("grep '^localhost,server ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
 
-      # Check that /etc/ssh/ssh_known_hosts contains the required CA string on the client
-      client.succeed("grep '^.cert-authority ssh-ca.*example.com ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
-    '';
-  }
-)
+    # Check that /etc/ssh/ssh_known_hosts contains the required CA string on the client
+    client.succeed("grep '^.cert-authority ssh-ca.*example.com ssh-ed25519 ' /etc/ssh/ssh_known_hosts")
+  '';
+}

From 8e2fc1056f60c48904b9ed1f3a50d66f36c1da7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:33:29 +0200
Subject: [PATCH 16/22] state-version: migrate to clan.nixosTests module

---
 clanServices/state-version/flake-module.nix   | 23 +++++-----
 .../state-version/tests/vm/default.nix        | 45 ++++++-------------
 2 files changed, 24 insertions(+), 44 deletions(-)

diff --git a/clanServices/state-version/flake-module.nix b/clanServices/state-version/flake-module.nix
index 4f848476b..c4ff9d633 100644
--- a/clanServices/state-version/flake-module.nix
+++ b/clanServices/state-version/flake-module.nix
@@ -1,19 +1,16 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
-  clan.modules = {
-    state-version = lib.modules.importApply ./default.nix { };
-  };
-
+  clan.modules.state-version = module;
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        state-version = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.state-version = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/state-version" = module;
       };
     };
-
 }
diff --git a/clanServices/state-version/tests/vm/default.nix b/clanServices/state-version/tests/vm/default.nix
index 15497fee2..9ad1774a4 100644
--- a/clanServices/state-version/tests/vm/default.nix
+++ b/clanServices/state-version/tests/vm/default.nix
@@ -1,37 +1,20 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
+  name = "state-version";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "state-version";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/state-version" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-        instances.default = {
-          module.name = "@clan/state-version";
-          roles.default.machines."server" = { };
-        };
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+      instances.default = {
+        module.name = "@clan/state-version";
+        roles.default.machines."server" = { };
       };
     };
+  };
 
-    nodes.server = { };
+  nodes.server = { };
 
-    testScript = ''
-      start_all()
-    '';
-  }
-)
+  testScript = ''
+    start_all()
+  '';
+}

From d31c9d15379475b338836747090a27d4e9b1cb26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:34:19 +0200
Subject: [PATCH 17/22] trusted-nix-caches: migrate to clan.nixosTests module

---
 .../trusted-nix-caches/flake-module.nix       | 21 ++++----
 .../trusted-nix-caches/tests/vm/default.nix   | 48 +++++++------------
 2 files changed, 26 insertions(+), 43 deletions(-)

diff --git a/clanServices/trusted-nix-caches/flake-module.nix b/clanServices/trusted-nix-caches/flake-module.nix
index 81c2dc33c..a1cb3ca60 100644
--- a/clanServices/trusted-nix-caches/flake-module.nix
+++ b/clanServices/trusted-nix-caches/flake-module.nix
@@ -1,17 +1,16 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
-  clan.modules = {
-    trusted-nix-caches = lib.modules.importApply ./default.nix { };
-  };
+  clan.modules.trusted-nix-caches = module;
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        trusted-nix-caches = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.trusted-nix-caches = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/trusted-nix-caches" = module;
       };
     };
 }
diff --git a/clanServices/trusted-nix-caches/tests/vm/default.nix b/clanServices/trusted-nix-caches/tests/vm/default.nix
index df7245aed..97adbfd60 100644
--- a/clanServices/trusted-nix-caches/tests/vm/default.nix
+++ b/clanServices/trusted-nix-caches/tests/vm/default.nix
@@ -1,40 +1,24 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  name = "trusted-nix-caches";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    name = "trusted-nix-caches";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/trusted-nix-caches" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          trusted-nix-caches = {
-            module.name = "@clan/trusted-nix-caches";
-            roles.default.machines."server" = { };
-          };
+      instances = {
+        trusted-nix-caches = {
+          module.name = "@clan/trusted-nix-caches";
+          roles.default.machines."server" = { };
         };
       };
     };
+  };
 
-    nodes.server = { };
+  nodes.server = { };
 
-    testScript = ''
-      start_all()
-      server.succeed("grep -q 'cache.clan.lol' /etc/nix/nix.conf")
-    '';
-  }
-)
+  testScript = ''
+    start_all()
+    server.succeed("grep -q 'cache.clan.lol' /etc/nix/nix.conf")
+  '';
+}

From 9cefd70bf8d67303f4a4bfaa930462a9ec0f88a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:35:16 +0200
Subject: [PATCH 18/22] users: migrate to clan.nixosTests module

---
 clanServices/users/flake-module.nix     | 22 +++----
 clanServices/users/tests/vm/default.nix | 87 ++++++++++---------------
 2 files changed, 45 insertions(+), 64 deletions(-)

diff --git a/clanServices/users/flake-module.nix b/clanServices/users/flake-module.nix
index 04f431028..adf40791d 100644
--- a/clanServices/users/flake-module.nix
+++ b/clanServices/users/flake-module.nix
@@ -1,18 +1,16 @@
-{ lib, self, ... }:
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
 {
-  clan.modules = {
-    users = lib.modules.importApply ./default.nix { };
-  };
+  clan.modules.users = module;
   perSystem =
-    { pkgs, ... }:
+    { ... }:
     {
-      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        users = import ./tests/vm/default.nix {
-          inherit pkgs;
-          clan-core = self;
-          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-        };
+      clan.nixosTests.users = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/users" = module;
       };
     };
-
 }
diff --git a/clanServices/users/tests/vm/default.nix b/clanServices/users/tests/vm/default.nix
index 4be9f8c73..002fe6946 100644
--- a/clanServices/users/tests/vm/default.nix
+++ b/clanServices/users/tests/vm/default.nix
@@ -1,67 +1,50 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
+  name = "users";
 
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
 
-    hostPkgs = pkgs;
-
-    name = "users";
-
-    clan = {
-      directory = ./.;
-      modules."@clan/users" = ../../default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          root-password-test = {
-            module.name = "@clan/users";
-            roles.default.machines."server".settings = {
-              user = "root";
-              prompt = false;
-            };
+      instances = {
+        root-password-test = {
+          module.name = "@clan/users";
+          roles.default.machines."server".settings = {
+            user = "root";
+            prompt = false;
           };
-          user-password-test = {
-            module.name = "@clan/users";
-            roles.default.machines."server".settings = {
-              user = "testuser";
-              prompt = false;
-            };
+        };
+        user-password-test = {
+          module.name = "@clan/users";
+          roles.default.machines."server".settings = {
+            user = "testuser";
+            prompt = false;
           };
         };
       };
     };
+  };
 
-    nodes = {
-      server = {
-        users.users.testuser.group = "testuser";
-        users.groups.testuser = { };
-        users.users.testuser.isNormalUser = true;
-      };
+  nodes = {
+    server = {
+      users.users.testuser.group = "testuser";
+      users.groups.testuser = { };
+      users.users.testuser.isNormalUser = true;
     };
+  };
 
-    testScript = ''
-      start_all()
+  testScript = ''
+    start_all()
 
-      server.wait_for_unit("multi-user.target")
+    server.wait_for_unit("multi-user.target")
 
-      # Check that the testuser account exists
-      server.succeed("id testuser")
+    # Check that the testuser account exists
+    server.succeed("id testuser")
 
-      # Try to log in as the user using the generated password
-      # TODO: fix
-      # password = server.succeed("cat /run/clan/vars/user-password/user-password").strip()
-      # server.succeed(f"echo '{password}' | su - testuser -c 'echo Login successful'")
+    # Try to log in as the user using the generated password
+    # TODO: fix
+    # password = server.succeed("cat /run/clan/vars/user-password/user-password").strip()
+    # server.succeed(f"echo '{password}' | su - testuser -c 'echo Login successful'")
 
-    '';
-  }
-)
+  '';
+}

From be760704eb04e893f45f070142e74c648eab40d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:36:35 +0200
Subject: [PATCH 19/22] wifi: migrate to clan.nixosTests module

---
 clanServices/wifi/flake-module.nix     | 13 ++-----------
 clanServices/wifi/tests/vm/default.nix |  2 +-
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/clanServices/wifi/flake-module.nix b/clanServices/wifi/flake-module.nix
index 0faea677e..a2b885bcd 100644
--- a/clanServices/wifi/flake-module.nix
+++ b/clanServices/wifi/flake-module.nix
@@ -9,20 +9,11 @@ let
   };
 in
 {
-  clan.modules = {
-    wifi = module;
-  };
+  clan.modules.wifi = module;
   perSystem =
     { ... }:
     {
-      /**
-        1. Prepare the test vars
-        nix run .#generate-test-vars -- clanServices/hello-world/tests/vm hello-service
-
-        2. To run the test
-        nix build .#checks.x86_64-linux.hello-service
-      */
-      clan.nixosTests.wifi-service = {
+      clan.nixosTests.wifi = {
         imports = [ ./tests/vm/default.nix ];
 
         clan.modules."@clan/wifi" = module;
diff --git a/clanServices/wifi/tests/vm/default.nix b/clanServices/wifi/tests/vm/default.nix
index 0efd5e315..8d257c9a6 100644
--- a/clanServices/wifi/tests/vm/default.nix
+++ b/clanServices/wifi/tests/vm/default.nix
@@ -1,5 +1,5 @@
 {
-  name = "wifi-service";
+  name = "wifi";
 
   clan = {
     directory = ./.;

From c03fda1b84d519dcd4c653956bdf1143e6ad1ed6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:37:37 +0200
Subject: [PATCH 20/22] zerotier: migrate to clan.nixosTests module

---
 clanServices/zerotier/flake-module.nix        | 16 +++---
 clanServices/zerotier/tests/vm/default.nix    | 52 +++++++------------
 .../tests/vm/sops/machines/test/key.json      |  6 ---
 .../tests/vm/sops/secrets/test-age.key/secret | 15 ------
 .../vm/sops/secrets/test-age.key/users/admin  |  1 -
 .../wifi.one/network-name/machines/test       |  1 -
 .../vars/shared/wifi.one/network-name/secret  | 19 -------
 .../shared/wifi.one/network-name/users/admin  |  1 -
 .../shared/wifi.one/password/machines/test    |  1 -
 .../vm/vars/shared/wifi.one/password/secret   | 19 -------
 .../vars/shared/wifi.one/password/users/admin |  1 -
 11 files changed, 25 insertions(+), 107 deletions(-)
 delete mode 100755 clanServices/zerotier/tests/vm/sops/machines/test/key.json
 delete mode 100644 clanServices/zerotier/tests/vm/sops/secrets/test-age.key/secret
 delete mode 120000 clanServices/zerotier/tests/vm/sops/secrets/test-age.key/users/admin
 delete mode 120000 clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/machines/test
 delete mode 100644 clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/secret
 delete mode 120000 clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/users/admin
 delete mode 120000 clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/machines/test
 delete mode 100644 clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/secret
 delete mode 120000 clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/users/admin

diff --git a/clanServices/zerotier/flake-module.nix b/clanServices/zerotier/flake-module.nix
index 4aaa0ab3d..e1f691fcd 100644
--- a/clanServices/zerotier/flake-module.nix
+++ b/clanServices/zerotier/flake-module.nix
@@ -8,9 +8,7 @@ let
   module = lib.modules.importApply ./default.nix { };
 in
 {
-  clan.modules = {
-    zerotier = module;
-  };
+  clan.modules.zerotier = module;
   perSystem =
     { ... }:
     let
@@ -28,11 +26,11 @@ in
       imports = [
         unit-test-module
       ];
-      # zerotier = import ./tests/vm/default.nix {
-      #   inherit module;
-      #   inherit inputs pkgs;
-      #   clan-core = self;
-      #   nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-      # };
+
+      clan.nixosTests.zerotier = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules.zerotier = module;
+      };
     };
 }
diff --git a/clanServices/zerotier/tests/vm/default.nix b/clanServices/zerotier/tests/vm/default.nix
index 52961d336..531539c7f 100644
--- a/clanServices/zerotier/tests/vm/default.nix
+++ b/clanServices/zerotier/tests/vm/default.nix
@@ -1,43 +1,27 @@
 {
-  pkgs,
-  nixosLib,
-  clan-core,
-  module,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+  name = "zerotier";
 
-    hostPkgs = pkgs;
+  clan = {
+    directory = ./.;
+    inventory = {
 
-    name = "zerotier";
+      machines.jon = { };
+      machines.sara = { };
+      machines.bam = { };
 
-    clan = {
-      directory = ./.;
-      modules."zerotier" = module;
-      inventory = {
+      instances = {
+        "zerotier" = {
+          module.name = "zerotier";
 
-        machines.jon = { };
-        machines.sara = { };
-        machines.bam = { };
-
-        instances = {
-          "zerotier" = {
-            module.name = "zerotier";
-
-            roles.peer.tags.all = { };
-            roles.controller.machines.bam = { };
-          };
+          roles.peer.tags.all = { };
+          roles.controller.machines.bam = { };
+          roles.moon.machines = { };
         };
       };
     };
+  };
 
-    # This is not an actual vm test, this is a workaround to
-    # generate the needed vars for the eval test.
-    testScript = '''';
-  }
-)
+  # This is not an actual vm test, this is a workaround to
+  # generate the needed vars for the eval test.
+  testScript = "";
+}
diff --git a/clanServices/zerotier/tests/vm/sops/machines/test/key.json b/clanServices/zerotier/tests/vm/sops/machines/test/key.json
deleted file mode 100755
index e8dcc2dc3..000000000
--- a/clanServices/zerotier/tests/vm/sops/machines/test/key.json
+++ /dev/null
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age13ahclyps97532zt2sfta5zrfx976d3r2jmctj8d36vj9x5v5ffqq304fqf",
-    "type": "age"
-  }
-]
diff --git a/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/secret b/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/secret
deleted file mode 100644
index 89db73364..000000000
--- a/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/secret
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:AGYme1x1pE7SVk6HowmIYMN3EHNaZglW97geihpDCkKqArq/zD2IHxbgo8OtXmaNws16i0R6LehWJTL21fVmnAEA9GNZQOE/Y4Q=,iv:Kc3bDcOwJmxHnnlBweUbqDE77VVFZFelEGpmpfBSct8=,tag:m4kzx3nOtexD91kisQafFw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTc2Q5NTY1ejl5ODhSOXhv\nVUFrb0xvblErWEY1R0k3UXNBQk5Ja1MwaERVCmdISk1RSGFUL2FRMWlPSFdERjB6\nalltcHZLd21XOVFuaExSRUNQc1VmdjAKLS0tIGg0ZGdvbm9wbC9Jd255cHNmVWxP\nWStOQS9EQW9WQUtLZVp5SDBmM1ByaEEKzviyWc0yLbDMwk/CHhTwntrjA5LX44Wu\nNdlsQG/yfRaqRL1TKZztT9RnX0293gOEZFvoYZasEJJAIeBoZvN6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-29T13:14:51Z",
-		"mac": "ENC[AES256_GCM,data:uCk2e5aFHZhttLkIdvDU3KARN7PiHKLtXsqxmuLkZP903XhDTCuj1GH6S0C9UN5LftlaVjCEaqlgx68cCNwTc9bTUnhSdVVjMWy0gjxKZ1Y25YzOMlEmOAk/TZqUvnMn/cUL8KOeBnymPbAeqLm8yATjwsyx5+GrFrIVxwGQzUA=,iv:UMX2Ik0xlcljMZyBhjOpvYcsJCC5Wb6d/rgbTFb+6oM=,tag:HH05tFDzOcRrQ8TTXxrDyw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/users/admin b/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/users/admin
deleted file mode 120000
index 9e21a9938..000000000
--- a/clanServices/zerotier/tests/vm/sops/secrets/test-age.key/users/admin
+++ /dev/null
@@ -1 +0,0 @@
-../../../users/admin
\ No newline at end of file
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/machines/test b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/machines/test
deleted file mode 120000
index 8adbdc900..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/machines/test
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/test
\ No newline at end of file
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/secret b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/secret
deleted file mode 100644
index fa59b60ac..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/secret
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:iNOb,iv:24+bKY5u61JYsvLHV8TIUBVmJPV1aX/BJr//c7le68o=,tag:ANCOrzvnukvqyKGf+L8gFQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age13ahclyps97532zt2sfta5zrfx976d3r2jmctj8d36vj9x5v5ffqq304fqf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxN2EwVHN3SENVTjdjZGRi\nQmJOWlNGYmpmM1BnZnpYWGhaSlRaUVJIODFRCkhhMUhyZzVWWk53SDBwSVBVZGVY\nVUpMTm9qWTIzc3VwdGJHcUVWVzFlV0UKLS0tIDBBVXdlS1FFbzNPSnlZWWtEaDJi\nK215OWQvMVRCRUZyQjFZckJFbHBZeDQK2cqgDnGM5uIm834dbQ3bi3nQA5nPq6Bf\n0+sezXuY55GdFS6OxIgI5/KcitHzDE0WHOvklIGDCSysoXIQ3QXanA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NDB5SVcrU0V6akYwbDlv\na1BuSm5XbjYwN2ZkZWtIcnhBVHBTWGFxd24wCnZTVGlPRm5uZEd3QXYwdFRMS09K\nWWw5N2RJZ3d4N0VDMWZmM2lkYVM4VncKLS0tIGplTDVka1VoUVdXMU9VS3hYSlZ1\nRjZGL25hQWxHWEx3OXdQamJiNG9KaDgKk94uXPuCE/M4Hz/7hVKJPHuzQfbOQi/9\nVfR2i17Hjcq08l68Xzn+DllQEAFdts2fS96Pu4FFKfiLK7INl/fUOg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-29T13:15:02Z",
-		"mac": "ENC[AES256_GCM,data:4beXC5ONY5RLChluoVkklpDnaf/KCjlUzpQkFVSp7vauQmMKeTK40xqfvY5d+64u/OKRTIdc38KQTwhZ0pYzOv1LcJOWbHrGu7XadlALKgyUqKOZy03G2O8y0IF6t/LUK8TaNFnNvNteFsfD36/+wkRaxPJe7MKXGqPhWf6RC78=,iv:FR/PQUZqL3HnyVbW+H1QlZMmgFxA5juSb88wuatIlHM=,tag:parvZw3y9ZHieZ8pmUjCZQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/users/admin b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/users/admin
deleted file mode 120000
index f14859ae0..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/network-name/users/admin
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/users/admin
\ No newline at end of file
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/machines/test b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/machines/test
deleted file mode 120000
index 8adbdc900..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/machines/test
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/test
\ No newline at end of file
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/secret b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/secret
deleted file mode 100644
index 2353f2d36..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/secret
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:HHWyM9d6StpKc6uTxg==,iv:blDyfL/xSThCt+dhxeR5eOLa11OsIkbe+w4ReLBv754=,tag:qGHcDXS4DWdUIXUvtLc5XQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age13ahclyps97532zt2sfta5zrfx976d3r2jmctj8d36vj9x5v5ffqq304fqf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdkQyYnQ1UzlCWEFtdnJh\nMWlBK0RGcENTMmRITWM5SSs2Mkt2N0ZKdm5VClNTS0NuR05OVHY3QkFLZWt6bTUx\nMzJLc2Vib1ZUbW1VM0lhYXFFeEhOaEEKLS0tIHVoODVOK3BUU2JDZkJkN2I2Wm1L\nMWM0TUNQazljZS9uWXRKRFlxWmd0clUKg1YhJoRea05c24hCuZKYvqyvjuu965KD\nr4GLtyqQ6wt9sn50Rzx5cAY/Ac684DNFJVZ1RwG1NTB2kmXcVP8SJA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZTA5QXpsOXR3L2FKcnJD\neUxzNVp3M2VQMFFaUUxwNXQ4UTlXa01rR0IwCjkyU2hmdlVYbWY4WUpVK0J1ZC9Q\nRjVkYWlGTlh1MFY3R3FxMEZHODZXMmcKLS0tIFV3bGdvUEtnT21wRWJveEQwdTBV\nbGFUUExBZWR1enQ0c0l0dUY3TnErM3cKutl5cv8dSlpQA7SXUYWJq1M0yLmko/Bx\nUvxxGGLQaK0Mp81Z5mOsjNhcVQrY160AyVnWJ0z39cqOJq9PpXRP+A==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-29T13:15:02Z",
-		"mac": "ENC[AES256_GCM,data:Y2FFQevNHSJrEtCmGHQXcpfyof0v2IF8ey79g7EfGj13An4ylhvogsVjRtfMkQvKD5GZykswZgmh+PmKUIzRoc+cvnMLu0iBzleYv+KzpYqtvUpdK0+NQn/4cKOoafajwNV7EuCQh+SkJgSGjNSbMs8xtIb4q9DmJyTcTbG0JQ4=,iv:xmA/cEhl/J0Z+8QR2GFiGWRw4aH/C4HmO+Qd4e25utw=,tag:/hG5S/EmRt8CjAy8DfBoqg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/users/admin b/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/users/admin
deleted file mode 120000
index f14859ae0..000000000
--- a/clanServices/zerotier/tests/vm/vars/shared/wifi.one/password/users/admin
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/users/admin
\ No newline at end of file

From 80a0f668096825c7669d89da903de52b723901a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 19:39:58 +0200
Subject: [PATCH 21/22] no longer make test derivation depends on vars-check

this triggers more builds than necessary.
---
 lib/clanTest/flake-module.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/clanTest/flake-module.nix b/lib/clanTest/flake-module.nix
index 220ac7df8..174cd8f56 100644
--- a/lib/clanTest/flake-module.nix
+++ b/lib/clanTest/flake-module.nix
@@ -277,8 +277,6 @@ in
             #     Harder to handle advanced setups (like TPM, LUKS, or LVM-on-LUKS) but not needed since we are in a test
             #     No systemd journal logs from initrd.
             boot.initrd.systemd.enable = false;
-            # make the test depend on its vars-check derivation
-            environment.variables.CLAN_VARS_CHECK = "${vars-check}";
           }
         );
 

From a260083919632535ab4639c30ba1ad5a30da8617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 17 Jun 2025 21:07:15 +0200
Subject: [PATCH 22/22] fix(vars-check): include generator scripts in test
 closure

The vars-check test was failing because it only included the
runtimeInputs of generators but not the actual generator scripts
themselves. This caused the test to fail when trying to execute
generators that reference local files (like generate.py).

Added allGeneratorScripts to the closureInfo to ensure all generator
scripts and their dependencies are available in the test environment.
---
 lib/clanTest/flake-module.nix | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/lib/clanTest/flake-module.nix b/lib/clanTest/flake-module.nix
index 174cd8f56..39449b047 100644
--- a/lib/clanTest/flake-module.nix
+++ b/lib/clanTest/flake-module.nix
@@ -99,10 +99,18 @@ in
         machine:
         flip mapAttrsToList machine.clan.core.vars.generators (_name: generator: generator.runtimeInputs);
 
+      generatorScripts =
+        machine:
+        flip mapAttrsToList machine.clan.core.vars.generators (_name: generator: generator.finalScript);
+
       generatorRuntimeInputs = unique (
         flatten (flip mapAttrsToList config.nodes (_machineName: machine: inputsForMachine machine))
       );
 
+      allGeneratorScripts = unique (
+        flatten (flip mapAttrsToList config.nodes (_machineName: machine: generatorScripts machine))
+      );
+
       vars-check =
         hostPkgs.runCommand "update-vars-check-${testName}"
           {
@@ -114,16 +122,19 @@ in
               hostPkgs.bubblewrap
             ];
             closureInfo = hostPkgs.closureInfo {
-              rootPaths = generatorRuntimeInputs ++ [
-                hostPkgs.bash
-                hostPkgs.coreutils
-                hostPkgs.jq.dev
-                hostPkgs.stdenv
-                hostPkgs.stdenvNoCC
-                hostPkgs.shellcheck-minimal
-                hostPkgs.age
-                hostPkgs.sops
-              ];
+              rootPaths =
+                generatorRuntimeInputs
+                ++ allGeneratorScripts
+                ++ [
+                  hostPkgs.bash
+                  hostPkgs.coreutils
+                  hostPkgs.jq.dev
+                  hostPkgs.stdenv
+                  hostPkgs.stdenvNoCC
+                  hostPkgs.shellcheck-minimal
+                  hostPkgs.age
+                  hostPkgs.sops
+                ];
             };
           }
           ''