Revert "switch to nixpkgs hosteded by cache.nixos.org"

This reverts commit 8f6dd4acc4.
2025-03-23 13:42:22 +01:00
557 changed files with 7801 additions and 14653 deletions
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -13,7 +13,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.CI_APP_ID }}
--- a/.gitignore
+++ b/.gitignore
@@ -16,9 +16,6 @@ nixos.qcow2
 /docs/out
 **/.local.env

-# MacOS stuff
-**/.DS_store
-
 # dream2nix
 .dream2nix

@@ -42,6 +39,3 @@ repo
 node_modules
 dist
 .webui
-
-# TODO: remove after bug in select is fixed
-select
--- a/checks/app-ocr/default.nix
+++ b/checks/app-ocr/default.nix
@@ -1,41 +0,0 @@
-{ self, pkgs, ... }:
-{
-  name = "app-ocr-smoke-test";
-
-  enableOCR = true;
-
-  nodes = {
-    wayland =
-      { modulesPath, ... }:
-      {
-        imports = [ (modulesPath + "/../tests/common/wayland-cage.nix") ];
-        services.cage.program = "${self.packages.${pkgs.system}.clan-app}/bin/clan-app";
-        virtualisation.memorySize = 2047;
-        # TODO: get rid of this and fix debus-proxy error instead
-        services.cage.environment.WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS = "1";
-      };
-    xorg =
-      { pkgs, modulesPath, ... }:
-      {
-        imports = [
-          (modulesPath + "/../tests/common/user-account.nix")
-          (modulesPath + "/../tests/common/x11.nix")
-        ];
-        virtualisation.memorySize = 2047;
-        services.xserver.enable = true;
-        services.xserver.displayManager.sessionCommands = "${
-          self.packages.${pkgs.system}.clan-app
-        }/bin/clan-app";
-        test-support.displayManager.auto.user = "alice";
-      };
-  };
-  testScript = ''
-    start_all()
-
-    wayland.wait_for_unit('graphical.target')
-    xorg.wait_for_unit('graphical.target')
-
-    wayland.wait_for_text('Welcome to Clan')
-    xorg.wait_for_text('Welcome to Clan')
-  '';
-}
--- a/checks/backups/flake-module.nix
+++ b/checks/backups/flake-module.nix
@@ -36,16 +36,17 @@
        # Borgbackup overrides
        services.borgbackup.repos.test-backups = {
          path = "/var/lib/borgbackup/test-backups";
-          authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+          authorizedKeys = [ (builtins.readFile ../lib/ssh/pubkey) ];
        };
        clan.borgbackup.destinations.test-backup.repo = lib.mkForce "borg@machine:.";

        clan.core.networking.targetHost = "machine";
        networking.hostName = "machine";
+        nixpkgs.hostPlatform = "x86_64-linux";

        programs.ssh.knownHosts = {
          machine.hostNames = [ "machine" ];
-          machine.publicKey = builtins.readFile ../assets/ssh/pubkey;
+          machine.publicKey = builtins.readFile ../lib/ssh/pubkey;
        };

        services.openssh = {
@@ -60,7 +61,7 @@
          ];
        };

-        users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
+        users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];

        # This is needed to unlock the user for sshd
        # Because we use sshd without setuid binaries
@@ -68,21 +69,21 @@

        systemd.tmpfiles.settings."vmsecrets" = {
          "/root/.ssh/id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
+            C.argument = "${../lib/ssh/privkey}";
            z = {
              mode = "0400";
              user = "root";
            };
          };
          "/etc/secrets/ssh.id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
+            C.argument = "${../lib/ssh/privkey}";
            z = {
              mode = "0400";
              user = "root";
            };
          };
          "/etc/secrets/borgbackup/borgbackup.ssh" = {
-            C.argument = "${../assets/ssh/privkey}";
+            C.argument = "${../lib/ssh/privkey}";
            z = {
              mode = "0400";
              user = "root";
@@ -160,17 +161,24 @@
          "flake.lock"
          "flakeModules"
          "inventory.json"
+          "lib/build-clan"
+          "lib/default.nix"
+          "lib/select.nix"
+          "lib/flake-module.nix"
+          "lib/frontmatter"
+          "lib/inventory"
+          "lib/constraints"
          "nixosModules"
-          # Just include everything in 'lib'
-          # If anything changes in /lib that may affect everything
-          "lib"
        ];
      };
    in
    {
-      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        backups = self.clanLib.test.containerTest {
-          name = "backups";
+      # Needs investigation on aarch64-linux
+      # vm-test-run-test-backups> qemu-kvm: No machine specified, and there is no default
+      # vm-test-run-test-backups> Use -machine help to list supported machines
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux") {
+        test-backups = (import ../lib/container-test.nix) {
+          name = "test-backups";
          nodes.machine = {
            imports =
              [
--- a/checks/borgbackup/default.nix
+++ b/checks/borgbackup/default.nix
@@ -1,4 +1,4 @@
-(
+(import ../lib/test-base.nix) (
  { ... }:
  {
    name = "borgbackup";
@@ -12,16 +12,17 @@
          {
            services.openssh.enable = true;
            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+              authorizedKeys = [ (builtins.readFile ../lib/ssh/pubkey) ];
            };
          }
          {
+            clan.core.settings.machine.name = "machine";
            clan.core.settings.directory = ./.;
            clan.core.state.testState.folders = [ "/etc/state" ];
            environment.etc.state.text = "hello world";
            systemd.tmpfiles.settings."vmsecrets" = {
              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
+                C.argument = "${../lib/ssh/privkey}";
                z = {
                  mode = "0400";
                  user = "root";
--- a/checks/container/default.nix
+++ b/checks/container/default.nix
@@ -1,44 +1,19 @@
-(
+(import ../lib/container-test.nix) (
  { ... }:
  {
    name = "container";

-    nodes.machine1 =
+    nodes.machine =
      { ... }:
      {
-        networking.hostName = "machine1";
+        networking.hostName = "machine";
        services.openssh.enable = true;
        services.openssh.startWhenNeeded = false;
      };
-
-    nodes.machine2 =
-      { ... }:
-      {
-        networking.hostName = "machine2";
-        services.openssh.enable = true;
-        services.openssh.startWhenNeeded = false;
-      };
-
    testScript = ''
-      import subprocess
      start_all()
-      machine1.succeed("systemctl status sshd")
-      machine2.succeed("systemctl status sshd")
-      machine1.wait_for_unit("sshd")
-      machine2.wait_for_unit("sshd")
-
-      p1 = subprocess.run(["ip", "a"], check=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-      assert p1.returncode == 0
-      bridge_output = p1.stdout.decode("utf-8")
-      assert "br0" in bridge_output, f"bridge not found in ip a output: {bridge_output}"
-
-      for m in [machine1, machine2]:
-          out = machine1.succeed("ip addr show eth1")
-          assert "UP" in out, f"UP not found in ip addr show output: {out}"
-          assert "inet" in out, f"inet not found in ip addr show output: {out}"
-          assert "inet6" in out, f"inet6 not found in ip addr show output: {out}"
-
-      machine1.succeed("ping -c 1 machine2")
+      machine.succeed("systemctl status sshd")
+      machine.wait_for_unit("sshd")
    '';
  }
 )
--- a/checks/data-mesher/default.nix
+++ b/checks/data-mesher/default.nix
@@ -1,86 +0,0 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { lib, ... }:
-    let
-      machines = [
-        "admin"
-        "peer"
-        "signer"
-      ];
-    in
-    {
-      name = "data-mesher";
-
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs machines (_: { });
-          services = {
-            data-mesher.default = {
-              roles.peer.machines = [ "peer" ];
-              roles.admin.machines = [ "admin" ];
-              roles.signer.machines = [ "signer" ];
-            };
-          };
-        };
-      };
-
-      defaults =
-        { config, ... }:
-        {
-          environment.systemPackages = [
-            config.services.data-mesher.package
-          ];
-
-          clan.data-mesher.network.interface = "eth1";
-          clan.data-mesher.bootstrapNodes = [
-            "[2001:db8:1::1]:7946" # peer1
-            "[2001:db8:1::2]:7946" # peer2
-          ];
-
-          # speed up for testing
-          services.data-mesher.settings = {
-            cluster.join_interval = lib.mkForce "2s";
-            cluster.push_pull_interval = lib.mkForce "5s";
-          };
-        };
-
-      nodes = {
-        admin.clan.data-mesher.network.tld = "foo";
-      };
-
-      # TODO Add better test script.
-      testScript = ''
-
-        def resolve(node, success = {}, fail = [], timeout = 60):
-          for hostname, ips in success.items():
-              for ip in ips:
-                  node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
-
-          for hostname in fail:
-              node.wait_until_fails(f"getent ahosts {hostname}")
-
-        start_all()
-
-        admin.wait_for_unit("data-mesher")
-        signer.wait_for_unit("data-mesher")
-        peer.wait_for_unit("data-mesher")
-
-        # check dns resolution
-        for node in [admin, signer, peer]:
-          resolve(node, {
-              "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
-              "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
-              "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
-          })
-      '';
-    }
-  );
-}
--- a/checks/data-mesher/sops/machines/admin/key.json
+++ b/checks/data-mesher/sops/machines/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-  "type": "age"
-}
--- a/checks/data-mesher/sops/machines/peer/key.json
+++ b/checks/data-mesher/sops/machines/peer/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-  "type": "age"
-}
--- a/checks/data-mesher/sops/machines/signer/key.json
+++ b/checks/data-mesher/sops/machines/signer/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-  "type": "age"
-}
--- a/checks/data-mesher/sops/secrets/admin-age.key/secret
+++ b/checks/data-mesher/sops/secrets/admin-age.key/secret
@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:7xyb6WoaN7uRWEO8QRkBw7iytP5hFrA94VRi+sy/UhzqT9AyDPmxB/F8ASFsBbzJUwi0Oqd2E1CeIYRoDhG7JHnDyL2bYonz2RQ=,iv:slh3x774m6oTHAXFwcen1qF+jEchOKCyNsJMbNhqXHE=,tag:wtK8H8PZCESPA1vZCd7Ptw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTzZ4RTVNb2I1MTBRMEcy\neU1Eek9GakkydEJBVm9kR3AyY1pEYkorNUYwCkh2WHhNQmc1eWI2cCtEUFFWdzJq\nS0FvQWtoOFkzRVBxVzhuczc0aVprbkkKLS0tIFRLdmpnbzY1Uk9LdklEWnQzZHM2\nVEx3dzhMSnMwaWE0V0J6VTZ5ZVFYMjgKdaICa/hprHxhH89XD7ri0vyTT4rM+Si0\niHcQU4x64dgoJa4gKxgr4k9XncjoNEjJhxL7i/ZNZ5deaaLRn5rKMg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:24:55Z",
-		"mac": "ENC[AES256_GCM,data:TJWDHGSRBfOCW8Q+t3YxG3vlpf9a5u7B27AamnOk95huqIv0htqWV3RuV7NoOZ5v2ijqSe/pLfpwrmtdhO2sUBEvhdhJm8UzLShP7AbH9lxV+icJOsY7VSrp+R5W526V46ONP6p47b7fOQBbp03BMz01G191N68WYOf6k2arGxU=,iv:nEyTBwJ2EA+OAl8Ulo5cvFX6Ow2FwzTWooF/rdkPiXg=,tag:oYcG16zR+Fb5XzVsHhq2Qw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/sops/secrets/admin-age.key/users/admin
+++ b/checks/data-mesher/sops/secrets/admin-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/data-mesher/sops/secrets/peer-age.key/secret
+++ b/checks/data-mesher/sops/secrets/peer-age.key/secret
@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:JOOhvl0clDD/b5YO45CXR3wVopBSNe9dYBG+p5iD+nniN2OgOwBgYPNSCVtc+NemqutD12hFUSfCzXidkv0ijhD1JZeLar9Ygxc=,iv:XctQwSYSvKhDRk/XMacC9uMydZ8e9hnhpoWTgyXiFI0=,tag:foAhBlg4DwpQU2G9DzTo5g==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWMvWkp5TnZQcGs5Ykhp\nWC91YkoyZERqdXpxQm5JVmRhaUhueEJETDJVCkM4V0hSYldkV1U2Q0d1TGh3eGNR\nVjJ1VFd6ZEN0SXZjSVEvcnV2WW0vbVUKLS0tIFRCNW9nWHdYaUxLSVVUSXM0OGtN\nVFMzRXExNkYxcFE3QWlxVUM3ay9INm8KV6r8ftpwarly3qXoU9y8KxKrUKLvP9KX\nGsP0pORsaM+qPMsdfEo35CqhAeQu0+6DWd7/67+fUMp6Jr0DthtTmg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:28Z",
-		"mac": "ENC[AES256_GCM,data:scY9+/fcXhfHEdrsZJLOM6nfjpRaURgTVbCRepUjhUo24B4ByEsAo2B8psVAaGEHEsFRZuoiByqrGzKhyUASmUs+wn+ziOKBTLzu55fOakp8PWYtQ4miiz2TQffp80gCQRJpykcbUgqIKXNSNutt4tosTBL7osXwCEnEQWd+SaA=,iv:1VXNvLP6DUxZYEr1juOLJmZCGbLp33DlwhxHQV9AMD4=,tag:uFM1R8OmkFS74/zkUG0k8A==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/sops/secrets/peer-age.key/users/admin
+++ b/checks/data-mesher/sops/secrets/peer-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/data-mesher/sops/secrets/signer-age.key/secret
+++ b/checks/data-mesher/sops/secrets/signer-age.key/secret
@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:i1YBJdK8XmWnVnZKBpmWggSN8JSOr8pm2Zx+CeE8qqeLZ7xwMO8SYCutM8l94M5vzmmX0CmwzeMZ/JVPbEwFd3ZAImUfh685HOY=,iv:N4rHNaX+WmoPb0EZPqMt+CT1BzaWO9LyoemBxKn+u/s=,tag:PnzSvdGwVnTMK8Do8VzFaQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RXlmcVNGTnlkY2ZqZFlH\nVnh0eHhRNE5hRDNDVkt0TEE0bmRNN2JIVkN3CkxnaGM4Y3M3a0xoK2xMRzBLMHRV\nT1FzKzNRMFZOeWc2K3E5K2FzdUsvWmsKLS0tIENtVlFSWElHN3RtOUY2alhxajhs\naXI1MmR4WC9EVGVFK3dHM1gvVnlZMVUKCyLz0DkdbWfSfccShO1xjWfxhunEIbD0\n6imeIBhZHvVJmZLXnVl7B0pNXo6be7WSBMAUM9gUtCNh4zaChBNwGw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:52Z",
-		"mac": "ENC[AES256_GCM,data:WFGysoXN95e/RxL094CoL4iueqEcSqCSQZLahwz9HMLi+8HWZIXr55a+jyK7piqR8nBS4BquU5fKhlC6BvEbZFt69t4onTA+LxS3D7A8/TO0CWS0RymUjW9omJUseRQWwAHtE7l0qI5hdOUKhQ+o5pU+2bc3PUlaONM0aOCCoFo=,iv:l1f4aVqLl5VAMfjNxDbxQEQp/qY/nxzgv2GTuPVBoBA=,tag:4PPDCmDrviqdn42RLHQYbA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/sops/secrets/signer-age.key/users/admin
+++ b/checks/data-mesher/sops/secrets/signer-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/data-mesher/sops/users/admin/key.json
+++ b/checks/data-mesher/sops/users/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}
--- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin
+++ b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin
@@ -1 +0,0 @@
-../../../../../../sops/machines/admin
--- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret
+++ b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret
@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:w3bU23Pfe8W89lF+tOmEYPU/A4FkY6n7rgQ6yo+eqCJFxTyHydV6Mg4/g4jaL+4wwIqNYRiMR8J8jLhSvw3Bc59u7Ul+RGwdpiKoBBJfsHjO8r6uOz2u9Raa+iUJH1EJWmGvsQXAILpliZ+klS96VWnGN3pYMEI=,iv:7QbUxta6NPQLZrh6AOcNe+0wkrADuTI9VKVp8q+XoZ8=,tag:ZH0t3RylfQk5U23ZHWaw0g==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTBoSFJVSTdZeW4wZG9p\nWFR1LzVmYS8xWmRqTlNtWFVkSW9jZXpVejJBCkpqZm12L1dDSmNhekVsK1JBOU9r\nZThScGdDakFlRzNsVXp1eE5yOStFSW8KLS0tIFRrTkZBQlRsR2VNcUJvNEkzS2pw\nNksvM296UkFWTkZDVVp1ZVZMNUs4cWsKWTteB1G9Oo38a81PeqKO09NUQetuqosC\nhrToQ6NMo5O7/StmVG228MHbJS3KLXsvh2AFOEPyZrbpB2Opd2wwoA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U2FWRThRNkVQdk9yZ0VE\nM09iSVhmeldMcDZVaFRDNGtjWTdBa0VIT2pJCkdtd04xSXdicDY3OHI1WXl5TndB\nemtQeW1SS2tVVllPUHhLUTRla3haZGMKLS0tIGN0NVNEN3RKeWM0azBBMnBpQU4r\nTFFzQ0lOcGt0ek9UZmZZRjhibTNTc0EKReUwYBVM1NKX0FD/ZeokFAAknwju5Azq\nGzl4UVJBi5Es0GWORdCGElPXMd7jMud1SwgY04AdZj/dzinCSW4CZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:10Z",
-		"mac": "ENC[AES256_GCM,data:0vl9Gt4QeH+GJcnl8FuWSaqQXC8S6Pe50NmeDg5Nl2NWagz8aLCvOFyTqX/Icp/bTi1XQ5icHHhF3YhM+QAvdUL3aO0WGbh92dPRnFuvlZsdtwCFhT+LyHyYHFf6yP+0h/uFpJv9fE6xY22CezA6ZVQ8ywi1epaC548Gr27uVe4=,iv:G4hZVCLkIpbg9uwB7Y8xtHLdnlmBvFrPjxSoqdyHNvM=,tag:uvKwakhUY2aa7v0tmR/o8A==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin
+++ b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value
+++ b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value
@@ -1,3 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAm204bpSFi4jOjZuXDpIZ/rcJBrbG4zAc7OSA4rAVSYE=
-----END PUBLIC KEY-----
--- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer
+++ b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer
--- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret
+++ b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret
@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:kERPY40pyvke0mRBnafa4zOaF46rbueRbhpUCXjYP5ORpC7zoOhbdlVBhOsPqE2vfEP4RWkH+ZPdDYXOKXwotBCmlq2i7TfZeoNXFkzWXc3GyM5mndnjCc8hvYEQF1w6xkkVSUt4n06BAw/gT0ppz+vo5dExIA8=,iv:JmYD2o4DGqds6DV7ucUmUD0BRB61exbRsNAtINOR8cQ=,tag:Z58gVnHD+4s21Z84IRw+Vw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OFluVThBdUJSTmRVTk94\neFZnLytvcnNSdmQvR3ZkT2UvWFVieFV1SUFNCm9jWHlyZXRwaVdFaG9ocnd4S3FU\ndTZ2dklBbkFVL0hVT0Y2L1o5dnUyNG8KLS0tIGFvYlBJR3l2b3F6OU9uMTFkYjli\nNVFLOWQzOStpU2kzb0xyZUFCMnBmMVUK5Jzssf1XBX25bq0RKlJY8NwtKIytxL/c\nBPPFDZywJiUgw1izsdfGVkRhhSFCQIz+yWIJWzr01NU2jLyFjSfCNw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYW92c3Q4SktwSnJ1TkRJ\nZEJyZk96cG8ybkpPQzYzVk0xZGs0eCtISVR3CmhDaWxTem1FMjJKNmZNaTkxN01n\nenUvdFI1UkFmL1lzNlM5N0Ixd0dpc1EKLS0tIHpyS2VHaHRRdUovQVgvRmRHaXh3\naFpSNURjTWkxaW9TOXpKL2IvcUFEbmMKq4Ch7DIL34NetFV+xygTdcpQjjmV8v1n\nlvYcjUO/9c3nVkxNMJYGjuxFLuFc4Gw+AyawCjpsIYXRskYRW4UR1w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:43Z",
-		"mac": "ENC[AES256_GCM,data:YhL2d6i0VpUd15B4ow2BgRpyEm0KEA8NSb7jZcjI58d7d4lAqBMcDQB+8a9e2NZbPk8p1EYl3q4VXbEnuwsJiPZI2kabRusy/IGoHzUTUMFfVaOuUcC0eyINNVSmzJxnCbLCAA1Aj1yXzgRQ0MWr7r0RHMKw0D1e0HxdEsuAPrA=,iv:yPlMmE6+NEEQ9uOZzD3lUTBcfUwGX/Ar+bCu0XKnjIg=,tag:eR22BCFVAlRHdggg9oCeaA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin
+++ b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value
+++ b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value
@@ -1,3 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAv5dICFue2fYO0Zi1IyfYjoNfR6713WpISo7+2bSjL18=
-----END PUBLIC KEY-----
--- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer
+++ b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer
@@ -1 +0,0 @@
-../../../../../../sops/machines/signer
--- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret
+++ b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret
@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:U8F7clQ2Tuj8zy5EoEga/Mc9N3LLZrlFf5m7UJKrP5yybFRCJSBs05hOcNe+LQZdEAvvr0Qbkry1pQyE84gCVbxHvwkD+l3GbguBuLMsW96bHcmstb6AvZyhMDBpm73Azf4lXhNaiB8p2pDWdxV77E+PPw1MNYI=,iv:hQhN6Ak8tB6cXSCnTmmQqHEpXWpWck3uIVCk5pUqFqU=,tag:uC4ljcs92WPlUOfwSkrK9Q==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvV05lejQrdUQvQjZPOG9v\nZ01naXlYZ1JxWHhDT1M1aUs1RWJDSU1acVFFCmdHY094aGRPYWxpdVVxSFVHRU9v\nNnVaeTlpSEdtSWRDMmVMSjdSOEQ4ZlEKLS0tIFo5NVk2bzBxYjZ5ZWpDWTMrQ2VF\nVThWUk0rVXpTY2svSCtiVDhTQ2kvbFkKEM2DBuFtdEj1G/vS1TsyIfQxSFFvPTDq\nCmO7L/J5lHdyfIXzp/FlhdKpjvmchb8gbfJn7IWpKopc7Zimy/JnGQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNzVUaHkzUzVEMlh1Q3Qr\nOEo0aDJIMG91amJiZG50MEhqblRCTWxRRVVRCk4xZlp4SkJuUHc2UnFyU1prczkz\nNGtlQlRlNnBDRFFvUGhReTh6MTBZaXMKLS0tIGxtaXhUMDM0RU4yQytualdzdTFt\nWGRiVG54MnYrR2lqZVZoT0VkbmV5WUUKbzAnOkn8RYOo7z4RISQ0yN875vSEQMDa\nnnttzVrQuK0/iZvzJ0Zq8U9+JJJKvFB1tHqye6CN0zMbv55CLLnA0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:26:07Z",
-		"mac": "ENC[AES256_GCM,data:uMss4+BiVupFqX7nHnMo+0yZ8RPuFD8VHYK2EtJSqzgurQrZVT4tJwY50mz2gVmwbrm49QYKk5S+H29DU0cM0HiEOgB5P5ObpXTRJPagWQ48CEFrDpBzLplobxulwnN6jJ1dpL3JF3jfrzrnSDFXMvx+n5x/86/AYXYRsi/UeyY=,iv:mPT1svKrNGmYpbL9hh2Bxxakml69q+U6gQ0ZnEcbEyg=,tag:zcZx1lTw/bEsX/1g+6T04g==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin
+++ b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value
+++ b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value
@@ -1,3 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAeUkW5UIwA1svbNY71ePyJKX68UhxrqIUGQ2jd06w5WM=
-----END PUBLIC KEY-----
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/admin
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/admin
@@ -1 +0,0 @@
-../../../../../sops/machines/admin
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/peer
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/peer
@@ -1 +0,0 @@
-../../../../../sops/machines/peer
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/signer
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/signer
@@ -1 +0,0 @@
-../../../../../sops/machines/signer
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret
@@ -1,32 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:nRlCMF58cnkdUAE2aVHEG1+vAckKtVt48Jr21Bklfbsqe1yTiHPFAMLL1ywgWWWd7FjI/Z8WID9sWzh9J8Vmotw4aJWU/rIQSeF8cJHALvfOxarJIIyb7purAiPoPPs6ggGmSmVFGB1aw8kH1JMcppQN8OItdQM=,iv:qTwaL2mgw6g7heN/H5qcjei3oY+h46PdSe3v2hDlkTs=,tag:jYNULrOPl9mcQTTrx1SDeA==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcG44cGFBWXk2Z0pmNklv\nTnJ5b0svLytzZmNNRkxCVU1zaDVhNUs2cld3CklsenpWd0g2OEdKKzBMQlNEejRn\nTlEvY01HYjdvVExadnN3aXZIRTZ4YlEKLS0tIGRPUXdNSHZCRDBMbno2MjJqRHBl\nSzdiSURDYitQWFpaSElkdmdicDVjMWsKweQiRqyzXmzabmU2fmgwHtOa9uDmhx9O\ns9NfUhC3ifooQUSeYp58b1ZGJQx5O5bn9q/DaEoit5LTOUprt1pUPA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEdlL29sVWFpSDNNaXRJ\ndTJDRkU4VzFPQ0M4MkFha2IxV2FXN2o3ZEFRCjF3UnZ5U1hTc3VvSTIzcWxOZjl0\ncHlLVEFqRk1UbGdxaUxEeDFqbFVYaU0KLS0tIFFyMnJkZnRHdWg4Z1IyRHFkY0I5\nQjdIMGtGLzRGMFM0ektDZ3hzZDdHSmMKvxOQuKgePom0QfPSvn+4vsGHhJ4BoOvW\nc27Vn4/i4hbjfJr4JpULAwyIwt3F0RaTA2M6EkFkY8otEi3vkcpWvA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZzdsaVRnSmsrMGR1Ylg3\nZkpscTdwNUl5NUVXN3kvMU1icE0yZU1WSEJBClB6SlJYZUhDSElRREx5b0VueFUw\nNVFRU3BSU24yWEtpRnJoUC83SDVaUWsKLS0tIGVxNEo3TjlwakpDZlNsSkVCOXlz\nNDgwaE1xNjZkSnJBVlU5YXVHeGxVNFEKsXKyTzq9VsERpXzbFJGv/pbAghFAcXkf\nMmCgQHsfIMBJQUstcO8sAkxv3ced0dAEz8O6NUd0FS2zlhBzt29Rnw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkK1hDMGxCc1IvYXlJMnBF\nWncxaXBQa1RpTWdwUHc3Yk16My8rVHNJc2dFCkNlK2h0dy9oU3Z5ZGhwRWVLYVUz\ncVBKT2x5VnlhbXNmdHkwbmZzVG5sd0EKLS0tIHJaMzhDanF4Rkl3akN4MEIxOHFC\nYWRUZ08xb1UwOFNRaktkMjIzNXZmNkUK1rlbJ96oUNQZLmCmPNDOKxfDMMa+Bl2E\nJPxcNc7XY3WBHa3xFUbcqiPxWxDyaZjhq/LYQGpepiGonGMEzR5JOQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:20Z",
-		"mac": "ENC[AES256_GCM,data:za9ku+9lu1TTRjbPcd5LYDM4tJsAYF/yuWFCGkAhqcYguEducsIfoKBwL42ahAzqLjCZp91YJuINtw16mM+Hmlhi/BVwhnXNHqcfnKoAS/zg9KJvWcvXwKMmjEjaBovqaCWXWoKS7dn/wZ7nfGrlsiUilCDkW4BzTIzkqNkyREU=,iv:2X9apXMatwCPRBIRbPxz6PJQwGrlr7O+z+MrsnFq+sQ=,tag:IYvitoV4MhyJyRO1ySxbLQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/users/admin
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/users/admin
@@ -1 +0,0 @@
-../../../../../sops/users/admin
--- a/checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value
+++ b/checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value
@@ -1,3 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEA/5j+Js7oxwWvZdfjfEO/3UuRqMxLKXsaNc3/5N2WSaw=
-----END PUBLIC KEY-----
--- a/checks/deltachat/default.nix
+++ b/checks/deltachat/default.nix
@@ -10,6 +10,7 @@
          self.clanModules.deltachat
          self.nixosModules.clanCore
          {
+            clan.core.settings.machine.name = "machine";
            clan.core.settings.directory = ./.;
          }
        ];
--- a/checks/dummy-inventory-test/default.nix
+++ b/checks/dummy-inventory-test/default.nix
@@ -1,76 +0,0 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { ... }:
-    {
-      # This tests the compatibility of the inventory
-      # With the test framework
-      # - legacy-modules
-      # - clan.service modules
-      name = "dummy-inventory-test";
-
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines.peer1 = { };
-          machines.admin1 = { };
-          services = {
-            legacy-module.default = {
-              roles.peer.machines = [ "peer1" ];
-              roles.admin.machines = [ "admin1" ];
-            };
-          };
-          instances."test" = {
-            module.name = "new-service";
-            roles.peer.machines.peer1 = { };
-          };
-
-          modules = {
-            legacy-module = ./legacy-module;
-            new-service = {
-              _class = "clan.service";
-              manifest.name = "new-service";
-              roles.peer = { };
-              perMachine = {
-                nixosModule = {
-                  # This should be generated by:
-                  # ./pkgs/scripts/update-vars.py
-                  clan.core.vars.generators.new-service = {
-                    files.hello = {
-                      secret = false;
-                      deploy = true;
-                    };
-                    script = ''
-                      # This is a dummy script that does nothing
-                      echo "This is a dummy script" > $out/hello
-                    '';
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-
-      testScript =
-        { nodes, ... }:
-        ''
-          start_all()
-          admin1.wait_for_unit("multi-user.target")
-          peer1.wait_for_unit("multi-user.target")
-          # Provided by the legacy module
-          print(admin1.succeed("systemctl status dummy-service"))
-          print(peer1.succeed("systemctl status dummy-service"))
-
-          # peer1 should have the 'hello' file
-          peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.hello.path}")
-        '';
-    }
-  );
-}
--- a/checks/dummy-inventory-test/legacy-module/README.md
+++ b/checks/dummy-inventory-test/legacy-module/README.md
@@ -1,10 +0,0 @@
---
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
---
-
--- a/checks/dummy-inventory-test/legacy-module/roles/admin.nix
+++ b/checks/dummy-inventory-test/legacy-module/roles/admin.nix
@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}
--- a/checks/dummy-inventory-test/legacy-module/roles/peer.nix
+++ b/checks/dummy-inventory-test/legacy-module/roles/peer.nix
@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}
--- a/checks/dummy-inventory-test/legacy-module/shared.nix
+++ b/checks/dummy-inventory-test/legacy-module/shared.nix
@@ -1,34 +0,0 @@
-{ config, ... }:
-{
-  systemd.services.dummy-service = {
-    enable = true;
-    description = "Dummy service";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
-      if [ ! -f "$generated_password_path" ]; then
-        echo "Generated password file not found: $generated_password_path"
-        exit 1
-      fi
-      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
-      if [ ! -e "$host_id_path" ]; then
-        echo "Host ID file not found: $host_id_path"
-        exit 1
-      fi
-    '';
-  };
-
-  # TODO: add and prompt and make it work in the test framework
-  clan.core.vars.generators.dummy-generator = {
-    files.host-id.secret = false;
-    files.generated-password.secret = true;
-    script = ''
-      echo $RANDOM > "$out"/host-id
-      echo $RANDOM > "$out"/generated-password
-    '';
-  };
-}
--- a/checks/dummy-inventory-test/sops/machines/admin1/key.json
+++ b/checks/dummy-inventory-test/sops/machines/admin1/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1hd2exjq88h7538y6mvjvexx3u5gp6a03yfn5nj32h2667yyksyaqcuk5qs",
-    "type": "age"
-  }
-]
--- a/checks/dummy-inventory-test/sops/machines/peer1/key.json
+++ b/checks/dummy-inventory-test/sops/machines/peer1/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age19urkt89q45a2wk6a4yaramzufjtnw6nq2snls0v7hmf7tqf73axsfx50tk",
-    "type": "age"
-  }
-]
--- a/checks/dummy-inventory-test/sops/secrets/admin1-age.key/secret
+++ b/checks/dummy-inventory-test/sops/secrets/admin1-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:hhuFgZcPqht0h3tKxGtheS4GlrVDo4TxH0a9lxgPYj2i12QUmE04rB07A+hu4Z8WNWLYvdM5069mEOZYm3lSeTzBHQPxYZRuVj0=,iv:sA1srRFQqsMlJTAjFcb09tI/Jg2WjOVJL5NZkPwiLoU=,tag:6xXo9FZpmAJw6hCBsWzf8Q==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaGVHeTgrN3dJQ2VITFBM\neWVzbDhjb0pwNUhBUjdUc0p5OTVta1dvSno4ClJxeUc4Z0hiaFRkVlJ1YTA4Lyta\neWdwV005WGYvMUNRVG1qOVdicTk0NUkKLS0tIFQvaDNFS1JMSFlHRXlhc3lsZm03\nYVhDaHNsam5wN1VqdzA3WTZwM1JwV2sKZk/SiZJgjllADdfHLSWuQcU4+LttDpt/\nqqDUATEuqYaALljC/y3COT+grTM2bwGjj6fsfsfiO/EL9iwzD3+7oA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-09T15:10:16Z",
-		"mac": "ENC[AES256_GCM,data:xuXj4833G6nhvcRo2ekDxz8G5phltmU8h1GgGofH9WndzrqLKeRSqm/n03IHRW0f4F68XxnyAkfvokVh6vW3LRQAFkqIlXz5U4+zFNcaVaPobS5gHTgxsCoTUoalWPvHWtXd50hUVXeAt8rPfTfeveVGja8bOERk8mvwUPxb6h4=,iv:yP1usA9m8tKl6Z/UK9PaVMJlZlF5qpY4EiM4+ByVlik=,tag:8DgoIhLstp3MRki90VfEvw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/dummy-inventory-test/sops/secrets/admin1-age.key/users/admin
+++ b/checks/dummy-inventory-test/sops/secrets/admin1-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/dummy-inventory-test/sops/secrets/peer1-age.key/secret
+++ b/checks/dummy-inventory-test/sops/secrets/peer1-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:rwPhbayGf6mE1E9NCN+LuL7VfWWOfhoJW6H2tNSoyebtyTpM3GO2jWca1+N7hI0juhNkUk+rIsYQYbCa/5DZQiV0/2Jgu4US1XY=,iv:B5mcaQsDjb6BacxGB4Kk88/qLCpVOjQNRvGN+fgUiEo=,tag:Uz0A8kAF5NzFetbv9yHIjQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0hKQ1dnV0tMYytDMCtj\nTDV4Zk5NeVN0bCtqaWRQV3d4M0VlcGVZMkhZCm02dHZyOGVlYzJ5Z3FlUWNXMVQ0\nb2ZrTXZQRzRNdzFDeWZCVGhlTS9rMm8KLS0tIEJkY1QwOENRYWw3cjIwd3I0bzdz\nOEtQNm1saE5wNWt2UUVnYlN4NWtGdFkKmWHU5ttZoQ3NZu/zkX5VxfC2sMpSOyod\neb7LRhFqPfo5N1XphJcCqr5QUoZOfnH0xFhZ2lxWUS3ItiRpU4VDwg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-09T15:10:41Z",
-		"mac": "ENC[AES256_GCM,data:pab0G2GPjgs59sbiZ8XIV5SdRtq5NPU0yq18FcqiMV8noAL94fyVAY7fb+9HILQWQsEjcykgk9mA2MQ0KpK/XG8+tDQKcBH+F+2aQnw5GJevXmfi7KLTU0P224SNo7EnKlfFruB/+NZ0WBtkbbg1OzekrbplchpSI6BxWz/jASE=,iv:TCj9FCxgfMF2+PJejr67zgGnF+CFS+YeJiejnHbf7j0=,tag:s7r9SqxeqpAkncohYvIQ2Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/dummy-inventory-test/sops/secrets/peer1-age.key/users/admin
+++ b/checks/dummy-inventory-test/sops/secrets/peer1-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/dummy-inventory-test/sops/users/admin/key.json
+++ b/checks/dummy-inventory-test/sops/users/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
@@ -1 +0,0 @@
-../../../../../../sops/machines/admin1
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:bxM9aYMK,iv:SMNYtk9FSyZ1PIfEzayTKKdCnZWdhcyUEiTwFUNb988=,tag:qJYW4+VQyhF1tGPQPTKlOQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1hd2exjq88h7538y6mvjvexx3u5gp6a03yfn5nj32h2667yyksyaqcuk5qs",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZDZYYXdpcXVqRFRnQ2Jx\nTFhFWEJTR290cHZhTXZadFFvcHM4MHVIN3lFCmJhOEZrL3g4TFBZVllxdDFZakJn\nR3NxdXo0eE8vTDh3QlhWOFpVZ0lNUHcKLS0tIEE4dkpCalNzaXJ0Qks3VHJSUzZF\nb2N3NGdjNHJnSUN6bW8welZ1VDdJakEKGKZ7nn1p11IyJB6DMxu2HJMvZ+0+5WpE\nPLWh2NlGJO3XrrL4Fw7xetwbqE+QUZPNl/JbEbu4KLIUGLjqk9JDhQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckJCQVFyb21aT1R0d2Rr\nMWxNMHVqcGxabHBmS0RibW9sN0gyZDI1b1dFCnRWUk5LSWdxV3c4RWVZdUtEN1Fv\nRk4xVmwwT2xrdWVERkJXUVVlVXJjTVUKLS0tIC9ERG9KMGxTNEsrbzFHUGRiVUlm\nRi9qakxoc1FOVVV1TkUrckwxRUVnajQKE8ms/np2NMswden3xkjdC8cXccASLOoN\nu+EaEk69UvBvnOg9VBjyPAraIKgNrTc4WWwz+DOBj1pCwVbu9XxUlA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-09T15:10:30Z",
-		"mac": "ENC[AES256_GCM,data:cIwWctUbAFI8TRMxYWy5xqlKDVLMqBIxVv4LInnLqi3AauL0rJ3Z7AxK/wb2dCQM07E1N7YaORNqgUpFC1xo0hObAA8mrPaToPotKDkjua0zuyTUNS1COoraYjZpI/LKwmik/qtk399LMhiC7aHs+IliT9Dd41B8LSMBXwdMldY=,iv:sZ+//BrYH5Ay2JJAGs7K+WfO2ASK82syDlilQjGmgFs=,tag:nY+Af9eQRLwkiHZe85dQ9A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/host-id/value
@@ -1 +0,0 @@
-13898
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:ImlGIKxE,iv:UUWxjLNRKJCD2WHNpw8lfvCc8rnXPCqc2pni1ODckjE=,tag:HFCqiv31E9bShIIaAEjF0A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age19urkt89q45a2wk6a4yaramzufjtnw6nq2snls0v7hmf7tqf73axsfx50tk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTEROZjh6NjBhSlJSc1Av\nSHhjdkhwVUd3VzBZemhQb3dhMlJXalBmZlFjCkZPYkhZZGVOVTNjUWdFU0s4cWFn\nL2NXbkRCdUlMdElnK2lGbG5iV0w1cHMKLS0tIFREcmxDdHlUNVBFVGRVZSt0c0E5\nbnpHaW1Vb3R3ZFFnZVMxY3djSjJmOU0KIwqCSQf5S9oA59BXu7yC/V6yqvCh88pa\nYgmNyBjulytPh1aAfOuNWIGdIxBpcEf+gFjz3EiJY9Kft3fTmhp2bw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN3R4TThibjdYbE9TMDE1\naUhuNDlscExjaktIR2VmTk1OMWtVM0NpTUJZClJUNEcwVDlibExWQk84TTNEWFhp\nMjYyZStHc1N0ZTh1S3VTVk45WGxlWWMKLS0tIHFab25LY1R1d1l6NE5XbHJvQ3lj\nNGsxUldFVHQ5RVJERDlGbi9NY29hNWsKENBTcAS/R/dTGRYdaWv5Mc/YG4bkah5w\nb421ZMQF+r4CYnzUqnwivTG8TMRMqJLavfkutE6ZUfJbbLufrTk5Lw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-09T15:11:04Z",
-		"mac": "ENC[AES256_GCM,data:JdJzocQZWVprOmZ4Ni04k1tpD1TpFcK5neKy3+0/c3+uPBwjwaMayISKRaa/ILUXlalg60oTqxB4fUFoYVm8KGQVhDwPhO/T1hyYVQqidonrcYfJfCYg00mVSREV/AWqXb7RTnaEBfrdnRJvaAQF9g2qDXGVgzp3eACdlItclv4=,iv:nOw1jQjIWHWwU3SiKpuQgMKXyu8MZYI+zI9UYYd9fCI=,tag:ewUkemIPm/5PkmuUD0EcAQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/host-id/value
@@ -1 +0,0 @@
-30661
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/hello/value
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/hello/value
@@ -1 +0,0 @@
-This is a dummy script
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -12,9 +12,9 @@ in
    ./flash/flake-module.nix
    ./impure/flake-module.nix
    ./installation/flake-module.nix
+    ./installation-without-system/flake-module.nix
    ./morph/flake-module.nix
    ./nixos-documentation/flake-module.nix
-    ./sanity-checks/dont-depend-on-repo-root.nix
  ];
  perSystem =
    {
@@ -28,76 +28,36 @@ in
        let
          nixosTestArgs = {
            # reference to nixpkgs for the current system
-            inherit pkgs lib;
+            inherit pkgs;
            # this gives us a reference to our flake but also all flake inputs
            inherit self;
-            inherit (self) clanLib;
          };
          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+            # import our test
+            secrets = import ./secrets nixosTestArgs;
+            container = import ./container nixosTestArgs;
            # Deltachat is currently marked as broken
            # deltachat = import ./deltachat nixosTestArgs;
-
-            # Base Tests
-            secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
-            wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
-
-            # Container Tests
-            container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
-
-            # Clan Tests
+            borgbackup = import ./borgbackup nixosTestArgs;
+            matrix-synapse = import ./matrix-synapse nixosTestArgs;
            mumble = import ./mumble nixosTestArgs;
-            dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-            data-mesher = import ./data-mesher nixosTestArgs;
            syncthing = import ./syncthing nixosTestArgs;
+            zt-tcp-relay = import ./zt-tcp-relay nixosTestArgs;
+            postgresql = import ./postgresql nixosTestArgs;
+            wayland-proxy-virtwl = import ./wayland-proxy-virtwl nixosTestArgs;
          };

-          packagesToBuild = lib.removeAttrs self'.packages [
-            # exclude the check that checks that nothing depends on the repo root
-            # We might want to include this later once everything is fixed
-            "dont-depend-on-repo-root"
-          ];
-
          flakeOutputs =
            lib.mapAttrs' (
              name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
-            ) (lib.filterAttrs (n: _: !lib.hasPrefix "test-" n) self.nixosConfigurations)
-            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
+            ) (lib.filterAttrs (n: _v: n != "test-install-machine-without-system") self.nixosConfigurations)
+            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages
            // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
            // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
              self'.legacyPackages.homeConfigurations or { }
            );
        in
-        nixosTests
-        // flakeOutputs
-        // {
-          # TODO: Automatically provide this check to downstream users to check their modules
-          clan-modules-json-compatible =
-            let
-              allSchemas = lib.mapAttrs (
-                _n: m:
-                let
-                  schema =
-                    (self.clanLib.inventory.evalClanService {
-                      modules = [ m ];
-                      key = "checks";
-                    }).config.result.api.schema;
-                in
-                schema
-              ) self.clan.modules;
-            in
-            pkgs.runCommand "combined-result"
-              {
-                schemaFile = builtins.toFile "schemas.json" (builtins.toJSON allSchemas);
-              }
-              ''
-                mkdir -p $out
-                cat $schemaFile > $out/allSchemas.json
-              '';
-        };
+        nixosTests // flakeOutputs;
      legacyPackages = {
        nixosTests =
          let
@@ -112,8 +72,6 @@ in
            # import our test
            secrets = import ./secrets nixosTestArgs;
            container = import ./container nixosTestArgs;
-            # Clan app tests
-            app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
          };
      };
    };
--- a/checks/flash/flake-module.nix
+++ b/checks/flash/flake-module.nix
@@ -1,32 +1,18 @@
+{ self, lib, ... }:
 {
-  config,
-  self,
-  lib,
-  ...
-}:
-{
-  clan.machines = lib.listToAttrs (
-    lib.map (
-      system:
-      lib.nameValuePair "test-flash-machine-${system}" {
-        clan.core.networking.targetHost = "test-flash-machine";
-        fileSystems."/".device = lib.mkDefault "/dev/vda";
-        boot.loader.grub.device = lib.mkDefault "/dev/vda";
+  clan.machines.test-flash-machine = {
+    clan.core.networking.targetHost = "test-flash-machine";
+    fileSystems."/".device = lib.mkDefault "/dev/vda";
+    boot.loader.grub.device = lib.mkDefault "/dev/vda";

-        # We need to use `mkForce` because we inherit from `test-install-machine`
-        # which currently hardcodes `nixpkgs.hostPlatform`
-        nixpkgs.hostPlatform = lib.mkForce system;
-
-        imports = [ self.nixosModules.test-flash-machine ];
-      }
-    ) (lib.filter (lib.hasSuffix "linux") config.systems)
-  );
+    imports = [ self.nixosModules.test-flash-machine ];
+  };

  flake.nixosModules = {
    test-flash-machine =
      { lib, ... }:
      {
-        imports = [ self.nixosModules.test-install-machine-without-system ];
+        imports = [ self.nixosModules.test-install-machine ];

        clan.core.vars.generators.test = lib.mkForce { };

@@ -36,6 +22,7 @@

  perSystem =
    {
+      nodes,
      pkgs,
      lib,
      ...
@@ -43,20 +30,20 @@
    let
      dependencies = [
        pkgs.disko
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.pkgs.perlPackages.ConfigIniFiles
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.pkgs.perlPackages.FileSlurp

-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.clan.deployment.file
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.config.system.build.toplevel
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.config.system.build.diskoScript
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.config.system.build.diskoScript.drvPath
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-flash-machine.config.system.clan.deployment.file

      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
    in
    {
-      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        flash = self.clanLib.test.baseTest {
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
+        flash = (import ../lib/test-base.nix) {
          name = "flash";
          nodes.target = {
            virtualisation.emptyDiskImages = [ 4096 ];
@@ -78,9 +65,7 @@
          testScript = ''
            start_all()

-            # Some distros like to automount disks with spaces
-            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdb && mount /dev/vdb "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${../..} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --debug --flake ${../..} --yes --disk main /dev/vdb test-flash-machine")
          '';
        } { inherit pkgs self; };
      };
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -19,7 +19,6 @@
            [
              pkgs.gitMinimal
              pkgs.nix
-              pkgs.coreutils
              pkgs.rsync # needed to have rsync installed on the dummy ssh server
            ]
            ++ self'.packages.clan-cli-full.runtimeDependencies
@@ -31,12 +30,7 @@
        # this disables dynamic dependency loading in clan-cli
        export CLAN_NO_DYNAMIC_DEPS=1

-        jobs=$(nproc)
-        # Spawning worker in pytest is relatively slow, so we limit the number of jobs to 13
-        # (current number of impure tests)
-        jobs="$((jobs > 13 ? 13 : jobs))"
-
-        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -n $jobs -m impure ./clan_cli $@"
+        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -m impure ./tests $@"
      '';
    };
 }
--- a/checks/installation-without-system/flake-module.nix
+++ b/checks/installation-without-system/flake-module.nix
@@ -0,0 +1,225 @@
+{
+  self,
+  lib,
+  ...
+}:
+{
+  # The purpose of this test is to ensure `clan machines install` works
+  # for machines that don't have a hardware config yet.
+
+  # If this test starts failing it could be due to the `facter.json` being out of date
+  # you can get a new one by adding
+  # client.fail("cat test-flake/machines/test-install-machine/facter.json >&2")
+  # to the installation test.
+  clan.machines.test-install-machine-without-system = {
+    fileSystems."/".device = lib.mkDefault "/dev/vda";
+    boot.loader.grub.device = lib.mkDefault "/dev/vda";
+
+    imports = [ self.nixosModules.test-install-machine-without-system ];
+  };
+  clan.machines.test-install-machine-with-system = {
+    # https://git.clan.lol/clan/test-fixtures
+    facter.reportPath = builtins.fetchurl {
+      url = "https://git.clan.lol/clan/test-fixtures/raw/commit/3508b7ed11dad068ffc8c9f0047a5c7d54644e2c/nixos-vm-facter-json/facter.json";
+      sha256 = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
+    };
+
+    fileSystems."/".device = lib.mkDefault "/dev/vda";
+    boot.loader.grub.device = lib.mkDefault "/dev/vda";
+
+    imports = [ self.nixosModules.test-install-machine-without-system ];
+  };
+  flake.nixosModules = {
+    test-install-machine-without-system =
+      { lib, modulesPath, ... }:
+      {
+        imports = [
+          (modulesPath + "/testing/test-instrumentation.nix") # we need these 2 modules always to be able to run the tests
+          (modulesPath + "/profiles/qemu-guest.nix")
+          ../lib/minify.nix
+        ];
+
+        networking.hostName = "test-install-machine";
+
+        environment.etc."install-successful".text = "ok";
+
+        boot.consoleLogLevel = lib.mkForce 100;
+        boot.kernelParams = [ "boot.shell_on_fail" ];
+
+        # disko config
+        boot.loader.grub.efiSupport = lib.mkDefault true;
+        boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
+        clan.core.vars.settings.secretStore = "vm";
+        clan.core.vars.generators.test = {
+          files.test.neededFor = "partitioning";
+          script = ''
+            echo "notok" > $out/test
+          '';
+        };
+        disko.devices = {
+          disk = {
+            main = {
+              type = "disk";
+              device = "/dev/vda";
+
+              preCreateHook = ''
+                test -e /run/partitioning-secrets/test/test
+              '';
+
+              content = {
+                type = "gpt";
+                partitions = {
+                  boot = {
+                    size = "1M";
+                    type = "EF02"; # for grub MBR
+                    priority = 1;
+                  };
+                  ESP = {
+                    size = "512M";
+                    type = "EF00";
+                    content = {
+                      type = "filesystem";
+                      format = "vfat";
+                      mountpoint = "/boot";
+                      mountOptions = [ "umask=0077" ];
+                    };
+                  };
+                  root = {
+                    size = "100%";
+                    content = {
+                      type = "filesystem";
+                      format = "ext4";
+                      mountpoint = "/";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+  };
+  perSystem =
+    {
+      pkgs,
+      lib,
+      ...
+    }:
+    let
+      dependencies = [
+        self
+        self.nixosConfigurations.test-install-machine-with-system.config.system.build.toplevel
+        self.nixosConfigurations.test-install-machine-with-system.config.system.build.diskoScript
+        self.nixosConfigurations.test-install-machine-with-system.config.system.clan.deployment.file
+        pkgs.stdenv.drvPath
+        pkgs.bash.drvPath
+        pkgs.nixos-anywhere
+        pkgs.bubblewrap
+      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+      # with Nix 2.24 we get:
+      # vm-test-run-test-installation> client # error: sized: unexpected end-of-file
+      # vm-test-run-test-installation> client # error: unexpected end-of-file
+      # This seems to be fixed with Nix 2.26
+      # Remove this line once `pkgs.nix` is 2.26+
+      nixPackage =
+        assert
+          lib.versionOlder pkgs.nix.version "2.26"
+          && lib.versionAtLeast pkgs.nixVersions.latest.version "2.26";
+        pkgs.nixVersions.latest;
+    in
+    {
+      # On aarch64-linux, hangs on reboot with after installation:
+      # vm-test-run-test-installation> (finished: waiting for the VM to power off, in 1.97 seconds)
+      # vm-test-run-test-installation>
+      # vm-test-run-test-installation> new_machine: must succeed: cat /etc/install-successful
+      # vm-test-run-test-installation> new_machine: waiting for the VM to finish booting
+      # vm-test-run-test-installation> new_machine: starting vm
+      # vm-test-run-test-installation> new_machine: QEMU running (pid 80)
+      # vm-test-run-test-installation> new_machine: Guest root shell did not produce any data yet...
+      # vm-test-run-test-installation> new_machine:   To debug, enter the VM and run 'systemctl status backdoor.service'.
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux") {
+        test-installation-without-system = (import ../lib/test-base.nix) {
+          name = "test-installation-without-system";
+          nodes.target = {
+            services.openssh.enable = true;
+            virtualisation.diskImage = "./target.qcow2";
+            virtualisation.useBootLoader = true;
+            nix.package = nixPackage;
+          };
+          nodes.installer =
+            { modulesPath, ... }:
+            {
+              imports = [
+                (modulesPath + "/../tests/common/auto-format-root-device.nix")
+              ];
+              services.openssh.enable = true;
+              users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+              system.nixos.variant_id = "installer";
+              environment.systemPackages = [ pkgs.nixos-facter ];
+              virtualisation.emptyDiskImages = [ 512 ];
+              virtualisation.diskSize = 8 * 1024;
+              virtualisation.rootDevice = "/dev/vdb";
+              # both installer and target need to use the same diskImage
+              virtualisation.diskImage = "./target.qcow2";
+              nix.package = nixPackage;
+              nix.settings = {
+                substituters = lib.mkForce [ ];
+                hashed-mirrors = null;
+                connect-timeout = lib.mkForce 3;
+                flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+                experimental-features = [
+                  "nix-command"
+                  "flakes"
+                ];
+              };
+              system.extraDependencies = dependencies;
+            };
+          nodes.client = {
+            environment.systemPackages = [
+              self.packages.${pkgs.system}.clan-cli
+            ] ++ self.packages.${pkgs.system}.clan-cli.runtimeDependencies;
+            environment.etc."install-closure".source = "${closureInfo}/store-paths";
+            virtualisation.memorySize = 3048;
+            nix.package = nixPackage;
+            nix.settings = {
+              substituters = lib.mkForce [ ];
+              hashed-mirrors = null;
+              connect-timeout = lib.mkForce 3;
+              flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+              experimental-features = [
+                "nix-command"
+                "flakes"
+              ];
+            };
+            system.extraDependencies = dependencies;
+          };
+
+          testScript = ''
+            client.start()
+            installer.start()
+
+            client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
+            client.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v root@installer hostname")
+            client.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
+            client.fail("test -f test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
+            client.fail("test -f test-flake/machines/test-install-machine-without-system/facter.json")
+            client.succeed("clan machines update-hardware-config --flake test-flake test-install-machine-without-system root@installer >&2")
+            client.succeed("test -f test-flake/machines/test-install-machine-without-system/facter.json")
+            client.succeed("rm test-flake/machines/test-install-machine-without-system/facter.json")
+            client.succeed("clan machines install --debug --flake test-flake --yes test-install-machine-without-system --target-host root@installer --update-hardware-config nixos-facter >&2")
+            try:
+              installer.shutdown()
+            except BrokenPipeError:
+              # qemu has already exited
+              pass
+
+            target.state_dir = installer.state_dir
+            target.start()
+            target.wait_for_unit("multi-user.target")
+            assert(target.succeed("cat /etc/install-successful").strip() == "ok")
+          '';
+        } { inherit pkgs self; };
+      };
+    };
+}
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -3,108 +3,27 @@
  lib,
  ...
 }:
-let
-  installer =
-    { modulesPath, pkgs, ... }:
-    let
-      dependencies = [
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
-        pkgs.stdenv.drvPath
-        pkgs.bash.drvPath
-        pkgs.nixos-anywhere
-        pkgs.bubblewrap
-      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-    in
-    {
-      imports = [
-        (modulesPath + "/../tests/common/auto-format-root-device.nix")
-      ];
-      networking.useNetworkd = true;
-      services.openssh.enable = true;
-      services.openssh.settings.UseDns = false;
-      services.openssh.settings.PasswordAuthentication = false;
-      system.nixos.variant_id = "installer";
-      environment.systemPackages = [
-        self.packages.${pkgs.system}.clan-cli-full
-        pkgs.nixos-facter
-      ];
-      environment.etc."install-closure".source = "${closureInfo}/store-paths";
-      virtualisation.emptyDiskImages = [ 512 ];
-      virtualisation.diskSize = 8 * 1024;
-      virtualisation.rootDevice = "/dev/vdb";
-      # both installer and target need to use the same diskImage
-      virtualisation.diskImage = "./target.qcow2";
-      virtualisation.memorySize = 3048;
-      nix.settings = {
-        substituters = lib.mkForce [ ];
-        hashed-mirrors = null;
-        connect-timeout = lib.mkForce 3;
-        flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-        experimental-features = [
-          "nix-command"
-          "flakes"
-        ];
-      };
-      users.users.nonrootuser = {
-        isNormalUser = true;
-        openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-        extraGroups = [ "wheel" ];
-      };
-      security.sudo.wheelNeedsPassword = false;
-      system.extraDependencies = dependencies;
-    };
-in
 {
-
-  # The purpose of this test is to ensure `clan machines install` works
-  # for machines that don't have a hardware config yet.
-
-  # If this test starts failing it could be due to the `facter.json` being out of date
-  # you can get a new one by adding
-  # client.fail("cat test-flake/machines/test-install-machine/facter.json >&2")
-  # to the installation test.
-  clan.machines.test-install-machine-without-system = {
+  clan.machines.test-install-machine = {
+    clan.core.networking.targetHost = "test-install-machine";
    fileSystems."/".device = lib.mkDefault "/dev/vda";
    boot.loader.grub.device = lib.mkDefault "/dev/vda";

-    imports = [ self.nixosModules.test-install-machine-without-system ];
+    imports = [ self.nixosModules.test-install-machine ];
  };
-  clan.machines.test-install-machine-with-system =
-    { pkgs, ... }:
-    {
-      # https://git.clan.lol/clan/test-fixtures
-      facter.reportPath = builtins.fetchurl {
-        url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${pkgs.hostPlatform.system}.json";
-        sha256 =
-          {
-            aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
-            x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
-          }
-          .${pkgs.hostPlatform.system};
-      };
-
-      fileSystems."/".device = lib.mkDefault "/dev/vda";
-      boot.loader.grub.device = lib.mkDefault "/dev/vda";
-
-      imports = [ self.nixosModules.test-install-machine-without-system ];
-    };
  flake.nixosModules = {
-    test-install-machine-without-system =
+    test-install-machine =
      { lib, modulesPath, ... }:
      {
        imports = [
          (modulesPath + "/testing/test-instrumentation.nix") # we need these 2 modules always to be able to run the tests
          (modulesPath + "/profiles/qemu-guest.nix")
-          self.clanLib.test.minifyModule
+          ../lib/minify.nix
        ];

-        networking.hostName = "test-install-machine";
-
        environment.etc."install-successful".text = "ok";

+        nixpkgs.hostPlatform = "x86_64-linux";
        boot.consoleLogLevel = lib.mkForce 100;
        boot.kernelParams = [ "boot.shell_on_fail" ];

@@ -115,7 +34,7 @@ in
        clan.core.vars.generators.test = {
          files.test.neededFor = "partitioning";
          script = ''
-            echo "notok" > "$out"/test
+            echo "notok" > $out/test
          '';
        };
        disko.devices = {
@@ -161,73 +80,138 @@ in
        };
      };
  };
-
  perSystem =
    {
      pkgs,
+      lib,
      ...
    }:
+    let
+      dependencies = [
+        self
+        self.nixosConfigurations.test-install-machine.config.system.build.toplevel
+        self.nixosConfigurations.test-install-machine.config.system.build.diskoScript
+        self.nixosConfigurations.test-install-machine.config.system.clan.deployment.file
+        pkgs.bash.drvPath
+        pkgs.stdenv.drvPath
+        pkgs.nixos-anywhere
+        pkgs.bubblewrap
+      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+
+      # with Nix 2.24 we get:
+      # vm-test-run-test-installation> client # error: sized: unexpected end-of-file
+      # vm-test-run-test-installation> client # error: unexpected end-of-file
+      # This seems to be fixed with Nix 2.26
+      # Remove this line once `pkgs.nix` is 2.26+
+      nixPackage =
+        assert
+          lib.versionOlder pkgs.nix.version "2.26"
+          && lib.versionAtLeast pkgs.nixVersions.latest.version "2.26";
+        pkgs.nixVersions.latest;
+    in
    {
      # On aarch64-linux, hangs on reboot with after installation:
-      # vm-test-run-test-installation-> installer # [  288.002871] reboot: Restarting system
-      # vm-test-run-test-installation-> server # [test-install-machine] ### Done! ###
-      # vm-test-run-test-installation-> server # [test-install-machine] + step 'Done!'
-      # vm-test-run-test-installation-> server # [test-install-machine] + echo '### Done! ###'
-      # vm-test-run-test-installation-> server # [test-install-machine] + rm -rf /tmp/tmp.qb16EAq7hJ
-      # vm-test-run-test-installation-> (finished: must succeed: clan machines install --debug --flake test-flake --yes test-install-machine --target-host root@installer --update-hardware-config nixos-facter >&2, in 154.62 seconds)
-      # vm-test-run-test-installation-> target: starting vm
-      # vm-test-run-test-installation-> target: QEMU running (pid 144)
-      # vm-test-run-test-installation-> target: waiting for unit multi-user.target
-      # vm-test-run-test-installation-> target: waiting for the VM to finish booting
-      # vm-test-run-test-installation-> target: Guest root shell did not produce any data yet...
-      # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
-      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        installation = self.clanLib.test.baseTest {
-          name = "installation";
+      # vm-test-run-test-installation> (finished: waiting for the VM to power off, in 1.97 seconds)
+      # vm-test-run-test-installation>
+      # vm-test-run-test-installation> new_machine: must succeed: cat /etc/install-successful
+      # vm-test-run-test-installation> new_machine: waiting for the VM to finish booting
+      # vm-test-run-test-installation> new_machine: starting vm
+      # vm-test-run-test-installation> new_machine: QEMU running (pid 80)
+      # vm-test-run-test-installation> new_machine: Guest root shell did not produce any data yet...
+      # vm-test-run-test-installation> new_machine:   To debug, enter the VM and run 'systemctl status backdoor.service'.
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux") {
+        test-installation = (import ../lib/test-base.nix) {
+          name = "test-installation";
          nodes.target = {
            services.openssh.enable = true;
            virtualisation.diskImage = "./target.qcow2";
            virtualisation.useBootLoader = true;
+            nix.package = nixPackage;
+
+            # virtualisation.fileSystems."/" = {
+            #   device = "/dev/disk/by-label/this-is-not-real-and-will-never-be-used";
+            #   fsType = "ext4";
+            # };
+          };
+          nodes.installer =
+            { modulesPath, ... }:
+            {
+              imports = [
+                (modulesPath + "/../tests/common/auto-format-root-device.nix")
+              ];
+              services.openssh.enable = true;
+              users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+              system.nixos.variant_id = "installer";
+              environment.systemPackages = [ pkgs.nixos-facter ];
+              virtualisation.emptyDiskImages = [ 512 ];
+              virtualisation.diskSize = 8 * 1024;
+              virtualisation.rootDevice = "/dev/vdb";
+              # both installer and target need to use the same diskImage
+              virtualisation.diskImage = "./target.qcow2";
+              nix.package = nixPackage;
+              nix.settings = {
+                substituters = lib.mkForce [ ];
+                hashed-mirrors = null;
+                connect-timeout = lib.mkForce 3;
+                flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+                experimental-features = [
+                  "nix-command"
+                  "flakes"
+                ];
+              };
+              system.extraDependencies = dependencies;
+            };
+          nodes.client = {
+            environment.systemPackages = [
+              self.packages.${pkgs.system}.clan-cli
+            ] ++ self.packages.${pkgs.system}.clan-cli.runtimeDependencies;
+            environment.etc."install-closure".source = "${closureInfo}/store-paths";
+            virtualisation.memorySize = 3048;
+            nix.package = nixPackage;
+            nix.settings = {
+              substituters = lib.mkForce [ ];
+              hashed-mirrors = null;
+              connect-timeout = lib.mkForce 3;
+              flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+              experimental-features = [
+                "nix-command"
+                "flakes"
+              ];
+            };
+            system.extraDependencies = dependencies;
          };
-          nodes.installer = installer;

          testScript = ''
+            client.start()
            installer.start()

-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
+            client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
+            client.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v root@installer hostname")
+            client.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")

-            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
+            # test that we can generate hardware configurations
+            client.fail("test -f test-flake/machines/test-install-machine/facter.json")
+            client.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
+            client.succeed("clan machines update-hardware-config --flake test-flake test-install-machine root@installer >&2")
+            client.succeed("test -f test-flake/machines/test-install-machine/facter.json")
+            client.succeed("clan machines update-hardware-config --backend nixos-generate-config --flake test-flake test-install-machine root@installer>&2")
+            client.succeed("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")

-            installer.succeed("clan machines install --no-reboot --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@localhost --update-hardware-config nixos-facter >&2")
-            installer.shutdown()
+            # but we don't use them because they're not cached
+            client.succeed("rm test-flake/machines/test-install-machine/hardware-configuration.nix test-flake/machines/test-install-machine/facter.json")
+
+            client.succeed("clan machines install --debug --flake test-flake --yes test-install-machine --target-host root@installer >&2")
+            try:
+              installer.shutdown()
+            except BrokenPipeError:
+              # qemu has already exited
+              pass

-            # We are missing the test instrumentation somehow. Test this later.
            target.state_dir = installer.state_dir
            target.start()
            target.wait_for_unit("multi-user.target")
-          '';
-        } { inherit pkgs self; };
-
-        update-hardware-configuration = self.clanLib.test.baseTest {
-          name = "update-hardware-configuration";
-          nodes.installer = installer;
-
-          testScript = ''
-            installer.start()
-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
-            installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
-            installer.fail("test -f test-flake/machines/test-install-machine/facter.json")
-
-            installer.succeed("clan machines update-hardware-config --debug --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
-            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/facter.json")
-            installer.succeed("rm test-flake/machines/test-install-machine-without-system/facter.json")
-
-            installer.succeed("clan machines update-hardware-config --debug --backend nixos-generate-config --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
-            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
-            installer.succeed("rm test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
+            assert(target.succeed("cat /etc/install-successful").strip() == "ok")
          '';
        } { inherit pkgs self; };
      };
--- a/lib/test/container-test-driver/driver-module.nix
+++ b/lib/test/container-test-driver/driver-module.nix
@@ -37,9 +37,6 @@ let
  pythonizedNames = map pythonizeName nodeHostNames;
 in
 {
-  defaults.imports = [
-    ./nixos-module.nix
-  ];
  driver = lib.mkForce (
    hostPkgs.runCommand "nixos-test-driver-${config.name}"
      {
@@ -105,12 +102,6 @@ in
          ${config.driver}/bin/nixos-test-driver -o $out
        '';

-        nativeBuildInputs = [
-          hostPkgs.util-linux
-          hostPkgs.coreutils
-          hostPkgs.iproute2
-        ];
-
        passthru = config.passthru;

        meta = config.meta;
--- a/checks/lib/container-driver/package.nix
+++ b/checks/lib/container-driver/package.nix
@@ -0,0 +1,25 @@
+{
+  extraPythonPackages,
+  python3Packages,
+  buildPythonApplication,
+  setuptools,
+  util-linux,
+  systemd,
+  nix,
+  colorama,
+  junit-xml,
+}:
+buildPythonApplication {
+  pname = "test-driver";
+  version = "0.0.1";
+  propagatedBuildInputs = [
+    util-linux
+    systemd
+    colorama
+    junit-xml
+    nix
+  ] ++ extraPythonPackages python3Packages;
+  nativeBuildInputs = [ setuptools ];
+  format = "pyproject";
+  src = ./.;
+}
--- a/lib/test/container-test-driver/pyproject.toml
+++ b/lib/test/container-test-driver/pyproject.toml
--- a/lib/test/container-test-driver/test-script-prepend.py
+++ b/lib/test/container-test-driver/test-script-prepend.py
--- a/lib/test/container-test-driver/test_driver/init.py
+++ b/lib/test/container-test-driver/test_driver/init.py
@@ -7,8 +7,6 @@ import time
 import types
 from collections.abc import Callable
 from contextlib import _GeneratorContextManager
-from dataclasses import dataclass
-from functools import cached_property
 from pathlib import Path
 from tempfile import TemporaryDirectory
 from typing import Any
@@ -112,10 +110,6 @@ class Machine:
        self.rootdir: Path = rootdir
        self.logger = logger

-    @cached_property
-    def container_pid(self) -> int:
-        return self.get_systemd_process()
-
    def start(self) -> None:
        prepare_machine_root(self.name, self.rootdir)
        cmd = [
@@ -127,16 +121,18 @@ class Machine:
            self.rootdir,
            "--register=no",
            "--resolv-conf=off",
-            f"--bind=/.containers/{self.name}/nix:/nix",
+            "--bind=/nix",
+            "--bind",
+            self.out_dir,
            "--bind=/proc:/run/host/proc",
            "--bind=/sys:/run/host/sys",
            "--private-network",
-            "--network-bridge=br0",
            self.toplevel.joinpath("init"),
        ]
        env = os.environ.copy()
        env["SYSTEMD_NSPAWN_UNIFIED_HIERARCHY"] = "1"
        self.process = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True, env=env)
+        self.container_pid = self.get_systemd_process()

    def get_systemd_process(self) -> int:
        assert self.process is not None, "Machine not started"
@@ -333,15 +329,6 @@ class Machine:
            raise RuntimeError(msg)
        return res.stdout

-    def fail(self, command: str, timeout: int | None = None) -> str:
-        res = self.execute(command, timeout=timeout)
-        if res.returncode == 0:
-            msg = f"command `{command}` unexpectedly succeeded\n"
-            msg += f"Exit code: {res.returncode}\n"
-            msg += f"Stdout: {res.stdout}"
-            raise RuntimeError(msg)
-        return res.stdout
-
    def shutdown(self) -> None:
        """
        Shut down the machine, waiting for the VM to exit.
@@ -355,70 +342,46 @@ class Machine:
        self.shutdown()


-@dataclass
-class ContainerInfo:
-    toplevel: Path
-    closure_info: Path
-
-    @cached_property
-    def name(self) -> str:
-        name_match = re.match(r".*-nixos-system-(.+)-(.+)", self.toplevel.name)
-        if not name_match:
-            msg = f"Unable to extract hostname from {self.toplevel.name}"
-            raise Error(msg)
-        return name_match.group(1)
-
-    @property
-    def root_dir(self) -> Path:
-        return Path(f"/.containers/{self.name}")
-
-    @property
-    def nix_store_dir(self) -> Path:
-        return self.root_dir / "nix" / "store"
-
-    @property
-    def etc_dir(self) -> Path:
-        return self.root_dir / "etc"
+NIX_DIR = Path("/nix")
+NIX_STORE = Path("/nix/store/")
+NEW_NIX_DIR = Path("/.nix-rw")
+NEW_NIX_STORE_DIR = NEW_NIX_DIR / "store"


-def setup_filesystems(container: ContainerInfo) -> None:
+def setup_filesystems() -> None:
    # We don't care about cleaning up the mount points, since we're running in a nix sandbox.
    Path("/run").mkdir(parents=True, exist_ok=True)
    subprocess.run(["mount", "-t", "tmpfs", "none", "/run"], check=True)
    subprocess.run(["mount", "-t", "cgroup2", "none", "/sys/fs/cgroup"], check=True)
-    container.etc_dir.mkdir(parents=True)
+    Path("/etc").chmod(0o755)
    Path("/etc/os-release").touch()
    Path("/etc/machine-id").write_text("a5ea3f98dedc0278b6f3cc8c37eeaeac")
-    container.nix_store_dir.mkdir(parents=True)
+    NEW_NIX_STORE_DIR.mkdir(parents=True)
    # Read /proc/mounts and replicate every bind mount
    with Path("/proc/self/mounts").open() as f:
        for line in f:
            columns = line.split(" ")
            source = Path(columns[1])
-            if source.parent != Path("/nix/store/"):
+            if source.parent != NIX_STORE:
                continue
-            target = container.nix_store_dir / source.name
+            target = NEW_NIX_STORE_DIR / source.name
            if source.is_dir():
                target.mkdir()
            else:
                target.touch()
            try:
-                if "acl" in target.name:
-                    print(f"mount({source}, {target})")
                mount(source, target, "none", MS_BIND)
            except OSError as e:
                msg = f"mount({source}, {target}) failed"
                raise Error(msg) from e
+    out = Path(os.environ["out"])
+    (NEW_NIX_STORE_DIR / out.name).mkdir()
+    mount(NEW_NIX_DIR, NIX_DIR, "none", MS_BIND | MS_REC)


-def load_nix_db(container: ContainerInfo) -> None:
-    with (container.closure_info / "registration").open() as f:
-        subprocess.run(
-            ["nix-store", "--load-db", "--store", str(container.root_dir)],
-            stdin=f,
-            check=True,
-            text=True,
-        )
+def load_nix_db(closure_info: Path) -> None:
+    with (closure_info / "registration").open() as f:
+        subprocess.run(["nix-store", "--load-db"], stdin=f, check=True, text=True)


 class Driver:
@@ -426,7 +389,7 @@ class Driver:

    def __init__(
        self,
-        containers: list[ContainerInfo],
+        containers: list[tuple[Path, Path]],
        logger: AbstractLogger,
        testscript: str,
        out_dir: str,
@@ -435,34 +398,33 @@ class Driver:
        self.testscript = testscript
        self.out_dir = out_dir
        self.logger = logger
+        setup_filesystems()
+        # TODO: this won't work for multiple containers
+        assert len(containers) == 1, "Only one container is supported at the moment"
+        load_nix_db(containers[0][1])

        self.tempdir = TemporaryDirectory()
        tempdir_path = Path(self.tempdir.name)

        self.machines = []
        for container in containers:
-            setup_filesystems(container)
-            load_nix_db(container)
+            name_match = re.match(r".*-nixos-system-(.+)-(.+)", container[0].name)
+            if not name_match:
+                msg = f"Unable to extract hostname from {container[0].name}"
+                raise Error(msg)
+            name = name_match.group(1)
            self.machines.append(
                Machine(
-                    name=container.name,
-                    toplevel=container.toplevel,
-                    rootdir=tempdir_path / container.name,
+                    name=name,
+                    toplevel=container[0],
+                    rootdir=tempdir_path / name,
                    out_dir=self.out_dir,
                    logger=self.logger,
                )
            )

    def start_all(self) -> None:
-        # child
-        # create bridge
-        subprocess.run(
-            ["ip", "link", "add", "br0", "type", "bridge"], check=True, text=True
-        )
-        subprocess.run(["ip", "link", "set", "br0", "up"], check=True, text=True)
-
        for machine in self.machines:
-            print(f"Starting {machine.name}")
            machine.start()

    def test_symbols(self) -> dict[str, Any]:
@@ -547,10 +509,7 @@ def main() -> None:
    args = arg_parser.parse_args()
    logger = CompositeLogger([TerminalLogger()])
    with Driver(
-        containers=[
-            ContainerInfo(toplevel, closure_info)
-            for toplevel, closure_info in args.containers
-        ],
+        containers=args.containers,
        testscript=args.test_script.read_text(),
        out_dir=args.output_directory.resolve(),
        logger=logger,
--- a/lib/test/container-test-driver/test_driver/logger.py
+++ b/lib/test/container-test-driver/test_driver/logger.py
--- a/lib/test/container-test-driver/test_driver/py.typed
+++ b/lib/test/container-test-driver/test_driver/py.typed
--- a/checks/lib/container-test.nix
+++ b/checks/lib/container-test.nix
@@ -0,0 +1,43 @@
+test:
+{ pkgs, self, ... }:
+let
+  inherit (pkgs) lib;
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest (
+  { hostPkgs, ... }:
+  {
+    hostPkgs = pkgs;
+    # speed-up evaluation
+    defaults = {
+      imports = [
+        ./minify.nix
+      ];
+      documentation.enable = lib.mkDefault false;
+      boot.isContainer = true;
+
+      # needed since nixpkgs 7fb2f407c01b017737eafc26b065d7f56434a992 removed the getty unit by default
+      console.enable = true;
+
+      # undo qemu stuff
+      system.build.initialRamdisk = "";
+      virtualisation.sharedDirectories = lib.mkForce { };
+      networking.useDHCP = false;
+
+      # we have not private networking so far
+      networking.interfaces = lib.mkForce { };
+      #networking.primaryIPAddress = lib.mkForce null;
+      systemd.services.backdoor.enable = false;
+
+      # we don't have permission to set cpu scheduler in our container
+      systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = lib.mkForce "";
+    };
+    # to accept external dependencies such as disko
+    node.specialArgs.self = self;
+    _module.args = { inherit self; };
+    imports = [
+      test
+      ./container-driver/module.nix
+    ];
+  }
+)).config.result
--- a/checks/lib/minify.nix
+++ b/checks/lib/minify.nix
@@ -1,6 +1,3 @@
-# This is a module to reduce the size of the NixOS configuration
-# Used by the tests
-# It unsets some unnecessary options
 { lib, ... }:
 {
  nixpkgs.flake.setFlakeRegistry = false;
--- a/checks/assets/ssh/privkey
+++ b/checks/assets/ssh/privkey
--- a/checks/assets/ssh/pubkey
+++ b/checks/assets/ssh/pubkey
--- a/checks/lib/test-base.nix
+++ b/checks/lib/test-base.nix
@@ -0,0 +1,26 @@
+test:
+{ pkgs, self, ... }:
+let
+  inherit (pkgs) lib;
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+  hostPkgs = pkgs;
+  # speed-up evaluation
+  defaults = (
+    { config, ... }:
+    {
+      imports = [
+        ./minify.nix
+      ];
+      documentation.enable = lib.mkDefault false;
+      nix.settings.min-free = 0;
+      system.stateVersion = config.system.nixos.release;
+    }
+  );
+
+  _module.args = { inherit self; };
+  # to accept external dependencies such as disko
+  node.specialArgs.self = self;
+  imports = [ test ];
+}).config.result
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -1,4 +1,4 @@
-(
+(import ../lib/container-test.nix) (
  { pkgs, ... }:
  {
    name = "matrix-synapse";
@@ -15,6 +15,7 @@
          self.clanModules.matrix-synapse
          self.nixosModules.clanCore
          {
+            clan.core.settings.machine.name = "machine";
            clan.core.settings.directory = ./.;

            services.nginx.virtualHosts."matrix.clan.test" = {
--- a/checks/morph/flake-module.nix
+++ b/checks/morph/flake-module.nix
@@ -23,8 +23,8 @@
      ...
    }:
    {
-      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        morph = self.clanLib.test.baseTest {
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux") {
+        test-morph = (import ../lib/test-base.nix) {
          name = "morph";

          nodes = {
@@ -33,6 +33,7 @@
              let
                dependencies = [
                  self
+                  pkgs.nixos-anywhere
                  pkgs.stdenv.drvPath
                  pkgs.stdenvNoCC
                  self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
@@ -44,12 +45,8 @@
              {
                environment.etc."install-closure".source = "${closureInfo}/store-paths";
                system.extraDependencies = dependencies;
-
                virtualisation.memorySize = 2048;
-                virtualisation.useNixStoreImage = true;
-                virtualisation.writableStore = true;
-
-                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli-full ];
+                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
              };
          };
          testScript = ''
--- a/checks/morph/template/configuration.nix
+++ b/checks/morph/template/configuration.nix
@@ -8,8 +8,5 @@
    (modulesPath + "/profiles/minimal.nix")
  ];

-  virtualisation.useNixStoreImage = true;
-  virtualisation.writableStore = true;
-
  clan.core.enableRecommendedDefaults = false;
 }
--- a/checks/mumble/default.nix
+++ b/checks/mumble/default.nix
@@ -1,104 +1,145 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
-  useContainers = false;
-  nixosTest = (
-    { lib, ... }:
-    let
-      common =
-        { pkgs, modulesPath, ... }:
-        {
-          imports = [
-            (modulesPath + "/../tests/common/x11.nix")
-          ];
+(import ../lib/test-base.nix) (
+  { ... }:
+  let
+    common =
+      { self, pkgs, ... }:
+      {
+        imports = [
+          self.clanModules.mumble
+          {
+            clan.services.mumble.user = "alice";
+          }
+          self.nixosModules.clanCore
+          (self.inputs.nixpkgs + "/nixos/tests/common/x11.nix")
+          {
+            clan.core.settings.directory = ./.;
+            environment.systemPackages = [ pkgs.killall ];
+            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
+            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
+          }
+        ];

-          clan.services.mumble.user = "alice";
-          environment.systemPackages = [ pkgs.killall ];
-        };
-      machines = [
-        "peer1"
-        "peer2"
-      ];
-    in
-    {
-      name = "mumble";
-
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs machines (_: { });
-          services = {
-            mumble.default = {
-              roles.server.machines = machines;
-            };
-          };
-        };
      };
+  in
+  {
+    name = "mumble";

-      enableOCR = true;
+    enableOCR = true;

-      nodes.peer1 = common;
-      nodes.peer2 = common;
+    nodes.peer1 =
+      { ... }:
+      {
+        imports = [
+          common
+          {
+            clan.core.settings.machine.name = "peer1";
+            environment.etc = {
+              "mumble-key".source = ./peer_1/peer_1_test_key;
+              "mumble-cert".source = ./peer_1/peer_1_test_cert;
+            };
+            systemd.tmpfiles.settings."vmsecrets" = {
+              "/var/lib/murmur/sslKey" = {
+                C.argument = "${./peer_1/peer_1_test_key}";
+                z = {
+                  mode = "0400";
+                  user = "murmur";
+                };
+              };
+              "/var/lib/murmur/sslCert" = {
+                C.argument = "${./peer_1/peer_1_test_cert}";
+                z = {
+                  mode = "0400";
+                  user = "murmur";
+                };
+              };
+            };
+            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
+            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
+          }
+        ];
+      };
+    nodes.peer2 =
+      { ... }:
+      {
+        imports = [
+          common
+          {
+            clan.core.settings.machine.name = "peer2";
+            environment.etc = {
+              "mumble-key".source = ./peer_2/peer_2_test_key;
+              "mumble-cert".source = ./peer_2/peer_2_test_cert;
+            };
+            systemd.tmpfiles.settings."vmsecrets" = {
+              "/var/lib/murmur/sslKey" = {
+                C.argument = "${./peer_2/peer_2_test_key}";
+                z = {
+                  mode = "0400";
+                  user = "murmur";
+                };
+              };
+              "/var/lib/murmur/sslCert" = {
+                C.argument = "${./peer_2/peer_2_test_cert}";
+                z = {
+                  mode = "0400";
+                  user = "murmur";
+                };
+              };
+            };
+          }
+        ];
+      };
+    testScript = ''
+      start_all()

-      testScript = ''
-        start_all()
+      with subtest("Waiting for x"):
+        peer1.wait_for_x()
+        peer2.wait_for_x()

-        with subtest("Waiting for x"):
-          peer1.wait_for_x()
-          peer2.wait_for_x()
+      with subtest("Waiting for murmur"):
+        peer1.wait_for_unit("murmur.service")
+        peer2.wait_for_unit("murmur.service")

-        with subtest("Waiting for murmur"):
-          peer1.wait_for_unit("murmur.service")
-          peer2.wait_for_unit("murmur.service")
+      with subtest("Starting Mumble"):
+        # starting mumble is blocking
+        peer1.execute("mumble >&2 &")
+        peer2.execute("mumble >&2 &")

-        with subtest("Starting Mumble"):
-          # starting mumble is blocking
-          peer1.execute("mumble >&2 &")
-          peer2.execute("mumble >&2 &")
+      with subtest("Wait for Mumble"):
+        peer1.wait_for_window(r"^Mumble$")
+        peer2.wait_for_window(r"^Mumble$")

-        with subtest("Wait for Mumble"):
-          peer1.wait_for_window(r"^Mumble$")
-          peer2.wait_for_window(r"^Mumble$")
+      with subtest("Wait for certificate creation"):
+        peer1.wait_for_window(r"^Mumble$")
+        peer1.sleep(3) # mumble is slow to register handlers
+        peer1.send_chars("\n")
+        peer1.send_chars("\n")
+        peer2.wait_for_window(r"^Mumble$")
+        peer2.sleep(3) # mumble is slow to register handlers
+        peer2.send_chars("\n")
+        peer2.send_chars("\n")

-        with subtest("Wait for certificate creation"):
-          peer1.wait_for_window(r"^Mumble$")
-          peer1.sleep(3) # mumble is slow to register handlers
-          peer1.send_chars("\n")
-          peer1.send_chars("\n")
-          peer2.wait_for_window(r"^Mumble$")
-          peer2.sleep(3) # mumble is slow to register handlers
-          peer2.send_chars("\n")
-          peer2.send_chars("\n")
+      with subtest("Wait for server connect"):
+        peer1.wait_for_window(r"^Mumble Server Connect$")
+        peer2.wait_for_window(r"^Mumble Server Connect$")

-        with subtest("Wait for server connect"):
-          peer1.wait_for_window(r"^Mumble Server Connect$")
-          peer2.wait_for_window(r"^Mumble Server Connect$")
+      with subtest("Check validity of server certificates"):
+        peer1.execute("killall .mumble-wrapped")
+        peer1.sleep(1)
+        peer1.execute("mumble mumble://peer2 >&2 &")
+        peer1.wait_for_window(r"^Mumble$")
+        peer1.sleep(3) # mumble is slow to register handlers
+        peer1.send_chars("\n")
+        peer1.send_chars("\n")
+        peer1.wait_for_text("Connected.")

-        with subtest("Check validity of server certificates"):
-          peer1.execute("killall .mumble-wrapped")
-          peer1.sleep(1)
-          peer1.execute("mumble mumble://peer2 >&2 &")
-          peer1.wait_for_window(r"^Mumble$")
-          peer1.sleep(3) # mumble is slow to register handlers
-          peer1.send_chars("\n")
-          peer1.send_chars("\n")
-          peer1.wait_for_text("Connected.")
-
-          peer2.execute("killall .mumble-wrapped")
-          peer2.sleep(1)
-          peer2.execute("mumble mumble://peer1 >&2 &")
-          peer2.wait_for_window(r"^Mumble$")
-          peer2.sleep(3) # mumble is slow to register handlers
-          peer2.send_chars("\n")
-          peer2.send_chars("\n")
-          peer2.wait_for_text("Connected.")
-      '';
-    }
-  );
-}
+        peer2.execute("killall .mumble-wrapped")
+        peer2.sleep(1)
+        peer2.execute("mumble mumble://peer1 >&2 &")
+        peer2.wait_for_window(r"^Mumble$")
+        peer2.sleep(3) # mumble is slow to register handlers
+        peer2.send_chars("\n")
+        peer2.send_chars("\n")
+        peer2.wait_for_text("Connected.")
+    '';
+  }
+)
--- a/checks/mumble/sops/machines/peer1/key.json
+++ b/checks/mumble/sops/machines/peer1/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
-    "type": "age"
-  }
-]
--- a/checks/mumble/sops/machines/peer2/key.json
+++ b/checks/mumble/sops/machines/peer2/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
-    "type": "age"
-  }
-]
--- a/checks/mumble/sops/secrets/peer1-age.key/secret
+++ b/checks/mumble/sops/secrets/peer1-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:TfEsytctWPCLuo/icbicgRfy7O/txYCllTiLiUlusagGShZyXyIR46TNL9E4XWI2Lce9hIn8zczOdUWaEFPuXcvRMMMWILY3DzI=,iv:zDdq0rdYz/KIwKvIiu9MvKyX9v1pWYxZG3F/7KllBa0=,tag:mTPJGmJ+tKrgYaCZXJ37Nw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MmFpbUJuNzRnNGRlQXcy\naEhRanpHbjZpbFZxVkZ2TXFJWk8xYm9lYmlVCmVhRFdDZyt4SjJick1CdnZseWx1\nMGdvaTBYekdBeFUyaHEvTzNJVVM4TncKLS0tIG8rZ1kyTFJTRndQNFVXOC9OTTc5\nZHZGVW1FTzlLQ0RRcjNWeEpVWmVKMDgK7UDm509nexdHqG2xU8CBDZkRStjQIAAN\nDmOz5A8uWpIiyvU2LdOBcc/FQKHaXjB7OAmfT03nJccOeqSF2N3N3g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-16T16:40:26Z",
-		"mac": "ENC[AES256_GCM,data:5Qe20lbqERvSM5fDY9Orhrtv2U6zholh6uHMq0CqV1OOg+vVWSlqTqJrtz2rD/qQTUECRKzWUHB1D/kgLrJ33lRoEMqrhjmvBfxtDnNjLzoYITlLcYOm9qiv3gOqcrpdBKW10YyNlGP/+Q377Lfbo8tcZ8nmuaT8qA9PYr+AKcs=,iv:IIJEFAvoX9SY3jvkD0xVe1/L6iRPMyzmxeRmpGvZI0I=,tag:1D3BBUjj1suNeL+mVYDiKw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/mumble/sops/secrets/peer1-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer1-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/mumble/sops/secrets/peer2-age.key/secret
+++ b/checks/mumble/sops/secrets/peer2-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:NI9y5OdFkBgHf+wfn+ISDL11nh/ud+1RV5SPC64TV4Hvg0w8GKkmjJI5uiGDGI1+FfWwnHWOFexavtM2ZJr/cWfhA6dGKvzrKJc=,iv:itiZFGsGEZD/SH42akh1CLCDbuZxMSj05quMNKwvKg4=,tag:v36FGDDHIuFaABHG9we6ag==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUVVJek9Ha2ljMkt4U2pi\nSmRRd2g2R0VXZGlySG5TT1E1czFpaWFyNlFjCmRJOThCQWlCNDZnRVRFVHpSTzBW\nOWZCUU5jK2dGQTloOEZMUFFVdk04cXMKLS0tIDVzSTdXRk1UZ3psd29kdnVUcitM\nbFlqb0srUGFCVUhlNzU1dUdTTUkwN0UKAIslz1WCMZWrE+aLPJjeM+wZSXMmwnqx\nyRZT5vVzCPWv2r8sbIjhi1rFbkfF+NXHkzNZD9NS4zddwsDsz5HO1g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-16T16:40:48Z",
-		"mac": "ENC[AES256_GCM,data:2iDDnVdLPWxYcjdZrDlTb8PzPVOPEZ06QXCFvnZ2gf8ioXPiSY69ZAHRHTGpqCEp5Ve7qTIELbNja2TGU0ONLIcIRWyzqgc4q+G3n2V5fYQURW114pzaK0Ct6r6yR9oZQy8H66uEYQafkyuN2R9++3w5G0LGj8UovPcYQqNEQVo=,iv:TkCAdIgjRpZpsnhhvTfMqGVD/IveFyobYa9SExFWcC4=,tag:4RLhumGqeLT15waqHT0mRg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/mumble/sops/secrets/peer2-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer2-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/checks/mumble/sops/users/admin/key.json
+++ b/checks/mumble/sops/users/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
@@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIUH9AKYdV75FHHBcR4mgfTZB/7eEcwDQYJKoZIhvcNAQEL
-BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
-BgNVBAMMBXBlZXIxMB4XDTI1MDQxNjE2NDAzN1oXDTI1MDUxNjE2NDAzN1owaDEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
-cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
-BXBlZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA80mo3OFSaW8F
-Ni/W7WZ70bJoGGFPFK17kiRgPu6+ghDiinmzlAQOt8A/u+egl4FsvT9Oz99TjCN1
-zkK3I74ItKmumpGKGPp92bpm62vQZa4g861xKqLlcbOwJwcfofwa8r4PhhjDhdXS
-k9vsgiwy0N5FEga79QbDEO/qwSvY+O8yKNG+lNXeOetymKvVbudL8A0je150vmpg
-oYfYjH57Oa7DpGaIrOpbZsmaBlYHD5dhfJbuX0Gxuq42gkfcBtxv3NbY0NoPVZFV
-jOvhVPyV9Xme/3JAQUSti+Fd2ZfJ+Ayl90ElA5wk25T1JBEEnMYQlQVBqPawX87C
-i1EtOysfxQIDAQABoyEwHzAdBgNVHQ4EFgQUFtjyWNCF1Yxd8ymIZ4kE9fXMY5Yw
-DQYJKoZIhvcNAQELBQADggEBAAHiQcWDvZjN2VTaWY2cQMYy3m8wkdoJTR20uV2z
-MpjY4KwCiMzTtsFe2LhiYMYFETwqHpG+B6ElOghh/+F8l96vQRbcVI9I3XTKs0G4
-+zdUtMOyB2XZumB4HBQa3PiXXrA4kAGJV88y5QC4UkZMw6SfwjW8OrtQ5Jim4vUB
-PZxY75ZIjw4JhknTqKNua7xehY4TBghRrGZAlD4eon7Yc5bIew6Gw5LHIoszOZgk
-9CFEo1XLN5z8aL9L+V8dh2DNNqF4KiXCRNgwqLmLoepL2Xptd90AOZsBI9mGxMP9
-YUPsnzcGqcat1x6Fi2Guw++ESDxUp6qKjMGAxPzSXje/TiM=
-----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:IyVffgpj8MSp2pKoic3+UMYBbeu6Fo/BGslSNQpNoURuulqSze7AZPXry/PnXEWAEvoqkfUURAq8kZdWxu5Go6N8YSkd6/sVOScw2Osa3v/qh9ysEPCuoIwYY1/h9IfUmzNM8Q3hgF4BXhb5D1F2cFQ0fZM8dQU1jn8J0DTfwXlR9ALgWRoCCAXHQxBBc1SYRMlnXbbCACfRxkJHGAtQbwwzsGo/as/Ng+YVUiXdQyLJUv3hwGax793pyX8YKQl+Bu1G3+qZJGlL3lkjL5T/7HIIs81YN9XgsT7G9kvMmR4tJWpHCHGHxU9aofSHSTxUX1lil7GUsR6xSefFEIgbZaQ27KUXwKrlZ8dQKJZIwCiUczkMtrdwBZlKkzqlD+Hi5yGSSUsIQ+lvjeR74UwPXOX/HtvGA+mEgcTSO48FCWmU7ymjvTXyoVf9ui75IZjRyHKfpM8WlFHS+lXCSEN+B6HHHMIEeo1nOpKk6e2qRd28oJHwzoqlms63YFEbPd4d2DTGNVAtO3nhXe4+5IqzvR1DZHoNQO7AiDDAJiz5DKPoOkq/u7FEBVewKQWgZyvt09vC0X+1kxqXeeOXmJILLuRngri5BKLS3YR3hgmKbN31G4KIQm3lJUoE6F0c0Opu5lAJZStwMQcwmflrXdlwYsuzMfc48wcWQYtKenuG+r5DzR0je6iwxaru3XWf/aqUnga700+rFMz5dUVOy8IlJYmpd2hdpjwriTcJyV4KwplWzdjhnb7csjrzgAiHJ5iF2MHzfVgVGje0pk6An2+iUEqoh+fmFRVlA9ZZ923Ksxl+iYRn+29Cde/JgdZu5EywDHHs3yHjfbMnFvoXuAOJ/2TX3cA95DjD2+OGvd78jKExF+Q9rda5IdU6kb93QKVf+OyOSNpTdQhKnJRusou5Q255PqoTguiJIMDoH00qGA2y5k/5q49wl9Xq5jNiU70fyaygoPOfxbghfIeIjT0z2/awaXoUW33jAqXylxY0gTTTNPZI7w4d6hRqixgU27dyCkdAQfN+bnCe6ExXSLczmZf8UfGegjRm4lyKOKgX/QLLgRwStB6BBHGn+a+8NrAH9DFgpof4fJ74LN7Vx5oQTIGbQTvSkjGy4VOez0ajmqjQI516XrBvFbLfAnYA1jGaR0ZRkD6ALISdwFhjlycAc2tAffv9F9WKsrVKWvCU3pqGV0OmWtk5chqWrfvrFY7tj0aVZUUHZBBynksiUx/8Tt5unS3OUap86FiPUknvh5lPEPZqrZc/TNiCN+8oLFAtkOXyEnFSJjZSOB/vLcd+lMkWhcGa+usvE1hGZEaiTOXsN9IOihjcZjcR2YYHR0LlkFxzzlN9ILllt7W1cgKApCovZVmtJuU3fCwjOocP1iBeAFNQfzgJ+6gMqXN8oufCrw7g4v8Y0hNjjEJEriufO+qLIg3nHivcgwy4Cp/fL9wof9UFsaKl2okbP66im7BuDcO/x8ZQ+lk9OjWPSHFJTAPScgiwPchwn74aaHiihjhocyWQ2uVzKn9JkBFkMcoUlAz7xwUFBW7AYvVS/dFQA0xF1l4aki7JdoK6L1JptEu1KpbQ2UHLoIp+W0jFB2MRnSDOEtUHMR9af/vHtgV4xoZoCCHDz/PAlK74C2wK20LO1FoQJdch2/IO6bGiAj832wrLKDp4T2VPooS/hqd6U0Jmvtvcv0vdKbewCDgbfMH3lcydwXl4eQh5lDE8Fm+HXo2Zt8lvqRexeqzyIvGy1P/ndx21uxuacTkp3yi2qTHrdy3IkGMIHTZtfQATRgbxMEpUwHyk2hr08RNqlitbHzgor2+Gn6J/DaLuzvfaFl4p5npjNJ5dGjQqjj5VEz/L16VDeBLL7b9BKorqb7LvZUlqVcCYBcd7S7mHUHT4GhlLaEb67PxA6eJbhdVtyB8o7sTE3tGY8OdBg0ClJB2cEJHS1SqQRS+GdIhuWwZS+Go7YCx9EnnqezMMuEK4lfB+LCGaVDj32XNVtaBhDvdxPuBN5QFgjbWMIOGFV8O3l9dTrlDDwYpmFANG0Wz0pjOzX4CL4LXxNSu9k2SSdPw4iKoe/7Rl3yxVsKhrLOQPW3M6Hc/vULNBMvZxRH32zPE4qKo9SD+h6rwBrC9JiwrWdLJQHtu6Yk8GT5agQNCVC1pogvHVvB7+15UdZ7yjyhUONGOfIHDB2peYame3gF0Nce3dbzqUUE5tNuD4FyKkYZbGNr9WDD9nX1i/7EboDnFh2x6pAU+MRl4oyW0dtHiiTnIR6bE=,iv:IZYhje9AgGRe0gQcodG/PQAaRBipBC/7F8qAkG35cxc=,tag:jpXpm1eghy/668gT0bmqMA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MDdhSTZMbXlSdDVNVVZU\ndkFyVVI0eDhOUHZRU2FFalVNR3g5dUY5T25FCnl0aXpZRVpaR1hvdm5kSHplOE0x\nckloNFF3OVhNTnAxY2ZpZjNFV3plVXMKLS0tIG4yU0w2c1VGbDVCTUhYbjVrMXhr\nb0dpUnp2YUFWSERSRTVVK3g0WTNKWE0KpUfYS71F/1J1G38/ymd/+bWhABmze1GC\nehgSMymmVdsq+ZjHdJ1XcCyecsn/9aFcaZkEbASiLU8ecLNQOEGgRQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeXBUOU13M2VvZVNBNUZW\nMy9VV1dMV1FlQU9qekhZWitwb3JISTFwdENBCnB5ZHpNK29DRHBoZ2M4dEJ6UVpq\nWHFOM1lYS0ROQ2NpSTNUdkZqUkorWGsKLS0tIDhaalVJNE1oU0N3WUtodnlsQWla\nUTVmTnhPTHVCWXUyK1ZESGR1Ym5CMXcK3YqyKO/FTdxcxVy5zBGg+JCOWMBOxqd2\n9+FgUJaYaizGy+HLpP5jgtjgz7k504yqEQCo9aQ1CzbvNHom5tAu7A==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-16T16:40:41Z",
-		"mac": "ENC[AES256_GCM,data:R8fWg7Vwq2mnjbTTtyYuLWwrmB6TZYZVx9xPcO5NOvGAABNIxtAVSe9yTpV25OlJiXruTNhPHDxfjwDW8Nad47Sd9fV9QzH36uygT9DOaVrrOD/TH5ojvpCuognofuJ8YHgUsq+yhiQs0QKi5efUrtRVDcXXr8s/UazyuG3vYzk=,iv:eBpSr8GKvG51govZWtqTVMWsWZDctDQ2vVgMm/jq62U=,tag:Yth78awXPAPa/7J+WxTDug==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
@@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIUYuUk46fwZ4CBcJ40NWnT9VDIEPUwDQYJKoZIhvcNAQEL
-BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
-BgNVBAMMBXBlZXIyMB4XDTI1MDQxNjE2NDA1OVoXDTI1MDUxNjE2NDA1OVowaDEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
-cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
-BXBlZXIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA45nKnn0r3HwU
-qqSRuOXbou8zpdf+5i+e1h7pmunXR7WPxPBP09t6i+99BO27GcID59zGMquabpNS
-dFhj+p+KZkqN+4sokZmyBU1civQqiwX2n5KtoaG0fU3gFFK6pfx3OQawQ6mJ50GU
-HhA2R3CuA0rXcssr6oPynj9z6pbaL7mKckOWE804xIWZuMEoWNdQEKmUmE5d1ioa
-edlblzwhqZSS+zAAeUvmb+YUEL6T54lCYYqPPnmwmiwfYFSBGu/SGyFtIijbCuIZ
-TJMDzzutx1/3Dsv2pOKC0uPb5qRcmdRePAzgBFSna4MNgfbpGHFkGPJgjiue0VIC
-qyedlpF5UQIDAQABoyEwHzAdBgNVHQ4EFgQUuIeLdxGVyhFbgFRtFbPIIJWw1R0w
-DQYJKoZIhvcNAQELBQADggEBAFj26XejazrXOfa67o8vGoZrR2TGXOLFWFeplO8B
-29AruG9poH+sInyxYo1RWAQLQMfDud/yGg73EeYylULbG1bBznKYLLHdvy4l6eXt
-SEVkEMruH0Kw93zt+NqvSO3bHCX+la1rjizyDcD4iu93xUg2uPSBmVpVpW/aeBCN
-3eF4FbBocUexmIWaygmMPY5yFY2tAf+OinBf4uSWcKEpFikIqAxQWRSDMWm8xFwY
-CG7rhfpwDauagpZtkjKkrrRedhdfGiXbxOVtYlBULuUMOggEI+ElpbD0UhyEYCsD
-XoJn7AOC0sYCGpj2F1ESwFX/5EhyciLjMuVwohFVcyWWg+Q=
-----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer2
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:LX0ZXli/xtlyI8JLDyQz2p69eKz3gMQLn/PwJh4GB1tgQ75Ei+zQyetnCKkzrm+xGDZjLgm3QXft8VyNqhxf/7a1konP9IHfZH1j1wn/1ELFyTR2IKQzIdsiilP67+nZeLFIS4wBfEMS4hGoOIVXIqohDYkryDkvoYqHOw2U5HVDf3GlqeaEfKM8zJMZgGUYAoLCJEEWmBSSYrT/jH5hVxVgd1qE+5JmhV1Uah7TWW2HX+XDpU4aeV3zQWyWZNTHDXtgnEUBb4nFsvWGrGUrB9A8FEoZFOC1jJj8NLU/aOZ8EvDkI0Us6nw8leQwwox9O9PY8MDAAlPVsTe5+vcP/svpu+P3Gor/MrJzsk1IKalIdUiSYFego3FyyQonfXdQs8oO+ufF4nkMo+BRPvXwPUGwHjyCVaL5nYtgnV4VCSBoGY612Tmc86ihJW4mUzA5ghjUTWwduDSfoWI5H0JO5TabJnMPkPcIBSms46lhCCNMSY8WvtqcGz1mUgLTjQ+fhHt4Ci/K+VCiQNjjFH5tEq6P4bhYnG1+U5rAFRIyXg+m2Z/JONKkSiVVs/0u6yzKFAji6/osqhLkFZCqpCuk2OhVtsn2Bg1ko7WjuQAZHEgh6WSmsK6nyDfGpLSdfBBRscevPA3QsE3tTwO8/i5pxaGIm7BxH6OJcbv3x/r7+8TX52orgtSO/ODiOn+ylRDUwbnTVqB8pkM6+moLDRmpmCK87a5CETfPJ/7u7bEAmcbAH5LsmBL5T8tqLpGOnCkj4ZozZ6sv8qAFxR3vmmWvpkCtJYKml9Hsqww0Laytgj76TO8xMuQSwRPgbkXRr6QaF+o1EwEW6fArb/wtsUUJSDBdv2K6UpyPwITSEQk2z0o3Cr6Y9luYlGXKmpegQWcjcBxUVWd06V21IFHTT/WM4joEBsliVAAlJBcyjYj3Sq9onxiXOHVgmNFzQpxTlSoaqVCuVLegHB8E5ipyrDtaw4gl6l3pNKdNCyILJtk226rOZpZZ/wBMs2FWUyosrlBe46oa7XynkCzPbItivxpZwqN5nPjOFQi/QXzN9i2iDCXZvoNnFKG0B/fSKb3Dho5cpqhhxUIu1AttcTj9YNx6lsw5ZGkdaLyomqIB4rRFVj9U98cY/lEP4Hgn2kl71bhloIu1R/1qxZXuk7KAC7QJ5Nk773Pb7oHVfWwaQxFmcTR2IEQm5SuXvyxWUVWpH9kuTgwhXPypJRuob3IJX2Nrm4kRKdL8U5HH/UWYhXTFcOMrbqY0b/iFAhxu/qQYvCVOSZrV43elCI70e0PGaIM9c+ifL7EZw+uHlJP6lWgtqqmbjR+K+7ZmXjVAq6KngRGetIlkjC60aMiFmqTZ1f1RADLQyEUHKbLT6YqePU698vHM+zTr+38HLOMxz80/EpC0L0qvdsMY9DXUIHow2/sffGFbWto5Jh2KcWQoSB2dMeQCOeZT45qaCwwE9ZG5sZJTWJvWgjsTegHDvlnv7LzlFOYyfWSr708v+twz/eI0Z1PmCZq8f6iN0T0fA7ncbPjp22ebg+YztDPEO1F+ThtvOrvz4ptVUr5Riywwf1aL6qGYUGZ/epOfaHosnf29l71e3xQD3Ry9DB7DEJXNGmrmF7AF1aEJXsvFSnqNa0A3pkP56cK+SfhEQbaFA7pJWqSnNqRuZR+60ItKQ/plimZRhPobKYb8bjJ0CyFtAf6fez1Q8XC/YohMNi3vZ1sdkmQ+O0CCV72sS7jRpSJOc6zG2KB4zL9JllxThNAXBvB+4rHoowG5ltCw2xm/eTQSdUivCkT67EocjS8RjucLfYvc2aH9+tLaIkwFUYsNKkd+JpNlmD6E6fp229YJ3908JrksYCRc//MQhaDMaig1Bc7JPTGqHlHZFtHhbrGIHPoRMLL6djRKXlPndQ/ZGKTca72oBNt4KXO2MQhTYtP08Zgt8E2lpjUhbWnNsyikuVju7UWi0ynT2RPNaRgffoXZtnDVsCYv1yhYnrfoqNOGZpR4GE/rwyQMw3/osNI91l7vKSGIhAQAPnTT77A5xWiVMb0VL4WzokZaWFWL9BGkSIMcbJNkZB1udwrNeqwU7N8WHwQKGuBSg1YOd9wE0A8GmNNuBo0Qjo4QCGs0Q/GAvrczppinbNkABSgW570/i+Ep7UOJ83Zcv7XhxoHdlsdmpweGIpOdjC4WMfYlNRwVJ2eg7qhvuFOzuvSZBMCmPpC/gkjYgD9FjsH1rzgxbcOvkkUzxHQImiYHxYd6h7ZqqGD7XINy1oSPJEaK,iv:zNaVGK5hNxziOoPTbwaUhUwBuFbCiGNrfVMpeMxL3JI=,tag:6v8Hf4Symd1T16MOEChtcA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VGVjRkdJOGx3c05YM28y\nM3dCbkU4TXBHK1VVOFFkY3FQVk0rQVp0d1g0CnZPR3FtUGlCb2lKSVc1Z3VtM0JM\nV1ZtZ3NVVndvak43cStIRWZxWldKSncKLS0tIEdJVHFFTzdaNklLVHdURndGa3Qy\nc2lEZ1hER3dGL0FKNUZrSkxMOXMvOGsKHGJ44Ey6mR3rV6NPPmn/QTsyjL08wCzu\nkUdD0jgSMLwInX5R9Gh9+Zbc9NIfEgSzLr6up6UlgW/4iWvM4oFPRg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHVweTFZenhZZzVDZ2ts\nTnNxNkZLWnVQRmpoa0ZldHpxdWt0Sy9jRVFFClExS2FMM3hiSlRQR2lmb25RTEo0\nRTRGdmxCaXJoeXdNaVU3cGRIRFlibWsKLS0tIFFzVFhCR2hSOStYNk5yNmc5UkZl\nTHdWSUZTZUIyUEp2OFR0SFpzMzFFd0EKlsRWNJjapPefXxyuUtFWlPs/UIC9V1N7\nF7Ek+TAKl11SwGGA2qla1yvnDOxkZvFg7gWsurZeEBH4PuPZ1OE/Yg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-16T16:41:03Z",
-		"mac": "ENC[AES256_GCM,data:1DcuXden9WAF3frVjOMgpt0nniqiGEAA4SubPLk86GODEaOXxZSVStX1rr0GCF0t0tR4O4jl4cnRvZHF9Zjj7smA5Wf8jPpbSCrZX4oBo/HP3UU+A78yxSrj4gmoeH4m/aaJv0co77Vwcm/HglE6Q89Oc9BUqE2e4FGVmDUZTws=,iv:OAa2hvuw6aUcp3qKkRpDeLMDcq9Kkn/Bc+86DzV5h5g=,tag:wVrs9oyfaCAv3gZxsxbMPg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/checks/postgresql/default.nix
+++ b/checks/postgresql/default.nix
@@ -1,4 +1,4 @@
-({
+(import ../lib/container-test.nix) ({
  name = "postgresql";

  nodes.machine =
--- a/checks/sanity-checks/dont-depend-on-repo-root.nix
+++ b/checks/sanity-checks/dont-depend-on-repo-root.nix
@@ -1,122 +0,0 @@
-{
-  ...
-}:
-{
-  perSystem =
-    {
-      system,
-      pkgs,
-      self',
-      lib,
-      ...
-    }:
-    let
-      clanCore = self'.packages.clan-core-flake;
-      clanCoreHash = lib.substring 0 12 (builtins.hashString "sha256" "${clanCore}");
-      /*
-        construct a flake for the test which contains a single check which depends
-        on all checks of clan-core.
-      */
-      testFlakeFile = pkgs.writeText "flake.nix" ''
-        {
-          inputs.clan-core.url = path:///to/nowhere;
-          outputs = {clan-core, ...}:
-            let
-              checks =
-                builtins.removeAttrs
-                  clan-core.checks.${system}
-                  [
-                    "dont-depend-on-repo-root"
-                    "package-dont-depend-on-repo-root"
-                    "package-clan-core-flake"
-                  ];
-              checksOutPaths = map (x: "''${x}") (builtins.attrValues checks);
-            in
-            {
-              checks.${system}.check = builtins.derivation {
-                name = "all-clan-core-checks";
-                system = "${system}";
-                builder = "/bin/sh";
-                args = ["-c" '''
-                  of outPath in ''${toString checksOutPaths}; do
-                    echo "$outPath" >> $out
-                  done
-                '''];
-              };
-            };
-        }
-      '';
-    in
-    lib.optionalAttrs (system == "x86_64-linux") {
-      packages.dont-depend-on-repo-root =
-        pkgs.runCommand
-          # append repo hash to this tests name to ensure it gets invalidated on each chain
-          # This is needed because this test is an FOD (due to networking) and would get cached indefinitely.
-          "check-dont-depend-on-repo-root-${clanCoreHash}"
-          {
-            buildInputs = [
-              pkgs.nix
-              pkgs.cacert
-              pkgs.nix-diff
-            ];
-            outputHashAlgo = "sha256";
-            outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
-          }
-          ''
-            mkdir clanCore testFlake store
-            clanCore=$(realpath clanCore)
-            testFlake=$(realpath testFlake)
-
-            # copy clan core flake and make writable
-            cp -r ${clanCore}/* clanCore/
-            chmod +w -R clanCore\
-
-            # copy test flake and make writable
-            cp ${testFlakeFile} testFlake/flake.nix
-            chmod +w -R testFlake
-
-            # enable flakes
-            export NIX_CONFIG="experimental-features = nix-command flakes"
-
-            # give nix a $HOME
-            export HOME=$(realpath ./store)
-
-            # override clan-core flake input to point to $clanCore\
-            echo "locking clan-core to $clanCore"
-            nix flake lock --override-input clan-core "path://$clanCore" "$testFlake" --store "$HOME"
-
-            # evaluate all tests
-            echo "evaluating all tests for clan core"
-            nix eval "$testFlake"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath1 &
-
-            # slightly modify clan core
-            cp -r $clanCore clanCore2
-            cp -r $testFlake testFlake2
-            export clanCore2=$(realpath clanCore2)
-            export testFlake2=$(realpath testFlake2)
-            touch clanCore2/fly-fpv
-
-            # re-evaluate all tests
-            echo "locking clan-core to $clanCore2"
-            nix flake lock --override-input clan-core "path://$clanCore2" "$testFlake2" --store "$HOME"
-            echo "evaluating all tests for clan core with added file"
-            nix eval "$testFlake2"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath2
-
-            # wait for first nix eval to return as well
-            while ! grep -q drv drvPath1; do sleep 1; done
-
-            # raise error if outputs are different
-            if [ "$(cat drvPath1)" != "$(cat drvPath2)" ]; then
-              echo -e "\n\nERROR: Something in clan-core depends on the whole repo" > /dev/stderr
-              echo -e "See details in the nix-diff below which shows the difference between two evaluations:"
-              echo -e "  1. Evaluation of clan-core checks without any changes"
-              echo -e "  1. Evaluation of clan-core checks after adding a file to the top-level of the repo"
-              echo "nix-diff:"
-              export NIX_REMOTE="$HOME"
-              nix-diff $(cat drvPath1) $(cat drvPath2)
-              exit 1
-            fi
-            touch $out
-          '';
-    };
-}
--- a/checks/secrets/default.nix
+++ b/checks/secrets/default.nix
@@ -1,4 +1,4 @@
-{
+(import ../lib/test-base.nix) {
  name = "secrets";

  nodes.machine =
@@ -11,6 +11,7 @@
      sops.age.keyFile = "/etc/privkey.age";

      clan.core.settings.directory = "${./.}";
+      clan.core.settings.machine.name = "machine";

      networking.hostName = "machine";
    };
--- a/checks/syncthing/default.nix
+++ b/checks/syncthing/default.nix
@@ -1,83 +1,108 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  # TODO: container driver does not support wait_for_file() yet
-  useContainers = false;
-  nixosTest = (
-    { lib, ... }:
-    {
-      name = "syncthing";
+(import ../lib/test-base.nix) (
+  # Using nixos-test, because our own test system doesn't support the necessary
+  # features for systemd.
+  { lib, ... }:
+  {
+    name = "syncthing";

-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs [
-            "introducer"
-            "peer1"
-            "peer2"
-          ] (_: { });
-          services = {
-            syncthing.default = {
-              roles.peer.machines = [
-                "peer1"
-                "peer2"
-              ];
-              roles.introducer.machines = [ "introducer" ];
+    nodes.introducer =
+      { self, ... }:
+      {
+        imports = [
+          self.clanModules.syncthing
+          self.nixosModules.clanCore
+          {
+            clan.core.settings.machine.name = "introducer";
+            clan.core.settings.directory = ./.;
+            environment.etc = {
+              "syncthing.pam".source = ./introducer/introducer_test_cert;
+              "syncthing.key".source = ./introducer/introducer_test_key;
+              "syncthing.api".source = ./introducer/introducer_test_api;
            };
-          };
-        };
-      };
-
-      nodes.introducer = {
-        # Doesn't test zerotier!
-        services.syncthing.openDefaultPorts = true;
-        services.syncthing.settings.folders = {
-          "Shared" = {
-            enable = true;
-            path = "~/Shared";
-            versioning = {
-              type = "trashcan";
-              params = {
-                cleanoutDays = "30";
+            clan.core.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
+            services.syncthing.cert = "/etc/syncthing.pam";
+            services.syncthing.key = "/etc/syncthing.key";
+            # Doesn't test zerotier!
+            services.syncthing.openDefaultPorts = true;
+            services.syncthing.settings.folders = {
+              "Shared" = {
+                enable = true;
+                path = "~/Shared";
+                versioning = {
+                  type = "trashcan";
+                  params = {
+                    cleanoutDays = "30";
+                  };
+                };
              };
            };
-          };
-        };
-        clan.syncthing.autoAcceptDevices = true;
-        clan.syncthing.autoShares = [ "Shared" ];
-        # For faster Tests
-        systemd.timers.syncthing-auto-accept.timerConfig = {
-          OnActiveSec = 1;
-          OnUnitActiveSec = 1;
-        };
+            clan.syncthing.autoAcceptDevices = true;
+            clan.syncthing.autoShares = [ "Shared" ];
+            # For faster Tests
+            systemd.timers.syncthing-auto-accept.timerConfig = {
+              OnActiveSec = 1;
+              OnUnitActiveSec = 1;
+            };
+          }
+        ];
      };
-      nodes.peer1 = {
-        services.syncthing.openDefaultPorts = true;
+    nodes.peer1 =
+      { self, ... }:
+      {
+        imports = [
+          self.clanModules.syncthing
+          self.nixosModules.clanCore
+          {
+            clan.core.settings.machine.name = "peer1";
+            clan.core.settings.directory = ./.;
+            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
+              builtins.readFile ./introducer/introducer_device_id
+            );
+            environment.etc = {
+              "syncthing.pam".source = ./peer_1/peer_1_test_cert;
+              "syncthing.key".source = ./peer_1/peer_1_test_key;
+            };
+            services.syncthing.openDefaultPorts = true;
+            services.syncthing.cert = "/etc/syncthing.pam";
+            services.syncthing.key = "/etc/syncthing.key";
+          }
+        ];
      };
-      nodes.peer2 = {
-        services.syncthing.openDefaultPorts = true;
+    nodes.peer2 =
+      { self, ... }:
+      {
+        imports = [
+          self.clanModules.syncthing
+          self.nixosModules.clanCore
+          {
+            clan.core.settings.machine.name = "peer2";
+            clan.core.settings.directory = ./.;
+            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
+              builtins.readFile ./introducer/introducer_device_id
+            );
+            environment.etc = {
+              "syncthing.pam".source = ./peer_2/peer_2_test_cert;
+              "syncthing.key".source = ./peer_2/peer_2_test_key;
+            };
+            services.syncthing.openDefaultPorts = true;
+            services.syncthing.cert = "/etc/syncthing.pam";
+            services.syncthing.key = "/etc/syncthing.key";
+          }
+        ];
      };
-
-      testScript = ''
-        start_all()
-        introducer.wait_for_unit("syncthing")
-        peer1.wait_for_unit("syncthing")
-        peer2.wait_for_unit("syncthing")
-        peer1.execute("ls -la /var/lib/syncthing")
-        peer2.execute("ls -la /var/lib/syncthing")
-        peer1.wait_for_file("/var/lib/syncthing/Shared")
-        peer2.wait_for_file("/var/lib/syncthing/Shared")
-        introducer.shutdown()
-        peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
-        peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
-        out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
-        assert "hello" in out
-      '';
-    }
-  );
-}
+    testScript = ''
+      start_all()
+      introducer.wait_for_unit("syncthing")
+      peer1.wait_for_unit("syncthing")
+      peer2.wait_for_unit("syncthing")
+      peer1.wait_for_file("/home/user/Shared")
+      peer2.wait_for_file("/home/user/Shared")
+      introducer.shutdown()
+      peer1.execute("echo hello > /home/user/Shared/hello")
+      peer2.wait_for_file("/home/user/Shared/hello")
+      out = peer2.succeed("cat /home/user/Shared/hello")
+      print(out)
+      assert "hello" in out
+    '';
+  }
+)
--- a/checks/syncthing/introducer/introducer_device_id
+++ b/checks/syncthing/introducer/introducer_device_id
@@ -0,0 +1 @@
+RN4ZZIJ-5AOJVWT-JD5IAAZ-SWVDTHU-B4RWCXE-AEM3SRG-QBM2KC5-JTGUNQT
--- a/checks/syncthing/introducer/introducer_test_api
+++ b/checks/syncthing/introducer/introducer_test_api
@@ -0,0 +1 @@
+fKwzSQK43LWMnjVK2TDjpTkziY364dvP
--- a/checks/syncthing/introducer/introducer_test_cert
+++ b/checks/syncthing/introducer/introducer_test_cert
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHDCCAaOgAwIBAgIJAJDWPRNYN7/7MAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
+CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
+BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDUwMDAwMDBaFw00MzExMzAwMDAwMDBa
+MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
+ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
+A2IABEzIpSQGUVVlrSndNjiwkgZ045eH26agwT5RTN44bGRe8SJqBWC7HP3V7u1C
+6ZQZALSDoDUG5Oi89wGrFnxU48mYFSJFlZAVzyZoqfxVMof3vnk3uFDPo47HA4ex
+8fi6yaNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
+hkjOPQQDAgNnADBkAjB+d84wmaQuv3c94ctxV0sMh23xeTR1cPNcE8wbPQYxHmbO
+HbJ3IWo5HF3di63pVgECMBUfzpmFo8dshYR2/76Ovh573Svzk2+NKEMrqRyoNVFr
+JNQFhCtHbFT1rYfqYWgJBQ==
+-----END CERTIFICATE-----
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`RN4ZZIJ-5AOJVWT-JD5IAAZ-SWVDTHU-B4RWCXE-AEM3SRG-QBM2KC5-JTGUNQT`