diff --git a/pkgs/clan-cli/clan_cli/facts/upload.py b/pkgs/clan-cli/clan_cli/facts/upload.py
index 6cb6bf8be..1df5fb194 100644
--- a/pkgs/clan-cli/clan_cli/facts/upload.py
+++ b/pkgs/clan-cli/clan_cli/facts/upload.py
@@ -31,9 +31,11 @@ def upload_secrets(machine: Machine) -> None:
 "rsync",
 "-e",
 " ".join(["ssh"] + ssh_cmd[2:]),
- "-az",
+ "--recursive",
+ "--links",
+ "--times",
+ "--compress",
 "--delete",
- "--chown=root:root",
 "--chmod=D700,F600",
 f"{tempdir!s}/",
 f"{host.user}@{host.host}:{machine.secrets_upload_directory}/",
diff --git a/pkgs/clan-cli/clan_cli/vars/upload.py b/pkgs/clan-cli/clan_cli/vars/upload.py
index 873fd7ffc..d80af092f 100644
--- a/pkgs/clan-cli/clan_cli/vars/upload.py
+++ b/pkgs/clan-cli/clan_cli/vars/upload.py
@@ -31,9 +31,11 @@ def upload_secrets(machine: Machine) -> None:
 "rsync",
 "-e",
 " ".join(["ssh"] + ssh_cmd[2:]),
- "-az",
+ "--recursive",
+ "--links",
+ "--times",
+ "--compress",
 "--delete",
- "--chown=root:root",
 "--chmod=D700,F600",
 f"{tempdir!s}/",
 f"{host.user}@{host.host}:{machine.secrets_upload_directory}/",
diff --git a/pkgs/clan-cli/tests/helpers/vms.py b/pkgs/clan-cli/tests/helpers/vms.py
index 0661708ce..417b85034 100644
--- a/pkgs/clan-cli/tests/helpers/vms.py
+++ b/pkgs/clan-cli/tests/helpers/vms.py
@@ -46,7 +46,7 @@ def wait_vm_up(machine_name: str, flake_url: str | None = None) -> None:
 if flake_url is None:
 flake_url = str(Path.cwd())
 socket_file = vm_state_dir(flake_url, machine_name) / "qmp.sock"
- timeout: float = 100
+ timeout: float = 600
 while True:
 if timeout <= 0:
 raise TimeoutError(
diff --git a/pkgs/clan-cli/tests/test_vars_deployment.py b/pkgs/clan-cli/tests/test_vars_deployment.py
new file mode 100644
index 000000000..2b2c361d7
--- /dev/null
+++ b/pkgs/clan-cli/tests/test_vars_deployment.py
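Review bot: In `upload_secrets` (clan_cli/facts/upload.py), `--chmod=D700,F600` is no longer enforced on files and directories that already exist on the target, because the flag list that replaces `-az` omits `--perms`, which `-a` implied. Without `--perms`, rsync treats the chmod value as the sender's mode only: newly created entries get it masked by the remote umask, and existing entries in `secrets_upload_directory` keep whatever mode they had. If uploaded secrets are meant to always end up 0700/0600, add `"--perms",` next to `"--chmod=D700,F600",`. With `--chown=root:root` removed, ownership now follows `host.user`, which deserves a one-line comment explaining why that is acceptable. The identical hunk in clan_cli/vars/upload.py has the same issue; the function body continues outside both hunks.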
@@ -0,0 +1,42 @@
+from pathlib import Path
+
+import pytest
+
+from tests.age_keys import SopsSetup
+from tests.fixtures_flakes import generate_flake
+from tests.helpers import cli
+from tests.helpers.nixos_config import nested_dict
+from tests.helpers.vms import qga_connect, run_vm_in_thread, wait_vm_down
+from tests.root import CLAN_CORE
+
+
+@pytest.mark.impure
+def test_vm_deployment(
+ monkeypatch: pytest.MonkeyPatch,
+ temporary_home: Path,
+ sops_setup: SopsSetup,
+) -> None:
+ config = nested_dict()
+ config["clan"]["virtualisation"]["graphics"] = False
+ config["services"]["getty"]["autologinUser"] = "root"
+ config["services"]["openssh"]["enable"] = True
+ config["networking"]["firewall"]["enable"] = False
+ my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
+ my_generator["files"]["my_secret"]["secret"] = True
+ my_generator["files"]["my_value"]["secret"] = False
+ my_generator["script"] = "echo hello > $out/my_secret && echo hello > $out/my_value"
+ flake = generate_flake(
+ temporary_home,
+ flake_template=CLAN_CORE / "templates" / "minimal",
+ machine_configs=dict(my_machine=config),
+ )
+ monkeypatch.chdir(flake.path)
+ sops_setup.init()
+ cli.run(["vars", "generate", "my_machine"])
+ run_vm_in_thread("my_machine")
+ qga = qga_connect("my_machine")
+ qga.run("ls /run/secrets/my_machine/my_generator/my_secret", check=True)
+ _, out, _ = qga.run("cat /run/secrets/my_machine/my_generator/my_secret")
+ assert out == "hello\n"
+ qga.exec_cmd("poweroff")
+ wait_vm_down("my_machine")
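Review bot: `test_vm_deployment` checks only the content of `/run/secrets/my_machine/my_generator/my_secret`, not its mode or owner, so a deployment that leaves the secret readable by other users would still pass. Consider adding something like `_, perms, _ = qga.run("stat -c '%a %U' /run/secrets/my_machine/my_generator/my_secret")` and asserting the mode and owner the deployment is meant to produce. The `cat` call also lacks `check=True`, and `my_value` is generated but never verified. If an assertion fails, `qga.exec_cmd("poweroff")` and `wait_vm_down("my_machine")` are skipped; moving them into a `finally:` would keep a failed run from leaving the VM up.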