Exports POC

2025-10-30 16:13:31 +01:00
37 changed files with 783 additions and 454 deletions
--- a/checks/flash/flake-module.nix
+++ b/checks/flash/flake-module.nix
@@ -58,53 +58,51 @@
        pkgs.buildPackages.xorg.lndir
        pkgs.glibcLocales
        pkgs.kbd.out
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.FileSlurp
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
        pkgs.bubblewrap
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript.drvPath
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
      ]
      ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
    in
    {
      # Skip flash test on aarch64-linux for now as it's too slow
-      checks =
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.hostPlatform.system != "aarch64-linux") {
-        lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux")
+        nixos-test-flash = self.clanLib.test.baseTest {
-          {
+          name = "flash";
-            nixos-test-flash = self.clanLib.test.baseTest {
+          nodes.target = {
-              name = "flash";
+            virtualisation.emptyDiskImages = [ 4096 ];
-              nodes.target = {
+            virtualisation.memorySize = 4096;
                virtualisation.emptyDiskImages = [ 4096 ];
                virtualisation.memorySize = 4096;
-                virtualisation.useNixStoreImage = true;
+            virtualisation.useNixStoreImage = true;
-                virtualisation.writableStore = true;
+            virtualisation.writableStore = true;
-                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+            environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
-                environment.etc."install-closure".source = "${closureInfo}/store-paths";
+            environment.etc."install-closure".source = "${closureInfo}/store-paths";
-                nix.settings = {
+            nix.settings = {
-                  substituters = lib.mkForce [ ];
+              substituters = lib.mkForce [ ];
-                  hashed-mirrors = null;
+              hashed-mirrors = null;
-                  connect-timeout = lib.mkForce 3;
+              connect-timeout = lib.mkForce 3;
-                  flake-registry = "";
+              flake-registry = "";
-                  experimental-features = [
+              experimental-features = [
-                    "nix-command"
+                "nix-command"
-                    "flakes"
+                "flakes"
-                  ];
+              ];
-                };
+            };
              };
              testScript = ''
                start_all()
                machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
                # Some distros like to automount disks with spaces
                machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
                machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.stdenv.hostPlatform.system}")
              '';
            } { inherit pkgs self; };
          };
          testScript = ''
            start_all()
            machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
            # Some distros like to automount disks with spaces
            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
            machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
          '';
        } { inherit pkgs self; };
      };
    };
 }
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -160,9 +160,9 @@
          closureInfo = pkgs.closureInfo {
            rootPaths = [
              privateInputs.clan-core-for-checks
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.initialRamdisk
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.initialRamdisk
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
              pkgs.stdenv.drvPath
              pkgs.bash.drvPath
              pkgs.buildPackages.xorg.lndir
@@ -215,7 +215,7 @@
                  # Prepare test flake and Nix store
                  flake_dir = prepare_test_flake(
                      temp_dir,
-                      "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                      "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                      "${closureInfo}"
                  )
@@ -296,7 +296,7 @@
                  # Prepare test flake and Nix store
                  flake_dir = prepare_test_flake(
                      temp_dir,
-                      "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                      "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                      "${closureInfo}"
                  )
--- a/checks/llm/default.nix
+++ b/checks/llm/default.nix
@@ -2,7 +2,7 @@
 let
-  cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
+  cli = self.packages.${pkgs.hostPlatform.system}.clan-cli-full;
  ollama-model = pkgs.callPackage ./qwen3-4b-instruct.nix { };
 in
@@ -53,7 +53,7 @@ in
              pytest
              pytest-xdist
              (cli.pythonRuntime.pkgs.toPythonModule cli)
-              self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
+              self.legacyPackages.${pkgs.hostPlatform.system}.nixosTestLib
            ]
          ))
        ];
--- a/checks/systemd-abstraction/default.nix
+++ b/checks/systemd-abstraction/default.nix
@@ -2,7 +2,7 @@
 let
-  cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
+  cli = self.packages.${pkgs.hostPlatform.system}.clan-cli-full;
 in
 {
  name = "systemd-abstraction";
--- a/checks/update/flake-module.nix
+++ b/checks/update/flake-module.nix
@@ -115,9 +115,9 @@
              let
                closureInfo = pkgs.closureInfo {
                  rootPaths = [
-                    self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli
+                    self.packages.${pkgs.hostPlatform.system}.clan-cli
-                    self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks
+                    self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks
-                    self.clanInternals.machines.${pkgs.stdenv.hostPlatform.system}.test-update-machine.config.system.build.toplevel
+                    self.clanInternals.machines.${pkgs.hostPlatform.system}.test-update-machine.config.system.build.toplevel
                    pkgs.stdenv.drvPath
                    pkgs.bash.drvPath
                    pkgs.buildPackages.xorg.lndir
@@ -132,7 +132,7 @@
                  imports = [ self.nixosModules.test-update-machine ];
                };
                extraPythonPackages = _p: [
-                  self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
+                  self.legacyPackages.${pkgs.hostPlatform.system}.nixosTestLib
                ];
                testScript = ''
@@ -154,7 +154,7 @@
                      # Prepare test flake and Nix store
                      flake_dir = prepare_test_flake(
                          temp_dir,
-                          "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                          "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                          "${closureInfo}"
                      )
                      (flake_dir / ".clan-flake").write_text("")  # Ensure .clan-flake exists
@@ -226,7 +226,7 @@
                            "--to",
                            "ssh://root@192.168.1.1",
                            "--no-check-sigs",
-                            f"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}",
+                            f"${self.packages.${pkgs.hostPlatform.system}.clan-cli}",
                            "--extra-experimental-features", "nix-command flakes",
                        ],
                        check=True,
@@ -242,7 +242,7 @@
                          "-o", "UserKnownHostsFile=/dev/null",
                          "-o", "StrictHostKeyChecking=no",
                          f"root@192.168.1.1",
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli}/bin/clan",
                          "machines",
                          "update",
                          "--debug",
@@ -270,7 +270,7 @@
                      # Run clan update command
                      subprocess.run([
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
                          "machines",
                          "update",
                          "--debug",
@@ -297,7 +297,7 @@
                      # Run clan update command with --build-host
                      subprocess.run([
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
                          "machines",
                          "update",
                          "--debug",
--- a/clanServices/certificates/README.md
+++ b/clanServices/certificates/README.md
@@ -1,6 +1,3 @@
 !!! Danger "Experimental"
    This service is experimental and will change in the future.
 This service sets up a certificate authority (CA) that can issue certificates to
 other machines in your clan. For this the `ca` role is used.
 It additionally provides a `default` role, that can be applied to all machines
--- a/clanServices/coredns/README.md
+++ b/clanServices/coredns/README.md
@@ -1,6 +1,3 @@
 !!! Danger "Experimental"
    This service is experimental and will change in the future.
 This module enables hosting clan-internal services easily, which can be resolved
 inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
 and exposing endpoints from a machine to others, which will be
--- a/clanServices/hello-world/README.md
+++ b/clanServices/hello-world/README.md
@@ -1,83 +1 @@
-!!! Danger "Experimental"
+This a test README just to appease the eval warnings if we don't have one
    This service is for demonstration purpose only and may change in the future.
 The Hello-World Clan Service is a minimal example showing how to build and register your own service.
 It serves as a reference implementation and is used in clan-core CI tests to ensure compatibility.
 ## What it demonstrates
 - How to define a basic Clan-compatible service.
 - How to structure your service for discovery and configuration.
 - How Clan services interact with nixos.
 ## Testing
 This service demonstrates two levels of testing to ensure quality and stability across releases:
 1. **Unit & Integration Testing** — via [`nix-unit`](https://github.com/nix-community/nix-unit)
 2. **End-to-End Testing** — via **NixOS VM tests**, which we extended to support **container virtualization** for better performance.
 We highly advocate following the [Practical Testing Pyramid](https://martinfowler.com/articles/practical-test-pyramid.html):
 * Write **unit tests** for core logic and invariants.
 * Add **one or two end-to-end (E2E)** tests to confirm your service starts and behaves correctly in a real NixOS environment.
 NixOS is **untyped** and frequently changes; tests are the safest way to ensure long-term stability of services.
 ```
               / \
              /   \
             / E2E \
            /-------\
           /         \
          /Integration\
         /-------------\
        /               \
       /    Unit Tests   \
       -------------------
 ```
 ### nix-unit
 We highly advocate the usage of
 [nix-unit](https://github.com/nix-community/nix-unit)
 Example in: tests/eval-tests.nix
 If you use flake-parts you can use the [native integration](https://flake.parts/options/nix-unit.html)
 If nix-unit succeeds you'r nixos evaluation should be mostly correct.
 !!! Tip
    - Ensure most used 'settings' and variants are tested.
    - Think about some important edge-cases your system should handle.
 ### NixOS VM / Container Test
 !!! Warning "Early Vars & clanTest"
    The testing system around vars is experimental
    `clanTest` is still experimental and enables container virtualization by default.
    This is still early and might have some limitations.
 Some minimal boilerplate is needed to use `clanTest`
 ```nix
 nixosLib = import (inputs.nixpkgs + "/nixos/lib") { }
 nixosLib.runTest (
    { ... }:
    {
        imports = [
            self.modules.nixosTest.clanTest
            # Example in tests/vm/default.nix
            testModule
        ];
        hostPkgs = pkgs;
        # Uncomment if you don't want or cannot use containers
        # test.useContainers = false;
    }
 )
 ```
--- a/clanServices/hello-world/default.nix
+++ b/clanServices/hello-world/default.nix
@@ -8,7 +8,7 @@
 {
  _class = "clan.service";
  manifest.name = "clan-core/hello-word";
-  manifest.description = "Minimal example clan service that greets the world";
+  manifest.description = "This is a test";
  manifest.readme = builtins.readFile ./README.md;
  # This service provides two roles: "morning" and "evening". Roles can be
--- a/clanServices/hello-world/flake-module.nix
+++ b/clanServices/hello-world/flake-module.nix
@@ -26,7 +26,7 @@ in
            # The hello-world service being tested
            ../../clanServices/hello-world
            # Required modules
-            ../../nixosModules
+            ../../nixosModules/clanCore
          ];
          testName = "hello-world";
          tests = ./tests/eval-tests.nix;
--- a/clanServices/hello-world/tests/eval-tests.nix
+++ b/clanServices/hello-world/tests/eval-tests.nix
@@ -4,7 +4,7 @@
  ...
 }:
 let
-  testClan = clanLib.clan {
+  testFlake = clanLib.clan {
    self = { };
    # Point to the folder of the module
    # TODO: make this optional
@@ -33,20 +33,10 @@ let
  };
 in
 {
  /**
    We highly advocate the usage of:
    https://github.com/nix-community/nix-unit
    If you use flake-parts you can use the native integration: https://flake.parts/options/nix-unit.html
  */
  test_simple = {
-    # Allows inspection via the nix-repl
+    config = testFlake.config;
    # Ignored by nix-unit; it only looks at 'expr' and 'expected'
    inherit testClan;
-    # Assert that jon has the
+    expr = { };
-    # configured greeting in 'environment.etc.hello.text'
+    expected = { };
    expr = testClan.config.nixosConfigurations.jon.config.environment.etc."hello".text;
    expected = "Good evening World!";
  };
 }
--- a/clanServices/internet/README.md
+++ b/clanServices/internet/README.md
@@ -1,5 +1,8 @@
-!!! Danger "Experimental"
+🚧🚧🚧 Experimental 🚧🚧🚧
-    This service is experimental and will change in the future.
+
 Use at your own risk.
 We are still refining its interfaces, instability and breakages are expected.
 ---
--- a/clanServices/monitoring/README.md
+++ b/clanServices/monitoring/README.md
@@ -1,6 +1,3 @@
 !!! Danger "Experimental"
    This service is experimental and will change in the future.
 ## Usage
 ```
--- a/clanServices/tor/README.md
+++ b/clanServices/tor/README.md
@@ -1,5 +1,8 @@
-!!! Danger "Experimental"
+🚧🚧🚧 Experimental 🚧🚧🚧
-    This service is experimental and will change in the future.
+
 Use at your own risk.
 We are still refining its interfaces, instability and breakages are expected.
 ---
--- a/clanServices/yggdrasil/README.md
+++ b/clanServices/yggdrasil/README.md
@@ -1,9 +1,12 @@
-!!! Danger "Experimental"
+🚧🚧🚧 Experimental 🚧🚧🚧
-    This service is experimental and will change in the future.
+
 Use at your own risk.
 We are still refining its interfaces, instability and breakages are expected.
 ---
-This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across your clan.
+This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across your clan. 
 Yggdrasil is designed to be a future-proof and decentralised alternative to the
 structured routing protocols commonly used today on the internet. Inside your
--- a/devFlake/flake.lock
+++ b/devFlake/flake.lock
@@ -105,11 +105,11 @@
    },
    "nixpkgs-dev": {
      "locked": {
-        "lastModified": 1762168314,
+        "lastModified": 1761748483,
-        "narHash": "sha256-+DX6mIF47gRGoK0mqkTg1Jmcjcup0CAXJFHVkdUx8YA=",
+        "narHash": "sha256-v7fttCB5lJ22Ok7+N7ZbLhDeM89QIz9YWtQP4XN7xgA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "94fc102d2c15d9c1a861e59de550807c65358e1b",
+        "rev": "061c55856b29b8b9360e14231a0986c7f85f1130",
        "type": "github"
      },
      "original": {
--- a/docs/site/getting-started/creating-your-first-clan.md
+++ b/docs/site/getting-started/creating-your-first-clan.md
@@ -51,7 +51,7 @@ Make sure you have the following:
    **Note:** This creates a new directory in your current location
    ```shellSession
-    nix run "https://git.clan.lol/clan/clan-core/archive/main.tar.gz#clan-cli" --refresh -- flakes create
+    nix run https://git.clan.lol/clan/clan-core/archive/main.tar.gz#clan-cli --refresh -- flakes create
    ```
 3. Enter a **name** in the prompt:
--- a/docs/site/guides/contributing/testing.md
+++ b/docs/site/guides/contributing/testing.md
@@ -150,61 +150,10 @@ Those are very similar to NixOS VM tests, as in they run virtualized nixos machi
 As of now the container test driver is a downstream development in clan-core.
 Basically everything stated under the NixOS VM tests sections applies here, except some limitations.
-### Using Container Tests vs VM Tests
+Limitations:
-Container tests are **enabled by default** for all tests using the clan testing framework.
+- Cannot run in interactive mode, however while the container test runs, it logs a nsenter command that can be used to log into each of the container.
-They offer significant performance advantages over VM tests:
+- setuid binaries don't work
 - **Faster startup**
 - **Lower resource usage**: No full kernel boot or hardware emulation overhead
 To control whether a test uses containers or VMs, use the `clan.test.useContainers` option:
 ```nix
 {
  clan = {
    directory = ./.;
    test.useContainers = true;  # Use containers (default)
    # test.useContainers = false;  # Use VMs instead
  };
 }
 ```
 **When to use VM tests instead of container tests:**
 - Testing kernel features, modules, or boot processes
 - Testing hardware-specific features
 - When you need full system isolation
 ### System Requirements for Container Tests
 Container tests require the **`uid-range`** system feature** in the Nix sandbox.
 This feature allows Nix to allocate a range of UIDs for containers to use, enabling `systemd-nspawn` containers to run properly inside the Nix build sandbox.
 **Configuration:**
 The `uid-range` feature requires the `auto-allocate-uids` setting to be enabled in your Nix configuration.
 To verify or enable it, add to your `/etc/nix/nix.conf` or NixOS configuration:
 ```nix
 settings.experimental-features = [
    "auto-allocate-uids"
 ];
 nix.settings.auto-allocate-uids = true;
 nix.settings.system-features = [ "uid-range" ];
 ```
 **Technical details:**
 - Container tests set `requiredSystemFeatures = [ "uid-range" ];` in their derivation (see `lib/test/container-test-driver/driver-module.nix:98`)
 - Without this feature, containers cannot properly manage user namespaces and will fail to start
 ### Limitations
 - Cannot run in interactive mode, however while the container test runs, it logs a nsenter command that can be used to log into each of the containers.
 - Early implementation and limited by features.
 ### Where to find examples for NixOS container tests
--- a/flake.lock
+++ b/flake.lock
@@ -31,11 +31,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761899396,
+        "lastModified": 1760701190,
-        "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=",
+        "narHash": "sha256-y7UhnWlER8r776JsySqsbTUh2Txf7K30smfHlqdaIQw=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998",
+        "rev": "3a9450b26e69dcb6f8de6e2b07b3fc1c288d85f5",
        "type": "github"
      },
      "original": {
@@ -51,11 +51,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762040540,
+        "lastModified": 1760948891,
-        "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "0010412d62a25d959151790968765a70c436598b",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
        "type": "github"
      },
      "original": {
@@ -71,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762039661,
+        "lastModified": 1761339987,
-        "narHash": "sha256-oM5BwAGE78IBLZn+AqxwH/saqwq3e926rNq5HmOulkc=",
+        "narHash": "sha256-IUaawVwItZKi64IA6kF6wQCLCzpXbk2R46dHn8sHkig=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
-        "rev": "c3c8c9f2a5ed43175ac4dc030308756620e6e4e4",
+        "rev": "7cd9aac79ee2924a85c211d21fafd394b06a38de",
        "type": "github"
      },
      "original": {
@@ -115,10 +115,10 @@
    "nixpkgs": {
      "locked": {
        "lastModified": 315532800,
-        "narHash": "sha256-LDT9wuUZtjPfmviCcVWif5+7j4kBI2mWaZwjNNeg4eg=",
+        "narHash": "sha256-yDxtm0PESdgNetiJN5+MFxgubBcLDTiuSjjrJiyvsvM=",
-        "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
+        "rev": "d7f52a7a640bc54c7bb414cca603835bf8dd4b10",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre887438.a7fc11be66bd/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre871443.d7f52a7a640b/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -40,6 +40,9 @@ lib.fix (
      # TODO: Flatten our lib functions like this:
      resolveModule = clanLib.callLib ./resolve-module { };
      # Functions to help define exports
      exports = clanLib.callLib ./exports.nix { };
      fs = {
        inherit (builtins) pathExists readDir;
      };
--- a/lib/exports.nix
+++ b/lib/exports.nix
@@ -0,0 +1,88 @@
 { lib }:
 let
  /**
    Creates a scope string for global exports
    At least one of serviceName or machineName must be set.
    The scope string has the format:
    "/SERVICE/INSTANCE/ROLE/MACHINE"
    If the parameter is not set, the corresponding part is left empty.
    Semantically this means "all".
    Examples:
    mkScope { serviceName = "A"; }
    -> "/A///"
    mkScope { machineName = "jon"; }
    -> "///jon"
    mkScope { serviceName = "A"; instanceName = "i1"; roleName = "peer"; machineName = "jon"; }
    -> "/A/i1/peer/jon"
  */
  mkScope =
    {
      serviceName ? "",
      instanceName ? "",
      roleName ? "",
      machineName ? "",
    }:
    let
      parts = [
        serviceName
        instanceName
        roleName
        machineName
      ];
      checkedParts = lib.map (
        part:
        lib.throwIf (builtins.match ".?/.?" part != null) ''
          clanLib.exports.mkScope: ${part} cannot contain the "/" character
        ''
      ) parts;
    in
    lib.throwIf ((serviceName == "" && machineName == "")) ''
      clanLib.exports.mkScope requires at least 'serviceName' or 'machineName' to be set
      In case your use case requires neither
    '' (lib.join "/" checkedParts);
  /**
    Parses a scope string into its components
    Returns an attribute set with the keys:
    - serviceName
    - instanceName
    - roleName
    - machineName
    Example:
    parseScope "A/i1/peer/jon"
    ->
    {
      serviceName = "A";
      instanceName = "i1";
      roleName = "peer";
      machineName = "jon";
    }
  */
  parseScope =
    scopeStr:
    let
      parts = lib.splitString "/" scopeStr;
      checkedParts = lib.throwIf (lib.length parts != 4) ''
        clanLib.exports.parseScope: invalid scope string format, expected 4 parts separated by 3 "/"
      '' (parts);
    in
    {
      serviceName = lib.elemAt 0 checkedParts;
      instanceName = lib.elemAt 1 checkedParts;
      roleName = lib.elemAt 2 checkedParts;
      machineName = lib.elemAt 3 checkedParts;
    };
 in
 {
  inherit mkScope parseScope;
 }
--- a/lib/flake-module.nix
+++ b/lib/flake-module.nix
@@ -103,6 +103,11 @@ rec {
        inherit lib;
        clan-core = self;
      };
      # Run: nix-unit --extra-experimental-features flakes --flake .#legacyPackages.x86_64-linux.evalTests-build-clan
      legacyPackages.eval-exports = import ./new_exports.nix {
        inherit lib;
        clan-core = self;
      };
      checks = {
        eval-lib-build-clan = pkgs.runCommand "tests" { nativeBuildInputs = [ pkgs.nix-unit ]; } ''
          export HOME="$(realpath .)"
--- a/lib/inventory/distributed-service/all-services-wrapper.nix
+++ b/lib/inventory/distributed-service/all-services-wrapper.nix
@@ -2,6 +2,7 @@
 {
  # TODO: consume directly from clan.config
  directory,
  exports,
 }:
 {
  lib,
@@ -17,10 +18,10 @@ in
 {
  # TODO: merge these options into clan options
  options = {
-    exportsModule = mkOption {
+    # exportsModule = mkOption {
-      type = types.deferredModule;
+    #   type = types.deferredModule;
-      readOnly = true;
+    #   readOnly = true;
-    };
+    # };
    mappedServices = mkOption {
      visible = false;
      type = attrsWith {
@@ -28,9 +29,11 @@ in
        elemType = submoduleWith {
          class = "clan.service";
          specialArgs = {
            directory = directory;
            clanLib = specialArgs.clanLib;
-            exports = config.exports;
+            inherit
              exports
              directory
              ;
          };
          modules = [
            (
@@ -51,34 +54,13 @@ in
      default = { };
    };
    exports = mkOption {
-      type = submoduleWith {
+      type = types.lazyAttrsOf types.deferredModule;
-        modules = [
+
-          {
+      # collect exports from all services
-            options = {
+      # zipAttrs is needed until we use the record type.
-              instances = lib.mkOption {
+      default = lib.zipAttrsWith (_name: values: { imports = values; }) (
-                default = { };
+        lib.mapAttrsToList (_name: service: service.exports) config.mappedServices
-                # instances.<instanceName>...
+      );
                type = types.attrsOf (submoduleWith {
                  modules = [
                    config.exportsModule
                  ];
                });
              };
              # instances.<machineName>...
              machines = lib.mkOption {
                default = { };
                type = types.attrsOf (submoduleWith {
                  modules = [
                    config.exportsModule
                  ];
                });
              };
            };
          }
        ]
        ++ lib.mapAttrsToList (_: service: service.exports) config.mappedServices;
      };
      default = { };
    };
  };
 }
--- a/lib/inventory/distributed-service/service-module.nix
+++ b/lib/inventory/distributed-service/service-module.nix
@@ -504,7 +504,7 @@ in
                    staticModules = [
                      ({
                        options.exports = mkOption {
-                          type = types.deferredModule;
+                          type = types.lazyAttrsOf types.deferredModule;
                          default = { };
                          description = ''
                            !!! Danger "Experimental Feature"
@@ -634,8 +634,16 @@ in
      type = types.deferredModuleWith {
        staticModules = [
          ({
            # exports."///".generator.name = { _file ... import = []; _type = }
            # exports."///".networking = { _file ... import = []; }
            # generators."///".name = { name, ...}: { _file ... import = [];}
            # networks."///" = { _file ... import = []; }
            # { _file ... import = []; }
            # { _file ... import = []; }
            options.exports = mkOption {
-              type = types.deferredModule;
+              type = types.lazyAttrsOf types.deferredModule;
              default = { };
              description = ''
                !!! Danger "Experimental Feature"
@@ -767,79 +775,38 @@ in
        ```
      '';
      default = { };
-      type = types.submoduleWith {
+      type = types.lazyAttrsOf (
-        # Static modules
+        types.deferredModuleWith {
-        modules = [
+          # staticModules = [];
-          {
+          # lib.concatLists (
-            options.instances = mkOption {
+          #   lib.concatLists (
-              type = types.attrsOf types.deferredModule;
+          #     lib.mapAttrsToList (
-              description = ''
+          #       _roleName: role:
-                export modules defined in 'perInstance'
+          #       lib.mapAttrsToList (
-                mapped to their instance name
+          #         _instanceName: instance: lib.mapAttrsToList (_machineName: v: v.exports) instance.allMachines
-
+          #       ) role.allInstances
-                Example
+          #     ) config.result.allRoles
-
+          #   )
-                with instances:
+          # )
-
+          # ++
-                ```nix
+        }
-                instances.A = { ... };
+      );
-                instances.B= { ... };
+      #     # Lazy default via imports
-
+      #     # should probably be moved to deferredModuleWith { staticModules = [ ]; }
-                roles.peer.perInstance = { instanceName, machine, ... }:
+      #     imports =
-                {
+      #       if config._docs_rendering then
-                  exports.foo = 1;
+      #         [ ]
-                }
+      #       else
-
+      #         lib.mapAttrsToList (_roleName: role: {
-                This yields all other services can access these exports
+      #           instances = lib.mapAttrs (_instanceName: instance: {
-                =>
+      #             imports = lib.mapAttrsToList (_machineName: v: v.exports) instance.allMachines;
-                exports.instances.A.foo = 1;
+      #           }) role.allInstances;
-                exports.instances.B.foo = 1;
+      #         }) config.result.allRoles
-                ```
+      #         ++ lib.mapAttrsToList (machineName: machine: {
-              '';
+      #           machines.${machineName} = machine.exports;
-            };
+      #         }) config.result.allMachines;
-            options.machines = mkOption {
+      #   }
-              type = types.attrsOf types.deferredModule;
+      # ];
              description = ''
                export modules defined in 'perMachine'
                mapped to their machine name
                Example
                with machines:
                ```nix
                instances.A = { roles.peer.machines.jon = ... };
                instances.B = { roles.peer.machines.jon = ... };
                perMachine = { machine, ... }:
                {
                  exports.foo = 1;
                }
                This yields all other services can access these exports
                =>
                exports.machines.jon.foo = 1;
                exports.machines.sara.foo = 1;
                ```
              '';
            };
            # Lazy default via imports
            # should probably be moved to deferredModuleWith { staticModules = [ ]; }
            imports =
              if config._docs_rendering then
                [ ]
              else
                lib.mapAttrsToList (_roleName: role: {
                  instances = lib.mapAttrs (_instanceName: instance: {
                    imports = lib.mapAttrsToList (_machineName: v: v.exports) instance.allMachines;
                  }) role.allInstances;
                }) config.result.allRoles
                ++ lib.mapAttrsToList (machineName: machine: {
                  machines.${machineName} = machine.exports;
                }) config.result.allMachines;
          }
        ];
      };
    };
    # ---
    # Place the result in _module.result to mark them as "internal" and discourage usage/overrides
@@ -1024,5 +991,39 @@ in
        }
      ) config.result.allMachines;
    };
    debug = mkOption {
      default = lib.zipAttrsWith (_name: values: { imports = values; }) (
        lib.mapAttrsToList (_machineName: machine: machine.exports) config.result.allMachines
      );
    };
  };
  imports = [
    {
      # collect exports from all machines
      # zipAttrs is needed until we use the record type.
      exports = lib.zipAttrsWith (_name: values: { imports = values; }) (
        lib.mapAttrsToList (_machineName: machine: machine.exports) config.result.allMachines
      );
    }
    {
      # collect exports from all instances, roles and machines
      # zipAttrs is needed until we use the record type.
      exports = lib.zipAttrsWith (_name: values: { imports = values; }) (
        lib.concatLists (
          lib.concatLists (
            lib.mapAttrsToList (
              _roleName: role:
              lib.mapAttrsToList (
                _instanceName: instance: lib.mapAttrsToList (_machineName: v: v.exports) instance.allMachines
              ) role.allInstances
            ) config.result.allRoles
          )
        )
      );
    }
  ];
 }
--- a/lib/new_exports.nix
+++ b/lib/new_exports.nix
@@ -0,0 +1,221 @@
 {
  clan-core,
  lib,
 }:
 # TODO: TEST: define a clan without machines
 {
  test_simple =
    let
      eval = clan-core.clanLib.clan {
        exports."///".foo = lib.mkForce eval.config.exports."///".bar;
        directory = ./.;
        self = {
          clan = eval.config;
          inputs = { };
        };
        machines.jon = { };
        machines.sara = { };
        exportsModule =
          { lib, ... }:
          {
            options.foo = lib.mkOption {
              type = lib.types.number;
              default = 0;
            };
            options.bar = lib.mkOption {
              type = lib.types.number;
              default = 0;
            };
          };
        ####### Service module "A"
        modules.service-A =
          { ... }:
          {
            # config.exports
            manifest.name = "A";
            roles.default = {
              # TODO: Remove automapping
              # Currently exports are automapped
              # scopes "/service=A/instance=hello/role=default/machine=jon"
              # perInstance.exports.foo = 7;
              # New style:
              # Explizit scope
              # perInstance.exports."service=A/instance=hello/role=default/machine=jon".foo = 7;
              perInstance =
                { instanceName, machine, exports, ... }:
                {
                  exports."A/${instanceName}/default/${machine.name}" = {
                    foo = 7;
                    # define export depending on B
                    bar = exports."B/B/default/${machine.name}".foo + 35;
                  };
                  # exports."A/${instanceName}/default/${machine.name}".
                  # default behavior
                  # exports = scope.mkExports { foo = 7; };
                  # We want to export things for different scopes from this scope;
                  # If this scope is used.
                  #
                  # Explicit scope; different from the function scope above
                  # exports = clanLib.scopedExport {
                  #   # Different role export
                  #   role = "peer";
                  #   serviceName = config.manifest.name;
                  #   inherit instanceName machineName;
                  # } { foo = 7; };
                };
            };
            perMachine =
              { ... }:
              {
                #
                # exports = scope.mkExports { foo = 7; };
                # exports."A///${machine.name}".foo = 42;
                # exports."B///".foo = 42;
              };
            # scope "/service=A/instance=??/role=??/machine=jon"
            # perMachine.exports.foo = 42;
            # scope "/service=A/instance=??/role=??/machine=??"
            # exports."///".foo = 10;
          };
        ####### Service module "A"
        modules.service-B =
          { exports, ... }:
          {
            # config.exports
            manifest.name = "B";
            roles.default = {
              # TODO: Remove automapping
              # Currently exports are automapped
              # scopes "/service=A/instance=hello/role=default/machine=jon"
              # perInstance.exports.foo = 7;
              # New style:
              # Explizit scope
              # perInstance.exports."service=A/instance=hello/role=default/machine=jon".foo = 7;
              perInstance =
                { instanceName, machine, ... }:
                {
                  # TODO: Test non-existing scope
                  # define export depending on A
                  exports."B/${instanceName}/default/${machine.name}".foo = exports."///".foo + exports."A/A/default/${machine.name}".foo;
                  # exports."B/B/default/jon".foo = exports."A/A/default/jon".foo;
                  # default behavior
                  # exports = scope.mkExports { foo = 7; };
                  # We want to export things for different scopes from this scope;
                  # If this scope is used.
                  #
                  # Explicit scope; different from the function scope above
                  # exports = clanLib.scopedExport {
                  #   # Different role export
                  #   role = "peer";
                  #   serviceName = config.manifest.name;
                  #   inherit instanceName machineName;
                  # } { foo = 7; };
                };
            };
            perMachine =
              { ... }:
              {
                # exports = scope.mkExports { foo = 7; };
                # exports."A///${machine.name}".foo = 42;
                # exports."B///".foo = 42;
              };
            # scope "/service=A/instance=??/role=??/machine=jon"
            # perMachine.exports.foo = 42;
            # scope "/service=A/instance=??/role=??/machine=??"
            exports."///".foo = 10;
          };
        #######
        inventory = {
          instances.A = {
            module.name = "service-A";
            module.input = "self";
            roles.default.tags = [ "all" ];
          };
          instances.B = {
            module.name = "service-B";
            module.input = "self";
            roles.default.tags = [ "all" ];
          };
        };
        # <- inventory
        #
        # -> exports
        /**
          Current state
          {
            instances = {
              hello = { networking = null; };
            };
            machines = {
              jon = { networking = null; };
            };
          }
        */
        /**
          Target state: (Flat attribute set)
          tdlr;
          # roles / instance level definitions may not exist on their own
          # role and instance names are completely arbitrary.
          # For example what does it mean: this is a export for all "peer" roles of all service-instances? That would be magic on the roleName.
          # Or exports for all instances with name "ifoo" ? That would be magic on the instanceName.
          # Practical combinations
          # always include either the service name or the machine name
          exports = {
            # Clan level (1)
            "///" networks generators
            # Service anchored (8) : min 1 instance is needed ; machines may not exist
            "A///" <- service specific
            "A/instance//" <- instance of a service
            "A//peer/" <- role of a service
            "A/instance/peer/" <- instance+role of a service
            "A///machine" <- machine of a service
            "A/instance//machine" <- machine + instance of a service
            "A//role/machine" <- machine + role of a service
            "A/instance/role/machine" <- machine + role + instance of a service
            # Machine anchored (1 or 2)
            "///jon" <- this machine
            "A///jon" <- role on a machine (dupped with service anchored)
            # Unpractical; probably not needed (5)
            "//peer/jon" <- role on a machine
            "/instance//jon" <- role on a machine
            "/instance//" <- instance: All "foo" instances everywhere?
            "//role/" <- role: All "peer" roles everywhere?
            "/instance/role/" <- instance role: Applies to all services, whose instance name has "ifoo" and role is "peer" (double magic)
            # TODO: lazyattrs poc
          }
        */
      };
    in
    {
      inherit eval;
      expr = eval;
      expected = 42;
    };
 }
--- a/lib/types/default.nix
+++ b/lib/types/default.nix
@@ -1,4 +1,21 @@
 { lib, ... }:
 let
  inherit (lib)
    mapAttrs
    attrNames
    showOption
    setDefaultModuleLocation
    mkOptionType
    isAttrs
    filterAttrs
    intersectAttrs
    mapAttrsToList
    mkOptionDefault
    zipAttrsWith
    seq
    fix
    ;
 in
 {
  /**
    A custom type for deferred modules that guarantee to be JSON serializable.
@@ -12,7 +29,7 @@
    - Enforces that the definition is JSON serializable
    - Disallows nested imports
  */
-  uniqueDeferredSerializableModule = lib.fix (
+  uniqueDeferredSerializableModule = fix (
    self:
    let
      checkDef =
@@ -23,19 +40,18 @@
          def;
    in
    # Essentially the "raw" type, but with a custom name and check
-    lib.mkOptionType {
+    mkOptionType {
      name = "deferredModule";
      description = "deferred custom module. Must be JSON serializable.";
      descriptionClass = "noun";
      # Unfortunately, tryEval doesn't catch JSON errors
-      check = value: lib.seq (builtins.toJSON value) (lib.isAttrs value);
+      check = value: seq (builtins.toJSON value) (isAttrs value);
      merge = lib.options.mergeUniqueOption {
        message = "------";
        merge = loc: defs: {
          imports = map (
            def:
-            lib.seq (checkDef loc def) lib.setDefaultModuleLocation
+            seq (checkDef loc def) setDefaultModuleLocation "${def.file}, via option ${showOption loc}"
              "${def.file}, via option ${lib.showOption loc}"
              def.value
          ) defs;
        };
@@ -48,4 +64,113 @@
      };
    }
  );
  /**
    New submodule type that allows merging at the attribute level.
    :::note
    'record' type adopted from https://github.com/NixOS/nixpkgs/pull/334680
    :::
    It applies additional constraints to immediate child options:
    - No support for 'readOnly'
    - No support for 'apply'
    - No support for type-merging: That means the modules options must be pre-declared directly.
  */
  record =
    {
      optional ? { },
      required ? { },
      wildcardType ? null,
    }:
    mkOptionType {
      name = "record";
      description =
        if wildcardType == null then "record" else "open record of ${wildcardType.description}";
      descriptionClass = if wildcardType == null then "noun" else "composite";
      check = isAttrs;
      merge.v2 =
        { loc, defs }:
        let
          pushPositions = map (
            def:
            mapAttrs (_n: v: {
              inherit (def) file;
              value = v;
            }) def.value
          );
          # Checks
          intersection = intersectAttrs optional required;
          optionalDefault = filterAttrs (_: opt: opt ? default) optional;
          # Definitions + option defaults
          allDefs =
            defs
            ++ (mapAttrsToList (name: opt: {
              file = (builtins.unsafeGetAttrPos name required).file or "<unknown-file>";
              value = {
                ${name} = mkOptionDefault opt.default;
              };
            }) (filterAttrs (_n: opt: opt ? default) required));
          merged = zipAttrsWith (
            name: defs:
            let
              elemType = optional.${name}.type or required.${name}.type or wildcardType;
            in
            lib.modules.mergeDefinitions (loc ++ [ name ]) elemType defs
          ) (pushPositions allDefs);
        in
        {
          headError =
            if intersection != { } then
              {
                message = "The following attributes of '${showOption loc}' are both declared in 'optional' and in 'required': ${lib.concatStringsSep ", " (attrNames intersection)}";
              }
            else if optionalDefault != { } then
              {
                message = "The following attributes of '${showOption loc}' are declared in 'optional' cannot have a default value: ${lib.concatStringsSep ", " (attrNames optionalDefault)}";
              }
            else
              null;
          # TODO: expose fields, fieldValues and extraValues
          valueMeta = {
            attrs = mapAttrs (_n: v: v.checkedAndMerged.valueMeta) merged;
          };
          value = mapAttrs (
            name: v:
            let
              elemType = optional.${name}.type or required.${name}.type or wildcardType;
            in
            if required ? ${name} then
              # Non-optional, lazy ?
              v.mergedValue
            else
              # Optional, lazy
              v.optionalValue.value or elemType.emptyValue.value or v.mergedValue
          ) merged;
        };
      nestedTypes = lib.optionalAttrs (wildcardType != null) {
        inherit wildcardType;
      };
      getSubOptions =
        prefix:
        # Since this type doesn't support type merging, we can safely use the original attrs to display documentation.
        mapAttrs (
          name: opt:
          (
            opt
            // {
              loc = prefix ++ [ name ];
              inherit name;
              declarations = [
                (builtins.unsafeGetAttrPos name optional).file or (builtins.unsafeGetAttrPos name required).file
                  or "<unknown-file>"
              ];
            }
          )
        ) (optional // required);
    };
 }
--- a/lib/types/record_tests.nix
+++ b/lib/types/record_tests.nix
@@ -0,0 +1,44 @@
 { lib, clanLib, ... }:
 let
  inherit (lib) evalModules mkOption;
  inherit (clanLib.types) record;
 in
 {
  test_simple =
    let
      eval = evalModules {
        modules = [
          {
            options.foo = mkOption {
              type = record { };
              default = { };
            };
          }
        ];
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expected = { };
    };
  test_wildcard =
    let
      eval = evalModules {
        modules = [
          {
            options.foo = mkOption {
              type = record { };
              default = { };
            };
          }
        ];
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expected = { };
    };
 }
--- a/lib/types/tests.nix
+++ b/lib/types/tests.nix
@@ -1,92 +1,5 @@
 { lib, clanLib, ... }:
 let
  evalSettingsModule =
    m:
    lib.evalModules {
      modules = [
        {
          options.foo = lib.mkOption {
            type = clanLib.types.uniqueDeferredSerializableModule;
          };
        }
        m
      ];
    };
 in
 {
-  test_simple =
+  unique = import ./unique_tests.nix { inherit lib clanLib; };
-    let
+  record = import ./record_tests.nix { inherit lib clanLib; };
      eval = evalSettingsModule {
        foo = { };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expected = {
        # Foo has imports
        # This can only ever be one module due to the type of foo
        imports = [
          {
            # This is the result of 'setDefaultModuleLocation'
            # Which also returns exactly one module
            _file = "<unknown-file>, via option foo";
            imports = [
              { }
            ];
          }
        ];
      };
    };
  test_no_nested_imports =
    let
      eval = evalSettingsModule {
        foo = {
          imports = [ ];
        };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "ThrownError";
        message = "*nested imports";
      };
    };
  test_no_function_modules =
    let
      eval = evalSettingsModule {
        foo =
          { ... }:
          {
          };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "TypeError";
        message = "cannot convert a function to JSON";
      };
    };
  test_non_attrs_module =
    let
      eval = evalSettingsModule {
        foo = "foo.nix";
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "ThrownError";
        message = ".*foo.* is not of type";
      };
    };
 }
--- a/lib/types/unique_tests.nix
+++ b/lib/types/unique_tests.nix
@@ -0,0 +1,92 @@
 { lib, clanLib, ... }:
 let
  evalSettingsModule =
    m:
    lib.evalModules {
      modules = [
        {
          options.foo = lib.mkOption {
            type = clanLib.types.uniqueDeferredSerializableModule;
          };
        }
        m
      ];
    };
 in
 {
  test_not_defined =
    let
      eval = evalSettingsModule {
        foo = { };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expected = {
        # Foo has imports
        # This can only ever be one module due to the type of foo
        imports = [
          {
            # This is the result of 'setDefaultModuleLocation'
            # Which also returns exactly one module
            _file = "<unknown-file>, via option foo";
            imports = [
              { }
            ];
          }
        ];
      };
    };
  test_no_nested_imports =
    let
      eval = evalSettingsModule {
        foo = {
          imports = [ ];
        };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "ThrownError";
        message = "*nested imports";
      };
    };
  test_no_function_modules =
    let
      eval = evalSettingsModule {
        foo =
          { ... }:
          {
          };
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "TypeError";
        message = "cannot convert a function to JSON";
      };
    };
  test_non_attrs_module =
    let
      eval = evalSettingsModule {
        foo = "foo.nix";
      };
    in
    {
      inherit eval;
      expr = eval.config.foo;
      expectedError = {
        type = "ThrownError";
        message = ".*foo.* is not of type";
      };
    };
 }
--- a/modules/clan/distributed-services.nix
+++ b/modules/clan/distributed-services.nix
@@ -111,11 +111,11 @@ in
      };
      modules = [
        (import ../../lib/inventory/distributed-service/all-services-wrapper.nix {
-          inherit (clanConfig) directory;
+          inherit (clanConfig) directory exports;
        })
        # Dependencies
        {
-          exportsModule = clanConfig.exportsModule;
+          # exportsModule = clanConfig.exportsModule;
        }
        {
          # TODO: Rename to "allServices"
--- a/modules/clan/top-level-interface.nix
+++ b/modules/clan/top-level-interface.nix
@@ -110,9 +110,7 @@ in
    # TODO: make this writable by moving the options from inventoryClass into clan.
    exports = lib.mkOption {
-      readOnly = true;
+      type = types.lazyAttrsOf (types.submoduleWith { modules = [ config.exportsModule ]; });
      visible = false;
      internal = true;
    };
    exportsModule = lib.mkOption {
--- a/nixosModules/flake-module.nix
+++ b/nixosModules/flake-module.nix
@@ -18,7 +18,7 @@ let
        inputs.data-mesher.nixosModules.data-mesher
      ];
      config = {
-        clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.stdenv.hostPlatform.system};
+        clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.hostPlatform.system};
      };
    };
 in
--- a/nixosModules/installer/zfs-latest.nix
+++ b/nixosModules/installer/zfs-latest.nix
@@ -30,5 +30,5 @@ let
 in
 {
  # Note this might jump back and worth as kernel get added or removed.
-  boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.zfs) latestKernelPackage;
+  boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.hostPlatform pkgs.zfs) latestKernelPackage;
 }
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -245,7 +245,7 @@ class SecretStore(StoreBase):
                            output_dir / "activation" / generator.name / file.name
                        )
                        out_file.parent.mkdir(parents=True, exist_ok=True)
-                        out_file.write_bytes(file.value)
+                        out_file.write_bytes(self.get(generator, file.name))
        if "partitioning" in phases:
            for generator in vars_generators:
                for file in generator.files:
@@ -254,7 +254,7 @@ class SecretStore(StoreBase):
                            output_dir / "partitioning" / generator.name / file.name
                        )
                        out_file.parent.mkdir(parents=True, exist_ok=True)
-                        out_file.write_bytes(file.value)
+                        out_file.write_bytes(self.get(generator, file.name))
        hash_data = self.generate_hash(machine)
        if hash_data:
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -246,7 +246,7 @@ class SecretStore(StoreBase):
                        )
                        # chmod after in case it doesn't have u+w
                        target_path.touch(mode=0o600)
-                        target_path.write_bytes(file.value)
+                        target_path.write_bytes(self.get(generator, file.name))
                        target_path.chmod(file.mode)
        if "partitioning" in phases:
@@ -260,7 +260,7 @@ class SecretStore(StoreBase):
                        )
                        # chmod after in case it doesn't have u+w
                        target_path.touch(mode=0o600)
-                        target_path.write_bytes(file.value)
+                        target_path.write_bytes(self.get(generator, file.name))
                        target_path.chmod(file.mode)
    @override
--- a/pkgs/clan-cli/clan_lib/flake/flake.py
+++ b/pkgs/clan-cli/clan_lib/flake/flake.py
@@ -211,7 +211,7 @@ class ClanSelectError(ClanError):
    def __str__(self) -> str:
        if self.description:
-            return f"{self.msg}  Reason: {self.description}. Use flag '--debug' to see full nix trace."
+            return f"{self.msg}  Reason: {self.description}"
        return self.msg
    def __repr__(self) -> str:
--- a/pkgs/clan-cli/clan_lib/machines/update.py
+++ b/pkgs/clan-cli/clan_lib/machines/update.py
@@ -59,7 +59,9 @@ def upload_sources(machine: Machine, ssh: Host, upload_inputs: bool) -> str:
    if not has_path_inputs and not upload_inputs:
        # Just copy the flake to the remote machine, we can substitute other inputs there.
        path = flake_data["path"]
-        remote_url = f"ssh-ng://{remote_url_base}"
+        if machine._class_ == "darwin":
            remote_program_params = "?remote-program=bash -lc 'exec nix-daemon --stdio'"
        remote_url = f"ssh-ng://{remote_url_base}{remote_program_params}"
        cmd = nix_command(
            [
                "copy",