Merge pull request 'Consistently pass nix options to underlying tools' (#1488) from pass-nix-options into main

checks/backups/flake-module.nix

@@ -145,14 +145,14 @@
             machine.succeed("echo testing > /var/test-backups/somefile")
 
             # create
-            machine.succeed("clan --debug --flake ${self} backups create test-backup")
+            machine.succeed("clan backups create --debug --flake ${self} test-backup")
             machine.wait_until_succeeds("! systemctl is-active borgbackup-job-test-backup >&2")
             machine.succeed("test -f /run/mount-external-disk")
             machine.succeed("test -f /run/unmount-external-disk")
 
             # list
             backup_id = json.loads(machine.succeed("borg-job-test-backup list --json"))["archives"][0]["archive"]
-            out = machine.succeed("clan --debug --flake ${self} backups list test-backup").strip()
+            out = machine.succeed("clan backups list --debug --flake ${self} test-backup").strip()
             print(out)
             assert backup_id in out, f"backup {backup_id} not found in {out}"
             localbackup_id = "hdd::/mnt/external-disk/snapshot.0"
@@ -160,14 +160,14 @@
 
             ## borgbackup restore
             machine.succeed("rm -f /var/test-backups/somefile")
-            machine.succeed(f"clan --debug --flake ${self} backups restore test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
+            machine.succeed(f"clan backups restore --debug --flake ${self} test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
             assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
             machine.succeed("test -f /var/test-service/pre-restore-command")
             machine.succeed("test -f /var/test-service/post-restore-command")
 
             ## localbackup restore
             machine.succeed("rm -f /var/test-backups/somefile /var/test-service/{pre,post}-restore-command")
-            machine.succeed(f"clan --debug --flake ${self} backups restore test-backup localbackup '{localbackup_id}' >&2")
+            machine.succeed(f"clan backups restore --debug --flake ${self} test-backup localbackup '{localbackup_id}' >&2")
             assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
             machine.succeed("test -f /var/test-service/pre-restore-command")
             machine.succeed("test -f /var/test-service/post-restore-command")

checks/flash/flake-module.nix

@@ -1,33 +1,58 @@
-{ ... }:
+{ self, ... }:
 {
   perSystem =
-    { ... }:
     {
-      # checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
+      nodes,
-      #   flash = (import ../lib/test-base.nix) {
+      pkgs,
-      #     name = "flash";
+      lib,
-      #     nodes.target = {
+      ...
-      #       virtualisation.emptyDiskImages = [ 4096 ];
+    }:
-      #       virtualisation.memorySize = 3000;
+    let
-      #       environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+      dependencies = [
-      #       environment.etc."install-closure".source = "${closureInfo}/store-paths"; 
+        self
+        pkgs.stdenv.drvPath
+        pkgs.jq
+        pkgs.disko
+        pkgs.stdenvNoCC.drvPath
+        pkgs.openssl
+        pkgs.curl
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.toplevel
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.diskoScript
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.clan.deployment.file
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.pkgs.disko
+      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+    in
+    {
+      # Currently disabled...
+      checks = pkgs.lib.mkIf (false && pkgs.stdenv.isLinux) {
+        flash = (import ../lib/test-base.nix) {
+          name = "flash";
+          nodes.target = {
+            virtualisation.emptyDiskImages = [ 4096 ];
+            virtualisation.memorySize = 3000;
+            environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+            environment.etc."install-closure".source = "${closureInfo}/store-paths";
 
-      #       nix.settings = {
+            nix.settings = {
-      #         substituters = lib.mkForce [ ];
+              substituters = lib.mkForce [ ];
-      #         hashed-mirrors = null;
+              hashed-mirrors = null;
-      #         connect-timeout = lib.mkForce 3;
+              connect-timeout = lib.mkForce 3;
-      #         flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+              flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-      #         experimental-features = [
+              experimental-features = [
-      #           "nix-command"
+                "nix-command"
-      #           "flakes"
+                "flakes"
-      #         ];
+              ];
-      #       };
+            };
-      #     };
+          };
-      #     testScript = ''
+          testScript = ''
-      #       start_all()
+            start_all()
-      #       machine.succeed("clan --debug --flake ${../..} flash --yes --disk main /dev/vdb test_install_machine")
+            machine.succeed("nix-store --verify-path ${
-      #     '';
+              self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.diskoScript
-      #   } { inherit pkgs self; };
+            }")
-      # };
+            machine.execute("timeout 30 clan flash --debug --flake ${../..} --yes --disk main /dev/vdb test_install_machine")
+          '';
+        } { inherit pkgs self; };
+      };
     };
 }

checks/installation/flake-module.nix

@@ -2,8 +2,8 @@
 {
   clan.machines.test_install_machine = {
     clan.networking.targetHost = "test_install_machine";
-    fileSystems."/".device = lib.mkDefault "/dev/null";
+    fileSystems."/".device = lib.mkDefault "/dev/vdb";
-    boot.loader.grub.device = lib.mkDefault "/dev/null";
+    boot.loader.grub.device = lib.mkDefault "/dev/vdb";
 
     imports = [ self.nixosModules.test_install_machine ];
   };
@@ -98,7 +98,7 @@
             client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
             client.wait_until_succeeds("ssh -o StrictHostKeyChecking=accept-new -v root@target hostname")
 
-            client.succeed("clan --debug --flake ${../..} machines install --yes test_install_machine root@target >&2")
+            client.succeed("clan machines install --debug --flake ${../..} --yes test_install_machine root@target >&2")
             try:
               target.shutdown()
             except BrokenPipeError:

docs/site/getting-started/installer.md

@@ -46,7 +46,7 @@ sudo umount /dev/sdb1
     It also includes the language and keymap currently used into the installer image.
 
     ```bash
-    clan --flake git+https://git.clan.lol/clan/clan-core flash flash-installer --disk main /dev/sd<X>
+    clan flash --flake git+https://git.clan.lol/clan/clan-core flash-installer --disk main /dev/sd<X>
     ```
 
     !!! Danger "Specifying the wrong device can lead to unrecoverable data loss."

pkgs/clan-cli/clan_cli/__init__.py

@@ -51,19 +51,14 @@ class AppendOptionAction(argparse.Action):
         lst.append(values[1])
 
 
-def create_parser(prog: str | None = None) -> argparse.ArgumentParser:
+def flake_path(arg: str) -> str | Path:
-    parser = argparse.ArgumentParser(
+    flake_dir = Path(arg).resolve()
-        prog=prog,
+    if flake_dir.exists() and flake_dir.is_dir():
-        description="The clan cli tool.",
+        return flake_dir
-        epilog=(
+    return arg
-            """
-Online reference for the clan cli tool: https://docs.clan.lol/reference/cli/
-For more detailed information, visit: https://docs.clan.lol
-        """
-        ),
-        formatter_class=argparse.RawTextHelpFormatter,
-    )
 
+
+def add_common_flags(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--debug",
         help="Enable debug logging",
@@ -80,12 +75,6 @@ For more detailed information, visit: https://docs.clan.lol
         default=[],
     )
 
-    def flake_path(arg: str) -> str | Path:
-        flake_dir = Path(arg).resolve()
-        if flake_dir.exists() and flake_dir.is_dir():
-            return flake_dir
-        return arg
-
     parser.add_argument(
         "--flake",
         help="path to the flake where the clan resides in, can be a remote flake or local, can be set through the [CLAN_DIR] environment variable",
@@ -94,6 +83,30 @@ For more detailed information, visit: https://docs.clan.lol
         type=flake_path,
     )
 
+
+def register_common_flags(parser: argparse.ArgumentParser) -> None:
+    has_subparsers = False
+    for action in parser._actions:
+        if isinstance(action, argparse._SubParsersAction):
+            for choice, child_parser in action.choices.items():
+                has_subparsers = True
+                register_common_flags(child_parser)
+    if not has_subparsers:
+        add_common_flags(parser)
+
+
+def create_parser(prog: str | None = None) -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog=prog,
+        description="The clan cli tool.",
+        epilog=(
+            """
+Online reference for the clan cli tool: https://docs.clan.lol/reference/cli/
+For more detailed information, visit: https://docs.clan.lol
+        """
+        ),
+        formatter_class=argparse.RawTextHelpFormatter,
+    )
     subparsers = parser.add_subparsers()
 
     parser_backups = subparsers.add_parser(
@@ -208,7 +221,7 @@ For more detailed information, visit: https://docs.clan.lol/getting-started/secr
 
 This subcommand provides an interface to facts of clan machines.
 Facts are artifacts that a service can generate.
-There are public and secret facts. 
+There are public and secret facts.
 Public facts can be referenced by other machines directly.
 Public facts can include: ip addresses, public keys.
 Secret facts can include: passwords, private keys.
@@ -223,7 +236,7 @@ Examples:
 
   $ clan facts generate
   Will generate facts for all machines.
-   
+
   $ clan facts generate --service [SERVICE] --regenerate
   Will regenerate facts, if they are already generated for a specific service.
   This is especially useful for resetting certain passwords while leaving the rest
@@ -250,7 +263,7 @@ Examples:
   List all the machines managed by clan.
 
   $ clan machines update [MACHINES]
-  Will update the specified machine [MACHINE], if [MACHINE] is omitted, the command 
+  Will update the specified machine [MACHINE], if [MACHINE] is omitted, the command
   will attempt to update every configured machine.
 
   $ clan machines install [MACHINES] [TARGET_HOST]
@@ -285,6 +298,8 @@ For more detailed information, visit: https://docs.clan.lol/getting-started/depl
     if argcomplete:
         argcomplete.autocomplete(parser)
 
+    register_common_flags(parser)
+
     return parser
 
 

pkgs/clan-cli/clan_cli/backups/create.py

@@ -33,6 +33,8 @@ def create_backup(machine: Machine, provider: str | None = None) -> None:
 
 
 def create_command(args: argparse.Namespace) -> None:
+    if args.flake is None:
+        raise ClanError("Could not find clan flake toplevel directory")
     machine = Machine(name=args.machine, flake=args.flake)
     create_backup(machine=machine, provider=args.provider)
 

pkgs/clan-cli/clan_cli/backups/list.py

@@ -48,6 +48,8 @@ def list_backups(machine: Machine, provider: str | None = None) -> list[Backup]:
 
 
 def list_command(args: argparse.Namespace) -> None:
+    if args.flake is None:
+        raise ClanError("Could not find clan flake toplevel directory")
     machine = Machine(name=args.machine, flake=args.flake)
     backups = list_backups(machine=machine, provider=args.provider)
     for backup in backups:

pkgs/clan-cli/clan_cli/backups/restore.py

@@ -62,6 +62,8 @@ def restore_backup(
 
 
 def restore_command(args: argparse.Namespace) -> None:
+    if args.flake is None:
+        raise ClanError("Could not find clan flake toplevel directory")
     machine = Machine(name=args.machine, flake=args.flake)
     restore_backup(
         machine=machine,

pkgs/clan-cli/clan_cli/facts/generate.py

@@ -209,9 +209,9 @@ def generate_facts(
 
 def generate_command(args: argparse.Namespace) -> None:
     if len(args.machines) == 0:
-        machines = get_all_machines(args.flake)
+        machines = get_all_machines(args.flake, args.option)
     else:
-        machines = get_selected_machines(args.flake, args.machines)
+        machines = get_selected_machines(args.flake, args.option, args.machines)
     generate_facts(machines, args.service, args.regenerate)
 
 

pkgs/clan-cli/clan_cli/flash.py

@@ -85,7 +85,9 @@ def flash_machine(
     disks: dict[str, str],
     system_config: dict[str, Any],
     dry_run: bool,
+    write_efi_boot_entries: bool,
     debug: bool,
+    extra_args: list[str] = [],
 ) -> None:
     secret_facts_module = importlib.import_module(machine.secret_facts_module)
     secret_facts_store: SecretStoreBase = secret_facts_module.SecretStore(
@@ -112,6 +114,8 @@ def flash_machine(
             disko_install.append("sudo")
 
         disko_install.append("disko-install")
+        if write_efi_boot_entries:
+            disko_install.append("--write-efi-boot-entries")
         if dry_run:
             disko_install.append("--dry-run")
         if debug:
@@ -128,6 +132,8 @@ def flash_machine(
                 json.dumps(system_config),
             ]
         )
+        disko_install.extend(["--option", "dry-run", "true"])
+        disko_install.extend(extra_args)
 
         cmd = nix_shell(
             ["nixpkgs#disko"],
@@ -148,6 +154,8 @@ class FlashOptions:
     mode: str
     language: str
     keymap: str
+    write_efi_boot_entries: bool
+    nix_options: list[str]
 
 
 class AppendDiskAction(argparse.Action):
@@ -178,6 +186,8 @@ def flash_command(args: argparse.Namespace) -> None:
         mode=args.mode,
         language=args.lang,
         keymap=args.keymap,
+        write_efi_boot_entries=args.write_efi_boot_entries,
+        nix_options=args.options,
     )
 
     machine = Machine(opts.machine, flake=opts.flake)
@@ -233,6 +243,8 @@ def flash_command(args: argparse.Namespace) -> None:
         system_config=extra_config,
         dry_run=opts.dry_run,
         debug=opts.debug,
+        write_efi_boot_entries=opts.write_efi_boot_entries,
+        extra_args=opts.nix_options,
     )
 
 
@@ -251,12 +263,14 @@ def register_parser(parser: argparse.ArgumentParser) -> None:
         help="device to flash to",
         default={},
     )
-    mode_help = textwrap.dedent("""\
+    mode_help = textwrap.dedent(
+        """\
         Specify the mode of operation. Valid modes are: format, mount."
         Format will format the disk before installing.
         Mount will mount the disk before installing.
         Mount is useful for updating an existing system without losing data.
-        """)
+        """
+    )
     parser.add_argument(
         "--mode",
         type=str,
@@ -293,4 +307,16 @@ def register_parser(parser: argparse.ArgumentParser) -> None:
         default=False,
         action="store_true",
     )
+    parser.add_argument(
+        "--write-efi-boot-entries",
+        help=textwrap.dedent(
+            """
+          Write EFI boot entries to the NVRAM of the system for the installed system.
+          Specify this option if you plan to boot from this disk on the current machine,
+          but not if you plan to move the disk to another machine.
+        """
+        ).strip(),
+        default=False,
+        action="store_true",
+    )
     parser.set_defaults(func=flash_command)

pkgs/clan-cli/clan_cli/machines/install.py

@@ -26,6 +26,7 @@ def install_nixos(
     debug: bool = False,
     password: str | None = None,
     no_reboot: bool = False,
+    extra_args: list[str] = [],
 ) -> None:
     secret_facts_module = importlib.import_module(machine.secret_facts_module)
     log.info(f"installing {machine.name}")
@@ -56,6 +57,7 @@ def install_nixos(
             f"{machine.flake}#{machine.name}",
             "--extra-files",
             str(tmpdir),
+            *extra_args,
         ]
 
         if no_reboot:
@@ -95,6 +97,7 @@ class InstallOptions:
     debug: bool
     no_reboot: bool
     json_ssh_deploy: dict[str, str] | None
+    nix_options: list[str]
 
 
 def install_command(args: argparse.Namespace) -> None:
@@ -127,6 +130,7 @@ def install_command(args: argparse.Namespace) -> None:
         debug=args.debug,
         no_reboot=args.no_reboot,
         json_ssh_deploy=json_ssh_deploy,
+        nix_options=args.option,
     )
     machine = Machine(opts.machine, flake=opts.flake)
     machine.target_host_address = opts.target_host
@@ -142,6 +146,7 @@ def install_command(args: argparse.Namespace) -> None:
         debug=opts.debug,
         password=password,
         no_reboot=opts.no_reboot,
+        extra_args=opts.nix_options,
     )
 
 

pkgs/clan-cli/clan_cli/machines/inventory.py

@@ -7,7 +7,7 @@ from .machines import Machine
 
 
 # function to speedup eval if we want to evauluate all machines
-def get_all_machines(flake_dir: Path) -> list[Machine]:
+def get_all_machines(flake_dir: Path, nix_options: list[str]) -> list[Machine]:
     config = nix_config()
     system = config["system"]
     json_path = run(
@@ -19,13 +19,20 @@ def get_all_machines(flake_dir: Path) -> list[Machine]:
     machines = []
     for name, machine_data in machines_json.items():
         machines.append(
-            Machine(name=name, flake=flake_dir, deployment_info=machine_data)
+            Machine(
+                name=name,
+                flake=flake_dir,
+                deployment_info=machine_data,
+                nix_options=nix_options,
+            )
         )
     return machines
 
 
-def get_selected_machines(flake_dir: Path, machine_names: list[str]) -> list[Machine]:
+def get_selected_machines(
+    flake_dir: Path, nix_options: list[str], machine_names: list[str]
+) -> list[Machine]:
     machines = []
     for name in machine_names:
-        machines.append(Machine(name=name, flake=flake_dir))
+        machines.append(Machine(name=name, flake=flake_dir, nix_options=nix_options))
     return machines

pkgs/clan-cli/clan_cli/machines/machines.py

@@ -41,9 +41,10 @@ class QMPWrapper:
 
 
 class Machine:
-    flake: str | Path
     name: str
+    flake: str | Path
     data: MachineData
+    nix_options: list[str]
     eval_cache: dict[str, str]
     build_cache: dict[str, Path]
     _flake_path: Path | None
@@ -55,6 +56,7 @@ class Machine:
         name: str,
         flake: Path | str,
         deployment_info: dict | None = None,
+        nix_options: list[str] = [],
         machine: MachineData | None = None,
     ) -> None:
         """
@@ -76,6 +78,7 @@ class Machine:
         self.build_cache: dict[str, Path] = {}
         self._flake_path: Path | None = None
         self._deployment_info: None | dict = deployment_info
+        self.nix_options = nix_options
 
         state_dir = vm_state_dir(flake_url=str(self.flake), vm_name=self.data.name)
 
@@ -242,9 +245,9 @@ class Machine:
                 flake = f"path:{self.flake_dir}"
 
             args += [
-                f'{flake}#clanInternals.machines."{system}".{self.data.name}.{attr}',
+                f'{flake}#clanInternals.machines."{system}".{self.data.name}.{attr}'
-                *nix_options,
             ]
+        args += nix_options + self.nix_options
 
         if method == "eval":
             output = run_no_stdout(nix_eval(args)).stdout.strip()

pkgs/clan-cli/clan_cli/machines/update.py

@@ -110,11 +110,9 @@ def deploy_nixos(machines: MachineGroup) -> None:
 
         ssh_arg += " -i " + host.key if host.key else ""
 
-        extra_args = host.meta.get("extra_args", [])
         cmd = [
             "nixos-rebuild",
             "switch",
-            *extra_args,
             "--fast",
             "--option",
             "keep-going",
@@ -124,6 +122,7 @@ def deploy_nixos(machines: MachineGroup) -> None:
             "true",
             "--build-host",
             "",
+            *machine.nix_options,
             "--flake",
             f"{path}#{machine.name}",
         ]
@@ -143,7 +142,9 @@ def update(args: argparse.Namespace) -> None:
         raise ClanError("Could not find clan flake toplevel directory")
     machines = []
     if len(args.machines) == 1 and args.target_host is not None:
-        machine = Machine(name=args.machines[0], flake=args.flake)
+        machine = Machine(
+            name=args.machines[0], flake=args.flake, nix_options=args.option
+        )
         machine.target_host_address = args.target_host
         machines.append(machine)
 
@@ -153,7 +154,7 @@ def update(args: argparse.Namespace) -> None:
     else:
         if len(args.machines) == 0:
             ignored_machines = []
-            for machine in get_all_machines(args.flake):
+            for machine in get_all_machines(args.flake, args.option):
                 if machine.deployment_info.get("requireExplicitUpdate", False):
                     continue
                 try:
@@ -173,7 +174,7 @@ def update(args: argparse.Namespace) -> None:
                     print(machine, file=sys.stderr)
 
         else:
-            machines = get_selected_machines(args.flake, args.machines)
+            machines = get_selected_machines(args.flake, args.option, args.machines)
 
     deploy_nixos(MachineGroup(machines))
 

pkgs/clan-cli/tests/test_backups.py

@@ -11,10 +11,10 @@ def test_backups(
 
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "backups",
             "list",
+            "--flake",
+            str(test_flake_with_core.path),
             "vm1",
         ]
     )

pkgs/clan-cli/tests/test_config.py

@@ -39,9 +39,9 @@ def test_set_some_option(
         cli = Cli()
         cli.run(
             [
+                "config",
                 "--flake",
                 str(test_flake.path),
-                "config",
                 "--quiet",
                 "--options-file",
                 example_options,
@@ -64,9 +64,9 @@ def test_configure_machine(
 
     cli.run(
         [
+            "config",
             "--flake",
             str(test_flake.path),
-            "config",
             "-m",
             "machine1",
             "clan.jitsi.enable",
@@ -78,9 +78,9 @@ def test_configure_machine(
     # read a option value
     cli.run(
         [
+            "config",
             "--flake",
             str(test_flake.path),
-            "config",
             "-m",
             "machine1",
             "clan.jitsi.enable",

pkgs/clan-cli/tests/test_flakes_cli.py

@@ -15,10 +15,10 @@ def test_flakes_inspect(
     cli = Cli()
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "flakes",
             "inspect",
+            "--flake",
+            str(test_flake_with_core.path),
             "--machine",
             "vm1",
         ]

pkgs/clan-cli/tests/test_import_sops_cli.py

@@ -21,55 +21,55 @@ def test_import_sops(
     monkeypatch.setenv("SOPS_AGE_KEY", age_keys[1].privkey)
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "add",
+            "--flake",
+            str(test_flake.path),
             "machine1",
             age_keys[0].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake.path),
             "user1",
             age_keys[1].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake.path),
             "user2",
             age_keys[2].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "user1",
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "user2",
         ]
@@ -78,10 +78,10 @@ def test_import_sops(
     # To edit:
     # SOPS_AGE_KEY=AGE-SECRET-KEY-1U5ENXZQAY62NC78Y2WC0SEGRRMAEEKH79EYY5TH4GPFWJKEAY0USZ6X7YQ sops --age age14tva0txcrl0zes05x7gkx56qd6wd9q3nwecjac74xxzz4l47r44sv3fz62 ./data/secrets.yaml
     cmd = [
-        "--flake",
-        str(test_flake.path),
         "secrets",
         "import-sops",
+        "--flake",
+        str(test_flake.path),
         "--group",
         "group1",
         "--machine",
@@ -91,10 +91,10 @@ def test_import_sops(
 
     cli.run(cmd)
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", "users", "list"])
+    cli.run(["secrets", "users", "list", "--flake", str(test_flake.path)])
     users = sorted(capsys.readouterr().out.rstrip().split())
     assert users == ["user1", "user2"]
 
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", "get", "secret-key"])
+    cli.run(["secrets", "get", "--flake", str(test_flake.path), "secret-key"])
     assert capsys.readouterr().out == "secret-value"

pkgs/clan-cli/tests/test_machines_cli.py

@@ -9,11 +9,11 @@ def test_machine_subcommands(
 ) -> None:
     cli = Cli()
     cli.run(
-        ["--flake", str(test_flake_with_core.path), "machines", "create", "machine1"]
+        ["machines", "create", "--flake", str(test_flake_with_core.path), "machine1"]
     )
 
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake_with_core.path), "machines", "list"])
+    cli.run(["machines", "list", "--flake", str(test_flake_with_core.path)])
 
     out = capsys.readouterr()
 
@@ -22,11 +22,11 @@ def test_machine_subcommands(
     assert "vm2" in out.out
 
     cli.run(
-        ["--flake", str(test_flake_with_core.path), "machines", "delete", "machine1"]
+        ["machines", "delete", "--flake", str(test_flake_with_core.path), "machine1"]
     )
 
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake_with_core.path), "machines", "list"])
+    cli.run(["machines", "list", "--flake", str(test_flake_with_core.path)])
     out = capsys.readouterr()
 
     assert "machine1" not in out.out

pkgs/clan-cli/tests/test_secrets_cli.py

@@ -27,11 +27,11 @@ def _test_identities(
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             what,
             "add",
+            "--flake",
+            str(test_flake.path),
             "foo",
             age_keys[0].pubkey,
         ]
@@ -41,11 +41,11 @@ def _test_identities(
     with pytest.raises(ClanError):  # raises "foo already exists"
         cli.run(
             [
-                "--flake",
-                str(test_flake.path),
                 "secrets",
                 what,
                 "add",
+                "--flake",
+                str(test_flake.path),
                 "foo",
                 age_keys[0].pubkey,
             ]
@@ -54,11 +54,11 @@ def _test_identities(
     # rotate the key
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             what,
             "add",
+            "--flake",
+            str(test_flake.path),
             "-f",
             "foo",
             age_keys[1].privkey,
@@ -68,11 +68,11 @@ def _test_identities(
     capsys.readouterr()  # empty the buffer
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             what,
             "get",
+            "--flake",
+            str(test_flake.path),
             "foo",
         ]
     )
@@ -80,18 +80,18 @@ def _test_identities(
     assert age_keys[1].pubkey in out.out
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", what, "list"])
+    cli.run(["secrets", what, "list", "--flake", str(test_flake.path)])
     out = capsys.readouterr()  # empty the buffer
     assert "foo" in out.out
 
-    cli.run(["--flake", str(test_flake.path), "secrets", what, "remove", "foo"])
+    cli.run(["secrets", what, "remove", "--flake", str(test_flake.path), "foo"])
     assert not (sops_folder / what / "foo" / "key.json").exists()
 
     with pytest.raises(ClanError):  # already removed
-        cli.run(["--flake", str(test_flake.path), "secrets", what, "remove", "foo"])
+        cli.run(["secrets", what, "remove", "--flake", str(test_flake.path), "foo"])
 
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", what, "list"])
+    cli.run(["secrets", what, "list", "--flake", str(test_flake.path)])
     out = capsys.readouterr()
     assert "foo" not in out.out
 
@@ -113,17 +113,17 @@ def test_groups(
 ) -> None:
     cli = Cli()
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "groups", "list"])
+    cli.run(["secrets", "groups", "list", "--flake", str(test_flake.path)])
     assert capsys.readouterr().out == ""
 
     with pytest.raises(ClanError):  # machine does not exist yet
         cli.run(
             [
-                "--flake",
-                str(test_flake.path),
                 "secrets",
                 "groups",
                 "add-machine",
+                "--flake",
+                str(test_flake.path),
                 "group1",
                 "machine1",
             ]
@@ -131,33 +131,33 @@ def test_groups(
     with pytest.raises(ClanError):  # user does not exist yet
         cli.run(
             [
-                "--flake",
-                str(test_flake.path),
                 "secrets",
                 "groups",
                 "add-user",
+                "--flake",
+                str(test_flake.path),
                 "groupb1",
                 "user1",
             ]
         )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "add",
+            "--flake",
+            str(test_flake.path),
             "machine1",
             age_keys[0].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-machine",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "machine1",
         ]
@@ -166,11 +166,11 @@ def test_groups(
     # Should this fail?
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-machine",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "machine1",
         ]
@@ -178,51 +178,51 @@ def test_groups(
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake.path),
             "user1",
             age_keys[0].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "user1",
         ]
     )
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "groups", "list"])
+    cli.run(["secrets", "groups", "list", "--flake", str(test_flake.path)])
     out = capsys.readouterr().out
     assert "user1" in out
     assert "machine1" in out
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "remove-user",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "user1",
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "remove-machine",
+            "--flake",
+            str(test_flake.path),
             "group1",
             "machine1",
         ]
@@ -251,90 +251,90 @@ def test_secrets(
 ) -> None:
     cli = Cli()
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "list"])
+    cli.run(["secrets", "list", "--flake", str(test_flake.path)])
     assert capsys.readouterr().out == ""
 
     monkeypatch.setenv("SOPS_NIX_SECRET", "foo")
     monkeypatch.setenv("SOPS_AGE_KEY_FILE", str(test_flake.path / ".." / "age.key"))
-    cli.run(["--flake", str(test_flake.path), "secrets", "key", "generate"])
+    cli.run(["secrets", "key", "generate", "--flake", str(test_flake.path)])
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "key", "show"])
+    cli.run(["secrets", "key", "show", "--flake", str(test_flake.path)])
     key = capsys.readouterr().out
     assert key.startswith("age1")
     cli.run(
-        ["--flake", str(test_flake.path), "secrets", "users", "add", "testuser", key]
+        ["secrets", "users", "add", "--flake", str(test_flake.path), "testuser", key]
     )
 
     with pytest.raises(ClanError):  # does not exist yet
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "nonexisting"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "nonexisting"])
-    cli.run(["--flake", str(test_flake.path), "secrets", "set", "initialkey"])
+    cli.run(["secrets", "set", "--flake", str(test_flake.path), "initialkey"])
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", "get", "initialkey"])
+    cli.run(["secrets", "get", "--flake", str(test_flake.path), "initialkey"])
     assert capsys.readouterr().out == "foo"
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", "users", "list"])
+    cli.run(["secrets", "users", "list", "--flake", str(test_flake.path)])
     users = capsys.readouterr().out.rstrip().split("\n")
     assert len(users) == 1, f"users: {users}"
     owner = users[0]
 
     monkeypatch.setenv("EDITOR", "cat")
-    cli.run(["--flake", str(test_flake.path), "secrets", "set", "--edit", "initialkey"])
+    cli.run(["secrets", "set", "--edit", "--flake", str(test_flake.path), "initialkey"])
     monkeypatch.delenv("EDITOR")
 
-    cli.run(["--flake", str(test_flake.path), "secrets", "rename", "initialkey", "key"])
+    cli.run(["secrets", "rename", "--flake", str(test_flake.path), "initialkey", "key"])
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "list"])
+    cli.run(["secrets", "list", "--flake", str(test_flake.path)])
     assert capsys.readouterr().out == "key\n"
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "list", "nonexisting"])
+    cli.run(["secrets", "list", "--flake", str(test_flake.path), "nonexisting"])
     assert capsys.readouterr().out == ""
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "list", "key"])
+    cli.run(["secrets", "list", "--flake", str(test_flake.path), "key"])
     assert capsys.readouterr().out == "key\n"
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "add",
+            "--flake",
+            str(test_flake.path),
             "machine1",
             age_keys[1].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "add-secret",
+            "--flake",
+            str(test_flake.path),
             "machine1",
             "key",
         ]
     )
     capsys.readouterr()
-    cli.run(["--flake", str(test_flake.path), "secrets", "machines", "list"])
+    cli.run(["secrets", "machines", "list", "--flake", str(test_flake.path)])
     assert capsys.readouterr().out == "machine1\n"
 
     with use_key(age_keys[1].privkey, monkeypatch):
         capsys.readouterr()
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
 
         assert capsys.readouterr().out == "foo"
 
     # rotate machines key
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "add",
+            "--flake",
+            str(test_flake.path),
             "-f",
             "machine1",
             age_keys[0].privkey,
@@ -344,17 +344,17 @@ def test_secrets(
     # should also rotate the encrypted secret
     with use_key(age_keys[0].privkey, monkeypatch):
         capsys.readouterr()
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
 
         assert capsys.readouterr().out == "foo"
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "machines",
             "remove-secret",
+            "--flake",
+            str(test_flake.path),
             "machine1",
             "key",
         ]
@@ -362,37 +362,37 @@ def test_secrets(
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake.path),
             "user1",
             age_keys[1].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add-secret",
+            "--flake",
+            str(test_flake.path),
             "user1",
             "key",
         ]
     )
     capsys.readouterr()
     with use_key(age_keys[1].privkey, monkeypatch):
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
     assert capsys.readouterr().out == "foo"
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "remove-secret",
+            "--flake",
+            str(test_flake.path),
             "user1",
             "key",
         ]
@@ -401,44 +401,44 @@ def test_secrets(
     with pytest.raises(ClanError):  # does not exist yet
         cli.run(
             [
-                "--flake",
-                str(test_flake.path),
                 "secrets",
                 "groups",
                 "add-secret",
+                "--flake",
+                str(test_flake.path),
                 "admin-group",
                 "key",
             ]
         )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             "user1",
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             owner,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-secret",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             "key",
         ]
@@ -447,10 +447,10 @@ def test_secrets(
     capsys.readouterr()  # empty the buffer
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "set",
+            "--flake",
+            str(test_flake.path),
             "--group",
             "admin-group",
             "key2",
@@ -459,28 +459,28 @@ def test_secrets(
 
     with use_key(age_keys[1].privkey, monkeypatch):
         capsys.readouterr()
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
         assert capsys.readouterr().out == "foo"
 
     # extend group will update secrets
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake.path),
             "user2",
             age_keys[2].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             "user2",
         ]
@@ -488,16 +488,16 @@ def test_secrets(
 
     with use_key(age_keys[2].privkey, monkeypatch):  # user2
         capsys.readouterr()
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
         assert capsys.readouterr().out == "foo"
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "remove-user",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             "user2",
         ]
@@ -505,24 +505,24 @@ def test_secrets(
     with pytest.raises(ClanError), use_key(age_keys[2].privkey, monkeypatch):
         # user2 is not in the group anymore
         capsys.readouterr()
-        cli.run(["--flake", str(test_flake.path), "secrets", "get", "key"])
+        cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
         print(capsys.readouterr().out)
 
     cli.run(
         [
-            "--flake",
-            str(test_flake.path),
             "secrets",
             "groups",
             "remove-secret",
+            "--flake",
+            str(test_flake.path),
             "admin-group",
             "key",
         ]
     )
 
-    cli.run(["--flake", str(test_flake.path), "secrets", "remove", "key"])
+    cli.run(["secrets", "remove", "--flake", str(test_flake.path), "key"])
-    cli.run(["--flake", str(test_flake.path), "secrets", "remove", "key2"])
+    cli.run(["secrets", "remove", "--flake", str(test_flake.path), "key2"])
 
     capsys.readouterr()  # empty the buffer
-    cli.run(["--flake", str(test_flake.path), "secrets", "list"])
+    cli.run(["secrets", "list", "--flake", str(test_flake.path)])
     assert capsys.readouterr().out == ""

pkgs/clan-cli/tests/test_secrets_generate.py

@@ -24,27 +24,27 @@ def test_generate_secret(
     cli = Cli()
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake_with_core.path),
             "user1",
             age_keys[0].pubkey,
         ]
     )
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "secrets",
             "groups",
             "add-user",
+            "--flake",
+            str(test_flake_with_core.path),
             "admins",
             "user1",
         ]
     )
-    cmd = ["--flake", str(test_flake_with_core.path), "facts", "generate", "vm1"]
+    cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"]
     cli.run(cmd)
     has_secret(test_flake_with_core.path, "vm1-age.key")
     has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
@@ -60,7 +60,7 @@ def test_generate_secret(
     secret1_mtime = identity_secret.lstat().st_mtime_ns
 
     # test idempotency for vm1 and also generate for vm2
-    cli.run(["facts", "generate"])
+    cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)])
     assert age_key.lstat().st_mtime_ns == age_key_mtime
     assert identity_secret.lstat().st_mtime_ns == secret1_mtime
 

pkgs/clan-cli/tests/test_secrets_upload.py

@@ -23,11 +23,11 @@ def test_secrets_upload(
     cli = Cli()
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "secrets",
             "users",
             "add",
+            "--flake",
+            str(test_flake_with_core.path),
             "user1",
             age_keys[0].pubkey,
         ]
@@ -35,18 +35,18 @@ def test_secrets_upload(
 
     cli.run(
         [
-            "--flake",
-            str(test_flake_with_core.path),
             "secrets",
             "machines",
             "add",
+            "--flake",
+            str(test_flake_with_core.path),
             "vm1",
             age_keys[1].pubkey,
         ]
     )
     monkeypatch.setenv("SOPS_NIX_SECRET", age_keys[0].privkey)
     cli.run(
-        ["--flake", str(test_flake_with_core.path), "secrets", "set", "vm1-age.key"]
+        ["secrets", "set", "--flake", str(test_flake_with_core.path), "vm1-age.key"]
     )
 
     flake = test_flake_with_core.path.joinpath("flake.nix")
@@ -55,7 +55,7 @@ def test_secrets_upload(
     new_text = flake.read_text().replace("__CLAN_TARGET_ADDRESS__", addr)
 
     flake.write_text(new_text)
-    cli.run(["--flake", str(test_flake_with_core.path), "facts", "upload", "vm1"])
+    cli.run(["facts", "upload", "--flake", str(test_flake_with_core.path), "vm1"])
 
     # the flake defines this path as the location where the sops key should be installed
     sops_key = test_flake_with_core.path.joinpath("key.txt")

pkgs/clan-cli/tests/test_vms_cli.py

@@ -86,7 +86,7 @@ def test_inspect(
     test_flake_with_core: FlakeForTest, capsys: pytest.CaptureFixture
 ) -> None:
     cli = Cli()
-    cli.run(["--flake", str(test_flake_with_core.path), "vms", "inspect", "vm1"])
+    cli.run(["vms", "inspect", "--flake", str(test_flake_with_core.path), "vm1"])
     out = capsys.readouterr()  # empty the buffer
     assert "Cores" in out.out