fix nix flake cache with chroot stores

The flake cache was not properly checking store paths when custom stores
were used (e.g., when using --store flag or CLAN_TEST_STORE). This
caused cache validation to fail even when the store paths existed.

This fix:
- Updates store path detection to properly identify any path with
  "/store/" in it and a proper nix store item format (hash-name)
- Normalizes store paths to use the current store when checking
  if they exist (CLAN_TEST_STORE or nix config)
- Uses CLAN_TEST_STORE environment variable for test stores, which
  matches how nix --store flag works

Added comprehensive tests to verify the fix works with custom stores.

checks/admin/default.nix

@@ -1,64 +0,0 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-
-let
-  public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
-in
-
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { ... }:
-
-    {
-      name = "admin";
-
-      clan = {
-        directory = ./.;
-        modules."@clan/admin" = ../../clanServices/admin/default.nix;
-        inventory = {
-
-          machines.client = { };
-          machines.server = { };
-
-          instances = {
-            ssh-test-one = {
-              module.name = "@clan/admin";
-              roles.default.machines."server".settings = {
-                allowedKeys.testkey = public-key;
-              };
-            };
-          };
-        };
-      };
-
-      nodes = {
-        client.environment.etc.private-test-key.source = ./private-test-key;
-
-        server = {
-          services.openssh = {
-            enable = true;
-            settings.UsePAM = false;
-          };
-        };
-      };
-
-      testScript = ''
-        start_all()
-
-        machines = [client, server]
-        for m in machines:
-            m.systemctl("start network-online.target")
-
-        for m in machines:
-            m.wait_for_unit("network-online.target")
-
-        client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
-      '';
-    }
-  );
-}

checks/borgbackup-legacy/default.nix

@@ -0,0 +1,51 @@
+(
+  { ... }:
+  {
+    name = "borgbackup";
+
+    nodes.machine =
+      { self, pkgs, ... }:
+      {
+        imports = [
+          self.clanModules.borgbackup
+          self.nixosModules.clanCore
+          {
+            services.openssh.enable = true;
+            services.borgbackup.repos.testrepo = {
+              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+            };
+          }
+          {
+            clan.core.settings.directory = ./.;
+            clan.core.state.testState.folders = [ "/etc/state" ];
+            environment.etc.state.text = "hello world";
+            systemd.tmpfiles.settings."vmsecrets" = {
+              "/etc/secrets/borgbackup/borgbackup.ssh" = {
+                C.argument = "${../assets/ssh/privkey}";
+                z = {
+                  mode = "0400";
+                  user = "root";
+                };
+              };
+              "/etc/secrets/borgbackup/borgbackup.repokey" = {
+                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+                z = {
+                  mode = "0400";
+                  user = "root";
+                };
+              };
+            };
+            # clan.core.facts.secretStore = "vm";
+            clan.core.vars.settings.secretStore = "vm";
+
+            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
+          }
+        ];
+      };
+    testScript = ''
+      start_all()
+      machine.systemctl("start --wait borgbackup-job-test.service")
+      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
+    '';
+  }
+)

checks/borgbackup/default.nix

@@ -1,51 +1,118 @@
-(
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  ...
+}:
+nixosLib.runTest (
   { ... }:
   {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
     name = "borgbackup";
 
-    nodes.machine =
-      { self, pkgs, ... }:
-      {
-        imports = [
-          self.clanModules.borgbackup
-          self.nixosModules.clanCore
-          {
-            services.openssh.enable = true;
-            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-            };
-          }
-          {
-            clan.core.settings.directory = ./.;
-            clan.core.state.testState.folders = [ "/etc/state" ];
-            environment.etc.state.text = "hello world";
-            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/borgbackup/borgbackup.repokey" = {
-                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-            # clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
+    clan = {
+      directory = ./.;
+      test.useContainers = true;
+      modules."@clan/borgbackup" = ../../clanServices/borgbackup/default.nix;
+      inventory = {
 
-            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
-          }
-        ];
+        machines.clientone = { };
+        machines.serverone = { };
+
+        instances = {
+          borgone = {
+
+            module.name = "@clan/borgbackup";
+
+            roles.client.machines."clientone" = { };
+            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
+          };
+        };
       };
+    };
+
+    nodes = {
+
+      serverone = {
+        services.openssh.enable = true;
+        # Needed so PAM doesn't see the user as locked
+        users.users.borg.password = "borg";
+      };
+
+      clientone =
+        { config, pkgs, ... }:
+        let
+          dependencies = [
+            clan-core
+            pkgs.stdenv.drvPath
+          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
+          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+
+        in
+        {
+
+          services.openssh.enable = true;
+
+          users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
+
+          clan.core.networking.targetHost = config.networking.hostName;
+
+          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
+
+          environment.etc.install-closure.source = "${closureInfo}/store-paths";
+          nix.settings = {
+            substituters = pkgs.lib.mkForce [ ];
+            hashed-mirrors = null;
+            connect-timeout = pkgs.lib.mkForce 3;
+            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+          };
+          system.extraDependencies = dependencies;
+
+          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
+        };
+
+    };
+
     testScript = ''
+      import json
       start_all()
-      machine.systemctl("start --wait borgbackup-job-test.service")
-      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
+
+      machines = [clientone, serverone]
+
+      for m in machines:
+          m.systemctl("start network-online.target")
+
+      for m in machines:
+          m.wait_for_unit("network-online.target")
+
+      # dummy data
+      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
+      clientone.succeed("echo testing > /var/test-backups/somefile")
+
+      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
+      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
+      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
+      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
+
+      # create
+      clientone.succeed("borgbackup-create >&2")
+      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
+
+      # list
+      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
+      out = clientone.succeed("borgbackup-list").strip()
+      print(out)
+      assert backup_id in out, f"backup {backup_id} not found in {out}"
+
+      # borgbackup restore
+      clientone.succeed("rm -f /var/test-backups/somefile")
+      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
+      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
     '';
   }
 )

checks/borgbackup/sops/machines/clientone/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
+    "type": "age"
+  }
+]

checks/borgbackup/sops/secrets/clientone-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:wCKoKuJo4uXycfqEUYAXDlRRMGJaWgOFiaQa4Wigs0jx1eCI80lP3cEZ1QKyrU/9m9POoZz0JlaKHcuhziTKUqaevHvGfVq2y00=,iv:pH5a90bJbK9Ro6zndNJ18qd4/rU+Tdm+y+jJZtY7UGg=,tag:9lHZJ9C/zIfy8nFrYt9JBQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDhpd1ZqbWFqR0I3dVFI\nOHlyZnFUYXJnWElrRWhoUHVNMzdKd0VrcGdRCkphQVhuYzlJV0p1MG9MSW5ncWJ3\nREp1OEJxMzQzS2MxTk9aMkJ1a3B0Q0kKLS0tIENweVJ2Tk1yeXlFc2F5cTNIV3F3\nTkRFOVZ1amRIYmg1K3hGWUFSTTl4Wk0KHJRJ7756Msod7Bsmn9SgtwRo53B8Ilp3\nhsAPv+TtdmOD8He9MvGV+BElKEXCsLUwhp/Py6n6CJCczu0VIr8owg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-20T13:33:56Z",
+		"mac": "ENC[AES256_GCM,data:FyfxXhnI6o4SVGJY2e1eMDnfkbMWiCkP4JL/G4PQvzz+c7OIuz8xaa03P3VW7b7o85NP2Tln4FMNTZ0FYtQwd0kKypLUnIxAHsixAHFCv4X8ul1gtZynzgbFbmc0GkfVWW8Lf+U+vvDwT+UrEVfcmksCjdvAOwP26PvlEhYEkSw=,iv:H+VrWYL+kLOLezCZrI8ZgeCsaUdpb7LxDMiLotezVPs=,tag:B/cbPdiEFumGKQHby5inCA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/machines/clientone

@@ -0,0 +1 @@
+../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:52vY68gqbwiZRMUBKc9SeXR06fuKAhuAPciLpxXgEOxI,iv:Y34AVoHaZzRiFFTDbekXP1X3W8zSXJmzVCYODYkdxnY=,tag:8WQaGEHQKT/n+auHUZCE0w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUFUZUZ2M00zTGlhNjF4\nL0VlMVY4Z2xMbWRWR29zZlFwdm1XRk12NGtBCnkrb3A4M3BkalMyeWdDaUdQdStt\nUWY3SXJROXdpRzN0NlBJNEpjTEZ0aFkKLS0tIGZkMGhsTXB2RnRqVHVrUFQwL2lw\nZnBreWhWa3Jrcm4yOXBiaUlPWFM1aDAKRE+Zzrja7KeANEJUbmFYuVoO3qGyi4iH\n0cfH0W8irRe9vsKMXz7YJxtByYLwRulrT8tXtElHvIEVJG0mwwaf0Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNEljUFdnQ0tTQ1IxZ2Zo\nYkc4V2dCaUk0YXh5SzlSazhsRTVKVzFvVXhFCkRyMlMxR3EyWEZIRzFQV3d2dVpz\na3NPbk9XdWR1NmtMQlZsNlBuU0NkQWMKLS0tIDlDYzMzOExVL1g5SVRHYlpUQlBV\na2lpdTUwaEd4OXhWUWxuV04xRVVKNHcK9coohAD1IoarLOXSGg3MIRXQ3BsTIA4y\nKrcS/PxITKJs7ihg93RZin70R79Qsij1RHZLKGfgGJ67i8ZCxc4N0g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-20T13:33:59Z",
+		"mac": "ENC[AES256_GCM,data:eABMaIe07dwAMMlgrIUUpfpj73q1H5Keafql91MBQ5NN9Znr5lI/ennQsQsuLO8ZTCC34US/MJndliW34SqVM9y53p0jjPzqBxSKYq74iNcBz7+TxbjlY1aapgTRPr6Ta8I/5loohnxlHqjvLL70ZzfbChDN0/4jZsDVXYNfbIk=,iv:41Mz2u40JN0iE5zPUK6siaxo0rTtlk7fGWq7TF5NyUI=,tag:1A+h6XPH7DeQ6kxGDV3PgQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh.pub/value

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3clYF6BDZ0PxfDdprx7YYM4U4PKEZkWUuhpre0wb7w nixbld@kiwi

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/machines/clientone

@@ -0,0 +1 @@
+../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:tAjfBW75XDS8lfJCf/+9rPYH3aMjRX1nmdN5dPMxnrlhuEPM3Smv9AM93Tz36k7BKk31bUWcV/99ax+KaIK1Rzgym/CwKGGxIUziuVOEOwrCOBeOw7amZ9YGsgiLUTLIhoeO6SjfdZ4q2JxGPw7KqNfUM9kiZT01vx5JTLa24JdvBKpizbtHRlL1lappTRVt0dG2WhT9/YhQUGu9ZFqPs8+bPOBclc78qjCm2DAPgsprK+JCBuq+r+qHgAx4Ee1QHI7FC39e5NeGBTBeZfZ5d95+0klKuTx9FCPs6QRBkQ0tN29OpwzkdSuRAXGGHpzPkZ+FupbETtSQWCmnjma6jPzEl8oDUTWooKK0mUEz8icvTQvRfyM3Qt3mQpkX3e0rTEbZzoLdWCwTufP/tRQNDCWvI/NV7OjIHpNPjymqE5uPmiBpA6y6hhCH7zL1eDo11ICSIX3hkyFJH2svvFQn6oLrPAoByvNutfetKhd8z7NFpVeIOWwtuPzO7wU5M7zESHww0JF78vjFwimQYYhQ,iv:fVjeVez4dTGSrANi5ZeP9PJhsSySqeqqJzBDbd0gFW4=,tag:Aa89+bWLljxV1tlSHtpddw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaW94M3VwcFJ2elcrRGlv\nUGdzVk9vU2ZweFpIVVlIRUEyRVlSMlEyeHpVCnJuV0xIS3hMLy9IbG92S0pvL2RP\nL0J0WkVuWVhQdldHekdYNTVXdFkrUlEKLS0tIFQzdGErZVBwQUFNMXErbDBQVURZ\naHlsY2hDa1Zud1E2dFh0ZHl4VEJ2S0kKVABqwRcCUTcsBInfo9CpFtoM3kl4KMyU\nGXDjHOSjlX5df7OKZAvYukgX7Q2penvq+Fq4fa4A1Cmkqga7cHdJ+A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbHRSVEg3Vi9qTnAwWGF6\nbEdIR2gvZ2laZnJMbVF3NjcvN25OdXF3WXowCnVUODdEa1NWU3JISXlrNldOMjVi\ndUlMTVdBaWxvZHlwSTdJY3NCcll4SjAKLS0tIEp6ZVlDTklqVXdNYzJ2dElCR21o\nUWphMDdyVVppVnFHOVlHZTNtajZzOXMKRB61lUrAkUXSYl3ffOOK8k4QgLA4bFln\naQ7GOol8f8W5H68zXBMZrhjP6k4kZDfknc9jgyoWM7jaZNSWC5J19Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-20T13:33:59Z",
+		"mac": "ENC[AES256_GCM,data:NjVpDweqxTSQGt9VKR/CMfvbvHQJHCi8P7XbOuKLZKQ4GVoeZ5r4PsC6nxKHHikN6YL1oJCmaSxr0mJRk/sFZg/+wdW8L7F5aQeFRiWo9jCjH0MDMnfiu5a0xjRt21uPl/7LUJ9jNon5nyxPTlZMeYSvTP2Q9spnNuN8vqipP68=,iv:DPvbN9IvWiUfxiJk6mey/us8N1GGVJcSJrT8Bty4kB4=,tag:+emK8uSkfIGUXoYpaWeu3A==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/clan-core-for-checks.nix

@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
   url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "843e1b24be6ff9a7015e67b3291216c08f628d3e";
-  sha256 = "1bfm3n9r9k8prbwsh0yzp421y4ahblv407gqihwvcpiqsx6s3b9b";
+  rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
+  sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
 }

checks/data-mesher/default.nix

@@ -1,86 +1,89 @@
 {
   pkgs,
-  self,
-  clanLib,
+  nixosLib,
+  clan-core,
+  lib,
   ...
 }:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { lib, ... }:
-    let
-      machines = [
-        "admin"
-        "peer"
-        "signer"
-      ];
-    in
-    {
-      name = "data-mesher";
+let
+  machines = [
+    "admin"
+    "peer"
+    "signer"
+  ];
+in
+nixosLib.runTest (
+  { ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
 
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs machines (_: { });
-          services = {
-            data-mesher.default = {
-              roles.peer.machines = [ "peer" ];
-              roles.admin.machines = [ "admin" ];
-              roles.signer.machines = [ "signer" ];
-            };
+    hostPkgs = pkgs;
+    name = "data-mesher";
+
+    clan = {
+      directory = ./.;
+      inventory = {
+        machines = lib.genAttrs machines (_: { });
+        services = {
+          data-mesher.default = {
+            roles.peer.machines = [ "peer" ];
+            roles.admin.machines = [ "admin" ];
+            roles.signer.machines = [ "signer" ];
           };
         };
       };
+    };
 
-      defaults =
-        { config, ... }:
-        {
-          environment.systemPackages = [
-            config.services.data-mesher.package
-          ];
+    defaults =
+      { config, ... }:
+      {
+        environment.systemPackages = [
+          config.services.data-mesher.package
+        ];
 
-          clan.data-mesher.network.interface = "eth1";
-          clan.data-mesher.bootstrapNodes = [
-            "[2001:db8:1::1]:7946" # peer1
-            "[2001:db8:1::2]:7946" # peer2
-          ];
+        clan.data-mesher.network.interface = "eth1";
+        clan.data-mesher.bootstrapNodes = [
+          "[2001:db8:1::1]:7946" # peer1
+          "[2001:db8:1::2]:7946" # peer2
+        ];
 
-          # speed up for testing
-          services.data-mesher.settings = {
-            cluster.join_interval = lib.mkForce "2s";
-            cluster.push_pull_interval = lib.mkForce "5s";
-          };
+        # speed up for testing
+        services.data-mesher.settings = {
+          cluster.join_interval = lib.mkForce "2s";
+          cluster.push_pull_interval = lib.mkForce "5s";
         };
-
-      nodes = {
-        admin.clan.data-mesher.network.tld = "foo";
       };
 
-      # TODO Add better test script.
-      testScript = ''
+    nodes = {
+      admin.clan.data-mesher.network.tld = "foo";
+    };
 
-        def resolve(node, success = {}, fail = [], timeout = 60):
-          for hostname, ips in success.items():
-              for ip in ips:
-                  node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
+    # TODO Add better test script.
+    testScript = ''
 
-          for hostname in fail:
-              node.wait_until_fails(f"getent ahosts {hostname}")
+      def resolve(node, success = {}, fail = [], timeout = 60):
+        for hostname, ips in success.items():
+            for ip in ips:
+                node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
 
-        start_all()
+        for hostname in fail:
+            node.wait_until_fails(f"getent ahosts {hostname}")
 
-        admin.wait_for_unit("data-mesher")
-        signer.wait_for_unit("data-mesher")
-        peer.wait_for_unit("data-mesher")
+      start_all()
 
-        # check dns resolution
-        for node in [admin, signer, peer]:
-          resolve(node, {
-              "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
-              "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
-              "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
-          })
-      '';
-    }
-  );
-}
+      admin.wait_for_unit("data-mesher")
+      signer.wait_for_unit("data-mesher")
+      peer.wait_for_unit("data-mesher")
+
+      # check dns resolution
+      for node in [admin, signer, peer]:
+        resolve(node, {
+            "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
+            "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
+            "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
+        })
+    '';
+  }
+)

checks/deltachat/default.nix

@@ -1,28 +0,0 @@
-(import ../lib/container-test.nix) (
-  { pkgs, ... }:
-  {
-    name = "deltachat";
-
-    nodes.machine =
-      { self, ... }:
-      {
-        imports = [
-          self.clanModules.deltachat
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.wait_for_unit("maddy")
-      # imap
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
-      # smtp submission
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
-      # smtp
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
-    '';
-  }
-)

checks/dummy-inventory-test-from-flake/default.nix

@@ -0,0 +1,66 @@
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  ...
+}:
+
+nixosLib.runTest (
+  { hostPkgs, config, ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
+    # This tests the compatibility of the inventory
+    # With the test framework
+    # - legacy-modules
+    # - clan.service modules
+    name = "dummy-inventory-test-from-flake";
+
+    clan.test.fromFlake = ./.;
+
+    extraPythonPackages = _p: [
+      clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
+    ];
+
+    testScript =
+      { nodes, ... }:
+      ''
+        from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
+        setup_nix_in_nix()
+
+        def run_clan(cmd: list[str], **kwargs) -> str:
+            import subprocess
+            clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
+            clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
+            return subprocess.run(
+                ["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
+                **kwargs,
+                check=True,
+            ).stdout
+
+        start_all()
+        admin1.wait_for_unit("multi-user.target")
+        peer1.wait_for_unit("multi-user.target")
+        # Provided by the legacy module
+        print(admin1.succeed("systemctl status dummy-service"))
+        print(peer1.succeed("systemctl status dummy-service"))
+
+        # peer1 should have the 'hello' file
+        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
+
+        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
+        # Check that the file is owned by 'nobody'
+        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
+        # Check that the file is in the 'users' group
+        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
+        # Check that the file is in the '0644' mode
+        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
+
+        run_clan(["machines", "list"])
+      '';
+  }
+)

checks/dummy-inventory-test-from-flake/flake.nix

@@ -0,0 +1,70 @@
+{
+  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+  inputs.nixpkgs.follows = "clan-core/nixpkgs";
+
+  outputs =
+    { self, clan-core, ... }:
+    let
+      # Usage see: https://docs.clan.lol
+      clan = clan-core.clanLib.buildClan {
+        inherit self;
+
+        inventory =
+          { ... }:
+          {
+            meta.name = "foo";
+            machines.peer1 = { };
+            machines.admin1 = { };
+            services = {
+              legacy-module.default = {
+                roles.peer.machines = [ "peer1" ];
+                roles.admin.machines = [ "admin1" ];
+              };
+            };
+
+            instances."test" = {
+              module.name = "new-service";
+              roles.peer.machines.peer1 = { };
+            };
+
+            modules = {
+              legacy-module = ./legacy-module;
+            };
+          };
+
+        modules.new-service = {
+          _class = "clan.service";
+          manifest.name = "new-service";
+          roles.peer = { };
+          perMachine = {
+            nixosModule = {
+              # This should be generated by:
+              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+              clan.core.vars.generators.new-service = {
+                files.not-a-secret = {
+                  secret = false;
+                  deploy = true;
+                };
+                files.a-secret = {
+                  secret = true;
+                  deploy = true;
+                  owner = "nobody";
+                  group = "users";
+                  mode = "0644";
+                };
+                script = ''
+                  # This is a dummy script that does nothing
+                  echo -n "not-a-secret" > $out/not-a-secret
+                  echo -n "a-secret" > $out/a-secret
+                '';
+              };
+            };
+          };
+        };
+      };
+    in
+    {
+      # all machines managed by Clan
+      inherit (clan) nixosConfigurations nixosModules clanInternals;
+    };
+}

checks/dummy-inventory-test-from-flake/legacy-module/README.md

@@ -0,0 +1,10 @@
+---
+description = "Set up dummy-module"
+categories = ["System"]
+features = [ "inventory" ]
+
+[constraints]
+roles.admin.min = 1
+roles.admin.max = 1
+---
+

checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

checks/dummy-inventory-test-from-flake/legacy-module/shared.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+  systemd.services.dummy-service = {
+    enable = true;
+    description = "Dummy service";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
+      if [ ! -f "$generated_password_path" ]; then
+        echo "Generated password file not found: $generated_password_path"
+        exit 1
+      fi
+      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
+      if [ ! -e "$host_id_path" ]; then
+        echo "Host ID file not found: $host_id_path"
+        exit 1
+      fi
+    '';
+  };
+
+  # TODO: add and prompt and make it work in the test framework
+  clan.core.vars.generators.dummy-generator = {
+    files.host-id.secret = false;
+    files.generated-password.secret = true;
+    script = ''
+      echo $RANDOM > "$out"/host-id
+      echo $RANDOM > "$out"/generated-password
+    '';
+  };
+}

checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
+    "type": "age"
+  }
+]

checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
+    "type": "age"
+  }
+]

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-04T12:44:13Z",
+		"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-04T12:44:16Z",
+		"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/dummy-inventory-test-from-flake/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1

@@ -0,0 +1 @@
+../../../../../../sops/machines/admin1

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-04T12:44:14Z",
+		"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value

@@ -0,0 +1 @@
+18650

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-04T12:44:18Z",
+		"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value

@@ -0,0 +1 @@
+6745

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-04T12:44:20Z",
+		"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value

@@ -0,0 +1 @@
+not-a-secret

checks/dummy-inventory-test/default.nix

@@ -1,93 +1,96 @@
 {
   pkgs,
-  self,
-  clanLib,
+  nixosLib,
+  clan-core,
   ...
 }:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { ... }:
-    {
-      # This tests the compatibility of the inventory
-      # With the test framework
-      # - legacy-modules
-      # - clan.service modules
-      name = "dummy-inventory-test";
+nixosLib.runTest (
+  { ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
 
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines.peer1 = { };
-          machines.admin1 = { };
-          services = {
-            legacy-module.default = {
-              roles.peer.machines = [ "peer1" ];
-              roles.admin.machines = [ "admin1" ];
-            };
-          };
+    hostPkgs = pkgs;
 
-          instances."test" = {
-            module.name = "new-service";
-            roles.peer.machines.peer1 = { };
-          };
+    # This tests the compatibility of the inventory
+    # With the test framework
+    # - legacy-modules
+    # - clan.service modules
+    name = "dummy-inventory-test";
 
-          modules = {
-            legacy-module = ./legacy-module;
+    clan = {
+      directory = ./.;
+      inventory = {
+        machines.peer1 = { };
+        machines.admin1 = { };
+        services = {
+          legacy-module.default = {
+            roles.peer.machines = [ "peer1" ];
+            roles.admin.machines = [ "admin1" ];
           };
         };
-        modules.new-service = {
-          _class = "clan.service";
-          manifest.name = "new-service";
-          roles.peer = { };
-          perMachine = {
-            nixosModule = {
-              # This should be generated by:
-              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
-              clan.core.vars.generators.new-service = {
-                files.not-a-secret = {
-                  secret = false;
-                  deploy = true;
-                };
-                files.a-secret = {
-                  secret = true;
-                  deploy = true;
-                  owner = "nobody";
-                  group = "users";
-                  mode = "0644";
-                };
-                script = ''
-                  # This is a dummy script that does nothing
-                  echo -n "not-a-secret" > $out/not-a-secret
-                  echo -n "a-secret" > $out/a-secret
-                '';
+
+        instances."test" = {
+          module.name = "new-service";
+          roles.peer.machines.peer1 = { };
+        };
+
+        modules = {
+          legacy-module = ./legacy-module;
+        };
+      };
+      modules.new-service = {
+        _class = "clan.service";
+        manifest.name = "new-service";
+        roles.peer = { };
+        perMachine = {
+          nixosModule = {
+            # This should be generated by:
+            # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+            clan.core.vars.generators.new-service = {
+              files.not-a-secret = {
+                secret = false;
+                deploy = true;
               };
+              files.a-secret = {
+                secret = true;
+                deploy = true;
+                owner = "nobody";
+                group = "users";
+                mode = "0644";
+              };
+              script = ''
+                # This is a dummy script that does nothing
+                echo -n "not-a-secret" > $out/not-a-secret
+                echo -n "a-secret" > $out/a-secret
+              '';
             };
           };
         };
       };
+    };
 
-      testScript =
-        { nodes, ... }:
-        ''
-          start_all()
-          admin1.wait_for_unit("multi-user.target")
-          peer1.wait_for_unit("multi-user.target")
-          # Provided by the legacy module
-          print(admin1.succeed("systemctl status dummy-service"))
-          print(peer1.succeed("systemctl status dummy-service"))
+    testScript =
+      { nodes, ... }:
+      ''
+        start_all()
+        admin1.wait_for_unit("multi-user.target")
+        peer1.wait_for_unit("multi-user.target")
+        # Provided by the legacy module
+        print(admin1.succeed("systemctl status dummy-service"))
+        print(peer1.succeed("systemctl status dummy-service"))
 
-          # peer1 should have the 'hello' file
-          peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
+        # peer1 should have the 'hello' file
+        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
 
-          ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-          # Check that the file is owned by 'nobody'
-          assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-          # Check that the file is in the 'users' group
-          assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-          # Check that the file is in the '0644' mode
-          assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-        '';
-    }
-  );
-}
+        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
+        # Check that the file is owned by 'nobody'
+        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
+        # Check that the file is in the 'users' group
+        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
+        # Check that the file is in the '0644' mode
+        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
+      '';
+  }
+)

checks/flake-module.nix

@@ -4,6 +4,7 @@ let
     filter
     pathExists
     ;
+  nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
 in
 {
   imports = filter pathExists [
@@ -29,19 +30,18 @@ in
         let
           nixosTestArgs = {
             # reference to nixpkgs for the current system
-            inherit pkgs lib;
+            inherit pkgs lib nixosLib;
             # this gives us a reference to our flake but also all flake inputs
             inherit self;
             inherit (self) clanLib;
+            clan-core = self;
           };
           nixosTests =
             lib.optionalAttrs (pkgs.stdenv.isLinux) {
-              # Deltachat is currently marked as broken
-              # deltachat = import ./deltachat nixosTestArgs;
 
               # Base Tests
               secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-              borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
+              borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
               wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
               # Container Tests
@@ -50,11 +50,9 @@ in
               matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
               postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
 
-              # Clan Tests
               dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-              admin = import ./admin nixosTestArgs;
+              dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
               data-mesher = import ./data-mesher nixosTestArgs;
-              syncthing = import ./syncthing nixosTestArgs;
             }
             // lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
               # for some reason this hangs in an odd place in CI, but it works on my machine ...

checks/mumble/default.nix

@@ -1,130 +1,132 @@
 {
   pkgs,
-  self,
-  clanLib,
+  nixosLib,
+  clan-core,
+  lib,
   ...
 }:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
-  useContainers = false;
-  nixosTest = (
-    { lib, ... }:
-    let
-      common =
-        { pkgs, modulesPath, ... }:
-        {
-          imports = [
-            (modulesPath + "/../tests/common/x11.nix")
-          ];
+nixosLib.runTest (
+  { ... }:
+  let
+    machines = [
+      "peer1"
+      "peer2"
+    ];
+  in
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
 
-          clan.services.mumble.user = "alice";
-          environment.systemPackages = [ pkgs.killall ];
-        };
-      machines = [
-        "peer1"
-        "peer2"
-      ];
-    in
-    {
-      name = "mumble";
+    hostPkgs = pkgs;
 
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs machines (_: { });
-          services = {
-            mumble.default = {
-              roles.server.machines = machines;
-            };
+    name = "mumble";
+
+    defaults =
+      { pkgs, modulesPath, ... }:
+      {
+        imports = [
+          (modulesPath + "/../tests/common/x11.nix")
+        ];
+
+        clan.services.mumble.user = "alice";
+        environment.systemPackages = [ pkgs.killall ];
+      };
+
+    clan = {
+      directory = ./.;
+      # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
+      test.useContainers = false;
+      inventory = {
+        machines = lib.genAttrs machines (_: { });
+        services = {
+          mumble.default = {
+            roles.server.machines = machines;
           };
         };
       };
+    };
 
-      enableOCR = true;
+    enableOCR = true;
 
-      nodes.peer1 = common;
-      nodes.peer2 = common;
-
-      testScript = ''
-        import time
-        import re
+    testScript = ''
+      import time
+      import re
 
 
-        def machine_has_text(machine: Machine, regex: str) -> bool:
-            variants = machine.get_screen_text_variants()
-            # for debugging
-            # machine.screenshot(f"/tmp/{machine.name}.png")
-            for text in variants:
-                print(f"Expecting '{regex}' in '{text}'")
-                if re.search(regex, text) is not None:
-                    return True
-            return False
+      def machine_has_text(machine: Machine, regex: str) -> bool:
+          variants = machine.get_screen_text_variants()
+          # for debugging
+          # machine.screenshot(f"/tmp/{machine.name}.png")
+          for text in variants:
+              print(f"Expecting '{regex}' in '{text}'")
+              if re.search(regex, text) is not None:
+                  return True
+          return False
 
-        start_all()
+      start_all()
 
-        with subtest("Waiting for x"):
-          peer1.wait_for_x()
-          peer2.wait_for_x()
+      with subtest("Waiting for x"):
+        peer1.wait_for_x()
+        peer2.wait_for_x()
 
-        with subtest("Waiting for murmur"):
-          peer1.wait_for_unit("murmur.service")
-          peer2.wait_for_unit("murmur.service")
+      with subtest("Waiting for murmur"):
+        peer1.wait_for_unit("murmur.service")
+        peer2.wait_for_unit("murmur.service")
 
-        with subtest("Starting Mumble"):
-          # starting mumble is blocking
-          peer1.execute("mumble >&2 &")
-          peer2.execute("mumble >&2 &")
+      with subtest("Starting Mumble"):
+        # starting mumble is blocking
+        peer1.execute("mumble >&2 &")
+        peer2.execute("mumble >&2 &")
 
-        with subtest("Wait for Mumble"):
-          peer1.wait_for_window(r"Mumble")
-          peer2.wait_for_window(r"Mumble")
+      with subtest("Wait for Mumble"):
+        peer1.wait_for_window(r"Mumble")
+        peer2.wait_for_window(r"Mumble")
 
-        with subtest("Wait for certificate creation"):
-          peer1.wait_for_window(r"Mumble")
-          peer2.wait_for_window(r"Mumble")
+      with subtest("Wait for certificate creation"):
+        peer1.wait_for_window(r"Mumble")
+        peer2.wait_for_window(r"Mumble")
 
-          for i in range(20):
-            time.sleep(1)
-            peer1.send_chars("\n")
-            peer1.send_chars("\n")
-            peer2.send_chars("\n")
-            peer2.send_chars("\n")
-            if machine_has_text(peer1, r"Mumble Server Connect") and \
-               machine_has_text(peer2, r"Mumble Server Connect"):
-              break
-          else:
-            raise Exception("Timeout waiting for certificate creation")
+        for i in range(20):
+          time.sleep(1)
+          peer1.send_chars("\n")
+          peer1.send_chars("\n")
+          peer2.send_chars("\n")
+          peer2.send_chars("\n")
+          if machine_has_text(peer1, r"Mumble Server Connect") and \
+              machine_has_text(peer2, r"Mumble Server Connect"):
+            break
+        else:
+          raise Exception("Timeout waiting for certificate creation")
 
-        with subtest("Check validity of server certificates"):
-          peer1.execute("killall .mumble-wrapped")
-          peer1.sleep(1)
-          peer1.execute("mumble mumble://peer2 >&2 &")
-          peer1.wait_for_window(r"Mumble")
+      with subtest("Check validity of server certificates"):
+        peer1.execute("killall .mumble-wrapped")
+        peer1.sleep(1)
+        peer1.execute("mumble mumble://peer2 >&2 &")
+        peer1.wait_for_window(r"Mumble")
 
-          for i in range(20):
-            time.sleep(1)
-            peer1.send_chars("\n")
-            peer1.send_chars("\n")
-            if machine_has_text(peer1, "Connected."):
-              break
-          else:
-            raise Exception("Timeout waiting for certificate creation")
+        for i in range(20):
+          time.sleep(1)
+          peer1.send_chars("\n")
+          peer1.send_chars("\n")
+          if machine_has_text(peer1, "Connected."):
+            break
+        else:
+          raise Exception("Timeout waiting for certificate creation")
 
-          peer2.execute("killall .mumble-wrapped")
-          peer2.sleep(1)
-          peer2.execute("mumble mumble://peer1 >&2 &")
-          peer2.wait_for_window(r"Mumble")
+        peer2.execute("killall .mumble-wrapped")
+        peer2.sleep(1)
+        peer2.execute("mumble mumble://peer1 >&2 &")
+        peer2.wait_for_window(r"Mumble")
 
-          for i in range(20):
-            time.sleep(1)
-            peer2.send_chars("\n")
-            peer2.send_chars("\n")
-            if machine_has_text(peer2, "Connected."):
-              break
-          else:
-            raise Exception("Timeout waiting for certificate creation")
-      '';
-    }
-  );
-}
+        for i in range(20):
+          time.sleep(1)
+          peer2.send_chars("\n")
+          peer2.send_chars("\n")
+          if machine_has_text(peer2, "Connected."):
+            break
+        else:
+          raise Exception("Timeout waiting for certificate creation")
+    '';
+  }
+)

checks/mycelium/default.nix

@@ -0,0 +1,53 @@
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  ...
+}:
+nixosLib.runTest (
+  { ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
+    name = "mycelium";
+
+    clan = {
+
+      test.useContainers = false;
+      directory = ./.;
+      modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
+      inventory = {
+        machines.server = { };
+
+        instances = {
+          mycelium-test = {
+            module.name = "@clan/mycelium";
+            roles.peer.machines."server".settings = {
+              openFirewall = true;
+              addHostedPublicNodes = true;
+            };
+          };
+        };
+      };
+    };
+
+    nodes = {
+      server = { };
+    };
+
+    testScript = ''
+      start_all()
+
+      # Check that mycelium service is running
+      server.wait_for_unit("mycelium")
+      server.succeed("systemctl status mycelium")
+
+      # Check that mycelium is listening on its default port
+      server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
+    '';
+  }
+)

checks/mycelium/sops/machines/server/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
+    "type": "age"
+  }
+]

checks/mycelium/sops/secrets/server-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:hLJS+CJllYM50KxKuiYamxBLGd9lwoeIFapP9mZAlVGH5DSenylcKUfsphxafASoB516qns2DznBoS9mWqg9uTsRZjk4WlR3x6A=,iv:uRiIpUKIiV3riNcBAWUqhZbE+Vb7lLMfU0C/TClVZ6M=,tag:4+nsMssiSyq9Iv7sDuWmoQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUWFOMzluRmdOQXBmRjRN\ncXNSUlB5Z0t6dWYxNVkvMmhrN1FDdmxHcTNJCkhPL3BYMFFXMmU5ZGRqOC9KWEgv\nSHB5OUJqTk5Dd0tDTks1R1ZhYktrLzgKLS0tIHJIMlFRVWphZXlISmR3VUJKUjNk\ndWF4eCt6UHBrSndBay95RVJ3dldiaFkKCgYqrt0aCGRTaHycBoeqv/zeByu2ZZ3Z\nVfgxnD9liIQkS2wERbpk0/Yq9wkKgVxj+DZoWwHYhP0eKCw2UOorCA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-04T11:54:59Z",
+		"mac": "ENC[AES256_GCM,data:xoeOz7FRCPJ18UTsfbY1x/N65pxbTsehT9Kv3MgEd6NQJn6FTvquaj3HEZ0KvIzStBz1FNOhSql9CZUFc4StYps05EbX61MMMnz6Nlj3xcTwuVQFabGoinxcXbCDSA+tAW7VqzVxumj6FMDg+r77gdcIApZjGJg4Z9ws2RZd3u4=,iv:U8IUDwmfg8Umob9mtKgGaKoIY4SKNL895BABJxzx5n8=,tag:tnMCx6D/17ZYgI6SgNS29A==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/mycelium/sops/secrets/server-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/mycelium/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

checks/mycelium/vars/per-machine/server/mycelium/ip/value

@@ -0,0 +1 @@
+52d:87c1:4222:b550:ee01:a7ae:254:5a66

checks/mycelium/vars/per-machine/server/mycelium/key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:DGzl2G4H+NkwXq0fCUQS0+8FG1x9xoIsYvAgUxP4Qp8=,iv:CXOJVgYNthVOZ4vbdI3n4KLXSFVemzaoEnRGMC+m0i8=,tag:/u+pV3xWpUq0ZtAm6LKuGQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZHZjdXMwclBTeGthcGpM\nV1ArVy83akNHNEpXVFhoR1FWNlJUeHNKTW00CjJFTFZneFNrL0hDMXJpaTQ2M1ln\nTmdPMGhzeUp0NU55QnhCZEU2QVk1OG8KLS0tIDFhQmJhOHJsTjhYNEhITEw0WFgy\nWC9pTi9od0wyMWtZRVZJYWo0Nmo5SHMKDohnAAfrnGOiw55huMme2EEWE53N/feS\nutvbiTZh1ECHCi/uoK757fjnJ/WrQMSxUpctT9I8bpJRtbTqkx3XRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeTZENGFpWndDbmdsWDRw\nMTBCVXg5Zkg2a2s5Yk1HSERIVlVQRXdUSUNnCnREbno0dEN0ZEgvOFNMRG1ReGx4\na0h1YUFuMkxBZXJUTE9xOUVUMitEalkKLS0tIFZMZ21qclRqUFR0dlAyMFkzdUNX\nNjRLTWVRVWtHSDlDakEzMmpRVWkyc0EKabm8mTKJVxQNTaIgU+8rb/xk9Dpg+Zjz\nb+wgD0+TlARlenMtIub8Y6N06ENOc20oovylfu+g7xV+EkvRPCd6tA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-04T11:55:02Z",
+		"mac": "ENC[AES256_GCM,data:UIBaD/3mACgFzkajkFXz3oKai8IxpYQriR2t0mc5fL92P5ECloxCobY386TDZYOEVrDJ45Bw+IzqZbsCx/G9f1xCCTR2JvqygxYIsK3TpQPsboJzb9Cz3dBNBCXGboVykcg/NobEMaJBw1xtdAQBhuo8S7ymIuOPtGz0vPFJkf8=,iv:g0YAOBsRpgAOikKDMJDyOtcVx+0QwetfA8R6wQFH7lY=,tag:sfdFLjtiqFHdP/Qe1suBBQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/mycelium/vars/per-machine/server/mycelium/key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/mycelium/vars/per-machine/server/mycelium/pubkey/value

@@ -0,0 +1 @@
+2125c6b039374467eaa3eaf552bd3e97f434d16006433cfbba3e6823c958b728

checks/syncthing/default.nix

@@ -1,83 +1,87 @@
 {
   pkgs,
-  self,
-  clanLib,
+  nixosLib,
+  clan-core,
+  lib,
   ...
 }:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  # TODO: container driver does not support wait_for_file() yet
-  useContainers = false;
-  nixosTest = (
-    { lib, ... }:
-    {
-      name = "syncthing";
+nixosLib.runTest (
+  { ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
 
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs [
-            "introducer"
-            "peer1"
-            "peer2"
-          ] (_: { });
-          services = {
-            syncthing.default = {
-              roles.peer.machines = [
-                "peer1"
-                "peer2"
-              ];
-              roles.introducer.machines = [ "introducer" ];
+    hostPkgs = pkgs;
+
+    name = "syncthing";
+
+    clan = {
+      directory = ./.;
+      # TODO: container driver does not support wait_for_file() yet
+      test.useContainers = false;
+      inventory = {
+        machines = lib.genAttrs [
+          "introducer"
+          "peer1"
+          "peer2"
+        ] (_: { });
+        services = {
+          syncthing.default = {
+            roles.peer.machines = [
+              "peer1"
+              "peer2"
+            ];
+            roles.introducer.machines = [ "introducer" ];
+          };
+        };
+      };
+    };
+
+    nodes.introducer = {
+      # Doesn't test zerotier!
+      services.syncthing.openDefaultPorts = true;
+      services.syncthing.settings.folders = {
+        "Shared" = {
+          enable = true;
+          path = "~/Shared";
+          versioning = {
+            type = "trashcan";
+            params = {
+              cleanoutDays = "30";
             };
           };
         };
       };
+      clan.syncthing.autoAcceptDevices = true;
+      clan.syncthing.autoShares = [ "Shared" ];
+      # For faster Tests
+      systemd.timers.syncthing-auto-accept.timerConfig = {
+        OnActiveSec = 1;
+        OnUnitActiveSec = 1;
+      };
+    };
+    nodes.peer1 = {
+      services.syncthing.openDefaultPorts = true;
+    };
+    nodes.peer2 = {
+      services.syncthing.openDefaultPorts = true;
+    };
 
-      nodes.introducer = {
-        # Doesn't test zerotier!
-        services.syncthing.openDefaultPorts = true;
-        services.syncthing.settings.folders = {
-          "Shared" = {
-            enable = true;
-            path = "~/Shared";
-            versioning = {
-              type = "trashcan";
-              params = {
-                cleanoutDays = "30";
-              };
-            };
-          };
-        };
-        clan.syncthing.autoAcceptDevices = true;
-        clan.syncthing.autoShares = [ "Shared" ];
-        # For faster Tests
-        systemd.timers.syncthing-auto-accept.timerConfig = {
-          OnActiveSec = 1;
-          OnUnitActiveSec = 1;
-        };
-      };
-      nodes.peer1 = {
-        services.syncthing.openDefaultPorts = true;
-      };
-      nodes.peer2 = {
-        services.syncthing.openDefaultPorts = true;
-      };
-
-      testScript = ''
-        start_all()
-        introducer.wait_for_unit("syncthing")
-        peer1.wait_for_unit("syncthing")
-        peer2.wait_for_unit("syncthing")
-        peer1.execute("ls -la /var/lib/syncthing")
-        peer2.execute("ls -la /var/lib/syncthing")
-        peer1.wait_for_file("/var/lib/syncthing/Shared")
-        peer2.wait_for_file("/var/lib/syncthing/Shared")
-        introducer.shutdown()
-        peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
-        peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
-        out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
-        assert "hello" in out
-      '';
-    }
-  );
-}
+    testScript = ''
+      start_all()
+      introducer.wait_for_unit("syncthing")
+      peer1.wait_for_unit("syncthing")
+      peer2.wait_for_unit("syncthing")
+      peer1.execute("ls -la /var/lib/syncthing")
+      peer2.execute("ls -la /var/lib/syncthing")
+      peer1.wait_for_file("/var/lib/syncthing/Shared")
+      peer2.wait_for_file("/var/lib/syncthing/Shared")
+      introducer.shutdown()
+      peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
+      peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
+      out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
+      assert "hello" in out
+    '';
+  }
+)

clanModules/auto-upgrade/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Set up automatic upgrades"
 categories = ["System"]
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---
 
 Whether to periodically upgrade NixOS to the latest version. If enabled, a

clanModules/borgbackup/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Efficient, deduplicating backup program with optional compression and secure encryption."
 categories = ["System"]
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---
 BorgBackup (short: Borg) gives you:
 

clanModules/borgbackup/roles/client.nix

@@ -106,7 +106,8 @@ in
     systemd.services = lib.mapAttrs' (
       _: dest:
       lib.nameValuePair "borgbackup-job-${dest.name}" {
-        # since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
+        # since borgbackup mounts the system read-only, we need to run in a
+        # ExecStartPre script, so we can generate additional files.
         serviceConfig.ExecStartPre = [
           ''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
         ];

clanModules/borgbackup/roles/server.nix

@@ -45,7 +45,7 @@ in
         else
           lib.warn ''
             Machine ${machine} does not have a borgbackup key at ${fullPath},
-            run `clan var generate ${machine}` to generate it.
+            run `clan vars generate ${machine}` to generate it.
           '' null
       ) allClients;
 

clanModules/deltachat/README.md

@@ -1,5 +1,7 @@
 ---
 description = "Email-based instant messaging for Desktop."
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
 ---
 
 !!! info

clanModules/deltachat/default.nix

@@ -1,143 +1,3 @@
-{ config, pkgs, ... }:
 {
-  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
-  environment.systemPackages = [ pkgs.deltachat-desktop ];
-
-  services.maddy =
-    let
-      domain = "${config.clan.core.settings.machine.name}.local";
-    in
-    {
-      enable = true;
-      primaryDomain = domain;
-      config = ''
-        # Minimal configuration with TLS disabled, adapted from upstream example
-        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-        # Do not use this in unencrypted networks!
-
-        auth.pass_table local_authdb {
-          table sql_table {
-            driver sqlite3
-            dsn credentials.db
-            table_name passwords
-          }
-        }
-
-        storage.imapsql local_mailboxes {
-          driver sqlite3
-          dsn imapsql.db
-        }
-
-        table.chain local_rewrites {
-          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
-          optional_step static {
-            entry postmaster postmaster@$(primary_domain)
-          }
-          optional_step file /etc/maddy/aliases
-        }
-
-        msgpipeline local_routing {
-          destination postmaster $(local_domains) {
-            modify {
-              replace_rcpt &local_rewrites
-            }
-            deliver_to &local_mailboxes
-          }
-          default_destination {
-            reject 550 5.1.1 "User doesn't exist"
-          }
-        }
-
-        smtp tcp://[::]:25 {
-          limits {
-            all rate 20 1s
-            all concurrency 10
-          }
-          dmarc yes
-          check {
-            require_mx_record
-            dkim
-            spf
-          }
-          source $(local_domains) {
-            reject 501 5.1.8 "Use Submission for outgoing SMTP"
-          }
-          default_source {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-              reject 550 5.1.1 "User doesn't exist"
-            }
-          }
-        }
-
-        submission tcp://[::1]:587 {
-          limits {
-            all rate 50 1s
-          }
-          auth &local_authdb
-          source $(local_domains) {
-            check {
-                authorize_sender {
-                    prepare_email &local_rewrites
-                    user_to_email identity
-                }
-            }
-            destination postmaster $(local_domains) {
-                deliver_to &local_routing
-            }
-            default_destination {
-                modify {
-                    dkim $(primary_domain) $(local_domains) default
-                }
-                deliver_to &remote_queue
-            }
-          }
-          default_source {
-            reject 501 5.1.8 "Non-local sender domain"
-          }
-        }
-
-        target.remote outbound_delivery {
-          limits {
-            destination rate 20 1s
-            destination concurrency 10
-          }
-          mx_auth {
-            dane
-            mtasts {
-              cache fs
-              fs_dir mtasts_cache/
-            }
-            local_policy {
-                min_tls_level encrypted
-                min_mx_level none
-            }
-          }
-        }
-
-        target.queue remote_queue {
-          target &outbound_delivery
-          autogenerated_msg_domain $(primary_domain)
-          bounce {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
-            }
-          }
-        }
-
-        imap tcp://[::1]:143 {
-          auth &local_authdb
-          storage &local_mailboxes
-        }
-      '';
-      ensureAccounts = [ "user@${domain}" ];
-      ensureCredentials = {
-        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
-      };
-    };
+  imports = [ ./roles/default.nix ];
 }

clanModules/deltachat/roles/default.nix

@@ -0,0 +1,143 @@
+{ config, pkgs, ... }:
+{
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
+  environment.systemPackages = [ pkgs.deltachat-desktop ];
+
+  services.maddy =
+    let
+      domain = "${config.clan.core.settings.machine.name}.local";
+    in
+    {
+      enable = true;
+      primaryDomain = domain;
+      config = ''
+        # Minimal configuration with TLS disabled, adapted from upstream example
+        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+        # Do not use this in unencrypted networks!
+
+        auth.pass_table local_authdb {
+          table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
+          }
+        }
+
+        storage.imapsql local_mailboxes {
+          driver sqlite3
+          dsn imapsql.db
+        }
+
+        table.chain local_rewrites {
+          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+          optional_step static {
+            entry postmaster postmaster@$(primary_domain)
+          }
+          optional_step file /etc/maddy/aliases
+        }
+
+        msgpipeline local_routing {
+          destination postmaster $(local_domains) {
+            modify {
+              replace_rcpt &local_rewrites
+            }
+            deliver_to &local_mailboxes
+          }
+          default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+          }
+        }
+
+        smtp tcp://[::]:25 {
+          limits {
+            all rate 20 1s
+            all concurrency 10
+          }
+          dmarc yes
+          check {
+            require_mx_record
+            dkim
+            spf
+          }
+          source $(local_domains) {
+            reject 501 5.1.8 "Use Submission for outgoing SMTP"
+          }
+          default_source {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+              reject 550 5.1.1 "User doesn't exist"
+            }
+          }
+        }
+
+        submission tcp://[::1]:587 {
+          limits {
+            all rate 50 1s
+          }
+          auth &local_authdb
+          source $(local_domains) {
+            check {
+                authorize_sender {
+                    prepare_email &local_rewrites
+                    user_to_email identity
+                }
+            }
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                modify {
+                    dkim $(primary_domain) $(local_domains) default
+                }
+                deliver_to &remote_queue
+            }
+          }
+          default_source {
+            reject 501 5.1.8 "Non-local sender domain"
+          }
+        }
+
+        target.remote outbound_delivery {
+          limits {
+            destination rate 20 1s
+            destination concurrency 10
+          }
+          mx_auth {
+            dane
+            mtasts {
+              cache fs
+              fs_dir mtasts_cache/
+            }
+            local_policy {
+                min_tls_level encrypted
+                min_mx_level none
+            }
+          }
+        }
+
+        target.queue remote_queue {
+          target &outbound_delivery
+          autogenerated_msg_domain $(primary_domain)
+          bounce {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+            }
+          }
+        }
+
+        imap tcp://[::1]:143 {
+          auth &local_authdb
+          storage &local_mailboxes
+        }
+      '';
+      ensureAccounts = [ "user@${domain}" ];
+      ensureCredentials = {
+        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
+      };
+    };
+}

clanModules/ergochat/README.md

@@ -1,3 +1,5 @@
 ---
 description = "A modern IRC server"
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
 ---

clanModules/ergochat/default.nix

@@ -1,14 +1,3 @@
-_: {
-  services.ergochat = {
-    enable = true;
-
-    settings = {
-      datastore = {
-        autoupgrade = true;
-        path = "/var/lib/ergo/ircd.db";
-      };
-    };
-  };
-
-  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
+{
+  imports = [ ./roles/default.nix ];
 }

clanModules/ergochat/roles/default.nix

@@ -0,0 +1,14 @@
+_: {
+  services.ergochat = {
+    enable = true;
+
+    settings = {
+      datastore = {
+        autoupgrade = true;
+        path = "/var/lib/ergo/ircd.db";
+      };
+    };
+  };
+
+  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
+}

clanModules/flake-module.nix

@@ -18,7 +18,6 @@ in
     dyndns = ./dyndns;
     ergochat = ./ergochat;
     garage = ./garage;
-    golem-provider = ./golem-provider;
     heisenbridge = ./heisenbridge;
     importer = ./importer;
     iwd = ./iwd;

clanModules/garage/README.md

@@ -1,5 +1,7 @@
 ---
 description = "S3-compatible object store for small self-hosted geo-distributed deployments"
+categories = ["System"]
+features = [ "inventory", "deprecated" ]
 ---
 
 This module generates garage specific keys automatically.

clanModules/garage/default.nix

@@ -1,43 +1,3 @@
-{ config, pkgs, ... }:
 {
-  systemd.services.garage.serviceConfig = {
-    LoadCredential = [
-      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
-      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
-      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
-    ];
-    Environment = [
-      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
-      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
-      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
-      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
-    ];
-  };
-
-  clan.core.vars.generators.garage = {
-    files.admin_token = { };
-    files.metrics_token = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -base64 -out "$out"/admin_token 32
-      openssl rand -base64 -out "$out"/metrics_token 32
-    '';
-  };
-
-  clan.core.vars.generators.garage-shared = {
-    share = true;
-    files.rpc_secret = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -hex -out "$out"/rpc_secret 32
-    '';
-  };
-
-  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
+  imports = [ ./roles/default.nix ];
 }

clanModules/garage/roles/default.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+{
+  systemd.services.garage.serviceConfig = {
+    LoadCredential = [
+      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
+      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
+      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
+    ];
+    Environment = [
+      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
+    ];
+  };
+
+  clan.core.vars.generators.garage = {
+    files.admin_token = { };
+    files.metrics_token = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -base64 -out "$out"/admin_token 32
+      openssl rand -base64 -out "$out"/metrics_token 32
+    '';
+  };
+
+  clan.core.vars.generators.garage-shared = {
+    share = true;
+    files.rpc_secret = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -hex -out "$out"/rpc_secret 32
+    '';
+  };
+
+  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
+}

clanModules/golem-provider/README.md

@@ -1,7 +0,0 @@
----
-description = "Golem Provider for the Golem Network, an open-source and decentralized platform where everyone can use and share each other's computing power without relying on centralized entities like cloud computing corporations"
----
-
-By running a golem provider your machine's compute resources are offered via the golem network which will allow other members to execute compute tasks on your machine. If this happens, you will be compensated with GLM, an ERC20 token.
-
-More about golem providers: https://docs.golem.network/docs/golem/overview

clanModules/golem-provider/default.nix

@@ -1,34 +0,0 @@
-{ config, pkgs, ... }:
-let
-  cfg = config.clan.golem-provider;
-  yagna = pkgs.callPackage ../../pkgs/yagna { };
-  accountFlag = if cfg.account != null then "--account ${cfg.account}" else "";
-in
-{
-  imports = [ ./interface.nix ];
-
-  users.users.golem = {
-    isSystemUser = true;
-    home = "/var/lib/golem";
-    group = "golem";
-    createHome = true;
-  };
-
-  users.groups.golem = { };
-
-  environment.systemPackages = [ yagna ];
-
-  systemd.services.golem-provider = {
-    description = "Golem Provider";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network-online.target" ];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = "${yagna}/bin/golemsp run --no-interactive ${accountFlag}";
-      Restart = "always";
-      RestartSec = "5";
-      User = "golem";
-      Group = "golem";
-    };
-  };
-}

clanModules/golem-provider/interface.nix

@@ -1,20 +0,0 @@
-{ lib, ... }:
-let
-  inherit (lib) mkOption;
-
-  inherit (lib.types) nullOr str;
-
-in
-{
-  options.clan.golem-provider = {
-    account = mkOption {
-      type = nullOr str;
-      description = ''
-        Ethereum address for payouts.
-
-        Leave empty to automatically generate a new address upon first start.
-      '';
-      default = null;
-    };
-  };
-}

clanModules/golem-provider/test/vm.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  imports = [ ../. ];
-}

clanModules/heisenbridge/README.md

@@ -1,4 +1,5 @@
 ---
 description = "A matrix bridge to communicate with IRC"
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
 ---
-

clanModules/heisenbridge/default.nix

@@ -1,23 +1,3 @@
 {
-  config,
-  lib,
-  ...
-}:
-{
-  imports = [
-    (lib.mkRemovedOptionModule [
-      "clan"
-      "heisenbridge"
-      "enable"
-    ] "Importing the module will already enable the service.")
-  ];
-  config = {
-    services.heisenbridge = {
-      enable = true;
-      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
-    };
-    services.matrix-synapse.settings.app_service_config_files = [
-      "/var/lib/heisenbridge/registration.yml"
-    ];
-  };
+  imports = [ ./roles/default.nix ];
 }

clanModules/heisenbridge/roles/default.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "heisenbridge"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    services.heisenbridge = {
+      enable = true;
+      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
+    };
+    services.matrix-synapse.settings.app_service_config_files = [
+      "/var/lib/heisenbridge/registration.yml"
+    ];
+  };
+}

clanModules/iwd/README.md

@@ -1,6 +1,6 @@
 ---
 description = "Automatically provisions wifi credentials"
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 categories = [ "Network" ]
 ---
 

clanModules/iwd/roles/default.nix

@@ -80,6 +80,18 @@ in
       # TODO: restart the iwd.service if something changes
     })
     {
+      warnings = [
+        ''
+          The clan module `iwd` is deprecated and replaced by the clan service `wifi`
+          Please migrate your config to the new service (see: https://docs.clan.lol/reference/clanServices/wifi/)
+
+          To keep passwords after migrating the config, use:
+            clan vars get <your-machine> iwd.<network-name>/ssid | clan vars set <your-machine> wifi.<network-name>/network-name
+          and:
+            clan vars get <your-machine> iwd.<network-name>/password | clan vars set <your-machine> wifi.<network-name>/password
+        ''
+      ];
+
       # disable wpa supplicant
       networking.wireless.enable = false;
 

clanModules/localsend/README.md

@@ -1,3 +1,5 @@
 ---
 description = "Securely sharing files and messages over a local network without internet connectivity."
+categories = ["Utility"]
+features = [ "inventory", "deprecated" ]
 ---

clanModules/localsend/default.nix

@@ -1,60 +1,3 @@
 {
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  cfg = config.clan.localsend;
-in
-{
-  # Integration can be improved, if the following issues get implemented:
-  # - cli frontend: https://github.com/localsend/localsend/issues/11
-  # - ipv6 support: https://github.com/localsend/localsend/issues/549
-  options.clan.localsend = {
-
-    displayName = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = "The name that localsend will use to display your instance.";
-    };
-
-    package = lib.mkPackageOption pkgs "localsend" { };
-
-    ipv4Addr = lib.mkOption {
-      type = lib.types.str;
-      example = "192.168.56.2/24";
-      description = "Every machine needs a unique ipv4 address";
-    };
-  };
-
-  imports = [
-    (lib.mkRemovedOptionModule [
-      "clan"
-      "localsend"
-      "enable"
-    ] "Importing the module will already enable the service.")
-  ];
-  config = {
-    clan.core.state.localsend.folders = [
-      "/var/localsend"
-    ];
-    environment.systemPackages = [
-      (pkgs.callPackage ./localsend-ensure-config {
-        localsend = config.clan.localsend.package;
-        alias = config.clan.localsend.displayName;
-      })
-    ];
-
-    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
-    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
-
-    #TODO: This is currently needed because there is no ipv6 multicasting support yet
-    systemd.network.networks."09-zerotier" = {
-      networkConfig = {
-        Address = cfg.ipv4Addr;
-      };
-    };
-  };
+  imports = [ ./roles/default.nix ];
 }

clanModules/localsend/roles/default.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.clan.localsend;
+in
+{
+  # Integration can be improved, if the following issues get implemented:
+  # - cli frontend: https://github.com/localsend/localsend/issues/11
+  # - ipv6 support: https://github.com/localsend/localsend/issues/549
+  options.clan.localsend = {
+
+    displayName = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "The name that localsend will use to display your instance.";
+    };
+
+    package = lib.mkPackageOption pkgs "localsend" { };
+
+    ipv4Addr = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "192.168.56.2/24";
+      description = "Optional IPv4 address for ZeroTier network.";
+    };
+  };
+
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "localsend"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    clan.core.state.localsend.folders = [
+      "/var/localsend"
+    ];
+    environment.systemPackages = [
+      (pkgs.callPackage ./localsend-ensure-config {
+        localsend = config.clan.localsend.package;
+        alias = config.clan.localsend.displayName;
+      })
+    ];
+
+    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
+    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
+
+    #TODO: This is currently needed because there is no ipv6 multicasting support yet
+    systemd.network.networks = lib.mkIf (cfg.ipv4Addr != null) {
+      "09-zerotier" = {
+        networkConfig = {
+          Address = cfg.ipv4Addr;
+        };
+      };
+    };
+  };
+}

clanModules/mycelium/README.md

@@ -1,7 +1,7 @@
 ---
 description = "End-2-end encrypted IPv6 overlay network"
 categories = ["System", "Network"]
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---
 Mycelium is an IPv6 overlay network written in Rust. Each node that joins the overlay network will receive an overlay network IP in the 400::/7 range.
 

clanModules/packages/README.md

@@ -1,5 +1,5 @@
 ---
 description = "Define package sets from nixpkgs and install them on one or more machines"
 categories = ["System"]
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---

clanModules/root-password/README.md

@@ -1,9 +1,11 @@
 ---
 description = "Automatically generates and configures a password for the root user."
 categories = ["System"]
-features = [ "inventory" ]
+features = ["inventory", "deprecated"]
 ---
 
+This module is deprecated and will be removed in a future release. It's functionality has been replaced by the user-password service.
+
 After the system was installed/deployed the following command can be used to display the root-password:
 
 ```bash

clanModules/root-password/roles/default.nix

@@ -1,6 +1,8 @@
 {
+  _class,
   pkgs,
   config,
+  lib,
   ...
 }:
 {
@@ -9,9 +11,13 @@
     config.clan.core.vars.generators.root-password.files.password-hash.path;
 
   clan.core.vars.generators.root-password = {
-    files.password-hash = {
-      neededFor = "users";
-    };
+    files.password-hash =
+      {
+        neededFor = "users";
+      }
+      // (lib.optionalAttrs (_class == "nixos") {
+        restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
+      });
     files.password = {
       deploy = false;
     };
@@ -30,7 +36,7 @@
       if [[ -n "''${prompt_value-}" ]]; then
         echo "$prompt_value" | tr -d "\n" > "$out"/password
       else
-        xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/password
+        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
       fi
       mkpasswd -s -m sha-512 < "$out"/password | tr -d "\n" > "$out"/password-hash
     '';

clanModules/sshd/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Enables secure remote access to the machine over ssh."
 categories = ["System", "Network"]
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---
 
 This module will setup the opensshd service.

clanModules/state-version/README.md

@@ -1,6 +1,6 @@
 ---
 description = "Automatically generate the state version of the nixos installation."
-features = [ "inventory" ]
+features = [ "inventory", "deprecated" ]
 ---
 
 This module generates the `system.stateVersion` of the nixos installation automatically.

clanModules/trusted-nix-caches/README.md

@@ -1,3 +1,5 @@
 ---
 description = "This module sets the `clan.lol` and `nix-community` cache up as a trusted cache."
-----
+categories = ["System", "Network"]
+features = [ "deprecated" ]
+---

clanModules/user-password/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Automatically generates and configures a password for the specified user account."
 categories = ["System"]
-features = ["inventory"]
+features = ["inventory", "deprecated"]
 ---
 
 If setting the option prompt to true, the user will be prompted to type in their desired password.

clanModules/user-password/roles/default.nix

@@ -18,7 +18,10 @@ in
       type = lib.types.bool;
       default = true;
       example = false;
-      description = "Whether the user should be prompted.";
+      description = ''
+        Whether the user should be prompted
+        If disabled, will autogenerate the password without prompting.
+      '';
     };
   };
 
@@ -31,6 +34,7 @@ in
 
     clan.core.vars.generators.user-password = {
       files.user-password-hash.neededFor = "users";
+      files.user-password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
 
       prompts.user-password.type = "hidden";
       prompts.user-password.persist = true;
@@ -48,7 +52,7 @@ in
         if [[ -n "''${prompt_value-}" ]]; then
           echo "$prompt_value" | tr -d "\n" > "$out"/user-password
         else
-          xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/user-password
+          xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/user-password
         fi
         mkpasswd -s -m sha-512 < "$out"/user-password | tr -d "\n" > "$out"/user-password-hash
       '';

clanModules/wifi/README.md

@@ -1,7 +0,0 @@
----
-description = "Configures Wifi networks to join"
-features = [ "inventory", "experimental", "deprecated" ]
-categories = [ "Network", "System" ]
----
-
-## Experimental wifi module

clanModules/wifi/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./roles/default.nix
-  ];
-}

clanModules/wifi/roles/default.nix

@@ -1,110 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.clan.wifi;
-
-  inherit (lib)
-    concatMapAttrsStringSep
-    flip
-    mapAttrs
-    ;
-
-  password_path =
-    network_name: config.clan.core.vars.generators."iwd.${network_name}".files.password.path;
-
-  ssid_path = network_name: config.clan.core.vars.generators."iwd.${network_name}".files.ssid.path;
-
-  secret_generator = name: value: {
-    name = "iwd.${name}";
-    value = {
-      prompts.ssid.type = "line";
-      prompts.ssid.persist = true;
-      prompts.password.type = "hidden";
-      prompts.password.persist = true;
-      share = true;
-    };
-  };
-in
-{
-  options.clan.wifi = {
-    networks = lib.mkOption {
-      visible = false;
-      type = lib.types.attrsOf (
-        lib.types.submodule (
-          { ... }:
-          {
-            options = {
-              enable = lib.mkOption {
-                type = lib.types.bool;
-                default = true;
-                description = "Enable this wifi network";
-              };
-              autoConnect = lib.mkOption {
-                type = lib.types.bool;
-                default = true;
-                description = "Automatically try to join this wifi network";
-              };
-            };
-          }
-        )
-      );
-      default = { };
-      description = "Wifi networks to predefine";
-    };
-  };
-
-  config = lib.mkIf (cfg.networks != { }) {
-
-    clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.networks;
-
-    networking.networkmanager.enable = true;
-
-    networking.networkmanager.ensureProfiles.environmentFiles = [
-      "/run/secrets/NetworkManager/wifi-secrets"
-    ];
-
-    networking.networkmanager.ensureProfiles.profiles = flip mapAttrs cfg.networks (
-      name: _network: {
-        connection.id = "$ssid_${name}";
-        connection.type = "wifi";
-        wifi.mode = "infrastructure";
-        wifi.ssid = "$ssid_${name}";
-        wifi-security.psk = "$pw_${name}";
-        wifi-security.key-mgmt = "wpa-psk";
-      }
-    );
-
-    # service to generate the environment file containing all secrets, as
-    #   expected by the nixos NetworkManager-ensure-profile service
-    systemd.services.NetworkManager-setup-secrets = {
-      description = "Generate wifi secrets for NetworkManager";
-      requiredBy = [ "NetworkManager-ensure-profiles.service" ];
-      partOf = [ "NetworkManager-ensure-profiles.service" ];
-      before = [ "NetworkManager-ensure-profiles.service" ];
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStart = pkgs.writeShellScript "wifi-secrets" ''
-          set -euo pipefail
-
-          env_file=/run/secrets/NetworkManager/wifi-secrets
-          mkdir -p $(dirname "$env_file")
-          : > "$env_file"
-
-          # Generate the secrets file
-          echo "Generating wifi secrets file: $env_file"
-          ${flip (concatMapAttrsStringSep "\n") cfg.networks (
-            name: _network: ''
-              echo "ssid_${name}=\"$(cat "${ssid_path name}")\"" >> /run/secrets/NetworkManager/wifi-secrets
-              echo "pw_${name}=\"$(cat "${password_path name}")\"" >> /run/secrets/NetworkManager/wifi-secrets
-            ''
-          )}
-        '';
-      };
-    };
-  };
-}

clanServices/admin/default.nix

@@ -26,7 +26,6 @@
         nixosModule =
           { ... }:
           {
-
             imports = [
               ../../clanModules/sshd
               ../../clanModules/root-password

clanServices/admin/flake-module.nix

@@ -1,6 +1,17 @@
-{ lib, ... }:
+{ lib, self, ... }:
 {
   clan.modules = {
     admin = lib.modules.importApply ./default.nix { };
   };
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+        admin = import ./tests/vm/default.nix {
+          inherit pkgs;
+          clan-core = self;
+          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
+        };
+      };
+    };
 }

clanServices/admin/tests/vm/default.nix

@@ -0,0 +1,62 @@
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  ...
+}:
+
+let
+  public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
+in
+nixosLib.runTest (
+  { ... }:
+  {
+    imports = [
+      clan-core.modules.nixosVmTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
+    name = "admin";
+
+    clan = {
+      directory = ./.;
+      modules."@clan/admin" = ../../default.nix;
+      inventory = {
+
+        machines.client = { };
+        machines.server = { };
+
+        instances = {
+          ssh-test-one = {
+            module.name = "@clan/admin";
+            roles.default.machines."server".settings = {
+              allowedKeys.testkey = public-key;
+            };
+          };
+        };
+      };
+    };
+
+    nodes = {
+      client.environment.etc.private-test-key.source = ./private-test-key;
+
+      server = {
+        services.openssh.enable = true;
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      machines = [client, server]
+      for m in machines:
+          m.systemctl("start network-online.target")
+
+      for m in machines:
+          m.wait_for_unit("network-online.target")
+
+      client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
+    '';
+  }
+)