vars: add test for deployment

Merge pull request 'clan-cli/vms: add option --publish to forward ports from host to guest' (#1847 ) from DavHau/clan-core:DavHau-vars into main
clan-cli/vms: add option --publish to forward ports from host to guest
2024-08-04 15:33:16 +07:00 · 2024-08-04 08:32:02 +00:00 · 2024-08-04 15:28:51 +07:00 · 2024-08-04 06:43:44 +00:00 · 2024-08-04 13:40:12 +07:00 · 2024-08-04 06:10:37 +00:00
465 changed files with 19481 additions and 3668 deletions
--- a/.envrc
+++ b/.envrc
@@ -1,11 +1,13 @@
 # shellcheck shell=bash
 if ! has nix_direnv_version || ! nix_direnv_version 3.0.4; then
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-DzlYZ33mWF/Gs8DDeyjr8mnVmQGx7ASYqA5WlxwvBG4="
 fi
 watch_file .direnv/selected-shell 
 watch_file formatter.nix
 if [ -e .direnv/selected-shell ]; then
-  use flake .#$(cat .direnv/selected-shell)
+  use flake ".#$(cat .direnv/selected-shell)"
 else
  use flake
 fi
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -1,6 +1,6 @@
 name: deploy
 on:
- push:
+  push:
    branches:
      - main
 jobs:
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,10 @@
 .direnv
 **/.nixos-test-history
 ***/.hypothesis
 out.log
 .coverage.*
 **/qubeclan
 pkgs/repro-hook
 **/testdir
 democlan
 example_clan
@@ -13,6 +15,7 @@ nixos.qcow2
 **/*.glade~
 /docs/out
 # dream2nix
 .dream2nix
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,3 +19,5 @@ Run a local server:
 ```shell-session
 mkdocs serve
 ```
 Open http://localhost:8000/ in your browser.
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-# Clan Core Repository
+# Clan core repository
-Welcome to the Clan Core Repository, the heart of the [clan.lol](https://clan.lol/) project! This monorepo is the foundation of Clan, a revolutionary open-source project aimed at restoring fun, freedom, and functionality to computing. Here, you'll find all the essential packages, NixOS modules, CLI tools, and tests needed to contribute to and work with the Clan project. Clan leverages the Nix system to ensure reliability, security, and seamless management of digital environments, putting the power back into the hands of users.
+Welcome to the Clan core repository, the heart of the [clan.lol](https://clan.lol/) project! This monorepo is the foundation of Clan, a revolutionary open-source project aimed at restoring fun, freedom, and functionality to computing. Here, you'll find all the essential packages, NixOS modules, CLI tools, and tests needed to contribute to and work with the Clan project. Clan leverages the Nix system to ensure reliability, security, and seamless management of digital environments, putting the power back into the hands of users.
 ## Why Clan?
@@ -14,13 +14,13 @@ Our mission is simple: to democratize computing by providing tools that empower
 - **Robust Backup Management:** Long-term, self-hosted data preservation.
 - **Intuitive Secret Management:** Simplified encryption and password management processes.
-## Getting Started with Clan
+## Getting started with Clan
 If you're new to Clan and eager to dive in, start with our quickstart guide and explore the core functionalities that Clan offers:
 - **Quickstart Guide**: Check out [getting started](https://docs.clan.lol/#starting-with-a-new-clan-project)<!-- [docs/site/index.md](docs/site/index.md) --> to get up and running with Clan in no time.
-### Managing Secrets
+### Managing secrets
 In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
@@ -32,14 +32,14 @@ The Clan project thrives on community contributions. We welcome everyone to cont
 - **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/contributing/contributing/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
-## Join the Revolution
+## Join the revolution
 Clan is more than a tool; it's a movement towards a better digital future. By contributing to the Clan project, you're part of changing technology for the better, together.
-### Community and Support
+### Community and support
 Connect with us and the Clan community for support and discussion:
- [Matrix channel](https://matrix.to/#/#clan:lassul.us) for live discussions.
+- [Matrix channel](https://matrix.to/#/#clan:clan.lol) for live discussions.
 - IRC bridges (coming soon) for real-time chat support.
--- a/checks/backups/flake-module.nix
+++ b/checks/backups/flake-module.nix
@@ -27,7 +27,7 @@
          self.clanModules.localbackup
          self.clanModules.sshd
        ];
-        clan.networking.targetHost = "machine";
+        clan.core.networking.targetHost = "machine";
        networking.hostName = "machine";
        services.openssh.settings.UseDns = false;
@@ -68,17 +68,9 @@
            };
          };
        };
-        clanCore.facts.secretStore = "vm";
+        clan.core.facts.secretStore = "vm";
-        environment.systemPackages = [
+        environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
          self.packages.${pkgs.system}.clan-cli
          (pkgs.writeShellScriptBin "pre-restore-command" ''
            touch /var/test-service/pre-restore-command
          '')
          (pkgs.writeShellScriptBin "post-restore-command" ''
            touch /var/test-service/post-restore-command
          '')
        ];
        environment.etc.install-closure.source = "${closureInfo}/store-paths";
        nix.settings = {
          substituters = lib.mkForce [ ];
@@ -87,11 +79,18 @@
          flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
        };
        system.extraDependencies = dependencies;
-        clanCore.state.test-backups.folders = [ "/var/test-backups" ];
+        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-        clanCore.state.test-service = {
+        clan.core.state.test-service = {
-          preRestoreCommand = "pre-restore-command";
+          preBackupScript = ''
-          postRestoreCommand = "post-restore-command";
+            touch /var/test-service/pre-backup-command
          '';
          preRestoreScript = ''
            touch /var/test-service/pre-restore-command
          '';
          postRestoreScript = ''
            touch /var/test-service/post-restore-command
          '';
          folders = [ "/var/test-service" ];
        };
        clan.borgbackup.destinations.test-backup.repo = "borg@machine:.";
@@ -145,14 +144,14 @@
            machine.succeed("echo testing > /var/test-backups/somefile")
            # create
-            machine.succeed("clan --debug --flake ${self} backups create test-backup")
+            machine.succeed("clan backups create --debug --flake ${self} test-backup")
            machine.wait_until_succeeds("! systemctl is-active borgbackup-job-test-backup >&2")
            machine.succeed("test -f /run/mount-external-disk")
            machine.succeed("test -f /run/unmount-external-disk")
            # list
            backup_id = json.loads(machine.succeed("borg-job-test-backup list --json"))["archives"][0]["archive"]
-            out = machine.succeed("clan --debug --flake ${self} backups list test-backup").strip()
+            out = machine.succeed("clan backups list --debug --flake ${self} test-backup").strip()
            print(out)
            assert backup_id in out, f"backup {backup_id} not found in {out}"
            localbackup_id = "hdd::/mnt/external-disk/snapshot.0"
@@ -160,17 +159,19 @@
            ## borgbackup restore
            machine.succeed("rm -f /var/test-backups/somefile")
-            machine.succeed(f"clan --debug --flake ${self} backups restore test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
+            machine.succeed(f"clan backups restore --debug --flake ${self} test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
            machine.succeed("test -f /var/test-service/pre-restore-command")
            machine.succeed("test -f /var/test-service/post-restore-command")
            machine.succeed("test -f /var/test-service/pre-backup-command")
            ## localbackup restore
-            machine.succeed("rm -f /var/test-backups/somefile /var/test-service/{pre,post}-restore-command")
+            machine.succeed("rm -rf /var/test-backups/somefile /var/test-service/ && mkdir -p /var/test-service")
-            machine.succeed(f"clan --debug --flake ${self} backups restore test-backup localbackup '{localbackup_id}' >&2")
+            machine.succeed(f"clan backups restore --debug --flake ${self} test-backup localbackup '{localbackup_id}' >&2")
            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
            machine.succeed("test -f /var/test-service/pre-restore-command")
            machine.succeed("test -f /var/test-service/post-restore-command")
            machine.succeed("test -f /var/test-service/pre-backup-command")
          '';
        } { inherit pkgs self; };
      };
--- a/checks/borgbackup/default.nix
+++ b/checks/borgbackup/default.nix
@@ -16,9 +16,9 @@
            };
          }
          {
-            clanCore.machineName = "machine";
+            clan.core.machineName = "machine";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
-            clanCore.state.testState.folders = [ "/etc/state" ];
+            clan.core.state.testState.folders = [ "/etc/state" ];
            environment.etc.state.text = "hello world";
            systemd.tmpfiles.settings."vmsecrets" = {
              "/etc/secrets/borgbackup.ssh" = {
@@ -36,7 +36,7 @@
                };
              };
            };
-            clanCore.facts.secretStore = "vm";
+            clan.core.facts.secretStore = "vm";
            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
          }
--- a/checks/deltachat/default.nix
+++ b/checks/deltachat/default.nix
@@ -10,8 +10,8 @@
          self.clanModules.deltachat
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "machine";
+            clan.core.machineName = "machine";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
          }
        ];
      };
--- a/checks/devshell/flake-module.nix
+++ b/checks/devshell/flake-module.nix
@@ -0,0 +1,22 @@
 { ... }:
 {
  perSystem =
    { self', pkgs, ... }:
    {
      checks.devshell =
        pkgs.runCommand "check-devshell-not-depends-on-clan-cli"
          {
            exportReferencesGraph = [
              "graph"
              self'.devShells.default
            ];
          }
          ''
            if grep -q "${self'.packages.clan-cli}" ./graph; then
              echo "devshell depends on clan-cli, which is not allowed";
              exit 1;
            fi
            mkdir $out
          '';
    };
 }
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -1,10 +1,11 @@
 { self, ... }:
 {
  imports = [
    ./impure/flake-module.nix
    ./backups/flake-module.nix
-    ./installation/flake-module.nix
+    ./devshell/flake-module.nix
    ./flash/flake-module.nix
    ./impure/flake-module.nix
    ./installation/flake-module.nix
  ];
  perSystem =
    {
@@ -23,7 +24,7 @@
                options =
                  (pkgs.nixos {
                    imports = [ self.nixosModules.clanCore ];
-                    clanCore.clanDir = ./.;
+                    clan.core.clanDir = ./.;
                  }).options;
                warningsAreErrors = false;
              };
@@ -40,10 +41,12 @@
            secrets = import ./secrets nixosTestArgs;
            container = import ./container nixosTestArgs;
            deltachat = import ./deltachat nixosTestArgs;
            matrix-synapse = import ./matrix-synapse nixosTestArgs;
            zt-tcp-relay = import ./zt-tcp-relay nixosTestArgs;
            borgbackup = import ./borgbackup nixosTestArgs;
            matrix-synapse = import ./matrix-synapse nixosTestArgs;
            mumble = import ./mumble nixosTestArgs;
            syncthing = import ./syncthing nixosTestArgs;
            zt-tcp-relay = import ./zt-tcp-relay nixosTestArgs;
            postgresql = import ./postgresql nixosTestArgs;
            wayland-proxy-virtwl = import ./wayland-proxy-virtwl nixosTestArgs;
          };
--- a/checks/flash/flake-module.nix
+++ b/checks/flash/flake-module.nix
@@ -1,33 +1,50 @@
-{ ... }:
+{ self, ... }:
 {
  perSystem =
    { ... }:
    {
-      # checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
+      nodes,
-      #   flash = (import ../lib/test-base.nix) {
+      pkgs,
-      #     name = "flash";
+      lib,
-      #     nodes.target = {
+      ...
-      #       virtualisation.emptyDiskImages = [ 4096 ];
+    }:
-      #       virtualisation.memorySize = 3000;
+    let
-      #       environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+      dependencies = [
-      #       environment.etc."install-closure".source = "${closureInfo}/store-paths"; 
+        pkgs.disko
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.toplevel
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.diskoScript
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.build.diskoScript.drvPath
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test_install_machine.config.system.clan.deployment.file
      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
    in
    {
      # Currently disabled...
      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
        flash = (import ../lib/test-base.nix) {
          name = "flash";
          nodes.target = {
            virtualisation.emptyDiskImages = [ 4096 ];
            virtualisation.memorySize = 3000;
            environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
            environment.etc."install-closure".source = "${closureInfo}/store-paths";
-      #       nix.settings = {
+            nix.settings = {
-      #         substituters = lib.mkForce [ ];
+              substituters = lib.mkForce [ ];
-      #         hashed-mirrors = null;
+              hashed-mirrors = null;
-      #         connect-timeout = lib.mkForce 3;
+              connect-timeout = lib.mkForce 3;
-      #         flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+              flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-      #         experimental-features = [
+              experimental-features = [
-      #           "nix-command"
+                "nix-command"
-      #           "flakes"
+                "flakes"
-      #         ];
+              ];
-      #       };
+            };
-      #     };
+          };
-      #     testScript = ''
+          testScript = ''
-      #       start_all()
+            start_all()
-      #       machine.succeed("clan --debug --flake ${../..} flash --yes --disk main /dev/vdb test_install_machine")
+
-      #     '';
+            machine.succeed("clan flash --debug --flake ${../..} --yes --disk main /dev/vdb test_install_machine")
-      #   } { inherit pkgs self; };
+          '';
-      # };
+        } { inherit pkgs self; };
      };
    };
 }
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -1,6 +1,11 @@
 {
  perSystem =
-    { pkgs, lib, ... }:
+    {
      pkgs,
      lib,
      self',
      ...
    }:
    {
      # a script that executes all other checks
      packages.impure-checks = pkgs.writeShellScriptBin "impure-checks" ''
@@ -10,14 +15,21 @@
        unset CLAN_DIR
        export PATH="${
-          lib.makeBinPath [
+          lib.makeBinPath (
-            pkgs.gitMinimal
+            [
-            pkgs.nix
+              pkgs.gitMinimal
-            pkgs.rsync # needed to have rsync installed on the dummy ssh server
+              pkgs.nix
-          ]
+              pkgs.rsync # needed to have rsync installed on the dummy ssh server
            ]
            ++ self'.packages.clan-cli-full.runtimeDependencies
          )
        }"
        ROOT=$(git rev-parse --show-toplevel)
        cd "$ROOT/pkgs/clan-cli"
        # this disables dynamic dependency loading in clan-cli
        export CLAN_NO_DYNAMIC_DEPS=1
        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -s -m impure ./tests $@"
      '';
    };
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -1,9 +1,9 @@
 { self, lib, ... }:
 {
  clan.machines.test_install_machine = {
-    clan.networking.targetHost = "test_install_machine";
+    clan.core.networking.targetHost = "test_install_machine";
-    fileSystems."/".device = lib.mkDefault "/dev/null";
+    fileSystems."/".device = lib.mkDefault "/dev/vdb";
-    boot.loader.grub.device = lib.mkDefault "/dev/null";
+    boot.loader.grub.device = lib.mkDefault "/dev/vdb";
    imports = [ self.nixosModules.test_install_machine ];
  };
@@ -12,7 +12,7 @@
      { lib, modulesPath, ... }:
      {
        imports = [
-          self.clanModules.disk-layouts
+          "${self}/nixosModules/disk-layouts"
          (modulesPath + "/testing/test-instrumentation.nix") # we need these 2 modules always to be able to run the tests
          (modulesPath + "/profiles/qemu-guest.nix")
        ];
@@ -98,7 +98,7 @@
            client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
            client.wait_until_succeeds("ssh -o StrictHostKeyChecking=accept-new -v root@target hostname")
-            client.succeed("clan --debug --flake ${../..} machines install --yes test_install_machine root@target >&2")
+            client.succeed("clan machines install --debug --flake ${../..} --yes test_install_machine root@target >&2")
            try:
              target.shutdown()
            except BrokenPipeError:
--- a/checks/lib/container-driver/test_driver/init.py
+++ b/checks/lib/container-driver/test_driver/init.py
@@ -151,7 +151,7 @@ class Machine:
        """
        # Always run command with shell opts
-        command = f"set -euo pipefail; {command}"
+        command = f"set -eo pipefail; source /etc/profile; set -u; {command}"
        proc = subprocess.run(
            [
--- a/checks/lib/container-test.nix
+++ b/checks/lib/container-test.nix
@@ -10,6 +10,7 @@ in
    hostPkgs = pkgs;
    # speed-up evaluation
    defaults = {
      nix.package = pkgs.nixVersions.latest;
      documentation.enable = lib.mkDefault false;
      boot.isContainer = true;
--- a/checks/lib/test-base.nix
+++ b/checks/lib/test-base.nix
@@ -10,6 +10,7 @@ in
  defaults = {
    documentation.enable = lib.mkDefault false;
    nix.settings.min-free = 0;
    nix.package = pkgs.nixVersions.latest;
  };
  # to accept external dependencies such as disko
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -4,26 +4,61 @@
    name = "matrix-synapse";
    nodes.machine =
-      { self, lib, ... }:
+      {
        config,
        self,
        lib,
        ...
      }:
      {
        imports = [
          self.clanModules.matrix-synapse
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "machine";
+            clan.core.machineName = "machine";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
-            clan.matrix-synapse = {
+
              enable = true;
              domain = "clan.test";
            };
          }
          {
            # secret override
            clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
            services.nginx.virtualHosts."matrix.clan.test" = {
              enableACME = lib.mkForce false;
              forceSSL = lib.mkForce false;
            };
            clan.matrix-synapse.domain = "clan.test";
            clan.matrix-synapse.users.admin.admin = true;
            clan.matrix-synapse.users.someuser = { };
            clan.core.facts.secretStore = "vm";
            # because we use systemd-tmpfiles to copy the secrets, we need to a seperate systemd-tmpfiles call to provison them.
            boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf";
            systemd.tmpfiles.settings."00-vmsecrets" = {
              # run before 00-nixos.conf
              "/etc/secrets" = {
                d.mode = "0700";
                z.mode = "0700";
              };
              "/etc/secrets/synapse-registration_shared_secret" = {
                f.argument = "supersecret";
                z = {
                  mode = "0400";
                  user = "root";
                };
              };
              "/etc/secrets/matrix-password-admin" = {
                f.argument = "matrix-password1";
                z = {
                  mode = "0400";
                  user = "root";
                };
              };
              "/etc/secrets/matrix-password-someuser" = {
                f.argument = "matrix-password2";
                z = {
                  mode = "0400";
                  user = "root";
                };
              };
            };
          }
        ];
      };
@@ -32,6 +67,12 @@
      machine.wait_for_unit("matrix-synapse")
      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
      machine.succeed("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
      machine.systemctl("restart matrix-synapse >&2") # check if user creation is idempotent
      machine.execute("journalctl -u matrix-synapse --no-pager >&2")
      machine.wait_for_unit("matrix-synapse")
      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
      machine.succeed("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
    '';
  }
 )
--- a/checks/mumble/default.nix
+++ b/checks/mumble/default.nix
@@ -0,0 +1,146 @@
 (import ../lib/test-base.nix) (
  { ... }:
  let
    common =
      { self, pkgs, ... }:
      {
        imports = [
          self.clanModules.mumble
          self.nixosModules.clanCore
          (self.inputs.nixpkgs + "/nixos/tests/common/x11.nix")
          {
            clan.core.clanDir = ./.;
            environment.systemPackages = [ pkgs.killall ];
            services.murmur.sslKey = "/etc/mumble-key";
            services.murmur.sslCert = "/etc/mumble-cert";
            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
          }
        ];
      };
  in
  {
    name = "mumble";
    enableOCR = true;
    nodes.peer1 =
      { ... }:
      {
        imports = [
          common
          {
            clan.core.machineName = "peer1";
            environment.etc = {
              "mumble-key".source = ./peer_1/peer_1_test_key;
              "mumble-cert".source = ./peer_1/peer_1_test_cert;
            };
            systemd.tmpfiles.settings."vmsecrets" = {
              "/etc/secrets/mumble-key" = {
                C.argument = "${./peer_1/peer_1_test_key}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
              "/etc/secrets/mumble-cert" = {
                C.argument = "${./peer_1/peer_1_test_cert}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
            };
            services.murmur.sslKey = "/etc/mumble-key";
            services.murmur.sslCert = "/etc/mumble-cert";
            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
          }
        ];
      };
    nodes.peer2 =
      { ... }:
      {
        imports = [
          common
          {
            clan.core.machineName = "peer2";
            environment.etc = {
              "mumble-key".source = ./peer_2/peer_2_test_key;
              "mumble-cert".source = ./peer_2/peer_2_test_cert;
            };
            systemd.tmpfiles.settings."vmsecrets" = {
              "/etc/secrets/mumble-key" = {
                C.argument = "${./peer_2/peer_2_test_key}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
              "/etc/secrets/mumble-cert" = {
                C.argument = "${./peer_2/peer_2_test_cert}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
            };
          }
        ];
      };
    testScript = ''
      start_all()
      with subtest("Waiting for x"):
        peer1.wait_for_x()
        peer2.wait_for_x()
      with subtest("Waiting for murmur"):
        peer1.wait_for_unit("murmur.service")
        peer2.wait_for_unit("murmur.service")
      with subtest("Starting Mumble"):
        # starting mumble is blocking
        peer1.execute("mumble >&2 &")
        peer2.execute("mumble >&2 &")
      with subtest("Wait for Mumble"):
        peer1.wait_for_window(r"^Mumble$")
        peer2.wait_for_window(r"^Mumble$")
      with subtest("Wait for certificate creation"):
        peer1.wait_for_window(r"^Mumble$")
        peer1.sleep(3) # mumble is slow to register handlers
        peer1.send_chars("\n") 
        peer1.send_chars("\n") 
        peer2.wait_for_window(r"^Mumble$")
        peer2.sleep(3) # mumble is slow to register handlers
        peer2.send_chars("\n") 
        peer2.send_chars("\n") 
      with subtest("Wait for server connect"):
        peer1.wait_for_window(r"^Mumble Server Connect$")
        peer2.wait_for_window(r"^Mumble Server Connect$")
      with subtest("Check validity of server certificates"):
        peer1.execute("killall .mumble-wrapped")
        peer1.sleep(1)
        peer1.execute("mumble mumble://peer2 >&2 &")
        peer1.wait_for_window(r"^Mumble$")
        peer1.sleep(3) # mumble is slow to register handlers
        peer1.send_chars("\n") 
        peer1.send_chars("\n") 
        peer1.wait_for_text("Connected.")
        peer2.execute("killall .mumble-wrapped")
        peer2.sleep(1)
        peer2.execute("mumble mumble://peer1 >&2 &")
        peer2.wait_for_window(r"^Mumble$")
        peer2.sleep(3) # mumble is slow to register handlers
        peer2.send_chars("\n") 
        peer2.send_chars("\n") 
        peer2.wait_for_text("Connected.")
    '';
  }
 )
--- a/checks/mumble/machines/peer1/facts/mumble-cert
+++ b/checks/mumble/machines/peer1/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/key.age
+++ b/checks/mumble/machines/peer1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/machines/peer1/peer_1_test_cert
+++ b/checks/mumble/machines/peer1/peer_1_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHTCCAaKgAwIBAgIIT2gZuvqVFP0wCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
 U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
 A1UEAxMJc3luY3RoaW5nMB4XDTIzMTIwNjAwMDAwMFoXDTQzMTIwMTAwMDAwMFow
 SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
 bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
 YgAEBAr1CsciwCa0vi7eC6xxuSGijY3txbjtsyFanec/fge4oJBD3rVpaLKFETb3
 TvHHsuvblzElcP483MEVq6FMUoxwuL9CzTtpJrRhtwSmAs8AHLFu8irVn8sZjgkL
 sXMho1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
 AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
 SM49BAMCA2kAMGYCMQDbrtLgfcyMMIkNQn+PJe9DHYAqj8C47LQcWuIY/nekhOu0
 aUfKctEAwyBtI60Y5zcCMQCEdgD/6CNBh7Qqq3z3CKPhlrpxHtCO5tNw17k0jfdH
 haCwJInHZvZgclHk4EtFpTw=
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/peer_1_test_key
+++ b/checks/mumble/machines/peer1/peer_1_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDA14Nqo17Xs/xRLGH2KLuyzjKp4eW9iWFobVNM93RZZbECT++W3XcQc
 cEc5WVtiPmWgBwYFK4EEACKhZANiAAQECvUKxyLAJrS+Lt4LrHG5IaKNje3FuO2z
 IVqd5z9+B7igkEPetWlosoURNvdO8cey69uXMSVw/jzcwRWroUxSjHC4v0LNO2km
 tGG3BKYCzwAcsW7yKtWfyxmOCQuxcyE=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/machines/peer2/facts/mumble-cert
+++ b/checks/mumble/machines/peer2/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_cert
+++ b/checks/mumble/machines/peer2/peer_2_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHjCCAaOgAwIBAgIJAKbMWefkf1rVMAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
 CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
 BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDYwMDAwMDBaFw00MzEyMDEwMDAwMDBa
 MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
 ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
 A2IABFZTMt4RfsfBue0va7QuNdjfXMI4HfZzJCEcG+b9MtV7FlDmwMKX5fgGykD9
 FBbC7yiza3+xCobdMb5bakz1qYJ7nUFCv1mwSDo2eNM+/XE+rJmlre8NwkwGmvzl
 h1uhyqNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
 BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
 hkjOPQQDAgNpADBmAjEAwzhsroN6R4/quWeXj6dO5gt5CfSTLkLee6vrcuIP5i1U
 rZvJ3OKQVmmGG6IWYe7iAjEAyuq3X2wznaqiw2YK3IDI4qVeYWpCUap0fwRNq7/x
 4dC4k+BOzHcuJOwNBIY/bEuK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_key
+++ b/checks/mumble/machines/peer2/peer_2_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDCXHGpvumKjjDRxB6SsjZOb7duw3w+rdlGQCJTIvRThLjD6zwjnyImi
 7c3PD5nWtLqgBwYFK4EEACKhZANiAARWUzLeEX7HwbntL2u0LjXY31zCOB32cyQh
 HBvm/TLVexZQ5sDCl+X4BspA/RQWwu8os2t/sQqG3TG+W2pM9amCe51BQr9ZsEg6
 NnjTPv1xPqyZpa3vDcJMBpr85Ydboco=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/peer_1/key.age
+++ b/checks/mumble/peer_1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/peer_1/peer_1_test_cert
+++ b/checks/mumble/peer_1/peer_1_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_1/peer_1_test_key
+++ b/checks/mumble/peer_1/peer_1_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCcdZEJvXJIeOK
 O5pF5XUFvUeJtCCiwfWvWS662bxcR/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS
 4zSGQoTEAVzqzVdi3a/gNvsdVLb+7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfd
 WV1Y5T1tuwc3G8ATrguQ33Uo5vvFvcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIh
 jMpRG/uZ3u7wtbyZ+WqjsjxZNfnYaMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2Zqh
 VSYXyDfpAWQFznwKGzD5mjtcyKymgnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4Kn
 ID30OQW7AgMBAAECggEAGVKn+/Iy+kG+l2cRvV6XseqnoWhjA69M5swviMgIfuAl
 Xx/boeI4mwoS+dJQKi/0zEbB1MB+gwIDB/0s/vs0vS4MQswBQG/skr+2TmiU+Hgb
 CF0dIYUZv5rAbScFTumx/mCCqxwc+1QIMzyLKqOYL203EFc92ZJGEVT4th321haZ
 8Wd+dllcYAb7BbEeBhCrTqRe9T3zt5reZgtZTquTF5hGm8EAyBp6rLjZK7dyZ9dd
 gyIsDbWgPC9vkRc6x/eANn70hgDbYOuoXwAP/qIFnWLL1Zzy8LKUyOsSgQ91S3S3
 Il4Lt6lEyU3+61MsCYss7jDoP/7REEjz5h6gfxlFSQKBgQD9u8nhHuwte4/d9VNU
 rhSBW9h8IJzwPif/eS8vh9VaS2SjR2dDCcHg6rGYKnexeEzUcx56aQMA+p3nRJwy
 Uwnx5BfEWs9FO6yPR8VEI0a2sBp+hoWKJX/Lvat+QCs6IFuGmlQpczD7/RYAkhG4
 mwyt/ymqzjukb9mFaeYIltOfPwKBgQDELnkH1ChTUH5u3HgDoelFbzR18okz6dxH
 urMbfZMAl8W5h2zAvHsAX5qxyHHankOUsiH2y3BrAgqQtTuIA2a5W7j+yHBkYiEZ
 EUNeI9YNA0KU+wwZpVVvRGUsRB5SUBo5LlcSYmX/V32f0oU5Np44i0vjl3Ju8esx
 2MLfj1A2hQKBgQDCxtZZZ0h8Pb8Z7wpSFfQNvXi5CLwQvFYuClQLk6VXVErkAJsn
 XiUjyGYeXnNVm/i2mcyKwXQZ20k90HBrPU2ED8mi5Ob5ya5Uqw6mmMHe2d7sw81d
 WB37RBWSrCXC0DYSZQQ4cYHn3sd2Fqtd4EBijV7qDLjCKU582OdKLqYzNwKBgH31
 UKQkJZgIkIThbPT4GewI0GgCRvFb76DmUGUQJTg2Oi86siq1WUwOFiabie5RuxZX
 oNLyH8W008/BbO2RMX1FVOvRCciJ8LJFkTl6TM6iDzfUUBqPOuFryoG3Yrh60btw
 81rMbqyZIgFhi0QGu2OWnC0Oadyt2tJwV/5t55R5AoGBAPspZttDmOzVkAJDSn9Z
 iByYt1KmwBQ6l7LpFg33a7ds9zWqW4+i6r0PzXvSewf/z69L0cAywSk5CaJJjDso
 dTlNMqwux01wd6V+nQGR871xnsOg+qzgJ565TJZelWgRmNRUooi4DMp5POJA33xp
 rqAISUfW0w2S+q7/5Lm0QiJE
 -----END PRIVATE KEY-----
--- a/checks/mumble/peer_2/peer_2_test_cert
+++ b/checks/mumble/peer_2/peer_2_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_2/peer_2_test_key
+++ b/checks/mumble/peer_2/peer_2_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfP6cZhCs9jOnW
 qyQP12vrOOxlBrWofYZFf9amUA24AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEv
 HujKyy8PgcEGP+pwmsfWNQMvU0Dzj3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU
 1l7fO/OXUlq5kyvIjln7Za4sUHunixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjG
 G+R6MccH8wwQwmLg5oVBkFEZrnREpnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f
 8TYGHqbeMQFCKwusnlWPRtrNdaIcgaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO
 0Bwx8fmRAgMBAAECggEACAkjOnNj5zA0IIP0RuRc6rqtmw9ynTTwUJN51lyVxKI8
 dQDMEq/S2En+J2VyS7z92/XtbgkBIFx83u7VWl5UWpj2j4UsJFB7IwD7zyiJT4D+
 +3cM/kX8Wx4XyQZbfbm47N0MXAgFCkn45hxHH0acLReXwmN9wxoDyl7AIjZRdwvG
 Qq0rnOnIc8kkkew7L6AiFwQS8b77eyzua3d6moKXN9hU/kfiJ6YUFG/WLe0pmQA1
 HbF27YghfeLnYUt50oDuX6jF6CzQhflchWVq/wn8/cxEpg/RMicWE8ulrTk7o27l
 JwCrHrhYEBsPuZO4mxX/DHrAMmhTeFjLaV5bQlz0PQKBgQDgRPSOEixYnKz9iPs/
 EDTlji5LA3Rm6TytRCNsjYY6Trw60KcvYqwyDUCiEjruvOQ9mqgBiQm1VHSalrG3
 RcbVfpEMouyZbEwmTjS8KdOi5x4Z6AX+4yWDN31jX3b8sktgbxV/HRdg3sA3q7MJ
 vExTUuoXg57W+FepIZ+XlhSoQwKBgQC1x6UMAlAeW45/yUUm/LFRcCgb/bdCQx+e
 hSb8w3jdvVoNWgx1j7RsjjFKaZUnseK3qQvVfCm4Qjvlz6MpKDxslaUYuR162Ku0
 e153z/xc7XRoXyPyPLdGZFlWii30jirB7ZqPdyz6mwlWwqdImNerbUqdFt9R8bId
 pYsyHB5zmwKBgBjYCq9iW/9E+/TqI8sMpI95fK9app5v4AThs3rnAqOa7Ucmrh6V
 s7Wnui06D8U6r54Tb+EbqTOpM3Gcl/tRg4FLEA5yTfuA/76Ok1D04Tj+mVsNVPyz
 dQhgMUe835WGusroA12df2V/x5NjNeYyMdJZMQ2ByyrNQAjAbMmCGq+5AoGBAIj8
 ERFysMOfxUvg9b7CkDFJrsAhOzew86P2vYGfIHchGTqUkG0LRTDFGrnzxNXsBGjY
 +DUB40Kajx7IkTETxC0jvA1ceq23l/VjPrZVQt0YiC+a+rCyNn7SYkyHxsfTVr9b
 ea0BZyDXMntyJrPbkjL6Ik8tDE9pLwuOU84ISJ5fAoGAZ2+Ams/VhdZj/wpRpMky
 K4jtS4nzbCmJzzTa6vdVV7Kjer5kFxSFFqMrS/FtJ/RxHeHvxdze9dfGu9jIdTKK
 vSzbyQdHFfZgRkmAKfcoN9u567z7Oc74AQ9UgFEGdEVFQUbfWOevmr8KIPt8nDQK
 J9HuVfILi1kH0jzDd/64TvA=
 -----END PRIVATE KEY-----
--- a/checks/postgresql/default.nix
+++ b/checks/postgresql/default.nix
@@ -0,0 +1,72 @@
 (import ../lib/container-test.nix) ({
  name = "postgresql";
  nodes.machine =
    { self, config, ... }:
    {
      imports = [
        self.nixosModules.clanCore
        self.clanModules.postgresql
        self.clanModules.localbackup
      ];
      clan.postgresql.users.test = { };
      clan.postgresql.databases.test.create.options.OWNER = "test";
      clan.postgresql.databases.test.restore.stopOnRestore = [ "sample-service" ];
      clan.localbackup.targets.hdd.directory = "/mnt/external-disk";
      systemd.services.sample-service = {
        wantedBy = [ "multi-user.target" ];
        script = ''
          while true; do
            echo "Hello, world!"
            sleep 5
          done
        '';
      };
      environment.systemPackages = [ config.services.postgresql.package ];
    };
  testScript =
    { nodes, ... }:
    ''
      start_all()
      machine.wait_for_unit("postgresql")
      machine.wait_for_unit("sample-service")
      # Create a test table
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -c 'CREATE TABLE test (id serial PRIMARY KEY);' test")
      machine.succeed("/run/current-system/sw/bin/localbackup-create >&2")
      timestamp_before = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
      machine.succeed("test -e /mnt/external-disk/snapshot.0/machine/var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'INSERT INTO test DEFAULT VALUES;'")
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'DROP TABLE test;'")
      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
      machine.succeed("rm -rf /var/backup/postgres")
      machine.succeed("NAME=/mnt/external-disk/snapshot.0 FOLDERS=/var/backup/postgres/test /run/current-system/sw/bin/localbackup-restore >&2")
      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
      machine.succeed("""
      set -x
      ${nodes.machine.clan.core.state.test.postRestoreCommand}
      """)
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -l >&2")
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
      timestamp_after = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
      assert timestamp_before < timestamp_after, f"{timestamp_before} >= {timestamp_after}: expected sample-service to be restarted after restore"
      # Check that the table is still there
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'SELECT * FROM test;'")
      output = machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql --csv -c \"SELECT datdba::regrole FROM pg_database WHERE datname = 'test'\"")
      owner = output.split("\n")[1]
      assert owner == "test", f"Expected database owner to be 'test', got '{owner}'"
      # check if restore works if the database does not exist
      machine.succeed("runuser -u postgres -- dropdb test")
      machine.succeed("${nodes.machine.clan.core.state.test.postRestoreCommand}")
      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
    '';
 })
--- a/checks/secrets/default.nix
+++ b/checks/secrets/default.nix
@@ -10,8 +10,8 @@
      environment.etc."group-secret".source = config.sops.secrets.group-secret.path;
      sops.age.keyFile = "/etc/privkey.age";
-      clanCore.clanDir = "${./.}";
+      clan.core.clanDir = "${./.}";
-      clanCore.machineName = "machine";
+      clan.core.machineName = "machine";
      networking.hostName = "machine";
    };
--- a/checks/syncthing/default.nix
+++ b/checks/syncthing/default.nix
@@ -12,14 +12,14 @@
          self.clanModules.syncthing
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "introducer";
+            clan.core.machineName = "introducer";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
            environment.etc = {
              "syncthing.pam".source = ./introducer/introducer_test_cert;
              "syncthing.key".source = ./introducer/introducer_test_key;
              "syncthing.api".source = ./introducer/introducer_test_api;
            };
-            clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
+            clan.core.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
            services.syncthing.cert = "/etc/syncthing.pam";
            services.syncthing.key = "/etc/syncthing.key";
            # Doesn't test zerotier!
@@ -53,8 +53,8 @@
          self.clanModules.syncthing
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "peer1";
+            clan.core.machineName = "peer1";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
              builtins.readFile ./introducer/introducer_device_id
            );
@@ -75,8 +75,8 @@
          self.clanModules.syncthing
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "peer2";
+            clan.core.machineName = "peer2";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
              builtins.readFile ./introducer/introducer_device_id
            );
--- a/checks/wayland-proxy-virtwl/default.nix
+++ b/checks/wayland-proxy-virtwl/default.nix
@@ -14,8 +14,8 @@ import ../lib/test-base.nix (
        imports = [
          self.nixosModules.clanCore
          {
-            clanCore.machineName = "machine";
+            clan.core.machineName = "machine";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
          }
        ];
        services.wayland-proxy-virtwl.enable = true;
--- a/checks/zt-tcp-relay/default.nix
+++ b/checks/zt-tcp-relay/default.nix
@@ -10,8 +10,8 @@
          self.nixosModules.clanCore
          self.clanModules.zt-tcp-relay
          {
-            clanCore.machineName = "machine";
+            clan.core.machineName = "machine";
-            clanCore.clanDir = ./.;
+            clan.core.clanDir = ./.;
          }
        ];
      };
--- a/clanModules/borgbackup-static/README.md
+++ b/clanModules/borgbackup-static/README.md
@@ -0,0 +1,11 @@
 ---
 description = "Statically configure borgbackup with sane defaults."
 ---
 This module implements the `borgbackup` backend and implements sane defaults
 for backup management through `borgbackup` for members of the clan.
 Configure target machines where the backups should be sent to through `targets`.
 Configure machines that should be backuped either through `includeMachines`
 which will exclusively add the included machines to be backuped, or through
 `excludeMachines`, which will add every machine except the excluded machine to the backup.
--- a/clanModules/borgbackup-static/default.nix
+++ b/clanModules/borgbackup-static/default.nix
@@ -0,0 +1,101 @@
 { lib, config, ... }:
 let
  clanDir = config.clan.core.clanDir;
  machineDir = clanDir + "/machines/";
 in
 lib.warn "This module is deprecated use the service via the inventory interface instead." {
  imports = [ ../borgbackup ];
  options.clan.borgbackup-static = {
    excludeMachines = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = [ config.clan.core.machineName ];
      default = [ ];
      description = ''
        Machines that should not be backuped.
        Mutually exclusive with includeMachines.
        If this is not empty, every other machine except the targets in the clan will be backuped by this module.
        If includeMachines is set, only the included machines will be backuped.
      '';
    };
    includeMachines = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = [ config.clan.core.machineName ];
      default = [ ];
      description = ''
        Machines that should be backuped.
        Mutually exclusive with excludeMachines.
      '';
    };
    targets = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Machines that should act as target machines for backups.
      '';
    };
  };
  config.services.borgbackup.repos =
    let
      machines = builtins.readDir machineDir;
      borgbackupIpMachinePath = machines: machineDir + machines + "/facts/borgbackup.ssh.pub";
      filteredMachines =
        if ((builtins.length config.clan.borgbackup-static.includeMachines) != 0) then
          lib.filterAttrs (name: _: (lib.elem name config.clan.borgbackup-static.includeMachines)) machines
        else
          lib.filterAttrs (name: _: !(lib.elem name config.clan.borgbackup-static.excludeMachines)) machines;
      machinesMaybeKey = lib.mapAttrsToList (
        machine: _:
        let
          fullPath = borgbackupIpMachinePath machine;
        in
        if builtins.pathExists fullPath then machine else null
      ) filteredMachines;
      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
      hosts = builtins.map (machine: {
        name = machine;
        value = {
          path = "/var/lib/borgbackup/${machine}";
          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
        };
      }) machinesWithKey;
    in
    lib.mkIf
      (builtins.any (
        target: target == config.clan.core.machineName
      ) config.clan.borgbackup-static.targets)
      (if (builtins.listToAttrs hosts) != null then builtins.listToAttrs hosts else { });
  config.clan.borgbackup.destinations =
    let
      destinations = builtins.map (d: {
        name = d;
        value = {
          repo = "borg@${d}:/var/lib/borgbackup/${config.clan.core.machineName}";
        };
      }) config.clan.borgbackup-static.targets;
    in
    lib.mkIf (builtins.any (
      target: target == config.clan.core.machineName
    ) config.clan.borgbackup-static.includeMachines) (builtins.listToAttrs destinations);
  config.assertions = [
    {
      assertion =
        !(
          ((builtins.length config.clan.borgbackup-static.excludeMachines) != 0)
          && ((builtins.length config.clan.borgbackup-static.includeMachines) != 0)
        );
      message = ''
        The options:
        config.clan.borgbackup-static.excludeMachines = [${builtins.toString config.clan.borgbackup-static.excludeMachines}]
        and
        config.clan.borgbackup-static.includeMachines = [${builtins.toString config.clan.borgbackup-static.includeMachines}]
        are mutually exclusive.
        Use excludeMachines to exclude certain machines and backup the other clan machines.
        Use include machines to only backup certain machines.
      '';
    }
  ];
 }
--- a/clanModules/borgbackup/README.md
+++ b/clanModules/borgbackup/README.md
@@ -1,2 +1,13 @@
 Efficient, deduplicating backup program with optional compression and secure encryption.
 ---
 description = "Efficient, deduplicating backup program with optional compression and secure encryption."
 categories = ["backup"]
 ---
 BorgBackup (short: Borg) gives you:
 - Space efficient storage of backups.
 - Secure, authenticated encryption.
 - Compression: lz4, zstd, zlib, lzma or none.
 - Mountable backups with FUSE.
 - Easy installation on multiple platforms: Linux, macOS, BSD, ...
 - Free software (BSD license).
 - Backed by a large and active open source community.
--- a/clanModules/borgbackup/default.nix
+++ b/clanModules/borgbackup/default.nix
@@ -6,8 +6,73 @@
 }:
 let
  cfg = config.clan.borgbackup;
  preBackupScript = ''
    declare -A preCommandErrors
    ${lib.concatMapStringsSep "\n" (
      state:
      lib.optionalString (state.preBackupCommand != null) ''
        echo "Running pre-backup command for ${state.name}"
        if ! /run/current-system/sw/bin/${state.preBackupCommand}; then
          preCommandErrors["${state.name}"]=1
        fi
      ''
    ) (lib.attrValues config.clan.core.state)}
    if [[ ''${#preCommandErrors[@]} -gt 0 ]]; then
      echo "pre-backup commands failed for the following services:"
      for state in "''${!preCommandErrors[@]}"; do
        echo "  $state"
      done
      exit 1
    fi
  '';
 in
 # Each .nix file in the roles directory is a role
 # TODO: Helper function to set available roles within module meta.
 # roles =
 #   if builtins.pathExists ./roles then
 #     lib.pipe ./roles [
 #       builtins.readDir
 #       (lib.filterAttrs (_n: v: v == "regular"))
 #       lib.attrNames
 #       (map (fileName: lib.removeSuffix ".nix" fileName))
 #     ]
 #   else
 #     null;
 # TODO: make this an interface of every module
 # Maybe load from readme.md
 # metaInfoOption = lib.mkOption {
 #   readOnly = true;
 #   description = ''
 #     Meta is used to retrieve information about this module.
 #     - `availableRoles` is a list of roles that can be assigned via the inventory.
 #     - `category` is used to group services in the clan marketplace.
 #     - `description` is a short description of the service for the clan marketplace.
 #   '';
 #   default = {
 #     description = "Borgbackup is a backup program. Optionally, it supports compression and authenticated encryption.";
 #     availableRoles = roles;
 #     category = "backup";
 #   };
 #   type = lib.types.submodule {
 #     options = {
 #       description = lib.mkOption { type = lib.types.str; };
 #       availableRoles = lib.mkOption { type = lib.types.nullOr (lib.types.listOf lib.types.str); };
 #       category = lib.mkOption {
 #         description = "A category for the service. This is used to group services in the clan ui";
 #         type = lib.types.enum [
 #           "backup"
 #           "network"
 #         ];
 #       };
 #     };
 #   };
 # };
 {
  # options.clan.borgbackup.meta = metaInfoOption;
  options.clan.borgbackup.destinations = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule (
@@ -26,9 +91,9 @@ in
            rsh = lib.mkOption {
              type = lib.types.str;
              default = "ssh -i ${
-                config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
+                config.clan.core.facts.services.borgbackup.secret."borgbackup.ssh".path
-              } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+              } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=Yes";
-              defaultText = "ssh -i \${config.clanCore.facts.services.borgbackup.secret.\"borgbackup.ssh\".path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+              defaultText = "ssh -i \${config.clan.core.facts.services.borgbackup.secret.\"borgbackup.ssh\".path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
              description = "the rsh to use for the backup";
            };
          };
@@ -41,6 +106,16 @@ in
    '';
  };
  options.clan.borgbackup.exclude = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    example = [ "*.pyc" ];
    default = [ ];
    description = ''
      Directories/Files to exclude from the backup.
      Use * as a wildcard.
    '';
  };
  imports = [
    (lib.mkRemovedOptionModule [
      "clan"
@@ -50,21 +125,30 @@ in
  ];
  config = lib.mkIf (cfg.destinations != { }) {
    systemd.services = lib.mapAttrs' (
      _: dest:
      lib.nameValuePair "borgbackup-job-${dest.name}" {
        # since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
        serviceConfig.ExecStartPre = [
          ''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
        ];
      }
    ) cfg.destinations;
    services.borgbackup.jobs = lib.mapAttrs (_: dest: {
-      paths = lib.flatten (map (state: state.folders) (lib.attrValues config.clanCore.state));
+      paths = lib.unique (
-      exclude = [ "*.pyc" ];
+        lib.flatten (map (state: state.folders) (lib.attrValues config.clan.core.state))
      );
      exclude = cfg.exclude;
      repo = dest.repo;
      environment.BORG_RSH = dest.rsh;
      compression = "auto,zstd";
      startAt = "*-*-* 01:00:00";
      persistentTimer = true;
      preHook = ''
        set -x
      '';
      encryption = {
        mode = "repokey";
-        passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
+        passCommand = "cat ${config.clan.core.facts.services.borgbackup.secret."borgbackup.repokey".path}";
      };
      prune.keep = {
@@ -75,7 +159,7 @@ in
      };
    }) cfg.destinations;
-    clanCore.facts.services.borgbackup = {
+    clan.core.facts.services.borgbackup = {
      public."borgbackup.ssh.pub" = { };
      secret."borgbackup.ssh" = { };
      secret."borgbackup.repokey" = { };
@@ -111,7 +195,7 @@ in
      (pkgs.writeShellScriptBin "borgbackup-restore" ''
        set -efux
        cd /
-        IFS=';' read -ra FOLDER <<< "$FOLDERS"
+        IFS=':' read -ra FOLDER <<< "$FOLDERS"
        job_name=$(echo "$NAME" | ${pkgs.gawk}/bin/awk -F'::' '{print $1}')
        backup_name=''${NAME#"$job_name"::}
        if ! command -v borg-job-"$job_name" &> /dev/null; then
@@ -122,7 +206,7 @@ in
      '')
    ];
-    clanCore.backups.providers.borgbackup = {
+    clan.core.backups.providers.borgbackup = {
      list = "borgbackup-list";
      create = "borgbackup-create";
      restore = "borgbackup-restore";
--- a/clanModules/borgbackup/roles/client.nix
+++ b/clanModules/borgbackup/roles/client.nix
@@ -0,0 +1,30 @@
 { config, lib, ... }:
 let
  instances = config.clan.inventory.services.borgbackup;
  # roles = { ${role_name} :: { machines :: [string] } }
  allServers = lib.foldlAttrs (
    acc: _instanceName: instanceConfig:
    acc
    ++ (
      if builtins.elem machineName instanceConfig.roles.client.machines then
        instanceConfig.roles.server.machines
      else
        [ ]
    )
  ) [ ] instances;
  inherit (config.clan.core) machineName;
 in
 {
  config.clan.borgbackup.destinations =
    let
      destinations = builtins.map (serverName: {
        name = serverName;
        value = {
          repo = "borg@${serverName}:/var/lib/borgbackup/${machineName}";
        };
      }) allServers;
    in
    (builtins.listToAttrs destinations);
 }
--- a/clanModules/borgbackup/roles/server.nix
+++ b/clanModules/borgbackup/roles/server.nix
@@ -0,0 +1,51 @@
 { config, lib, ... }:
 let
  clanDir = config.clan.core.clanDir;
  machineDir = clanDir + "/machines/";
  inherit (config.clan.core) machineName;
  instances = config.clan.inventory.services.borgbackup;
  # roles = { ${role_name} :: { machines :: [string] } }
  allClients = lib.foldlAttrs (
    acc: _instanceName: instanceConfig:
    acc
    ++ (
      if (builtins.elem machineName instanceConfig.roles.server.machines) then
        instanceConfig.roles.client.machines
      else
        [ ]
    )
  ) [ ] instances;
 in
 {
  config.services.borgbackup.repos =
    let
      borgbackupIpMachinePath = machines: machineDir + machines + "/facts/borgbackup.ssh.pub";
      machinesMaybeKey = builtins.map (
        machine:
        let
          fullPath = borgbackupIpMachinePath machine;
        in
        if builtins.pathExists fullPath then
          machine
        else
          lib.warn ''
            Machine ${machine} does not have a borgbackup key at ${fullPath},
            run `clan facts generate ${machine}` to generate it.
          '' null
      ) allClients;
      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
      hosts = builtins.map (machine: {
        name = machine;
        value = {
          path = "/var/lib/borgbackup/${machine}";
          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
        };
      }) machinesWithKey;
    in
    if (builtins.listToAttrs hosts) != [ ] then builtins.listToAttrs hosts else { };
 }
--- a/clanModules/deltachat/README.md
+++ b/clanModules/deltachat/README.md
@@ -1,4 +1,5 @@
-Email-based instant messaging for Desktop.
+---
 description = "Email-based instant messaging for Desktop."
 ---
 !!! warning "Under construction"
--- a/clanModules/deltachat/default.nix
+++ b/clanModules/deltachat/default.nix
@@ -5,7 +5,7 @@
  services.maddy =
    let
-      domain = "${config.clanCore.machineName}.local";
+      domain = "${config.clan.core.machineName}.local";
    in
    {
      enable = true;
--- a/clanModules/disk-layouts/README.md
+++ b/clanModules/disk-layouts/README.md
@@ -1,2 +0,0 @@
 Automatically format a disk drive on clan installation
 ---
--- a/clanModules/ergochat/README.md
+++ b/clanModules/ergochat/README.md
@@ -1,2 +1,3 @@
-A modern IRC server
+---
 description = "A modern IRC server"
 ---
--- a/clanModules/ergochat/default.nix
+++ b/clanModules/ergochat/default.nix
@@ -10,5 +10,5 @@ _: {
    };
  };
-  clanCore.state.ergochat.folders = [ "/var/lib/ergo" ];
+  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
 }
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -1,21 +1,24 @@
 { ... }:
 {
  flake.clanModules = {
    disk-layouts = {
      imports = [ ./disk-layouts ];
    };
    borgbackup = ./borgbackup;
    borgbackup-static = ./borgbackup-static;
    deltachat = ./deltachat;
    ergochat = ./ergochat;
    localbackup = ./localbackup;
    localsend = ./localsend;
    single-disk = ./single-disk;
    matrix-synapse = ./matrix-synapse;
    moonlight = ./moonlight;
    packages = ./packages;
    mumble = ./mumble;
    postgresql = ./postgresql;
    root-password = ./root-password;
    sshd = ./sshd;
    sunshine = ./sunshine;
    static-hosts = ./static-hosts;
    syncthing = ./syncthing;
    syncthing-static-peers = ./syncthing-static-peers;
    thelounge = ./thelounge;
    trusted-nix-caches = ./trusted-nix-caches;
    user-password = ./user-password;
--- a/clanModules/localbackup/README.md
+++ b/clanModules/localbackup/README.md
@@ -1,2 +1,3 @@
-Automatically backups current machine to local directory.
+---
 description = "Automatically backups current machine to local directory."
 ---
--- a/clanModules/localbackup/default.nix
+++ b/clanModules/localbackup/default.nix
@@ -6,7 +6,10 @@
 }:
 let
  cfg = config.clan.localbackup;
-  rsnapshotConfig = target: states: ''
+  uniqueFolders = lib.unique (
    lib.flatten (lib.mapAttrsToList (_name: state: state.folders) config.clan.core.state)
  );
  rsnapshotConfig = target: ''
    config_version	1.2
    snapshot_root	${target.directory}
    sync_first	1
@@ -17,12 +20,6 @@ let
    cmd_logger	${pkgs.inetutils}/bin/logger
    cmd_du	${pkgs.coreutils}/bin/du
    cmd_rsnapshot_diff	${pkgs.rsnapshot}/bin/rsnapshot-diff
    ${lib.optionalString (target.preBackupHook != null) ''
      cmd_preexec	${pkgs.writeShellScript "preexec.sh" ''
        set -efu -o pipefail
        ${target.preBackupHook}
      ''}
    ''}
    ${lib.optionalString (target.postBackupHook != null) ''
      cmd_postexec	${pkgs.writeShellScript "postexec.sh" ''
@@ -31,11 +28,9 @@ let
      ''}
    ''}
    retain	snapshot	${builtins.toString config.clan.localbackup.snapshots}
-    ${lib.concatMapStringsSep "\n" (state: ''
+    ${lib.concatMapStringsSep "\n" (folder: ''
-      ${lib.concatMapStringsSep "\n" (folder: ''
+      backup	${folder}	${config.networking.hostName}/
-        backup	${folder}	${config.networking.hostName}/
+    '') uniqueFolders}
      '') state.folders}
    '') states}
  '';
 in
 {
@@ -129,14 +124,29 @@ in
              ]
            }
            ${lib.concatMapStringsSep "\n" (target: ''
-              (
+              ${mountHook target}
-                ${mountHook target}
+              echo "Creating backup '${target.name}'"
-                echo "Creating backup '${target.name}'"
+
-                rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target (lib.attrValues config.clanCore.state))}" sync
+              ${lib.optionalString (target.preBackupHook != null) ''
-                rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target (lib.attrValues config.clanCore.state))}" snapshot
+                (
-              )
+                  ${target.preBackupHook}
-            '') (builtins.attrValues cfg.targets)}
+                )
-          '')
+              ''}
              declare -A preCommandErrors
              ${lib.concatMapStringsSep "\n" (
                state:
                lib.optionalString (state.preBackupCommand != null) ''
                  echo "Running pre-backup command for ${state.name}"
                  if ! /run/current-system/sw/bin/${state.preBackupCommand}; then
                    preCommandErrors["${state.name}"]=1
                  fi
                ''
              ) (builtins.attrValues config.clan.core.state)}
              rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target)}" sync
              rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target)}" snapshot
            '') (builtins.attrValues cfg.targets)}'')
          (pkgs.writeShellScriptBin "localbackup-list" ''
            set -efu -o pipefail
            export PATH=${
@@ -167,6 +177,14 @@ in
                pkgs.gawk
              ]
            }
            if [[ "''${NAME:-}" == "" ]]; then
              echo "No backup name given via NAME environment variable"
              exit 1
            fi
            if [[ "''${FOLDERS:-}" == "" ]]; then
              echo "No folders given via FOLDERS environment variable"
              exit 1
            fi
            name=$(awk -F'::' '{print $1}' <<< $NAME)
            backupname=''${NAME#$name::}
@@ -182,8 +200,9 @@ in
              exit 1
            fi
-            IFS=';' read -ra FOLDER <<< "$FOLDERS"
+            IFS=':' read -ra FOLDER <<< "''$FOLDERS"
            for folder in "''${FOLDER[@]}"; do
              mkdir -p "$folder"
              rsync -a "$backupname/${config.networking.hostName}$folder/" "$folder"
            done
          '')
@@ -213,7 +232,7 @@ in
          ''
        ) cfg.targets;
-      clanCore.backups.providers.localbackup = {
+      clan.core.backups.providers.localbackup = {
        # TODO list needs to run locally or on the remote machine
        list = "localbackup-list";
        create = "localbackup-create";
--- a/clanModules/localsend/README.md
+++ b/clanModules/localsend/README.md
@@ -1,2 +1,3 @@
-Securely sharing files and messages over a local network without internet connectivity.
+---
 description = "Securely sharing files and messages over a local network without internet connectivity."
 ---
--- a/clanModules/localsend/default.nix
+++ b/clanModules/localsend/default.nix
@@ -9,7 +9,7 @@
  # - cli frontend: https://github.com/localsend/localsend/issues/11
  # - ipv6 support: https://github.com/localsend/localsend/issues/549
  options.clan.localsend = {
-    enable = lib.mkEnableOption (lib.mdDoc "enable the localsend module");
+    enable = lib.mkEnableOption "enable the localsend module";
    defaultLocation = lib.mkOption {
      type = lib.types.str;
      description = "The default download location";
@@ -18,7 +18,7 @@
  };
  config = lib.mkIf config.clan.localsend.enable {
-    clanCore.state.localsend.folders = [
+    clan.core.state.localsend.folders = [
      "/var/localsend"
      config.clan.localsend.defaultLocation
    ];
--- a/clanModules/matrix-synapse/README.md
+++ b/clanModules/matrix-synapse/README.md
@@ -1,2 +1,3 @@
-A federated messaging server with end-to-end encryption.
+---
 description = "A federated messaging server with end-to-end encryption."
 ---
--- a/clanModules/matrix-synapse/default.nix
+++ b/clanModules/matrix-synapse/default.nix
@@ -6,16 +6,65 @@
 }:
 let
  cfg = config.clan.matrix-synapse;
  nginx-vhost = "matrix.${config.clan.matrix-synapse.domain}";
  element-web =
    pkgs.runCommand "element-web-with-config" { nativeBuildInputs = [ pkgs.buildPackages.jq ]; }
      ''
        cp -r ${pkgs.element-web} $out
        chmod -R u+w $out
        jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${config.clan.matrix-synapse.domain}" }' \
          > $out/config.json < ${pkgs.element-web}/config.json
        ln -s $out/config.json $out/config.${nginx-vhost}.json
      '';
 in
 # FIXME: This was taken from upstream. Drop this when our patch is upstream
 {
  options.services.matrix-synapse.package = lib.mkOption { readOnly = false; };
  options.clan.matrix-synapse = {
    enable = lib.mkEnableOption "Enable matrix-synapse";
    domain = lib.mkOption {
      type = lib.types.str;
      description = "The domain name of the matrix server";
      example = "example.com";
    };
    users = lib.mkOption {
      default = { };
      type = lib.types.attrsOf (
        lib.types.submodule (
          { name, ... }:
          {
            options = {
              name = lib.mkOption {
                type = lib.types.str;
                default = name;
                description = "The name of the user";
              };
              admin = lib.mkOption {
                type = lib.types.bool;
                default = false;
                description = "Whether the user should be an admin";
              };
            };
          }
        )
      );
      description = "A list of users. Not that only new users will be created and existing ones are not modified.";
      example.alice = {
        admin = true;
      };
    };
  };
-  config = lib.mkIf cfg.enable {
+  imports = [
    ../postgresql
    (lib.mkRemovedOptionModule [
      "clan"
      "matrix-synapse"
      "enable"
    ] "Importing the module will already enable the service.")
    ../postgresql
  ];
  config = {
    services.matrix-synapse = {
      enable = true;
      settings = {
@@ -29,6 +78,7 @@ in
          "turn:turn.matrix.org?transport=udp"
          "turn:turn.matrix.org?transport=tcp"
        ];
        registration_shared_secret_path = "/run/synapse-registration-shared-secret";
        listeners = [
          {
            port = 8008;
@@ -49,45 +99,76 @@ in
          }
        ];
      };
      extraConfigFiles = [ "/var/lib/matrix-synapse/registration_shared_secret.yaml" ];
    };
    systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
      "+${pkgs.writeScript "copy_registration_shared_secret" ''
        #!/bin/sh
        cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
        chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
        chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
      ''}"
    ];
    clanCore.facts.services."matrix-synapse" = {
      secret."synapse-registration_shared_secret" = { };
      generator.path = with pkgs; [
        coreutils
        pwgen
      ];
      generator.script = ''
        echo "registration_shared_secret: $(pwgen -s 32 1)" > "$secrets"/synapse-registration_shared_secret
      '';
    };
-    services.postgresql.enable = true;
+    systemd.tmpfiles.settings."01-matrix" = {
-    # we need to use both ensusureDatabases and initialScript, because the former runs everytime but with the wrong collation
+      "/run/synapse-registration-shared-secret" = {
-    services.postgresql = {
+        C.argument =
-      ensureDatabases = [ "matrix-synapse" ];
+          config.clan.core.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path;
-      ensureUsers = [
+        z = {
-        {
+          mode = "0400";
-          name = "matrix-synapse";
+          user = "matrix-synapse";
-          ensureDBOwnership = true;
+        };
      };
    };
    clan.postgresql.users.matrix-synapse = { };
    clan.postgresql.databases.matrix-synapse.create.options = {
      TEMPLATE = "template0";
      LC_COLLATE = "C";
      LC_CTYPE = "C";
      ENCODING = "UTF8";
      OWNER = "matrix-synapse";
    };
    clan.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ];
    clan.core.facts.services =
      {
        "matrix-synapse" = {
          secret."synapse-registration_shared_secret" = { };
          generator.path = with pkgs; [
            coreutils
            pwgen
          ];
          generator.script = ''
            echo -n "$(pwgen -s 32 1)" > "$secrets"/synapse-registration_shared_secret
          '';
        };
      }
      // lib.mapAttrs' (
        name: user:
        lib.nameValuePair "matrix-password-${user.name}" {
          secret."matrix-password-${user.name}" = { };
          generator.path = with pkgs; [ xkcdpass ];
          generator.script = ''
            xkcdpass -n 4 -d - > "$secrets"/${lib.escapeShellArg "matrix-password-${user.name}"}
          '';
        }
-      ];
+      ) cfg.users;
-      initialScript = pkgs.writeText "synapse-init.sql" ''
+
-        CREATE DATABASE "matrix-synapse"
+    systemd.services.matrix-synapse =
-          TEMPLATE template0
+      let
-          LC_COLLATE = "C"
+        usersScript =
-          LC_CTYPE = "C";
+          ''
-      '';
+            while ! ${pkgs.netcat}/bin/nc -z -v ::1 8008; do
-    };
+              if ! kill -0 "$MAINPID"; then exit 1; fi
              sleep 1;
            done
          ''
          + lib.concatMapStringsSep "\n" (user: ''
            # only create user if it doesn't exist
            /run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${
              config.clan.core.facts.services."matrix-password-${user.name}".secret."matrix-password-${user.name}".path
            } --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"}
          '') (lib.attrValues cfg.users);
      in
      {
        path = [ pkgs.curl ];
        serviceConfig.ExecStartPost = [
          (''+${pkgs.writeShellScript "matrix-synapse-create-users" usersScript}'')
        ];
      };
    services.nginx = {
      enable = true;
      virtualHosts = {
@@ -102,7 +183,7 @@ in
            return 200 '${
              builtins.toJSON {
                "m.homeserver" = {
-                  "base_url" = "https://matrix.${cfg.domain}";
+                  "base_url" = "https://${nginx-vhost}";
                };
                "m.identity_server" = {
                  "base_url" = "https://vector.im";
@@ -111,15 +192,12 @@ in
            }';
          '';
        };
-        "matrix.${cfg.domain}" = {
+        ${nginx-vhost} = {
          forceSSL = true;
          enableACME = true;
-          locations."/_matrix" = {
+          locations."/_matrix".proxyPass = "http://localhost:8008";
-            proxyPass = "http://localhost:8008";
+          locations."/_synapse".proxyPass = "http://localhost:8008";
-          };
+          locations."/".root = element-web;
          locations."/test".extraConfig = ''
            return 200 "Hello, world!";
          '';
        };
      };
    };
--- a/clanModules/moonlight/README.md
+++ b/clanModules/moonlight/README.md
@@ -1,2 +1,3 @@
-A desktop streaming client optimized for remote gaming and synchronized movie viewing.
+---
 description = "A desktop streaming client optimized for remote gaming and synchronized movie viewing."
 ---
--- a/clanModules/moonlight/default.nix
+++ b/clanModules/moonlight/default.nix
@@ -13,10 +13,10 @@ in
  systemd.tmpfiles.rules = [
    "d '/var/lib/moonlight' 0770 'user' 'users' - -"
    "C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
-      config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
+      config.clan.core.facts.services.moonlight.secret."moonlight.cert".path or ""
    }"
    "C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
-      config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
+      config.clan.core.facts.services.moonlight.secret."moonlight.key".path or ""
    }"
  ];
@@ -45,7 +45,7 @@ in
  systemd.user.services.moonlight-join = {
    description = "Join sunshine hosts";
    script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
-      config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
+      config.clan.core.facts.services.moonlight.public."moonlight.cert".value or ""
    }' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
    serviceConfig = {
      Type = "oneshot";
@@ -68,7 +68,7 @@ in
    };
  };
-  clanCore.facts.services.moonlight = {
+  clan.core.facts.services.moonlight = {
    secret."moonlight.key" = { };
    secret."moonlight.cert" = { };
    public."moonlight.cert" = { };
--- a/clanModules/mumble/README.md
+++ b/clanModules/mumble/README.md
@@ -0,0 +1,14 @@
 ---
 description = "Open Source, Low Latency, High Quality Voice Chat."
 categories = ["chat", "voice"]
 ---
 The mumble clan module gives you:
 - True low latency voice communication.
 - Secure, authenticated encryption.
 - Free software.
 - Backed by a large and active open-source community.
 This all set up in a way that allows peer-to-peer hosting.
 Every machine inside the clan can be a host for mumble, 
 and thus it doesn't matter who in the network is online - as long as two people are online they are able to chat with each other.
--- a/clanModules/mumble/default.nix
+++ b/clanModules/mumble/default.nix
@@ -0,0 +1,105 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  clanDir = lib.trace config.clan.core.clanDir config.clan.core.clanDir;
  machineDir = clanDir + "/machines/";
  machinesFileSet = builtins.readDir machineDir;
  machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
  machineJson = builtins.toJSON (lib.trace machines machines);
  certificateMachinePath = machines: machineDir + "/${machines}" + "/facts/mumble-cert";
  certificatesUnchecked = builtins.map (
    machine:
    let
      fullPath = certificateMachinePath machine;
    in
    if builtins.pathExists (lib.trace fullPath fullPath) then machine else null
  ) machines;
  certificate = lib.filter (machine: machine != null) certificatesUnchecked;
  machineCert = builtins.map (
    machine:
    lib.trace machine (lib.nameValuePair machine (builtins.readFile (certificateMachinePath machine)))
  ) certificate;
  machineCertJson = builtins.toJSON (lib.trace machineCert machineCert);
 in
 {
  options.clan.services.mumble = {
    user = lib.mkOption {
      type = lib.types.string;
      default = "alice";
      description = "The user mumble should be set up for.";
    };
  };
  config = {
    services.murmur = {
      enable = true;
      logDays = -1;
      registerName = config.clan.core.machineName;
      openFirewall = true;
      bonjour = true;
      sslKey = config.clan.core.facts.services.mumble.secret.mumble-key.path;
      sslCert = config.clan.core.facts.services.mumble.public.mumble-cert.path;
    };
    clan.core.state.mumble.folders = [
      "/var/lib/mumble"
      "/var/lib/murmur"
    ];
    systemd.tmpfiles.rules = [
      "d '/var/lib/mumble' 0770 '${config.clan.services.mumble.user}' 'users' - -"
    ];
    environment.systemPackages =
      let
        mumbleCfgDir = "/var/lib/mumble";
        mumbleDatabasePath = "${mumbleCfgDir}/mumble.sqlite";
        mumbleCfgPath = "/var/lib/mumble/mumble_settings.json";
        populate-channels = pkgs.writers.writePython3 "mumble-populate-channels" {
          libraries = [
            pkgs.python3Packages.cryptography
            pkgs.python3Packages.pyopenssl
          ];
          flakeIgnore = [
            # We don't live in the dark ages anymore.
            # Languages like Python that are whitespace heavy will overrun
            # 79 characters..
            "E501"
          ];
        } (builtins.readFile ./mumble-populate-channels.py);
        mumble = pkgs.writeShellScriptBin "mumble" ''
          set -xeu
          mkdir -p ${mumbleCfgDir}
          pushd "${mumbleCfgDir}"
          XDG_DATA_HOME=${mumbleCfgDir}
          XDG_DATA_DIR=${mumbleCfgDir}
          ${populate-channels} --ensure-config '${mumbleCfgPath}' --db-location ${mumbleDatabasePath}
          echo ${machineCertJson}
          ${populate-channels} --machines '${machineJson}' --username ${config.clan.core.machineName} --db-location ${mumbleDatabasePath}
          ${populate-channels} --servers '${machineCertJson}' --username ${config.clan.core.machineName} --db-location ${mumbleDatabasePath} --cert True
          ${pkgs.mumble}/bin/mumble --config ${mumbleCfgPath} "$@"
          popd
        '';
      in
      [ mumble ];
    clan.core.facts.services.mumble = {
      secret.mumble-key = { };
      public.mumble-cert = { };
      generator.path = [
        pkgs.coreutils
        pkgs.openssl
      ];
      generator.script = ''
        openssl genrsa -out $secrets/mumble-key 2048
        openssl req -new -x509 -key $secrets/mumble-key -out $facts/mumble-cert
      '';
    };
  };
 }
--- a/clanModules/mumble/mumble-populate-channels.py
+++ b/clanModules/mumble/mumble-populate-channels.py
@@ -0,0 +1,249 @@
 import argparse
 import json
 import os
 import sqlite3
 def ensure_config(path: str, db_path: str) -> None:
    # Default JSON structure if the file doesn't exist
    default_json = {
        "misc": {
            "audio_wizard_has_been_shown": True,
            "database_location": db_path,
            "viewed_server_ping_consent_message": True,
        },
        "settings_version": 1,
    }
    # Check if the file exists
    if os.path.exists(path):
        with open(path) as file:
            data = json.load(file)
    else:
        data = default_json
        # Create the file with default JSON structure
        with open(path, "w") as file:
            json.dump(data, file, indent=4)
    # TODO: make sure to only update the diff
    updated_data = {**default_json, **data}
    # Write the modified JSON object back to the file
    with open(path, "w") as file:
        json.dump(updated_data, file, indent=4)
 def initialize_database(db_location: str) -> None:
    """
    Initializes the database. If the database or the servers table does not exist, it creates them.
    :param db_location: The path to the SQLite database
    """
    conn = sqlite3.connect(db_location)
    try:
        cursor = conn.cursor()
        # Create the servers table if it doesn't exist
        cursor.execute("""
        CREATE TABLE IF NOT EXISTS servers (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT NOT NULL,
            hostname TEXT NOT NULL,
            port INTEGER NOT NULL,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            url TEXT
        )
        """)
        # Commit the changes
        conn.commit()
    except sqlite3.Error as e:
        print(f"An error occurred while initializing the database: {e}")
    finally:
        conn.close()
 def initialize_certificates(
    db_location: str, hostname: str, port: str, digest: str
 ) -> None:
    # Connect to the SQLite database
    conn = sqlite3.connect(db_location)
    try:
        # Create a cursor object
        cursor = conn.cursor()
        # TODO: check if cert already there
        # if server_check(cursor, name, hostname):
        #     print(
        #         f"Server with name '{name}' and hostname '{hostname}' already exists."
        #     )
        #     return
        # SQL command to insert data into the servers table
        insert_query = """
        INSERT INTO cert (hostname, port, digest)
        VALUES (?, ?, ?)
        """
        # Data to be inserted
        data = (hostname, port, digest)
        # Execute the insert command with the provided data
        cursor.execute(insert_query, data)
        # Commit the changes
        conn.commit()
        print("Data has been successfully inserted.")
    except sqlite3.Error as e:
        print(f"An error occurred: {e}")
    finally:
        # Close the connection
        conn.close()
    pass
 def calculate_digest(cert: str) -> str:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes
    cert = cert.strip()
    cert = cert.encode("utf-8")
    cert = x509.load_pem_x509_certificate(cert, default_backend())
    digest = cert.fingerprint(hashes.SHA1()).hex()
    return digest
 def server_check(cursor: str, name: str, hostname: str) -> bool:
    """
    Check if a server with the given name and hostname already exists.
    :param cursor: The database cursor
    :param name: The name of the server
    :param hostname: The hostname of the server
    :return: True if the server exists, False otherwise
    """
    check_query = """
    SELECT 1 FROM servers WHERE name = ? AND hostname = ?
    """
    cursor.execute(check_query, (name, hostname))
    return cursor.fetchone() is not None
 def insert_server(
    name: str,
    hostname: str,
    port: str,
    username: str,
    password: str,
    url: str,
    db_location: str,
 ) -> None:
    """
    Inserts a new server record into the servers table.
    :param name: The name of the server
    :param hostname: The hostname of the server
    :param port: The port number
    :param username: The username
    :param password: The password
    :param url: The URL
    """
    # Connect to the SQLite database
    conn = sqlite3.connect(db_location)
    try:
        # Create a cursor object
        cursor = conn.cursor()
        if server_check(cursor, name, hostname):
            print(
                f"Server with name '{name}' and hostname '{hostname}' already exists."
            )
            return
        # SQL command to insert data into the servers table
        insert_query = """
        INSERT INTO servers (name, hostname, port, username, password, url)
        VALUES (?, ?, ?, ?, ?, ?)
        """
        # Data to be inserted
        data = (name, hostname, port, username, password, url)
        # Execute the insert command with the provided data
        cursor.execute(insert_query, data)
        # Commit the changes
        conn.commit()
        print("Data has been successfully inserted.")
    except sqlite3.Error as e:
        print(f"An error occurred: {e}")
    finally:
        # Close the connection
        conn.close()
 if __name__ == "__main__":
    port = 64738
    password = ""
    url = None
    parser = argparse.ArgumentParser(
        prog="initialize_mumble",
    )
    subparser = parser.add_subparsers(dest="certificates")
    # cert_parser = subparser.add_parser("certificates")
    parser.add_argument("--cert")
    parser.add_argument("--digest")
    parser.add_argument("--machines")
    parser.add_argument("--servers")
    parser.add_argument("--username")
    parser.add_argument("--db-location")
    parser.add_argument("--ensure-config")
    args = parser.parse_args()
    print(args)
    if args.ensure_config:
        ensure_config(args.ensure_config, args.db_location)
        print("Initialized config")
        exit(0)
    if args.servers:
        print(args.servers)
        servers = json.loads(f"{args.servers}")
        db_location = args.db_location
        for server in servers:
            digest = calculate_digest(server.get("value"))
            name = server.get("name")
            initialize_certificates(db_location, name, port, digest)
        print("Initialized certificates")
        exit(0)
    initialize_database(args.db_location)
    # Insert the server into the database
    print(args.machines)
    machines = json.loads(f"{args.machines}")
    print(machines)
    print(list(machines))
    for machine in list(machines):
        print(f"Inserting {machine}.")
        insert_server(
            machine,
            machine,
            port,
            args.username,
            password,
            url,
            args.db_location,
        )
--- a/clanModules/mumble/test.nix
+++ b/clanModules/mumble/test.nix
@@ -0,0 +1,42 @@
 { pkgs, self, ... }:
 pkgs.nixosTest {
  name = "mumble";
  nodes.peer1 =
    { ... }:
    {
      imports = [
        self.nixosModules.mumble
        self.inputs.clan-core.nixosModules.clanCore
        {
          config = {
            clan.core.machineName = "peer1";
            clan.core.clanDir = ./.;
            documentation.enable = false;
          };
        }
      ];
    };
  nodes.peer2 =
    { ... }:
    {
      imports = [
        self.nixosModules.mumble
        self.inputs.clan-core.nixosModules.clanCore
        {
          config = {
            clan.core.machineName = "peer2";
            clan.core.clanDir = ./.;
            documentation.enable = false;
          };
        }
      ];
    };
  testScript = ''
    start_all()
  '';
 }
--- a/clanModules/packages/README.md
+++ b/clanModules/packages/README.md
@@ -0,0 +1,4 @@
 ---
 description = "Define package sets from nixpkgs and install them on one or more machines"
 categories = ["packages"]
 ---
--- a/clanModules/packages/default.nix
+++ b/clanModules/packages/default.nix
@@ -0,0 +1,19 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  options.clan.packages = {
    packages = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "The packages to install on the machine";
    };
  };
  config = {
    environment.systemPackages = map (
      pName: lib.getAttrFromPath (lib.splitString "." pName) pkgs
    ) config.clan.packages.packages;
  };
 }
--- a/clanModules/packages/roles/default.nix
+++ b/clanModules/packages/roles/default.nix
@@ -0,0 +1 @@
 { }
--- a/clanModules/postgresql/README.md
+++ b/clanModules/postgresql/README.md
@@ -0,0 +1,3 @@
 ---
 description = "A free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance."
 ---
--- a/clanModules/postgresql/default.nix
+++ b/clanModules/postgresql/default.nix
@@ -0,0 +1,226 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  createDatatbaseState =
    db:
    let
      folder = "/var/backup/postgres/${db.name}";
      current = "${folder}/pg-dump";
      compression = lib.optionalString (lib.versionAtLeast config.services.postgresql.package.version "16") "--compress=zstd";
    in
    {
      folders = [ folder ];
      preBackupScript = ''
        export PATH=${
          lib.makeBinPath [
            config.services.postgresql.package
            config.systemd.package
            pkgs.coreutils
            pkgs.util-linux
            pkgs.zstd
          ]
        }
        while [[ "$(systemctl is-active postgresql)" == activating ]]; do
          sleep 1
        done
        mkdir -p "${folder}"
        runuser -u postgres -- pg_dump ${compression} --dbname=${db.name} -Fc -c > "${current}.tmp"
        mv "${current}.tmp" ${current}
      '';
      postRestoreScript = ''
        export PATH=${
          lib.makeBinPath [
            config.services.postgresql.package
            config.systemd.package
            pkgs.coreutils
            pkgs.util-linux
            pkgs.zstd
            pkgs.gnugrep
          ]
        }
        while [[ "$(systemctl is-active postgresql)" == activating ]]; do
          sleep 1
        done
        echo "Waiting for postgres to be ready..."
        while ! runuser -u postgres -- psql --port=${builtins.toString config.services.postgresql.settings.port} -d postgres -c "" ; do
          if ! systemctl is-active postgresql; then exit 1; fi
          sleep 0.1
        done
        if [[ -e "${current}" ]]; then
          (
            systemctl stop ${lib.concatStringsSep " " db.restore.stopOnRestore}
            trap "systemctl start ${lib.concatStringsSep " " db.restore.stopOnRestore}" EXIT
            mkdir -p "${folder}"
            if runuser -u postgres -- psql -d postgres -c "SELECT 1 FROM pg_database WHERE datname = '${db.name}'" | grep -q 1; then
              runuser -u postgres -- dropdb "${db.name}"
            fi
            runuser -u postgres -- pg_restore -C -d postgres "${current}"
          )
        else
          echo No database backup found, skipping restore
        fi
      '';
    };
  createDatabase = db: ''
    CREATE DATABASE "${db.name}" ${
      lib.concatStringsSep " " (
        lib.mapAttrsToList (name: value: "${name} = '${value}'") db.create.options
      )
    }
  '';
  cfg = config.clan.postgresql;
  userClauses = lib.mapAttrsToList (
    _: user:
    ''$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' ''
  ) cfg.users;
  databaseClauses = lib.mapAttrsToList (
    name: db:
    lib.optionalString db.create.enable ''$PSQL -d postgres -c "SELECT 1 FROM pg_database WHERE datname = '${name}'" | grep -q 1 || $PSQL -d postgres -c ${lib.escapeShellArg (createDatabase db)} ''
  ) cfg.databases;
 in
 {
  options.clan.postgresql = {
    # we are reimplemeting ensureDatabase and ensureUser options here to allow to create databases with options
    databases = lib.mkOption {
      description = "Databases to create";
      default = { };
      type = lib.types.attrsOf (
        lib.types.submodule (
          { name, ... }:
          {
            options = {
              name = lib.mkOption {
                type = lib.types.str;
                default = name;
                description = "Database name.";
              };
              service = lib.mkOption {
                type = lib.types.str;
                default = name;
                description = "Service name that we associate with the database.";
              };
              # set to false, in case the upstream module uses ensureDatabase option
              create.enable = lib.mkOption {
                type = lib.types.bool;
                default = true;
                description = "Create the database if it does not exist.";
              };
              create.options = lib.mkOption {
                description = "Options to pass to the CREATE DATABASE command.";
                type = lib.types.lazyAttrsOf lib.types.str;
                default = { };
                example = {
                  TEMPLATE = "template0";
                  LC_COLLATE = "C";
                  LC_CTYPE = "C";
                  ENCODING = "UTF8";
                  OWNER = "foo";
                };
              };
              restore.stopOnRestore = lib.mkOption {
                type = lib.types.listOf lib.types.str;
                default = [ ];
                description = "List of systemd services to stop before restoring the database.";
              };
            };
          }
        )
      );
    };
    users = lib.mkOption {
      description = "Users to create";
      default = { };
      type = lib.types.attrsOf (
        lib.types.submodule (
          { name, ... }:
          {
            options.name = lib.mkOption {
              description = "User name";
              type = lib.types.str;
              default = name;
            };
          }
        )
      );
    };
  };
  config = {
    services.postgresql.settings = {
      wal_level = "replica";
      max_wal_senders = 3;
    };
    services.postgresql.enable = true;
    # We are duplicating a bit the upstream module but allow to create databases with options
    systemd.services.postgresql.postStart = ''
      PSQL="psql --port=${builtins.toString config.services.postgresql.settings.port}"
      while ! $PSQL -d postgres -c "" 2> /dev/null; do
        if ! kill -0 "$MAINPID"; then exit 1; fi
        sleep 0.1
      done
      ${lib.concatStringsSep "\n" userClauses}
      ${lib.concatStringsSep "\n" databaseClauses}
    '';
    clan.core.state = lib.mapAttrs' (
      _: db: lib.nameValuePair db.service (createDatatbaseState db)
    ) config.clan.postgresql.databases;
    environment.systemPackages = builtins.map (
      db:
      let
        folder = "/var/backup/postgres/${db.name}";
        current = "${folder}/pg-dump";
      in
      pkgs.writeShellScriptBin "postgres-db-restore-command-${db.name}" ''
        export PATH=${
          lib.makeBinPath [
            config.services.postgresql.package
            config.systemd.package
            pkgs.coreutils
            pkgs.util-linux
            pkgs.zstd
            pkgs.gnugrep
          ]
        }
        while [[ "$(systemctl is-active postgresql)" == activating ]]; do
          sleep 1
        done
        echo "Waiting for postgres to be ready..."
        while ! runuser -u postgres -- psql --port=${builtins.toString config.services.postgresql.settings.port} -d postgres -c "" ; do
          if ! systemctl is-active postgresql; then exit 1; fi
          sleep 0.1
        done
        if [[ -e "${current}" ]]; then
          (
            ${
              lib.optionalString (db.restore.stopOnRestore != [ ]) ''
                systemctl stop ${builtins.toString db.restore.stopOnRestore}
                trap "systemctl start ${builtins.toString db.restore.stopOnRestore}" EXIT
              ''
            }
            mkdir -p "${folder}"
            if runuser -u postgres -- psql -d postgres -c "SELECT 1 FROM pg_database WHERE datname = '${db.name}'" | grep -q 1; then
              runuser -u postgres -- dropdb "${db.name}"
            fi
            runuser -u postgres -- pg_restore -C -d postgres "${current}"
          )
        else
          echo No database backup found, skipping restore
        fi
      ''
    ) (builtins.attrValues config.clan.postgresql.databases);
  };
 }
--- a/clanModules/root-password/README.md
+++ b/clanModules/root-password/README.md
@@ -1,4 +1,5 @@
-Automatically generates and configures a password for the root user.
+---
 description = "Automatically generates and configures a password for the root user."
 ---
 After the system was installed/deployed the following command can be used to display the root-password:
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -1,10 +1,19 @@
-{ pkgs, config, ... }:
+{
  pkgs,
  config,
  lib,
  ...
 }:
 {
  users.mutableUsers = false;
  users.users.root.hashedPasswordFile =
-    config.clanCore.facts.services.root-password.secret.password-hash.path;
+    config.clan.core.facts.services.root-password.secret.password-hash.path;
-  sops.secrets."${config.clanCore.machineName}-password-hash".neededForUsers = true;
+
-  clanCore.facts.services.root-password = {
+  sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
    "${config.clan.core.machineName}-password-hash".neededForUsers = true;
  };
  clan.core.facts.services.root-password = {
    secret.password = { };
    secret.password-hash = { };
    generator.path = with pkgs; [
@@ -13,8 +22,8 @@
      mkpasswd
    ];
    generator.script = ''
-      xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/password
+      xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password
-      cat $secrets/password | mkpasswd -s -m sha-512 > $secrets/password-hash
+      cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
    '';
  };
 }
--- a/clanModules/single-disk/README.md
+++ b/clanModules/single-disk/README.md
@@ -0,0 +1,42 @@
 ---
 description = "Configures partitioning of the main disk"
 categories = ["disk-layout"]
 ---
 # Primary Disk Layout
 A module for the "disk-layout" category MUST be choosen.
 There is exactly one slot for this type of module in the UI, if you don't fill the slot, your machine cannot boot
 This module is a good choice for most machines. In the future clan will offer a broader choice of disk-layouts
 The UI will ask for the options of this module:
 `device: "/dev/null"`
 # Usage example
 `inventory.json`
 ```json
 "services": {
    "single-disk": {
        "default": {
            "meta": {
                "name": "single-disk"
            },
            "roles": {
                "default": {
                    "machines": ["jon"]
                }
            },
            "machines": {
                "jon": {
                    "config": {
                        "device": "/dev/null"
                    }
                }
            }
        }
    }
 }
 ```
--- a/clanModules/single-disk/default.nix
+++ b/clanModules/single-disk/default.nix
@@ -0,0 +1,53 @@
 { lib, config, ... }:
 {
  options.clan.single-disk = {
    device = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.str;
      description = "The primary disk device to install the system on";
      # Question: should we set a default here?
      # default = "/dev/null";
    };
  };
  config = {
    boot.loader.grub.efiSupport = lib.mkDefault true;
    boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
    disko.devices = {
      disk = {
        main = {
          type = "disk";
          # This is set through the UI
          device = config.clan.single-disk.device;
          content = {
            type = "gpt";
            partitions = {
              boot = {
                size = "1M";
                type = "EF02"; # for grub MBR
                priority = 1;
              };
              ESP = {
                size = "512M";
                type = "EF00";
                content = {
                  type = "filesystem";
                  format = "vfat";
                  mountpoint = "/boot";
                };
              };
              root = {
                size = "100%";
                content = {
                  type = "filesystem";
                  format = "ext4";
                  mountpoint = "/";
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/clanModules/single-disk/roles/default.nix
+++ b/clanModules/single-disk/roles/default.nix
@@ -0,0 +1 @@
 { }
--- a/clanModules/sshd/README.md
+++ b/clanModules/sshd/README.md
@@ -1,2 +1,3 @@
-Enables secure remote access to the machine over ssh
+---
 description = "Enables secure remote access to the machine over ssh"
 ---
--- a/clanModules/sshd/default.nix
+++ b/clanModules/sshd/default.nix
@@ -5,12 +5,12 @@
  services.openssh.hostKeys = [
    {
-      path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
+      path = config.clan.core.facts.services.openssh.secret."ssh.id_ed25519".path;
      type = "ed25519";
    }
  ];
-  clanCore.facts.services.openssh = {
+  clan.core.facts.services.openssh = {
    secret."ssh.id_ed25519" = { };
    public."ssh.id_ed25519.pub" = { };
    generator.path = [
--- a/clanModules/static-hosts/README.md
+++ b/clanModules/static-hosts/README.md
@@ -1,2 +1,3 @@
-Statically configure the host names of machines based on their respective zerotier-ip.
+---
 description = "Statically configure the host names of machines based on their respective zerotier-ip."
 ---
--- a/clanModules/static-hosts/default.nix
+++ b/clanModules/static-hosts/default.nix
@@ -3,20 +3,36 @@
  options.clan.static-hosts = {
    excludeHosts = lib.mkOption {
      type = lib.types.listOf lib.types.str;
-      default = [ config.clanCore.machineName ];
+      default =
        if config.clan.static-hosts.topLevelDomain != "" then [ ] else [ config.clan.core.machineName ];
      description = "Hosts that should be excluded";
    };
    topLevelDomain = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = "Top level domain to reach hosts";
    };
  };
  config.networking.hosts =
    let
-      clanDir = config.clanCore.clanDir;
+      clanDir = config.clan.core.clanDir;
      machineDir = clanDir + "/machines/";
      zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
-      machines = builtins.readDir machineDir;
+      machinesFileSet = builtins.readDir machineDir;
      machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
      networkIpsUnchecked = builtins.map (
        machine:
        let
          fullPath = zerotierIpMachinePath machine;
        in
        if builtins.pathExists fullPath then machine else null
      ) machines;
      networkIps = lib.filter (machine: machine != null) networkIpsUnchecked;
      machinesWithIp = lib.filterAttrs (name: _: (lib.elem name networkIps)) machinesFileSet;
      filteredMachines = lib.filterAttrs (
        name: _: !(lib.elem name config.clan.static-hosts.excludeHosts)
-      ) machines;
+      ) machinesWithIp;
    in
    lib.filterAttrs (_: value: value != null) (
      lib.mapAttrs' (
@@ -24,7 +40,15 @@
        let
          path = zerotierIpMachinePath machine;
        in
-        if builtins.pathExists path then lib.nameValuePair (builtins.readFile path) [ machine ] else null
+        if builtins.pathExists path then
          lib.nameValuePair (builtins.readFile path) (
            if (config.clan.static-hosts.topLevelDomain == "") then
              [ machine ]
            else
              [ "${machine}.${config.clan.static-hosts.topLevelDomain}" ]
          )
        else
          { }
      ) filteredMachines
    );
 }
--- a/clanModules/sunshine/README.md
+++ b/clanModules/sunshine/README.md
@@ -1,2 +1,3 @@
-A desktop streaming server optimized for remote gaming and synchronized movie viewing.
+---
 description = "A desktop streaming server optimized for remote gaming and synchronized movie viewing."
 ---
--- a/clanModules/sunshine/default.nix
+++ b/clanModules/sunshine/default.nix
@@ -97,10 +97,10 @@ in
  systemd.tmpfiles.rules = [
    "d '/var/lib/sunshine' 0770 'user' 'users' - -"
    "C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
-      config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
+      config.clan.core.facts.services.sunshine.secret."sunshine.cert".path or ""
    }"
    "C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
-      config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
+      config.clan.core.facts.services.sunshine.secret."sunshine.key".path or ""
    }"
  ];
@@ -117,8 +117,8 @@ in
      RestartSec = "5s";
      ReadWritePaths = [ "/var/lib/sunshine" ];
      ReadOnlyPaths = [
-        (config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
+        (config.clan.core.facts.services.sunshine.secret."sunshine.key".path or "")
-        (config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
+        (config.clan.core.facts.services.sunshine.secret."sunshine.cert".path or "")
      ];
    };
    wantedBy = [ "graphical-session.target" ];
@@ -137,7 +137,7 @@ in
    startLimitIntervalSec = 500;
    script = ''
      ${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
-        config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
+        config.clan.core.facts.services.sunshine.public.sunshine-uuid.value or null
      } --state-file /var/lib/sunshine/state.json
    '';
    serviceConfig = {
@@ -173,9 +173,9 @@ in
    startLimitIntervalSec = 500;
    script = ''
      ${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
-        config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
+        config.clan.core.facts.services.sunshine.public.sunshine-uuid.value or null
      }  --state /var/lib/sunshine/state.json --cert '${
-        config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
+        config.clan.core.facts.services.sunshine.public."sunshine.cert".value or null
      }'
    '';
    serviceConfig = {
@@ -187,7 +187,7 @@ in
    wantedBy = [ "graphical-session.target" ];
  };
-  clanCore.facts.services.ergochat = {
+  clan.core.facts.services.ergochat = {
    secret."sunshine.key" = { };
    secret."sunshine.cert" = { };
    public."sunshine-uuid" = { };
--- a/clanModules/syncthing-static-peers/README.md
+++ b/clanModules/syncthing-static-peers/README.md
@@ -0,0 +1,3 @@
 ---
 description = "Statically configure syncthing peers through clan"
 ---
--- a/clanModules/syncthing-static-peers/default.nix
+++ b/clanModules/syncthing-static-peers/default.nix
@@ -0,0 +1,108 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  clanDir = config.clan.core.clanDir;
  machineDir = clanDir + "/machines/";
  syncthingPublicKeyPath = machines: machineDir + machines + "/facts/syncthing.pub";
  machinesFileSet = builtins.readDir machineDir;
  machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
  syncthingPublicKeysUnchecked = builtins.map (
    machine:
    let
      fullPath = syncthingPublicKeyPath machine;
    in
    if builtins.pathExists fullPath then machine else null
  ) machines;
  syncthingPublicKeyMachines = lib.filter (machine: machine != null) syncthingPublicKeysUnchecked;
  zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
  networkIpsUnchecked = builtins.map (
    machine:
    let
      fullPath = zerotierIpMachinePath machine;
    in
    if builtins.pathExists fullPath then machine else null
  ) machines;
  networkIpMachines = lib.filter (machine: machine != null) networkIpsUnchecked;
  devices = builtins.map (machine: {
    name = machine;
    value = {
      name = machine;
      id = (lib.removeSuffix "\n" (builtins.readFile (syncthingPublicKeyPath machine)));
      addresses =
        [ "dynamic" ]
        ++ (
          if (lib.elem machine networkIpMachines) then
            [ "tcp://[${(lib.removeSuffix "\n" (builtins.readFile (zerotierIpMachinePath machine)))}]:22000" ]
          else
            [ ]
        );
    };
  }) syncthingPublicKeyMachines;
 in
 {
  options.clan.syncthing-static-peers = {
    excludeMachines = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = [ config.clan.core.machineName ];
      default = [ ];
      description = ''
        Machines that should not be added.
      '';
    };
  };
  config.services.syncthing.settings.devices = (builtins.listToAttrs devices);
  imports = [
    {
      # Syncthing ports: 8384 for remote access to GUI
      # 22000 TCP and/or UDP for sync traffic
      # 21027/UDP for discovery
      # source: https://docs.syncthing.net/users/firewall.html
      networking.firewall.interfaces."zt+".allowedTCPPorts = [
        8384
        22000
      ];
      networking.firewall.allowedTCPPorts = [ 8384 ];
      networking.firewall.interfaces."zt+".allowedUDPPorts = [
        22000
        21027
      ];
      # Activates inotify compatibility on syncthing
      # use mkOverride 900 here as it otherwise would collide with the default of the
      # upstream nixos xserver.nix
      boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;
      services.syncthing = {
        enable = true;
        configDir = "/var/lib/syncthing";
        group = "syncthing";
        key = lib.mkDefault config.clan.core.facts.services.syncthing.secret."syncthing.key".path or null;
        cert = lib.mkDefault config.clan.core.facts.services.syncthing.secret."syncthing.cert".path or null;
      };
      clan.core.facts.services.syncthing = {
        secret."syncthing.key" = { };
        secret."syncthing.cert" = { };
        public."syncthing.pub" = { };
        generator.path = [
          pkgs.coreutils
          pkgs.gnugrep
          pkgs.syncthing
        ];
        generator.script = ''
          syncthing generate --config "$secrets"
          mv "$secrets"/key.pem "$secrets"/syncthing.key
          mv "$secrets"/cert.pem "$secrets"/syncthing.cert
          cat "$secrets"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$facts"/syncthing.pub
        '';
      };
    }
  ];
 }
--- a/clanModules/syncthing/README.md
+++ b/clanModules/syncthing/README.md
@@ -1,4 +1,5 @@
-A secure, file synchronization app for devices over networks, offering a private alternative to cloud services.
+---
 description = "A secure, file synchronization app for devices over networks, offering a private alternative to cloud services."
 ---
 ## Usage
--- a/clanModules/syncthing/default.nix
+++ b/clanModules/syncthing/default.nix
@@ -7,10 +7,14 @@
 {
  options.clan.syncthing = {
    id = lib.mkOption {
      description = ''
        The ID of the machine.
        It is generated automatically by default.
      '';
      type = lib.types.nullOr lib.types.str;
      example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
-      default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
+      default = config.clan.core.facts.services.syncthing.public."syncthing.pub".value or null;
-      defaultText = "config.clanCore.facts.services.syncthing.public.\"syncthing.pub\".value";
+      defaultText = "config.clan.core.facts.services.syncthing.public.\"syncthing.pub\".value";
    };
    introducer = lib.mkOption {
      description = ''
@@ -94,7 +98,7 @@
        settings = {
          options = {
            urAccepted = -1;
-            allowedNetworks = [ config.clan.networking.zerotier.subnet ];
+            allowedNetworks = [ config.clan.core.networking.zerotier.subnet ];
          };
          devices =
            { }
@@ -119,7 +123,7 @@
          getPendingDevices = "/rest/cluster/pending/devices";
          postNewDevice = "/rest/config/devices";
          SharedFolderById = "/rest/config/folders/";
-          apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
+          apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
        in
        lib.mkIf config.clan.syncthing.autoAcceptDevices {
          description = "Syncthing auto accept devices";
@@ -161,7 +165,7 @@
      systemd.services.syncthing-init-api-key =
        let
-          apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
+          apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
        in
        lib.mkIf config.clan.syncthing.autoAcceptDevices {
          description = "Set the api key";
@@ -183,7 +187,7 @@
          };
        };
-      clanCore.facts.services.syncthing = {
+      clan.core.facts.services.syncthing = {
        secret."syncthing.key" = { };
        secret."syncthing.cert" = { };
        secret."syncthing.api" = { };
--- a/clanModules/thelounge/README.md
+++ b/clanModules/thelounge/README.md
@@ -1,2 +1,3 @@
-Modern web IRC client
+---
 description = "Modern web IRC client"
 ---
--- a/clanModules/thelounge/default.nix
+++ b/clanModules/thelounge/default.nix
@@ -11,5 +11,5 @@ _: {
    };
  };
-  clanCore.state.thelounde.folders = [ "/var/lib/thelounge" ];
+  clan.core.state.thelounde.folders = [ "/var/lib/thelounge" ];
 }
--- a/clanModules/trusted-nix-caches/README.md
+++ b/clanModules/trusted-nix-caches/README.md
@@ -1,2 +1,3 @@
-This module sets the `clan.lol` and `nix-community` cache up as a trusted cache.
+---
 description = "This module sets the `clan.lol` and `nix-community` cache up as a trusted cache."
 ----
--- a/clanModules/user-password/README.md
+++ b/clanModules/user-password/README.md
@@ -1,4 +1,5 @@
-Automatically generates and configures a password for the specified user account.
+---
 description = "Automatically generates and configures a password for the specified user account."
 ---
 If setting the option prompt to true, the user will be prompted to type in their desired password.
--- a/clanModules/user-password/default.nix
+++ b/clanModules/user-password/default.nix
@@ -22,9 +22,13 @@
  config = {
    users.mutableUsers = false;
    users.users.${config.clan.user-password.user}.hashedPasswordFile =
-      config.clanCore.facts.services.user-password.secret.user-password-hash.path;
+      config.clan.core.facts.services.user-password.secret.user-password-hash.path;
-    sops.secrets."${config.clanCore.machineName}-user-password-hash".neededForUsers = true;
+
-    clanCore.facts.services.user-password = {
+    sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
      "${config.clan.core.machineName}-user-password-hash".neededForUsers = true;
    };
    clan.core.facts.services.user-password = {
      secret.user-password = { };
      secret.user-password-hash = { };
      generator.prompt = (
@@ -37,12 +41,12 @@
        mkpasswd
      ];
      generator.script = ''
-        if [[ -n $prompt_value ]]; then
+        if [[ -n ''${prompt_value-} ]]; then
-          echo $prompt_value > $secrets/user-password
+          echo $prompt_value | tr -d "\n" > $secrets/user-password
        else
-          xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password
+          xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/user-password
        fi
-        cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
+        cat $secrets/user-password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/user-password-hash
      '';
    };
  };
--- a/clanModules/xfce/README.md
+++ b/clanModules/xfce/README.md
@@ -1,2 +1,3 @@
-A lightweight desktop manager
+---
 description = "A lightweight desktop manager"
 ---
--- a/clanModules/zerotier-static-peers/README.md
+++ b/clanModules/zerotier-static-peers/README.md
@@ -1,4 +1,5 @@
-Statically configure the `zerotier` peers of a clan network.
+---
 description = "Statically configure the `zerotier` peers of a clan network."
 ---
 Statically configure the `zerotier` peers of a clan network.
--- a/clanModules/zerotier-static-peers/default.nix
+++ b/clanModules/zerotier-static-peers/default.nix
@@ -2,11 +2,10 @@
  lib,
  config,
  pkgs,
  inputs,
  ...
 }:
 let
-  clanDir = config.clanCore.clanDir;
+  clanDir = config.clan.core.clanDir;
  machineDir = clanDir + "/machines/";
  machinesFileSet = builtins.readDir machineDir;
  machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
@@ -20,7 +19,7 @@ let
    if builtins.pathExists fullPath then builtins.readFile fullPath else null
  ) machines;
  networkIds = lib.filter (machine: machine != null) networkIdsUnchecked;
-  networkId = builtins.elemAt networkIds 0;
+  networkId = if builtins.length networkIds == 0 then null else builtins.elemAt networkIds 0;
 in
 #TODO:trace on multiple found network-ids
 #TODO:trace on no single found networkId
@@ -28,44 +27,61 @@ in
  options.clan.zerotier-static-peers = {
    excludeHosts = lib.mkOption {
      type = lib.types.listOf lib.types.str;
-      default = [ config.clanCore.machineName ];
+      default = [ config.clan.core.machineName ];
      description = "Hosts that should be excluded";
    };
    networkIps = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Extra zerotier network Ips that should be accepted";
    };
    networkIds = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Extra zerotier network Ids that should be accepted";
    };
  };
  config.systemd.services.zerotier-static-peers-autoaccept =
    let
      machines = builtins.readDir machineDir;
      zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
-      filteredMachines = lib.filterAttrs (
+      networkIpsUnchecked = builtins.map (
-        name: _: !(lib.elem name config.clan.static-hosts.excludeHosts)
+        machine:
        let
          fullPath = zerotierIpMachinePath machine;
        in
        if builtins.pathExists fullPath then machine else null
      ) machines;
      networkIps = lib.filter (machine: machine != null) networkIpsUnchecked;
      machinesWithIp = lib.filterAttrs (name: _: (lib.elem name networkIps)) machinesFileSet;
      filteredMachines = lib.filterAttrs (
        name: _: !(lib.elem name config.clan.zerotier-static-peers.excludeHosts)
      ) machinesWithIp;
      hosts = lib.mapAttrsToList (host: _: host) (
        lib.mapAttrs' (
          machine: _:
          let
            fullPath = zerotierIpMachinePath machine;
          in
-          if builtins.pathExists fullPath then
+          lib.nameValuePair (builtins.readFile fullPath) [ machine ]
            lib.nameValuePair (builtins.readFile fullPath) [ machine ]
          else
            null
        ) filteredMachines
      );
      allHostIPs = config.clan.zerotier-static-peers.networkIps ++ hosts;
    in
-    lib.mkIf (config.clan.networking.zerotier.controller.enable) {
+    lib.mkIf (config.clan.core.networking.zerotier.controller.enable) {
      wantedBy = [ "multi-user.target" ];
      after = [ "zerotierone.service" ];
-      path = [ pkgs.zerotierone ];
+      path = [ config.clan.core.clanPkgs.zerotierone ];
      serviceConfig.ExecStart = pkgs.writeScript "static-zerotier-peers-autoaccept" ''
        #!/bin/sh
        ${lib.concatMapStringsSep "\n" (host: ''
-          ${
+          ${config.clan.core.clanPkgs.zerotier-members}/bin/zerotier-members allow --member-ip ${host}
-            inputs.clan-core.packages.${pkgs.system}.zerotier-members
+        '') allHostIPs}
-          }/bin/zerotier-members allow --member-ip ${host}
+        ${lib.concatMapStringsSep "\n" (host: ''
-        '') hosts}
+          ${config.clan.core.clanPkgs.zerotier-members}/bin/zerotier-members allow ${host}
        '') config.clan.zerotier-static-peers.networkIds}
      '';
    };
-  config.clan.networking.zerotier.networkId = lib.mkDefault networkId;
+  config.clan.core.networking.zerotier.networkId = lib.mkDefault networkId;
 }
--- a/clanModules/zt-tcp-relay/README.md
+++ b/clanModules/zt-tcp-relay/README.md
@@ -1,2 +1,3 @@
-Enable ZeroTier VPN over TCP for networks where UDP is blocked.
+---
 description = "Enable ZeroTier VPN over TCP for networks where UDP is blocked."
 ---
--- a/devShell.nix
+++ b/devShell.nix
@@ -26,8 +26,10 @@
      devShells.default = pkgs.mkShell {
        packages = [
          select-shell
          pkgs.nix-unit
          pkgs.tea
-          pkgs.nix
+          # Better error messages than nix 2.18
          pkgs.nixVersions.latest
          self'.packages.tea-create-pr
          self'.packages.merge-after-ci
          self'.packages.pending-reviews
@@ -36,6 +38,7 @@
        ];
        shellHook = ''
          echo -e "${ansiEscapes.green}switch to another dev-shell using: select-shell${ansiEscapes.reset}"
          export PROJECT_ROOT=$(git rev-parse --show-toplevel)
        '';
      };
    };
--- a/docs/.envrc
+++ b/docs/.envrc
@@ -1,6 +1,8 @@
 # shellcheck shell=bash
 source_up
-watch_file $(find ./nix -name "*.nix" -printf '%p ')
+mapfile -d '' -t nix_files < <(find ./nix -name "*.nix" -print0)
 watch_file "${nix_files[@]}"
 # Because we depend on nixpkgs sources, uploading to builders takes a long time
 use flake .#docs --builders ''
--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -1 +1,6 @@
-/site/reference
+/site/reference/clan-core
 /site/reference/clanModules
 /site/reference/nix-api/inventory.md
 /site/reference/cli
 /site/static/Roboto-Regular.ttf
 /site/static/FiraCode-VF.ttf
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -15,92 +15,131 @@ Let's get your development environment up and running:
 1. **Install Nix Package Manager**:
-   - You can install the Nix package manager by either [downloading the Nix installer](https://github.com/DeterminateSystems/nix-installer/releases) or running this command:
+      - You can install the Nix package manager by either [downloading the Nix installer](https://github.com/DeterminateSystems/nix-installer/releases) or running this command:
-     ```bash
+        ```bash
-     curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+        curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
-     ```
+        ```
 2. **Install direnv**:
-   - Download the direnv package from [here](https://direnv.net/docs/installation.html) or run the following command:
+      - To automatically setup a devshell on entering the directory
-     ```bash
+        ```bash
-     curl -sfL https://direnv.net/install.sh | bash
+        nix profile install nixpkgs#nix-direnv-flakes
-     ```
+        ```
 3. **Add direnv to your shell**:
-   - Direnv needs to [hook into your shell](https://direnv.net/docs/hook.html) to work.
+      - Direnv needs to [hook into your shell](https://direnv.net/docs/hook.html) to work.
-     You can do this by executing following command. The example below will setup direnv for `zsh` and `bash`
+        You can do this by executing following command. The example below will setup direnv for `zsh` and `bash`
   ```bash
   echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc && echo 'eval "$(direnv hook bash)"' >> ~/.bashrc && eval "$SHELL"
   ```
 4. **Clone the Repository and Navigate**:
   - Clone this repository and navigate to it.
 5. **Allow .envrc**:
   - When you enter the directory, you'll receive an error message like this:
     ```bash
     direnv: error .envrc is blocked. Run `direnv allow` to approve its content
     ```
   - Execute `direnv allow` to automatically execute the shell script `.envrc` when entering the directory.
 # Setting Up Your Git Workflow
 Let's set up your Git workflow to collaborate effectively:
 1. **Register Your Gitea Account Locally**:
   - Execute the following command to add your Gitea account locally:
     ```bash
     tea login add
     ```
   - Fill out the prompt as follows:
     - URL of Gitea instance: `https://git.clan.lol`
     - Name of new Login [gitea.gchq.icu]: `gitea.gchq.icu:7171`
     - Do you have an access token? No
     - Username: YourUsername
     - Password: YourPassword
     - Set Optional settings: No
 2. **Git Workflow**:
   1. Add your changes to Git using `git add <file1> <file2>`.
   2. Run `nix fmt` to lint your files.
   3. Commit your changes with a descriptive message: `git commit -a -m "My descriptive commit message"`.
   4. Make sure your branch has the latest changes from upstream by executing:
      ```bash
-      git fetch && git rebase origin/main --autostash
+      echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc && echo 'eval "$(direnv hook bash)"' >> ~/.bashrc && eval "$SHELL"
      ```
   5. Use `git status` to check for merge conflicts.
   6. If conflicts exist, resolve them. Here's a tutorial for resolving conflicts in [VSCode](https://code.visualstudio.com/docs/sourcecontrol/overview#_merge-conflicts).
   7. After resolving conflicts, execute `git merge --continue` and repeat step 5 until there are no conflicts.
-3. **Create a Pull Request**:
+4. **Create a Gitea Account**:
      - Register an account on https://git.clan.lol
      - Fork the [clan-core](https://git.clan.lol/clan/clan-core) repository
      - Clone the repository and navigate to it
      - Add a new remote called upstream:
         ```bash
         git remote add upstream gitea@git.clan.lol:clan/clan-core.git
         ```
 5. **Create an access token**:
      - Log in to Gitea.
      - Go to your account settings.
      - Navigate to the Applications section.
      - Click Generate New Token.
      - Name your token and select all available scopes.
      - Generate the token and copy it for later use.
      - Your access token is now ready to use with all permissions.
-   - To automatically open a pull request that gets merged if all tests pass, execute:
+5. **Register Your Gitea Account Locally**:
     ```bash
     merge-after-ci
     ```
-4. **Review Your Pull Request**:
+      - Execute the following command to add your Gitea account locally:
        ```bash
        tea login add
        ```
      - Fill out the prompt as follows:
        - URL of Gitea instance: `https://git.clan.lol`
        - Name of new Login [git.clan.lol]:
        - Do you have an access token? Yes
        - Token: <yourtoken>
        - Set Optional settings: No
   - Visit https://git.clan.lol and go to the project page. Check under "Pull Requests" for any issues with your pull request.
-5. **Push Your Changes**:
+6. **Allow .envrc**:
-   - If there are issues, fix them and redo step 2. Afterward, execute:
+
-     ```bash
+      - When you enter the directory, you'll receive an error message like this:
-     git push origin HEAD:YourUsername-main
+        ```bash
-     ```
+        direnv: error .envrc is blocked. Run `direnv allow` to approve its content
-   - This will directly push to your open pull request.
+        ```
      - Execute `direnv allow` to automatically execute the shell script `.envrc` when entering the directory.
 7. **(Optional) Install Git Hooks**:
      - To syntax check your code you can run:
         ```bash
         nix fmt
         ```
      - To make this automatic install the git hooks
         ```bash
         ./scripts/pre-commit
         ```
 8. **Open a Pull Request**:
      - To automatically open up a pull request you can use our tool called:
      ```
      merge-after-ci --reviewers Mic92 Lassulus Qubasa
      ```
 # Debugging
 Here are some methods for debugging and testing the clan-cli:
 ## See all possible packages and tests
 To quickly show all possible packages and tests execute:
 ```bash
 nix flake show --system no-eval
 ```
 Under `checks` you will find all tests that are executed in our CI. Under `packages` you find all our projects.
 ```
 git+file:///home/lhebendanz/Projects/clan-core
 ├───apps
 │   └───x86_64-linux
 │       ├───install-vm: app
 │       └───install-vm-nogui: app
 ├───checks
 │   └───x86_64-linux
 │       ├───borgbackup omitted (use '--all-systems' to show)
 │       ├───check-for-breakpoints omitted (use '--all-systems' to show)
 │       ├───clan-dep-age omitted (use '--all-systems' to show)
 │       ├───clan-dep-bash omitted (use '--all-systems' to show)
 │       ├───clan-dep-e2fsprogs omitted (use '--all-systems' to show)
 │       ├───clan-dep-fakeroot omitted (use '--all-systems' to show)
 │       ├───clan-dep-git omitted (use '--all-systems' to show)
 │       ├───clan-dep-nix omitted (use '--all-systems' to show)
 │       ├───clan-dep-openssh omitted (use '--all-systems' to show)
 │       ├───"clan-dep-python3.11-mypy" omitted (use '--all-systems' to show)
 ├───packages
 │   └───x86_64-linux
 │       ├───clan-cli omitted (use '--all-systems' to show)
 │       ├───clan-cli-docs omitted (use '--all-systems' to show)
 │       ├───clan-ts-api omitted (use '--all-systems' to show)
 │       ├───clan-app omitted (use '--all-systems' to show)
 │       ├───default omitted (use '--all-systems' to show)
 │       ├───deploy-docs omitted (use '--all-systems' to show)
 │       ├───docs omitted (use '--all-systems' to show)
 │       ├───editor omitted (use '--all-systems' to show)
 └───templates
    ├───default: template: Initialize a new clan flake
    └───new-clan: template: Initialize a new clan flake
 ```
 You can execute every test separately by following the tree path `nix build .#checks.x86_64-linux.clan-pytest` for example.
 ## Test Locally in Devshell with Breakpoints
 To test the cli locally in a development environment and set breakpoints for debugging, follow these steps:
@@ -150,12 +189,14 @@ If you need to inspect the Nix sandbox while running tests, follow these steps:
 2. Use `cntr` and `psgrep` to attach to the Nix sandbox. This allows you to interactively debug your code while it's paused. For example:
   ```bash
   cntr exec -w your_sandbox_name
   psgrep -a -x your_python_process_name
   cntr attach <container id, container name or process id>
   ```
 Or you can also use the [nix breakpoint hook](https://nixos.org/manual/nixpkgs/stable/#breakpointhook)
 # Standards
-Every new module name should be in kebab-case.
+- Every new module name should be in kebab-case.
-Every fact definition, where possible should be in kebab-case.
+- Every fact definition, where possible should be in kebab-case.
--- a/docs/main.py
+++ b/docs/main.py
@@ -16,15 +16,26 @@ def define_env(env: Any) -> None:
    @env.macro
    def asciinema(name: str) -> str:
        return f"""<div id="{name}">
            <script src="{asciinema_dir}/asciinema-player.min.js"></script>
            <script>
-                AsciinemaPlayer.create('{video_dir + name}',
+                // Function to load the script and then create the Asciinema player
-                document.getElementById("{name}"), {{
+                function loadAsciinemaPlayer() {{
-                    loop: true,
+                    var script = document.createElement('script');
-                    autoPlay: true,
+                    script.src = "{asciinema_dir}/asciinema-player.min.js";
-                    controls: false,
+                    script.onload = function() {{
-                    speed: 1.5,
+                        AsciinemaPlayer.create('{video_dir + name}', document.getElementById("{name}"), {{
-                    theme: "solarized-light"
+                            loop: true,
-                }});
+                            autoPlay: true,
                            controls: false,
                            speed: 1.5,
                            theme: "solarized-light"
                    }});
                    }};
                    document.head.appendChild(script);
                }}
                // Load the Asciinema player script
                loadAsciinemaPlayer();
            </script>
            <link rel="stylesheet" type="text/css" href="{asciinema_dir}/asciinema-player.css" />
        </div>"""
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -1,4 +1,4 @@
-site_name: Clan Docs
+site_name: Clan Documentation
 site_url: https://docs.clan.lol
 repo_url: https://git.clan.lol/clan/clan-core/
 repo_name: clan-core
@@ -14,6 +14,7 @@ markdown_extensions:
  - attr_list
  - footnotes
  - md_in_html
  - def_list
  - meta
  - plantuml_markdown
  - pymdownx.emoji:
@@ -38,8 +39,6 @@ exclude_docs: |
  /drafts/
 nav:
  - Blog:
    - blog/index.md
  - Getting started:
      - index.md
      - Installer: getting-started/installer.md
@@ -49,22 +48,32 @@ nav:
      - Mesh VPN: getting-started/mesh-vpn.md
      - Backup & Restore: getting-started/backups.md
      - Flake-parts: getting-started/flake-parts.md
-  - Modules:
+  - Guides:
      - guides/index.md
      - Inventory: guides/inventory.md
  - Reference:
      - reference/index.md
      - Clan Modules:
          - reference/clanModules/index.md
          - reference/clanModules/borgbackup-static.md
          - reference/clanModules/borgbackup.md
          - reference/clanModules/deltachat.md
          - reference/clanModules/disk-layouts.md
          - reference/clanModules/ergochat.md
          - reference/clanModules/localbackup.md
          - reference/clanModules/localsend.md
          - reference/clanModules/matrix-synapse.md
          - reference/clanModules/moonlight.md
          - reference/clanModules/packages.md
          - reference/clanModules/postgresql.md
          - reference/clanModules/root-password.md
          - reference/clanModules/single-disk.md
          - reference/clanModules/sshd.md
          - reference/clanModules/sunshine.md
          - reference/clanModules/syncthing.md
          - reference/clanModules/static-hosts.md
          - reference/clanModules/sunshine.md
          - reference/clanModules/syncthing-static-peers.md
          - reference/clanModules/syncthing.md
          - reference/clanModules/thelounge.md
          - reference/clanModules/mumble.md
          - reference/clanModules/trusted-nix-caches.md
          - reference/clanModules/user-password.md
          - reference/clanModules/xfce.md
@@ -73,14 +82,15 @@ nav:
      - CLI:
          - reference/cli/index.md
          - reference/cli/backups.md
          - reference/cli/config.md
          - reference/cli/facts.md
          - reference/cli/flakes.md
          - reference/cli/flash.md
          - reference/cli/history.md
          - reference/cli/machines.md
          - reference/cli/secrets.md
          - reference/cli/show.md
          - reference/cli/ssh.md
          - reference/cli/state.md
          - reference/cli/vms.md
      - Clan Core:
          - reference/clan-core/index.md
@@ -88,14 +98,23 @@ nav:
          - reference/clan-core/facts.md
          - reference/clan-core/sops.md
          - reference/clan-core/state.md
          - reference/clan-core/deployment.md
          - reference/clan-core/networking.md
      - Nix API:
          - reference/nix-api/index.md
          - buildClan: reference/nix-api/buildclan.md
          - Inventory: reference/nix-api/inventory.md
  - Contributing: contributing/contributing.md
  - Blog:
      - blog/index.md
 docs_dir: site
 site_dir: out
 theme:
  font: false
  logo: https://clan.lol/static/logo/clan-white.png
-  favicon: https://clan.lol/static/logo/clan-dark.png
+  favicon: https://clan.lol/static/dark-favicon/128x128.png
  name: material
  features:
    - navigation.instant
@@ -104,9 +123,8 @@ theme:
    - content.code.copy
    - content.tabs.link
  icon:
-    repo: fontawesome/brands/git
+    repo: fontawesome/brands/git-alt
-  font:
+  custom_dir: overrides
    code: Roboto Mono
  palette:
    # Palette toggle for light mode
@@ -128,8 +146,7 @@ theme:
        name: Switch to light mode
 extra_css:
-  - static/asciinema-player/custom-theme.css
+  - static/extra.css
  - static/asciinema-player/asciinema-player.css
 extra:
  social:
@@ -142,7 +159,6 @@ extra:
    - icon: fontawesome/solid/rss
      link: /feed_rss_created.xml
 plugins:
  - search
  - blog
--- a/docs/nix/default.nix
+++ b/docs/nix/default.nix
@@ -2,8 +2,11 @@
  pkgs,
  module-docs,
  clan-cli-docs,
  inventory-api-docs,
  asciinema-player-js,
  asciinema-player-css,
  roboto,
  fira-code,
  ...
 }:
 let
@@ -24,15 +27,21 @@ pkgs.stdenv.mkDerivation {
      mkdocs-material
      mkdocs-rss-plugin
      mkdocs-macros
      filelock # FIXME: this should be already provided by mkdocs-rss-plugin
    ]);
  configurePhase = ''
    mkdir -p ./site/reference/cli
    cp -af ${module-docs}/* ./site/reference/
    cp -af ${clan-cli-docs}/* ./site/reference/cli/
    cp -af ${inventory-api-docs} ./site/reference/nix-api/inventory.md
    mkdir -p ./site/static/asciinema-player
    ln -snf ${asciinema-player-js} ./site/static/asciinema-player/asciinema-player.min.js
    ln -snf ${asciinema-player-css} ./site/static/asciinema-player/asciinema-player.css
    # Link to fonts
    ln -snf ${roboto}/share/fonts/truetype/Roboto-Regular.ttf ./site/static/
    ln -snf ${fira-code}/share/fonts/truetype/FiraCode-VF.ttf ./site/static/
  '';
  buildPhase = ''
--- a/docs/nix/flake-module.nix
+++ b/docs/nix/flake-module.nix
@@ -12,13 +12,14 @@
      # { clanCore = «derivation JSON»; clanModules = { ${name} = «derivation JSON» }; }
      jsonDocs = import ./get-module-docs.nix {
        inherit (inputs) nixpkgs;
-        inherit pkgs self;
+        inherit pkgs;
        inherit (self.nixosModules) clanCore;
        inherit (self) clanModules;
      };
      clanModulesFileInfo = pkgs.writeText "info.json" (builtins.toJSON jsonDocs.clanModules);
-      clanModulesReadmes = pkgs.writeText "info.json" (builtins.toJSON jsonDocs.clanModulesReadmes);
+      # clanModulesReadmes = pkgs.writeText "info.json" (builtins.toJSON jsonDocs.clanModulesReadmes);
      # clanModulesMeta = pkgs.writeText "info.json" (builtins.toJSON jsonDocs.clanModulesMeta);
      # Simply evaluated options (JSON)
      renderOptions =
@@ -29,6 +30,7 @@
            nativeBuildInputs = [
              pkgs.python3
              pkgs.mypy
              self'.packages.clan-cli
            ];
          }
          ''
@@ -36,7 +38,7 @@
            patchShebangs --build $out
            ruff format --check --diff $out
-            ruff --line-length 88 $out
+            ruff check --line-length 88 $out
            mypy --strict $out
          '';
@@ -49,28 +51,41 @@
        sha256 = "sha256-GZMeZFFGvP5GMqqh516mjJKfQaiJ6bL38bSYOXkaohc=";
      };
-      module-docs = pkgs.runCommand "rendered" { nativeBuildInputs = [ pkgs.python3 ]; } ''
+      module-docs =
-        export CLAN_CORE=${jsonDocs.clanCore}/share/doc/nixos/options.json 
+        pkgs.runCommand "rendered"
-        # A file that contains the links to all clanModule docs
+          {
-        export CLAN_MODULES=${clanModulesFileInfo}
+            buildInputs = [
-        export CLAN_MODULES_READMES=${clanModulesReadmes}
+              pkgs.python3
              self'.packages.clan-cli
              # TODO: see postFixup clan-cli/default.nix:L188
              self'.packages.clan-cli.propagatedBuildInputs
            ];
          }
          ''
            export CLAN_CORE_PATH=${self}
            export CLAN_CORE_DOCS=${jsonDocs.clanCore}/share/doc/nixos/options.json
            # A file that contains the links to all clanModule docs
            export CLAN_MODULES=${clanModulesFileInfo}
-        mkdir $out
+            mkdir $out
-        # The python script will place mkDocs files in the output directory
+            # The python script will place mkDocs files in the output directory
-        python3 ${renderOptions}
+            python3 ${renderOptions}
-      '';
+          '';
    in
    {
      devShells.docs = pkgs.callPackage ./shell.nix {
-        inherit (self'.packages) docs clan-cli-docs;
+        inherit (self'.packages) docs clan-cli-docs inventory-api-docs;
-        inherit module-docs;
+        inherit
-        inherit asciinema-player-js;
+          asciinema-player-js
-        inherit asciinema-player-css;
+          asciinema-player-css
          module-docs
          self'
          ;
      };
      packages = {
        docs = pkgs.python3.pkgs.callPackage ./default.nix {
-          inherit (self'.packages) clan-cli-docs;
+          inherit (self'.packages) clan-cli-docs inventory-api-docs;
          inherit (inputs) nixpkgs;
          inherit module-docs;
          inherit asciinema-player-js;
--- a/docs/nix/get-module-docs.nix
+++ b/docs/nix/get-module-docs.nix
@@ -3,7 +3,6 @@
  pkgs,
  clanCore,
  clanModules,
  self,
 }:
 let
  allNixosModules = (import "${nixpkgs}/nixos/modules/module-list.nix") ++ [
@@ -13,7 +12,7 @@ let
  clanCoreNixosModules = [
    clanCore
-    { clanCore.clanDir = ./.; }
+    { clan.core.clanDir = ./.; }
  ] ++ allNixosModules;
  # TODO: optimally we would not have to evaluate all nixos modules for every page
@@ -25,27 +24,24 @@ let
  #   improves eval performance slightly (10%)
  getOptions = modules: (clanCoreNixos.extendModules { inherit modules; }).options;
  getOptionsWithoutCore = modules: builtins.removeAttrs (getOptions modules) [ "core" ];
  evalDocs =
    options:
    pkgs.nixosOptionsDoc {
      options = options;
-      warningsAreErrors = false;
+      warningsAreErrors = true;
    };
  # clanModules docs
  clanModulesDocs = builtins.mapAttrs (
-    name: module: (evalDocs ((getOptions [ module ]).clan.${name} or { })).optionsJSON
+    name: module: (evalDocs ((getOptionsWithoutCore [ module ]).clan.${name} or { })).optionsJSON
  ) clanModules;
  clanModulesReadmes = builtins.mapAttrs (
    module_name: _module: self.lib.modules.getReadme module_name
  ) clanModules;
  # clanCore docs
-  clanCoreDocs = (evalDocs (getOptions [ ]).clanCore).optionsJSON;
+  clanCoreDocs = (evalDocs (getOptions [ ]).clan.core).optionsJSON;
 in
 {
  inherit clanModulesReadmes;
  clanCore = clanCoreDocs;
  clanModules = clanModulesDocs;
 }
--- a/docs/nix/scripts/renderOptions.py
+++ b/docs/nix/scripts/renderOptions.py
@@ -28,10 +28,12 @@ import os
 from pathlib import Path
 from typing import Any
 from clan_cli.api.modules import Frontmatter, extract_frontmatter, get_roles
 # Get environment variables
-CLAN_CORE = os.getenv("CLAN_CORE")
+CLAN_CORE_PATH = os.getenv("CLAN_CORE_PATH")
 CLAN_CORE_DOCS = os.getenv("CLAN_CORE_DOCS")
 CLAN_MODULES = os.environ.get("CLAN_MODULES")
 CLAN_MODULES_READMES = os.environ.get("CLAN_MODULES_READMES")
 OUT = os.environ.get("out")
@@ -40,13 +42,14 @@ def sanitize(text: str) -> str:
    return text.replace(">", "\\>")
-def replace_store_path(text: str) -> Path:
+def replace_store_path(text: str) -> tuple[str, str]:
    res = text
    if text.startswith("/nix/store/"):
        res = "https://git.clan.lol/clan/clan-core/src/branch/main/" + str(
            Path(*Path(text).parts[4:])
        )
-    return Path(res)
+    name = Path(res).name
    return (res, name)
 def render_option_header(name: str) -> str:
@@ -75,7 +78,9 @@ def render_option(name: str, option: dict[str, Any], level: int = 3) -> str:
    res = f"""
 {"#" * level} {sanitize(name)}
-{"Readonly" if read_only else ""}
+
 {"**Readonly**" if read_only else ""}
 {option.get("description", "No description available.")}
 **Type**: `{option["type"]}`
@@ -108,17 +113,19 @@ def render_option(name: str, option: dict[str, Any], level: int = 3) -> str:
 """
    decls = option.get("declarations", [])
-    source_path = replace_store_path(decls[0])
+    if decls:
-    res += f"""
+        source_path, name = replace_store_path(decls[0])
-:simple-git: [{source_path.name}]({source_path})
+        print(source_path, name)
        res += f"""
 :simple-git: [{name}]({source_path})
 """
-    res += "\n"
+        res += "\n"
    return res
 def module_header(module_name: str) -> str:
-    return f"# {module_name}\n"
+    return f"# {module_name}\n\n"
 def module_usage(module_name: str) -> str:
@@ -144,9 +151,9 @@ options_head = "\n## Module Options\n"
 def produce_clan_core_docs() -> None:
-    if not CLAN_CORE:
+    if not CLAN_CORE_DOCS:
        raise ValueError(
-            f"Environment variables are not set correctly: $CLAN_CORE={CLAN_CORE}"
+            f"Environment variables are not set correctly: $CLAN_CORE_DOCS={CLAN_CORE_DOCS}"
        )
    if not OUT:
@@ -154,14 +161,14 @@ def produce_clan_core_docs() -> None:
    # A mapping of output file to content
    core_outputs: dict[str, str] = {}
-    with open(CLAN_CORE) as f:
+    with open(CLAN_CORE_DOCS) as f:
        options: dict[str, dict[str, Any]] = json.load(f)
        module_name = "clan-core"
        for option_name, info in options.items():
            outfile = f"{module_name}/index.md"
-            # Create seperate files for nested options
+            # Create separate files for nested options
-            if len(option_name.split(".")) <= 2:
+            if len(option_name.split(".")) <= 3:
                # i.e. clan-core.clanDir
                output = core_outputs.get(
                    outfile,
@@ -172,7 +179,7 @@ def produce_clan_core_docs() -> None:
                core_outputs[outfile] = output
            else:
                # Clan sub-options
-                [_, sub] = option_name.split(".")[0:2]
+                [_, sub] = option_name.split(".")[1:3]
                outfile = f"{module_name}/{sub}.md"
                # Get the content or write the header
                output = core_outputs.get(outfile, render_option_header(sub))
@@ -186,14 +193,47 @@ def produce_clan_core_docs() -> None:
                of.write(output)
 def render_roles(roles: list[str] | None, module_name: str) -> str:
    if roles:
        roles_list = "\n".join([f"    - `{r}`" for r in roles])
        return f"""
 ???+ tip "Inventory usage"
    Predefined roles:
 {roles_list}
    Usage:
    ```{{.nix hl_lines="4"}}
    buildClan {{
      inventory.services = {{
        {module_name}.instance_1 = {{
            roles.{roles[0]}.machines = [ "sara_machine" ];
            # ...
        }};
      }};
    }}
    ```
 """
    return ""
 clan_modules_descr = """Clan modules are [NixOS modules](https://wiki.nixos.org/wiki/NixOS_modules) which have been enhanced with additional features provided by Clan, with certain option types restricted to enable configuration through a graphical interface.
 """
 def produce_clan_modules_docs() -> None:
    if not CLAN_MODULES:
        raise ValueError(
            f"Environment variables are not set correctly: $CLAN_MODULES={CLAN_MODULES}"
        )
-    if not CLAN_MODULES_READMES:
+
    if not CLAN_CORE_PATH:
        raise ValueError(
-            f"Environment variables are not set correctly: $CLAN_MODULES_READMES={CLAN_MODULES_READMES}"
+            f"Environment variables are not set correctly: $CLAN_CORE_PATH={CLAN_CORE_PATH}"
        )
    if not OUT:
@@ -202,18 +242,44 @@ def produce_clan_modules_docs() -> None:
    with open(CLAN_MODULES) as f:
        links: dict[str, str] = json.load(f)
-    with open(CLAN_MODULES_READMES) as readme:
+    # with open(CLAN_MODULES_READMES) as readme:
-        readme_map: dict[str, str] = json.load(readme)
+    #     readme_map: dict[str, str] = json.load(readme)
    # with open(CLAN_MODULES_META) as f:
    #     meta_map: dict[str, Any] = json.load(f)
    #     print(meta_map)
    # {'borgbackup': '/nix/store/hi17dwgy7963ddd4ijh81fv0c9sbh8sw-options.json', ... }
    modules_index = "# Modules Overview\n\n"
    modules_index += clan_modules_descr
    modules_index += "## Overview\n\n"
    modules_index += '<div class="grid cards" markdown>\n\n'
    for module_name, options_file in links.items():
        readme_file = Path(CLAN_CORE_PATH) / "clanModules" / module_name / "README.md"
        print(module_name, readme_file)
        with open(readme_file) as f:
            readme = f.read()
            frontmatter: Frontmatter
            frontmatter, readme_content = extract_frontmatter(readme, str(readme_file))
            print(frontmatter, readme_content)
        modules_index += build_option_card(module_name, frontmatter)
        with open(Path(options_file) / "share/doc/nixos/options.json") as f:
            options: dict[str, dict[str, Any]] = json.load(f)
            print(f"Rendering options for {module_name}...")
            output = module_header(module_name)
-            if readme_map.get(module_name, None):
+            if frontmatter.description:
-                output += f"{readme_map[module_name]}\n"
+                output += f"**{frontmatter.description}**\n\n"
            output += f"{readme_content}\n"
            # get_roles(str) -> list[str] | None
            roles = get_roles(str(Path(CLAN_CORE_PATH) / "clanModules" / module_name))
            if roles:
                output += render_roles(roles, module_name)
            output += module_usage(module_name)
@@ -229,6 +295,39 @@ def produce_clan_modules_docs() -> None:
            with open(outfile, "w") as of:
                of.write(output)
    modules_index += "</div>"
    modules_index += "\n"
    modules_outfile = Path(OUT) / "clanModules/index.md"
    with open(modules_outfile, "w") as of:
        of.write(modules_index)
 def build_option_card(module_name: str, frontmatter: Frontmatter) -> str:
    """
    Build the overview index card for each reference target option.
    """
    def indent_all(text: str, indent_size: int = 4) -> str:
        """
        Indent all lines in a string.
        """
        indent = " " * indent_size
        lines = text.split("\n")
        indented_text = indent + ("\n" + indent).join(lines)
        return indented_text
    def to_md_li(module_name: str, frontmatter: Frontmatter) -> str:
        md_li = (
            f"""-   **[{module_name}](./{"-".join(module_name.split(" "))}.md)**\n\n"""
        )
        md_li += f"""{indent_all("---", 4)}\n\n"""
        fmd = f"\n{frontmatter.description.strip()}" if frontmatter.description else ""
        md_li += f"""{indent_all(fmd, 4)}"""
        return md_li
    return f"{to_md_li(module_name, frontmatter)}\n\n"
 if __name__ == "__main__":
    produce_clan_core_docs()
--- a/docs/nix/shell.nix
+++ b/docs/nix/shell.nix
@@ -3,22 +3,36 @@
  pkgs,
  module-docs,
  clan-cli-docs,
  inventory-api-docs,
  asciinema-player-js,
  asciinema-player-css,
  roboto,
  fira-code,
  self',
  ...
 }:
 pkgs.mkShell {
-  inputsFrom = [ docs ];
+  inputsFrom = [
    docs
    self'.devShells.default
  ];
  shellHook = ''
    mkdir -p ./site/reference/cli
    cp -af ${module-docs}/* ./site/reference/
    cp -af ${clan-cli-docs}/* ./site/reference/cli/
    cp -af ${inventory-api-docs} ./site/reference/nix-api/inventory.md
    chmod +w ./site/reference/*
    echo "Generated API documentation in './site/reference/' "
    mkdir -p ./site/static/asciinema-player
    ln -snf ${asciinema-player-js} ./site/static/asciinema-player/asciinema-player.min.js
    ln -snf ${asciinema-player-css} ./site/static/asciinema-player/asciinema-player.css
    # Link to fonts
    ln -snf ${roboto}/share/fonts/truetype/Roboto-Regular.ttf ./site/static/
    ln -snf ${fira-code}/share/fonts/truetype/FiraCode-VF.ttf ./site/static/
  '';
 }
--- a/docs/overrides/main.html
+++ b/docs/overrides/main.html
@@ -0,0 +1,19 @@
 {% extends "base.html" %} {% block extrahead %}
 <meta
  property="og:title"
  content="Clan - Documentation, Blog & Getting Started Guide"
 />
 <meta
  property="og:description"
  content="Documentation for Clan. The peer-to-peer machine deployment framework."
 />
 <meta
  property="og:image"
  content="https://clan.lol/static/dark-favicon/128x128.png"
 />
 <meta property="og:url" content="https://docs.clan.lol" />
 <meta property="og:type" content="website" />
 <meta property="og:site_name" content="Clan" />
 <meta property="og:locale" content="en_US" />
 {% endblock %}
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX`
		`@@ -1,2 +0,0 @@`
			`Automatically format a disk drive on clan installation`
			`---`