Add yggdrasil clanService

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/5050

clanServices/certificates/README.md

@@ -0,0 +1,32 @@
+This service sets up a certificate authority (CA) that can issue certificates to
+other machines in your clan. For this the `ca` role is used.
+It additionally provides a `default` role, that can be applied to all machines
+in your clan and will make sure they trust your CA.
+
+## Example Usage
+
+The following configuration would add a CA for the top level domain `.foo`. If
+the machine `server` now hosts a webservice at `https://something.foo`, it will
+get a certificate from `ca` which is valid inside your clan. The machine
+`client` will trust this certificate if it makes a request to
+`https://something.foo`.
+
+This clan service can be combined with the `coredns` service for easy to deploy,
+SSL secured clan-internal service hosting.
+
+```nix
+inventory = {
+  machines.ca = { };
+  machines.client = { };
+  machines.server = { };
+
+  instances."certificates" = {
+    module.name = "certificates";
+    module.input = "self";
+
+    roles.ca.machines.ca.settings.tlds = [ "foo" ];
+    roles.default.machines.client = { };
+    roles.default.machines.server = { };
+  };
+};
+```

clanServices/certificates/default.nix

@@ -0,0 +1,245 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "certificates";
+  manifest.description = "Sets up a certificates internal to your Clan";
+  manifest.categories = [ "Network" ];
+  manifest.readme = builtins.readFile ./README.md;
+
+  roles.ca = {
+
+    interface =
+      { lib, ... }:
+      {
+
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+
+        options.tlds = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          description = "Top level domain for this CA. Certificates will be issued and trusted for *.<tld>";
+        };
+
+        options.expire = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          description = "When the certificate should expire.";
+          default = "8760h";
+          example = "8760h";
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule =
+          {
+            config,
+            pkgs,
+            lib,
+            ...
+          }:
+          let
+            domains = map (tld: "ca.${tld}") settings.tlds;
+          in
+          {
+            security.acme.defaults.email = settings.acmeEmail;
+            security.acme = {
+              certs = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    server = "https://${domain}:1443/acme/acme/directory";
+                  };
+                }) domains
+              );
+            };
+
+            networking.firewall.allowedTCPPorts = [
+              80
+              443
+            ];
+
+            services.nginx = {
+              enable = true;
+              recommendedProxySettings = true;
+              virtualHosts = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    addSSL = true;
+                    enableACME = true;
+                    locations."/".proxyPass = "https://localhost:1443";
+                    locations."= /ca.crt".alias =
+                      config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                  };
+                }) domains
+              );
+            };
+
+            clan.core.vars.generators = {
+
+              # Intermediate key generator
+              "step-intermediate-key" = {
+                files."intermediate.key" = {
+                  secret = true;
+                  deploy = true;
+                  owner = "step-ca";
+                  group = "step-ca";
+                };
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key
+                '';
+              };
+
+              # Intermediate certificate generator
+              "step-intermediate-cert" = {
+                files."intermediate.crt".secret = false;
+                dependencies = [
+                  "step-ca"
+                  "step-intermediate-key"
+                ];
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  # Create intermediate certificate
+                  step certificate create \
+                    --ca $in/step-ca/ca.crt \
+                    --ca-key $in/step-ca/ca.key \
+                    --ca-password-file /dev/null \
+                    --key $in/step-intermediate-key/intermediate.key \
+                    --template ${pkgs.writeText "intermediate.tmpl" ''
+                      {
+                        "subject": {{ toJson .Subject }},
+                        "keyUsage": ["certSign", "crlSign"],
+                        "basicConstraints": {
+                          "isCA": true,
+                          "maxPathLen": 0
+                        },
+                        "nameConstraints": {
+                          "critical": true,
+                          "permittedDNSDomains": [${
+                            (lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.tlds))
+                          }]
+                        }
+                      }
+                    ''} ${lib.optionalString (settings.expire != null) "--not-after ${settings.expire}"} \
+                    --not-before=-12h \
+                    --no-password --insecure \
+                    "Clan Intermediate CA" \
+                    $out/intermediate.crt
+                '';
+              };
+            };
+
+            services.step-ca = {
+              enable = true;
+              intermediatePasswordFile = "/dev/null";
+              address = "0.0.0.0";
+              port = 1443;
+              settings = {
+                root = config.clan.core.vars.generators.step-ca.files."ca.crt".path;
+                crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path;
+                dnsNames = domains;
+                logger.format = "text";
+                db = {
+                  type = "badger";
+                  dataSource = "/var/lib/step-ca/db";
+                };
+                authority = {
+                  provisioners = [
+                    {
+                      type = "ACME";
+                      name = "acme";
+                      forceCN = true;
+                    }
+                  ];
+                  claims = {
+                    maxTLSCertDuration = "2160h";
+                    defaultTLSCertDuration = "2160h";
+                  };
+                  backdate = "1m0s";
+                };
+                tls = {
+                  cipherSuites = [
+                    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+                  ];
+                  minVersion = 1.2;
+                  maxVersion = 1.3;
+                  renegotiation = false;
+                };
+              };
+            };
+          };
+      };
+  };
+
+  # Empty role, so we can add non-ca machins to the instance to trust the CA
+  roles.default = {
+    interface =
+      { lib, ... }:
+      {
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule.security.acme.defaults.email = settings.acmeEmail;
+      };
+  };
+
+  # All machines (independent of role) will trust the CA
+  perMachine.nixosModule =
+    { pkgs, config, ... }:
+    {
+      # Root CA generator
+      clan.core.vars.generators = {
+        "step-ca" = {
+          share = true;
+          files."ca.key" = {
+            secret = true;
+            deploy = false;
+          };
+          files."ca.crt".secret = false;
+          runtimeInputs = [ pkgs.step-cli ];
+          script = ''
+            step certificate create --template ${pkgs.writeText "root.tmpl" ''
+              {
+                "subject": {{ toJson .Subject }},
+                "issuer": {{ toJson .Subject }},
+                "keyUsage": ["certSign", "crlSign"],
+                "basicConstraints": {
+                  "isCA": true,
+                  "maxPathLen": 1
+                }
+              }
+            ''} "Clan Root CA" $out/ca.crt $out/ca.key \
+              --kty EC --curve P-256 \
+              --not-after=8760h \
+              --not-before=-12h \
+              --no-password --insecure
+          '';
+        };
+      };
+      security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ];
+      environment.systemPackages = [ pkgs.openssl ];
+      security.acme.acceptTerms = true;
+    };
+}

clanServices/certificates/flake-module.nix

@@ -0,0 +1,21 @@
+{
+  self,
+  lib,
+  ...
+}:
+let
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
+in
+{
+  clan.modules.certificates = module;
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.certificates = {
+        imports = [ ./tests/vm/default.nix ];
+        clan.modules.certificates = module;
+      };
+    };
+}

clanServices/certificates/tests/vm/default.nix

@@ -0,0 +1,84 @@
+{
+  name = "certificates";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+
+      machines.ca = { }; # 192.168.1.1
+      machines.client = { }; # 192.168.1.2
+      machines.server = { }; # 192.168.1.3
+
+      instances."certificates" = {
+        module.name = "certificates";
+        module.input = "self";
+
+        roles.ca.machines.ca.settings.tlds = [ "foo" ];
+        roles.default.machines.client = { };
+        roles.default.machines.server = { };
+      };
+    };
+  };
+
+  nodes =
+    let
+      hostConfig = ''
+        192.168.1.1 ca.foo
+        192.168.1.3 test.foo
+      '';
+    in
+    {
+
+      client.networking.extraHosts = hostConfig;
+      ca.networking.extraHosts = hostConfig;
+
+      server = {
+
+        networking.extraHosts = hostConfig;
+
+        # TODO: Could this be set automatically?
+        # I would like to get this information from the coredns module, but we
+        # cannot model dependencies yet
+        security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
+
+        # Host a simple service on 'server', with SSL provided via our CA. 'client'
+        # should be able to curl it via https and accept the certificates
+        # presented
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
+
+        services.nginx = {
+          enable = true;
+          virtualHosts."test.foo" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/" = {
+              return = "200 'test server response'";
+              extraConfig = "add_header Content-Type text/plain;";
+            };
+          };
+        };
+      };
+    };
+
+  testScript = ''
+    start_all()
+
+    import time
+
+    time.sleep(3)
+    ca.succeed("systemctl restart acme-order-renew-ca.foo.service ")
+
+    time.sleep(3)
+    server.succeed("systemctl restart acme-test.foo.service")
+
+    # It takes a while for the correct certs to appear (before that self-signed
+    # are presented by nginx) so we wait for a bit.
+    client.wait_until_succeeds("curl -v https://test.foo")
+
+    # Show certificate information for debugging
+    client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -text -noout 1>&2")
+  '';
+}

clanServices/certificates/tests/vm/sops/machines/ca/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/client/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1js225d8jc507sgcg0fdfv2x3xv3asm4ds5c6s4hp37nq8spxu95sc5x3ce",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/server/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1nwuh8lc604mnz5r8ku8zswyswnwv02excw237c0cmtlejp7xfp8sdrcwfa",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:6+XilULKRuWtAZ6B8Lj9UqCfi1T6dmqrDqBNXqS4SvBwM1bIWiL6juaT1Q7ByOexzID7tY740gmQBqTey54uLydh8mW0m4ZtUqw=,iv:9kscsrMPBGkutTnxrc5nrc7tQXpzLxw+929pUDKqTu0=,tag:753uIjm8ZRs0xsjiejEY8g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d3kycldZRXhmR0FqTXJp\nWWU0MDBYNmxxbFE5M2xKYm5KWnQ0MXBHNEM4CjN4RFFVcFlkd3pjTFVDQ3Vackdj\nVTVhMWoxdFpsWHp5S1p4L05kYk5LUkkKLS0tIENtZFZZTjY2amFVQmZLZFplQzBC\nZm1vWFI4MXR1ZHIxTTQ5VXdSYUhvOTQKte0bKjXQ0xA8FrpuChjDUvjVqp97D8kT\n3tVh6scdjxW48VSBZP1GRmqcMqCdj75GvJTbWeNEV4PDBW7GI0UW+Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:39Z",
+		"mac": "ENC[AES256_GCM,data:AftMorrH7qX5ctVu5evYHn5h9pC4Mmm2VYaAV8Hy0PKTc777jNsL6DrxFVV3NVqtecpwrzZFWKgzukcdcRJe4veVeBrusmoZYtifH0AWZTEVpVlr2UXYYxCDmNZt1WHfVUo40bT//X6QM0ye6a/2Y1jYPbMbryQNcGmnpk9PDvU=,iv:5nk+d8hzA05LQp7ZHRbIgiENg2Ha6J6YzyducM6zcNU=,tag:dy1hqWVzMu/+fSK57h9ZCA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:jdTuGQUYvT1yXei1RHKsOCsABmMlkcLuziHDVhA7NequZeNu0fSbrJTXQDCHsDGhlYRcjU5EsEDT750xdleXuD3Gs9zWvPVobI4=,iv:YVow3K1j6fzRF9bRfIEpuOkO/nRpku/UQxWNGC+UJQQ=,tag:cNLM5R7uu6QpwPB9K6MYzg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOVF2WXRSL0NpQzFZR01I\nNU85TGcyQmVDazN1dmpuRFVTZEg5NDRKTGhrCk1IVjFSU1V6WHBVRnFWcHkyVERr\nTjFKbW1mQ2FWOWhjN2VPamMxVEQ5VkkKLS0tIENVUGlhanhuWGtDKzBzRmk2dE4v\nMXZBRXNMa3IrOTZTNHRUWVE3UXEwSWMK2cBLoL/H/Vxd/klVrqVLdX9Mww5j7gw/\nEWc5/hN+km6XoW+DiJxVG4qaJ7qqld6u5ZnKgJT+2h9CfjA04I2akg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:51Z",
+		"mac": "ENC[AES256_GCM,data:zOBQVM2Ydu4v0+Fw3p3cEU+5+7eKaadV0tKro1JVOxclG1Vs6Myq57nw2eWf5JxIl0ulL+FavPKY26qOQ3aqcGOT3PMRlCda9z+0oSn9Im9bE/DzAGmoH/bp76kFkgTTOCZTMUoqJ+UJqv0qy1BH/92sSSKmYshEX6d1vr5ISrw=,iv:i9ZW4sLxOCan4UokHlySVr1CW39nCTusG4DmEPj/gIw=,tag:iZBDPHDkE3Vt5mFcFu1TPQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:5CJuHcxJMXZJ8GqAeG3BrbWtT1kade4kxgJsn1cRpmr1UgN0ZVYnluPEiBscClNSOzcc6vcrBpfTI3dj1tASKTLP58M+GDBFQDo=,iv:gsK7XqBGkYCoqAvyFlIXuJ27PKSbTmy7f6cgTmT2gow=,tag:qG5KejkBvy9ytfhGXa/Mnw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzVqYkplTzJKN1pwS3VM\naFFIK2VsR3lYUVExYW9ieERBL0tlcFZtVzJRCkpiLzdmWmFlOUZ5QUJ4WkhXZ2tQ\nZm92YXBCV0RpYnIydUdEVTRiamI4bjAKLS0tIG93a2htS1hFcjBOeVFnNCtQTHVr\na2FPYjVGbWtORjJVWXE5bndPU1RWcXMKikMEB7X+kb7OtiyqXn3HRpLYkCdoayDh\n7cjGnplk17q25/lRNHM4JVS5isFfuftCl01enESqkvgq+cwuFwa9DQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:59Z",
+		"mac": "ENC[AES256_GCM,data:xybV2D0xukZnH2OwRpIugPnS7LN9AbgGKwFioPJc1FQWx9TxMUVDwgMN6V5WrhWkXgF2zP4krtDYpEz4Vq+LbOjcnTUteuCc+7pMHubuRuip7j+M32MH1kuf4bVZuXbCfvm7brGxe83FzjoioLqzA8g/X6Q1q7/ErkNeFjluC3Q=,iv:QEW3EUKSRZY3fbXlP7z+SffWkQeXwMAa5K8RQW7NvPE=,tag:DhFxY7xr7H1Wbd527swD0Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVegAwIBAgIQbT1Ivm+uwyf0HNkJfan2BTAKBggqhkjOPQQDAjAXMRUw
+EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwOTAxMjA0MzAzWhcNMjYwOTAyMDg0
+MzAzWjAfMR0wGwYDVQQDExRDbGFuIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABDXCNrUIotju9P1U6JxLV43sOxLlRphQJS4dM+lvjTZc
+aQ+HwQg0AHVlQNRwS3JqKrJJtJVyKbZklh6eFaDPoj6jfTB7MA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRKHaccHgP2ccSWVBWN
+zGoDdTg7aTAfBgNVHSMEGDAWgBSfsnz4phMJx9su/kgeF/FbZQCBgzAVBgNVHR4B
+Af8ECzAJoAcwBYIDZm9vMAoGCCqGSM49BAMCA0cAMEQCICiUDk1zGNzpS/iVKLfW
+zUGaCagpn2mCx4xAXQM9UranAiAn68nVYGWjkzhU31wyCAupxOjw7Bt96XXqIAz9
+hLLtMA==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca

@@ -0,0 +1 @@
+../../../../../../sops/machines/ca

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:Auonh9fa7jSkld1Zyxw74x5ydj6Xc+0SOgiqumVETNCfner9K96Rmv1PkREuHNGWPsnzyEM3pRT8ijvu3QoKvy9QPCCewyT07Wqe4G74+bk1iMeAHsV3To6kHs6M8OISvE+CmG0+hlLmdfRSabTzyWPLHbOjvFTEEuA5G7xiryacSYOE++eeEHdn+oUDh/IMTcfLjCGMjsXFikx1Hb+ofeRTlCg47+0w4MXVvQkOzQB5V2C694jZXvZ19jd/ioqr8YASz2xatGvqwW6cpZxqOWyZJ0UAj/6yFk6tZWifqVB3wgU=,iv:ITFCrDkeWl4GWCebVq15ei9QmkOLDwUIYojKZ2TU6JU=,tag:8k4iYbCIusUykY79H86WUQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsT25UbjJTQ2tzbnQyUm9p\neWx1UlZIeVpocnBqUCt0YnFlN2FOU25Lb0hNCmdXUUsyalRTbHRRQ0NLSGc1YllV\nUXRwaENhaXU1WmdnVDE0UWprUUUyeDAKLS0tIHV3dHU3aG5JclM0V3FadzN0SU14\ndFptbEJUNXQ4QVlqbkJ1TjAvdDQwSGsKcKPWUjhK7wzIpdIdksMShF2fpLdDTUBS\nZiU7P1T+3psxad9qhapvU0JrAY+9veFaYVEHha2aN/XKs8HqUcTp3A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFVteVZwVGVmRE9NT3hG\nNGMyS3FSaXluM1FpeUp6SDVMUEpwYzg5SmdvCkRPU0QyU1JicGNkdlMyQWVkT0k3\nL2YrbDhWeGk4WFhxcUFmTmhZQ0pEQncKLS0tIG85Ui9rKzBJQ2VkMFBUQTMvSTlu\nbm8rZ09Wa24rQkNvTTNtYTZBN3MrZlkK7cjNhlUKZdOrRq/nKUsbUQgNTzX8jO+0\nzADpz6WCMvsJ15xazc10BGh03OtdMWl5tcoWMaZ71HWtI9Gip5DH0w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:42Z",
+		"mac": "ENC[AES256_GCM,data:9xlO5Yis8DG/y8GjvP63NltD4xEL7zqdHL2cQE8gAoh/ZamAmK5ZL0ld80mB3eIYEPKZYvmUYI4Lkrge2ZdqyDoubrW+eJ3dxn9+StxA9FzXYwUE0t+bbsNJfOOp/kDojf060qLGsu0kAGKd2ca4WiDccR0Cieky335C7Zzhi/Q=,iv:bWQ4wr0CJHSN+6ipUbkYTDWZJyFQjDKszfpVX9EEUsY=,tag:kADIFgJBEGCvr5fPbbdEDA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcTCCARigAwIBAgIRAIix99+AE7Y+uyiLGaRHEhUwCgYIKoZIzj0EAwIwFzEV
+MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDkwMTIwNDI1N1oXDTI2MDkwMjA4
+NDI1N1owFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEk7nn9kzxI+xkRmNMlxD+7T78UqV3aqus0foJh6uu1CHC+XaebMcw
+JN95nAe3oYA3yZG6Mnq9nCxsYha4EhzGYqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
+A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFJ+yfPimEwnH2y7+SB4X8VtlAIGD
+MAoGCCqGSM49BAMCA0cAMEQCIBId/CcbT5MPFL90xa+XQz+gVTdRwsu6Bg7ehMso
+Bj0oAiBjSlttd5yeuZGXBm+O0Gl+WdKV60QlrWutNewXFS4UpQ==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:PnEXteU3I7U0OKgE+oR3xjHdLWYTpJjM/jlzxtGU0uP2pUBuQv3LxtEz+cP0ZsafHLNq2iNJ7xpUEE0g4d3M296S56oSocK3fREWBiJFiaC7SAEUiil1l3UCwHn7LzmdEmn8Kq7T+FK89wwqtVWIASLo2gZC/yHE5eEanEATTchGLSNiHJRzZ8n0Ekm8EFUA6czOqA5nPQHaSmeLzu1g80lSSi1ICly6dJksa6DVucwOyVFYFEeq8Dfyc1eyP8L1ee0D7QFYBMduYOXTKPtNnyDmdaQMj7cMMvE7fn04idIiAqw=,iv:nvLmAfFk2GXnnUy+Afr648R60Ou13eu9UKykkiA8Y+4=,tag:lTTAxfG0EDCU6u7xlW6xSQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjNWUm5NbktQeTRWRjJE\nWWFZc2Rsa3I5aitPSno1WnhORENNcng5OHprCjNUQVhBVHFBcWFjaW5UdmxKTnZw\nQlI4MDk5Wkp0RElCeWgzZ2dFQkF2dkkKLS0tIDVreTkydnJ0RDdHSHlQeVV6bGlP\nTmpJOVBSb2dkVS9TZG5SRmFjdnQ1b3cKQ5XvwH1jD4XPVs5RzOotBDq8kiE6S5k2\nDBv6ugjsM5qV7/oGP9H69aSB4jKPZjEn3yiNw++Oorc8uXd5kSGh7w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:43:00Z",
+		"mac": "ENC[AES256_GCM,data:3jFf66UyZUWEtPdPu809LCS3K/Hc6zbnluystl3eXS+KGI+dCoYmN9hQruRNBRxf6jli2RIlArmmEPBDQVt67gG/qugTdT12krWnYAZ78iocmOnkf44fWxn/pqVnn4JYpjEYRgy8ueGDnUkwvpGWVZpcXw5659YeDQuYOJ2mq0U=,iv:3k7fBPrABdLItQ2Z+Mx8Nx0eIEKo93zG/23K+Q5Hl3I=,tag:aehAObdx//DEjbKlOeM7iQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin

@@ -0,0 +1 @@
+../../../../../sops/users/admin

clanServices/yggdrasil/README.md

@@ -0,0 +1,33 @@
+This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across
+your clan. 
+
+Yggdrasil is designed to be a future-proof and decentralised alternative to
+the structured routing protocols commonly used today on the internet. Inside
+your clan, it will allow you reaching all of your machines.
+
+## Example Usage
+
+While you can specify statically configured peers for each host, yggdrasil does
+auto-discovery of local peers.
+
+```nix
+inventory = {
+
+  machines = {
+    peer1 = { };
+    peer2 = { };
+  };
+
+  instances = {
+    yggdrasil = {
+
+      # Deploy on all machines
+      roles.default.tags.all = { };
+
+      # Or individual hosts
+      roles.default.machines.peer1 = { };
+      roles.default.machines.peer2 = { };
+    };
+  };
+};
+```

clanServices/yggdrasil/default.nix

@@ -0,0 +1,116 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "clan-core/yggdrasil";
+  manifest.description = "Yggdrasil encrypted IPv6 routing overlay network";
+
+  roles.default = {
+    interface =
+      { lib, ... }:
+      {
+        options.extraMulticastInterfaces = lib.mkOption {
+          type = lib.types.listOf lib.types.attrs;
+          default = [ ];
+          description = ''
+            Additional interfaces to use for Multicast. See
+            https://yggdrasil-network.github.io/configurationref.html#multicastinterfaces
+            for reference.
+          '';
+          example = [
+            {
+              Regex = "(wg).*";
+              Beacon = true;
+              Listen = true;
+              Port = 5400;
+              Priority = 1020;
+            }
+          ];
+        };
+
+        options.peers = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+          description = ''
+            Static peers to configure for this host.
+            If not set, local peers will be auto-discovered
+          '';
+          example = [
+            "tcp://192.168.1.1:6443"
+            "quic://192.168.1.1:6443"
+            "tls://192.168.1.1:6443"
+            "ws://192.168.1.1:6443"
+          ];
+        };
+      };
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule =
+          {
+            config,
+            pkgs,
+            ...
+          }:
+          {
+
+            clan.core.vars.generators.yggdrasil = {
+
+              files.privateKey = { };
+              files.publicKey.secret = false;
+              files.address.secret = false;
+
+              runtimeInputs = with pkgs; [
+                yggdrasil
+                jq
+                openssl
+              ];
+
+              script = ''
+                # Generate private key
+                openssl genpkey -algorithm Ed25519 -out $out/privateKey
+
+                # Generate corresponding public key
+                openssl pkey -in $out/privateKey -pubout -out $out/publicKey
+
+                # Derive IPv6 address from key
+                echo "{ \"PrivateKeyPath\": \"$out/privateKey\"}" | yggdrasil -useconf -address > $out/address
+              '';
+            };
+
+            systemd.services.yggdrasil.serviceConfig.BindReadOnlyPaths = [
+              "${config.clan.core.vars.generators.yggdrasil.files.privateKey.path}:/var/lib/yggdrasil/key"
+            ];
+
+            services.yggdrasil = {
+              enable = true;
+              openMulticastPort = true;
+              persistentKeys = true;
+              settings = {
+                PrivateKeyPath = "/var/lib/yggdrasil/key";
+                IfName = "ygg";
+                Peers = settings.peers;
+                MulticastInterfaces = [
+                  # Ethernet is preferred over WIFI
+                  {
+                    Regex = "(eth|en).*";
+                    Beacon = true;
+                    Listen = true;
+                    Port = 5400;
+                    Priority = 1024;
+                  }
+                  {
+                    Regex = "(wl).*";
+                    Beacon = true;
+                    Listen = true;
+                    Port = 5400;
+                    Priority = 1025;
+                  }
+                ]
+                ++ settings.extraMulticastInterfaces;
+              };
+            };
+            networking.firewall.allowedTCPPorts = [ 5400 ];
+          };
+      };
+  };
+}

clanServices/yggdrasil/flake-module.nix

@@ -0,0 +1,24 @@
+{
+  self,
+  lib,
+  ...
+}:
+let
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
+in
+{
+  clan.modules = {
+    yggdrasil = module;
+  };
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.yggdrasil = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules.yggdrasil = module;
+      };
+    };
+}

clanServices/yggdrasil/tests/vm/default.nix

@@ -0,0 +1,93 @@
+{
+  name = "yggdrasil";
+
+  clan = {
+    test.useContainers = false;
+    directory = ./.;
+    inventory = {
+
+      machines.peer1 = { };
+      machines.peer2 = { };
+
+      instances."yggdrasil" = {
+        module.name = "yggdrasil";
+        module.input = "self";
+
+        # Assign the roles to the two machines
+        roles.default.machines.peer1 = { };
+        roles.default.machines.peer2 = { };
+      };
+    };
+  };
+
+  # TODO remove after testing, this is just to make @pinpox' life easier
+  nodes =
+    let
+      c =
+        { pkgs, ... }:
+        {
+          environment.systemPackages = with pkgs; [ net-tools ];
+          console = {
+            font = "Lat2-Terminus16";
+            keyMap = "colemak";
+          };
+        };
+    in
+    {
+      peer1 = c;
+      peer2 = c;
+    };
+
+  testScript = ''
+    start_all()
+
+    # Wait for both machines to be ready
+    peer1.wait_for_unit("multi-user.target")
+    peer2.wait_for_unit("multi-user.target")
+
+    # Check that yggdrasil service is running on both machines
+    peer1.wait_for_unit("yggdrasil")
+    peer2.wait_for_unit("yggdrasil")
+
+    peer1.succeed("systemctl is-active yggdrasil")
+    peer2.succeed("systemctl is-active yggdrasil")
+
+    # Check that both machines have yggdrasil network interfaces
+    # Yggdrasil creates a tun interface (usually tun0)
+    peer1.wait_until_succeeds("ip link show | grep -E 'ygg'", 30)
+    peer2.wait_until_succeeds("ip link show | grep -E 'ygg'", 30)
+
+    # Get yggdrasil IPv6 addresses from both machines
+    peer1_ygg_ip = peer1.succeed("yggdrasilctl -json getself | jq -r '.address'").strip()
+    peer2_ygg_ip = peer2.succeed("yggdrasilctl -json getself | jq -r '.address'").strip()
+
+
+    # TODO: enable this check. Values don't match up yet, but I can't
+    # update-vars to test, because the script is borken.
+
+    # Compare runtime addresses with saved addresses from vars
+    # expected_peer1_ip = "${builtins.readFile ./vars/per-machine/peer1/yggdrasil/address/value}"
+    # expected_peer2_ip = "${builtins.readFile ./vars/per-machine/peer2/yggdrasil/address/value}"
+
+    print(f"peer1 yggdrasil IP: {peer1_ygg_ip}")
+    print(f"peer2 yggdrasil IP: {peer2_ygg_ip}")
+
+    # print(f"peer1 expected IP: {expected_peer1_ip}")
+    # print(f"peer2 expected IP: {expected_peer2_ip}")
+    #
+    # # Verify that runtime addresses match expected addresses
+    # assert peer1_ygg_ip == expected_peer1_ip, f"peer1 runtime IP {peer1_ygg_ip} != expected IP {expected_peer1_ip}"
+    # assert peer2_ygg_ip == expected_peer2_ip, f"peer2 runtime IP {peer2_ygg_ip} != expected IP {expected_peer2_ip}"
+
+    # Wait a bit for the yggdrasil network to establish connectivity
+    import time
+    time.sleep(10)
+
+    # Test connectivity: peer1 should be able to ping peer2 via yggdrasil
+    peer1.succeed(f"ping -6 -c 3 {peer2_ygg_ip}")
+
+    # Test connectivity: peer2 should be able to ping peer1 via yggdrasil
+    peer2.succeed(f"ping -6 -c 3 {peer1_ygg_ip}")
+
+  '';
+}

clanServices/yggdrasil/tests/vm/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1r264u9yngfq8qkrveh4tn0rhfes02jfgrtqufdx4n4m3hs4rla2qx0rk4d",
+    "type": "age"
+  }
+]

clanServices/yggdrasil/tests/vm/sops/machines/peer2/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1p8kuf8s0nfekwreh4g38cgghp4nzszenx0fraeyky2me0nly2scstqunx8",
+    "type": "age"
+  }
+]

clanServices/yggdrasil/tests/vm/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:3dolkgdLC4y5fps4gGb9hf4QhwkUUBodlMOKT+/+erO70FB/pzYBg0mQjQy/uqjINzfIiM32iwVDnx3/Yyz5BDRo2CK+83UGEi4=,iv:FRp1HqlU06JeyEXXFO5WxJWxeLnmUJRWGuFKcr4JFOM=,tag:rbi30HJuqPHdU/TqInGXmg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYXBxS1JuNW9NeC9YU0xY\nK2xQWDhUYjZ4VzZmeUw1aG9UN2trVnBGQ0J3Ckk0V3d0UFBkT0RnZjBoYjNRVEVW\nN2VEdCtUTUUwenhJSEErT0MyWDA2bHMKLS0tIHJJSzVtR3NCVXozbzREWjltN2ZG\nZm44Y1c4MWNIblcxbmt2YkdxVE10Z1UKmJKEjiYZ9U47QACkbacNTirQIcCvFjM/\nwVxSEVq524sK8LCyIEvsG4e3I3Kn0ybZjoth7J/jg7J4gb8MVw+leQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-16T08:13:06Z",
+		"mac": "ENC[AES256_GCM,data:6HJDkg0AWz+zx5niSIyBAGGaeemwPOqTCA/Fa6VjjyCh1wOav3OTzy/DRBOCze4V52hMGV3ULrI2V7G7DdvQy6LqiKBTQX5ZbWm3IxLASamJBjUJ1LvTm97WvyL54u/l2McYlaUIC8bYDl1UQUqDMo9pN4GwdjsRNCIl4O0Z7KY=,iv:zkWfYuhqwKpZk/16GlpKdAi2qS6LiPvadRJmxp2ZW+w=,tag:qz1gxVnT3OjWxKRKss5W8w==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/yggdrasil/tests/vm/sops/secrets/peer2-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:BW15ydnNpr0NIXu92nMsD/Y52BDEOsdZg2/fiM8lwSTJN3lEymrIBYsRrcPAnGpFb52d7oN8zdNz9WoW3f/Xwl136sWDz/sc0k4=,iv:7m77nOR/uXLMqXB5QmegtoYVqByJVFFqZIVOtlAonzg=,tag:8sUo9DRscNRajrk+CzHzHw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVWpnSlJOTVU4NWRMSCto\nS0RaR2RCTUJjT1J0VzRPVTdPL2N5Yjl3c0EwCmlabm1aSzdlV29nb3lrZFBEZXR6\nRjI2TGZUNW1KQ3pLbDFscUlKSnVBNWcKLS0tIDlLR1VFSTRHeWNiQ29XK1pUUnlr\nVkVHOXdJeHhpcldYNVhpK1V6Nng0eW8KSsqJejY1kll6bUBUngiolCB7OhjyI0Gc\nH+9OrORt/nLnc51eo/4Oh9vp/dvSZzuW9MOF9m0f6B3WOFRVMAbukQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-16T08:13:15Z",
+		"mac": "ENC[AES256_GCM,data:dyLnGXBC4nGOgX2TrGhf8kI/+Et0PRy+Ppr228y3LYzgcmUunZl9R8+QXJN51OJSQ63gLun5TBw0v+3VnRVBodlhqTDtfACJ7eILCiArPJqeZoh5MR6HkF31yfqTRlXl1i6KHRPVWvjRIdwJ9yZVN1XNAUsxc7xovqS6kkkGPsA=,iv:7yXnpbU7Zf7GH1+Uimq8eXDUX1kO/nvTaGx4nmTrKdM=,tag:WNn9CUOdCAlksC0Qln5rVg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/sops/secrets/peer2-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/yggdrasil/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/yggdrasil/address/value

@@ -0,0 +1 @@
+200:91bb:f1ec:c580:6d52:70b3:4d60:7bf2

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/yggdrasil/privateKey/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/yggdrasil/privateKey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:/YoEoYY8CmqK4Yk4fmZieIHIvRn779aikoo3+6SWI5SxuU8TLJVY9+Q7mRmnbCso/8RPMICWkZMIkfbxYi6Dwc4UFmLwPqCoeAYsFBiHsJ6QUoTm1qtDDfXcruFs8Mo93ZmJb7oJIC0a+sVbB5L1NsGmG3g+a+g=,iv:KrMjRIQXutv9WdNzI5VWD6SMDnGzs9LFWcG2d9a6XDg=,tag:x5gQN9FaatRBcHOyS2cicw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ0FNU1c4RDNKTHRtMy8z\nSEtQRzFXTVFvcitMWjVlMURPVkxsZC9wU25nCmt4TS81bnJidzFVZkxEY0ovWUtm\nVk5PMjZEWVJCei9rVTJ2bG1ZNWJoZGMKLS0tIHgyTEhIdUQ3YnlKVi9lNVpUZ0dI\nd3BLL05oMXFldGVKbkpoaklscDJMR3MKpUl/KNPrtyt4/bu3xXUAQIkugQXWjlPf\nFqFc1Vnqxynd+wJkkd/zYs4XcOraogOUj/WIRXkqXgdDDoEqb/VIBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1r264u9yngfq8qkrveh4tn0rhfes02jfgrtqufdx4n4m3hs4rla2qx0rk4d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOUdkd3VVSTU3NHZ6aURB\na2dYMXhyMmVLMDVlM0dzVHpxbUw3K3BFcVNzCm1LczFyd3BubGwvRVUwQ1Q0aWZR\nL1hlb1VpZ3JnTVQ4Zm9wVnlJYVNuL00KLS0tIHlMRVMyNW9rWG45bVVtczF3MVNq\nL2d2RXhEeVcyRVNmSUF6cks5VStxVkUKugI1iDei32852wNV/zPlyVwKJH1UXOlY\nFQq7dqMJMWI6a5F+z4UdaHvzyKxF2CWBG7DVnaUSpq7Q3uGmibsSOQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-16T08:13:07Z",
+		"mac": "ENC[AES256_GCM,data:LIlgQgiQt9aHXagpXphxSnpju+DOxuBvPpz5Rr43HSwgbWFgZ8tqlH2C1xo2xsJIexWkc823J9txpy+PLFXSm4/NbQGbKSymjHNEIYaU1tBSQ0KZ+s22X3/ku3Hug7/MkEKv5JsroTEcu3FK6Fv7Mo0VWqUggenl9AsJ5BocUO4=,iv:LGOnpWsod1ek4isWVrHrS+ZOCPrhwlPliPOTiMVY0zY=,tag:tRuHBSd9HxOswNcqjvzg0w==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/yggdrasil/privateKey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/yggdrasil/tests/vm/vars/per-machine/peer1/yggdrasil/publicKey/value

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAtyIHCZ0/yVbHpllPwgaWIFQ3Kb4fYMcOujgVmttA7gM=
+-----END PUBLIC KEY-----

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/yggdrasil/address/value

@@ -0,0 +1 @@
+200:bb1f:6f1c:1852:173a:cb5e:5726:870

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/yggdrasil/privateKey/machines/peer2

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer2

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/yggdrasil/privateKey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:b1dbaJQGr8mnISch0iej+FhMnYOIFxOJYCvWDQseiczltXsBetbYr+89co5Sp7wmhQrH3tlWaih3HZe294Y9j8XvwpNUtmW3RZHsU/6EWA50LKcToFGFCcEBM/Nz9RStQXnjwLbRSLFuMlfoQttUATB2XYSm+Ng=,iv:YCeE3KbHaBhR0q10qO8Og1LBT5OUjsIDxfclpcLJh6I=,tag:M7y9HAC+fh8Fe8HoqQrnbg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1p8kuf8s0nfekwreh4g38cgghp4nzszenx0fraeyky2me0nly2scstqunx8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NTVOT2MxaDJsTXloVVcv\nellUdnVxSVdnZ1NBUGEwLzBiTGoyZENJdm1RClp5eHY3dkdVSzVJYk52dWFCQnlG\nclIrQUJ5RXRYTythWTFHR1NhVHlyMVkKLS0tIEFza3YwcUNiYUV5VWJQcTljY2ZR\nUnc3U1VubmZRTCtTTC9rd1kydnNYa00KqdwV3eRHA6Y865JXQ7lxbS6aTIGf/kQM\nqDFdiUdvEDqo19Df3QBJ7amQ1YjPqSIRbO8CJNPI8JqQJKTaBOgm9g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmV0Skd5Zzk1SXc4ZDc3\nRi9wTVdDM1lTc3N0MXpNNVZjUWJ6VDZHd3hzCkpRZnNtSU14clkybWxvSEhST2py\nR29jcHdXSCtFRE02ejB0dzN1eGVQZ1kKLS0tIE9YVjJBRTg1SGZ5S3lYdFRUM3RW\nOGZjUEhURnJIVTBnZG43UFpTZkdseFUKOgHC10Rqf/QnzfCHUMEPb1PVo9E6qlpo\nW/F1I8ZqkFI8sWh54nilXeR8i8w+QCthliBxsxdDTv2FSxdnKNHu3A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-16T08:13:15Z",
+		"mac": "ENC[AES256_GCM,data:0byytsY3tFK3r4qhM1+iYe9KYYKJ8cJO/HonYflbB0iTD+oRBnnDUuChPdBK50tQxH8aInlvgIGgi45OMk7IrFBtBYQRgFBUR5zDujzel9hJXQvpvqgvRMkzA542ngjxYmZ74mQB+pIuFhlVJCfdTN+smX6N4KyDRj9d8aKK0Qs=,iv:DC8nwgUAUSdOCr8TlgJX21SxOPOoJKYeNoYvwj5b9OI=,tag:cbJ8M+UzaghkvtEnRCp+GA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/yggdrasil/privateKey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/yggdrasil/tests/vm/vars/per-machine/peer2/yggdrasil/publicKey/value

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAonBIcfPW9GKaUNRs+8epsgQOShNbR9v26+3H80an2/c=
+-----END PUBLIC KEY-----

devFlake/flake.lock

@@ -84,11 +84,11 @@
     },
     "nixpkgs-dev": {
       "locked": {
-        "lastModified": 1756578978,
-        "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=",
+        "lastModified": 1756662818,
+        "narHash": "sha256-Opggp4xiucQ5gBceZ6OT2vWAZOjQb3qULv39scGZ9Nw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23",
+        "rev": "2e6aeede9cb4896693434684bb0002ab2c0cfc09",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
         "nixpkgs": []
       },
       "locked": {
-        "lastModified": 1755934250,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
         "type": "github"
       },
       "original": {

docs/mkdocs.yml

@@ -94,6 +94,7 @@ nav:
               - reference/clanServices/index.md
               - reference/clanServices/admin.md
               - reference/clanServices/borgbackup.md
+              - reference/clanServices/certificates.md
               - reference/clanServices/coredns.md
               - reference/clanServices/data-mesher.md
               - reference/clanServices/dyndns.md
@@ -112,6 +113,7 @@ nav:
               - reference/clanServices/users.md
               - reference/clanServices/wifi.md
               - reference/clanServices/wireguard.md
+              - reference/clanServices/yggdrasil.md
               - reference/clanServices/zerotier.md
           - API: reference/clanServices/clan-service-author-interface.md
 

flake.lock

@@ -13,11 +13,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756091210,
-        "narHash": "sha256-oEUEAZnLbNHi8ti4jY8x10yWcIkYoFc5XD+2hjmOS04=",
-        "rev": "eb831bca21476fa8f6df26cb39e076842634700d",
+        "lastModified": 1756695982,
+        "narHash": "sha256-dyLhOSDzxZtRgi5aj/OuaZJUsuvo+8sZ9CU/qieZ15c=",
+        "rev": "cc8f26e7e6c2dc985526ba59b286ae5a83168cdb",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/eb831bca21476fa8f6df26cb39e076842634700d.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/cc8f26e7e6c2dc985526ba59b286ae5a83168cdb.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -99,11 +99,11 @@
     },
     "nixos-facter-modules": {
       "locked": {
-        "lastModified": 1756291602,
-        "narHash": "sha256-FYhiArSzcx60OwoH3JBp5Ho1D5HEwmZx6WoquauDv3g=",
+        "lastModified": 1756491981,
+        "narHash": "sha256-lXyDAWPw/UngVtQfgQ8/nrubs2r+waGEYIba5UX62+k=",
         "owner": "nix-community",
         "repo": "nixos-facter-modules",
-        "rev": "5c37cee817c94f50710ab11c25de572bc3604bd5",
+        "rev": "c1b29520945d3e148cd96618c8a0d1f850965d8c",
         "type": "github"
       },
       "original": {
@@ -181,11 +181,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755934250,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
         "type": "github"
       },
       "original": {

lib/clanTest/flake-module.nix

@@ -87,6 +87,8 @@ in
       relativeDir = removePrefix "${self}/" (toString config.clan.directory);
 
       update-vars = hostPkgs.writeShellScriptBin "update-vars" ''
+        set -x
+        export PRJ_ROOT=$(git rev-parse --show-toplevel)
         ${update-vars-script} $PRJ_ROOT/${relativeDir} ${testName}
       '';
 

lib/test/container-test-driver/test_driver/__init__.py

@@ -268,8 +268,14 @@ class Machine:
         )
 
     def nsenter_command(self, command: str) -> list[str]:
+        nsenter = shutil.which("nsenter")
+
+        if not nsenter:
+            msg = "nsenter command not found"
+            raise RuntimeError(msg)
+
         return [
-            "nsenter",
+            nsenter,
             "--target",
             str(self.container_pid),
             "--mount",
@@ -326,6 +332,7 @@ class Machine:
 
         return subprocess.run(
             self.nsenter_command(command),
+            env={},
             timeout=timeout,
             check=False,
             stdout=subprocess.PIPE,

pkgs/clan-app/fonts.nix

@@ -48,6 +48,10 @@ let
     url = "https://github.com/eigilnikolajsen/commit-mono/raw/0b3b192f035cdc8d1ea8ffb5463cc23d73d0b89f/src/fonts/fontlab/CommitMonoV143-VF.woff2";
     hash = "sha256-80LKbD8ll+bA/NhLPz7WTTzlvbbQrxnRkNZFpVixzyk=";
   };
+  commitMono_ttf = fetchurl {
+    url = "https://github.com/eigilnikolajsen/commit-mono/raw/0b3b192f035cdc8d1ea8ffb5463cc23d73d0b89f/src/fonts/fontlab/CommitMonoV143-VF.ttf";
+    hash = "sha256-mN6akBFjp2mBLDzy8bhtY6mKnO1nINdHqmZSaIQHw08=";
+  };
 
 in
 runCommand "" { } ''
@@ -62,4 +66,5 @@ runCommand "" { } ''
   cp ${archivoSemi.semiBold} $out/ArchivoSemiCondensed-SemiBold.woff2
 
   cp ${commitMono} $out/CommitMonoV143-VF.woff2
+  cp ${commitMono_ttf} $out/CommitMonoV143-VF.ttf
 ''

pkgs/clan-app/ui/package-lock.json

@@ -23,6 +23,7 @@
         "solid-js": "^1.9.7",
         "solid-toast": "^0.5.0",
         "three": "^0.176.0",
+        "troika-three-text": "^0.52.4",
         "valibot": "^1.1.0"
       },
       "devDependencies": {
@@ -3807,6 +3808,15 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -7528,6 +7538,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/requires-port": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
@@ -8655,6 +8674,36 @@
         "tree-kill": "cli.js"
       }
     },
+    "node_modules/troika-three-text": {
+      "version": "0.52.4",
+      "resolved": "https://registry.npmjs.org/troika-three-text/-/troika-three-text-0.52.4.tgz",
+      "integrity": "sha512-V50EwcYGruV5rUZ9F4aNsrytGdKcXKALjEtQXIOBfhVoZU9VAqZNIoGQ3TMiooVqFAbR1w15T+f+8gkzoFzawg==",
+      "license": "MIT",
+      "dependencies": {
+        "bidi-js": "^1.0.2",
+        "troika-three-utils": "^0.52.4",
+        "troika-worker-utils": "^0.52.0",
+        "webgl-sdf-generator": "1.1.1"
+      },
+      "peerDependencies": {
+        "three": ">=0.125.0"
+      }
+    },
+    "node_modules/troika-three-utils": {
+      "version": "0.52.4",
+      "resolved": "https://registry.npmjs.org/troika-three-utils/-/troika-three-utils-0.52.4.tgz",
+      "integrity": "sha512-NORAStSVa/BDiG52Mfudk4j1FG4jC4ILutB3foPnfGbOeIs9+G5vZLa0pnmnaftZUGm4UwSoqEpWdqvC7zms3A==",
+      "license": "MIT",
+      "peerDependencies": {
+        "three": ">=0.125.0"
+      }
+    },
+    "node_modules/troika-worker-utils": {
+      "version": "0.52.0",
+      "resolved": "https://registry.npmjs.org/troika-worker-utils/-/troika-worker-utils-0.52.0.tgz",
+      "integrity": "sha512-W1CpvTHykaPH5brv5VHLfQo9D1OYuo0cSBEUQFFT/nBUzM8iD6Lq2/tgG/f1OelbAS1WtaTPQzE5uM49egnngw==",
+      "license": "MIT"
+    },
     "node_modules/ts-api-utils": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
@@ -9268,6 +9317,12 @@
         "node": "20 || >=22"
       }
     },
+    "node_modules/webgl-sdf-generator": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/webgl-sdf-generator/-/webgl-sdf-generator-1.1.1.tgz",
+      "integrity": "sha512-9Z0JcMTFxeE+b2x1LJTdnaT8rT8aEp7MVxkNwoycNmJWwPdzoXzMh0BjJSh/AEFP+KPYZUli814h8bJZFIZ2jA==",
+      "license": "MIT"
+    },
     "node_modules/webidl-conversions": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",

pkgs/clan-app/ui/package.json

@@ -80,6 +80,7 @@
     "solid-js": "^1.9.7",
     "solid-toast": "^0.5.0",
     "three": "^0.176.0",
+    "troika-three-text": "^0.52.4",
     "valibot": "^1.1.0"
   },
   "optionalDependencies": {

pkgs/clan-app/ui/src/components/ContextMenu/ContextMenu.module.css

@@ -0,0 +1,33 @@
+.list {
+  display: flex;
+  width: 113px;
+  padding: 8px;
+  flex-direction: column;
+  align-items: flex-start;
+
+  border-radius: 5px;
+  border: 1px solid var(--clr-border-def-2, #d8e8eb);
+  background: var(--clr-bg-def-1, #fff);
+  box-shadow: 0 3px 8px 0 rgba(0, 0, 0, 0.24);
+}
+
+.item {
+  max-height: 28px;
+  height: 28px;
+  padding: 4px 8px;
+  cursor: pointer;
+
+  display: flex;
+  align-items: center;
+  align-self: stretch;
+  gap: 4px;
+
+  &:hover {
+    @apply bg-def-3;
+    border-radius: 2px;
+  }
+  &[aria-disabled="true"] {
+    cursor: not-allowed;
+    pointer-events: none;
+  }
+}

pkgs/clan-app/ui/src/components/ContextMenu/ContextMenu.tsx

@@ -0,0 +1,61 @@
+import { onCleanup, onMount } from "solid-js";
+import styles from "./ContextMenu.module.css";
+import { Typography } from "../Typography/Typography";
+
+export const Menu = (props: {
+  x: number;
+  y: number;
+  onSelect: (option: "move") => void;
+  close: () => void;
+  intersect: string[];
+}) => {
+  let ref: HTMLUListElement;
+
+  const handleClickOutside = (e: MouseEvent) => {
+    if (!ref.contains(e.target as Node)) {
+      props.close();
+    }
+  };
+
+  onMount(() => {
+    document.addEventListener("mousedown", handleClickOutside);
+  });
+
+  onCleanup(() =>
+    document.removeEventListener("mousedown", handleClickOutside),
+  );
+  const currentMachine = () => props.intersect.at(0) || null;
+
+  return (
+    <ul
+      ref={(el) => (ref = el)}
+      style={{
+        position: "absolute",
+        top: `${props.y}px`,
+        left: `${props.x}px`,
+        "z-index": 1000,
+        "pointer-events": "auto",
+      }}
+      class={styles.list}
+    >
+      <li
+        class={styles.item}
+        aria-disabled={!currentMachine()}
+        onClick={() => {
+          console.log("Move clicked", currentMachine());
+          props.onSelect("move");
+          props.close();
+        }}
+      >
+        <Typography
+          hierarchy="label"
+          size="s"
+          weight="bold"
+          color={currentMachine() ? "primary" : "quaternary"}
+        >
+          Move
+        </Typography>
+      </li>
+    </ul>
+  );
+};

pkgs/clan-app/ui/src/components/Form/MachineTags.css

@@ -1,221 +0,0 @@
-div.form-field.machine-tags {
-  div.control {
-    @apply flex flex-col size-full gap-2;
-
-    div.selected-options {
-      @apply flex flex-wrap gap-2 size-full min-h-5;
-    }
-
-    div.input-container {
-      @apply relative left-0 top-0;
-      @apply inline-flex justify-between w-full;
-
-      input {
-        @apply w-full px-2 py-1.5 rounded-sm;
-        @apply outline outline-1 outline-def-acc-1 bg-def-1 fg-def-1;
-
-        font-size: 0.875rem;
-        font-weight: 500;
-        font-family: "Archivo", sans-serif;
-        line-height: 1;
-
-        &::placeholder {
-          @apply fg-def-4;
-        }
-
-        &:hover {
-          @apply bg-def-acc-1 outline-def-acc-2;
-        }
-
-        &:not(:read-only):focus-visible {
-          @apply bg-def-1 outline-def-acc-3;
-
-          box-shadow:
-            0 0 0 0.125rem theme(colors.bg.def.1),
-            0 0 0 0.1875rem theme(colors.border.semantic.info.1);
-        }
-
-        &[data-invalid] {
-          @apply outline-semantic-error-4;
-        }
-
-        &[data-disabled] {
-          @apply outline-def-2 fg-def-4 cursor-not-allowed;
-        }
-
-        &[data-readonly] {
-          @apply outline-none border-none bg-inherit;
-          @apply p-0 resize-none;
-        }
-      }
-
-      & > button.trigger {
-        @apply flex items-center justify-center w-8;
-        @apply absolute right-2 top-1 h-5 w-6 bg-def-2 rounded-sm;
-
-        &[data-disabled] {
-          @apply cursor-not-allowed;
-        }
-
-        & > span.icon {
-          @apply h-full w-full py-0.5 px-1;
-        }
-      }
-    }
-  }
-
-  &.horizontal {
-    @apply flex-row gap-2 justify-between;
-
-    div.control {
-      @apply w-1/2 grow;
-    }
-  }
-
-  &.s {
-    div.control > div.input-container {
-      & > input {
-        @apply px-1.5 py-1;
-        font-size: 0.75rem;
-
-        &[data-readonly] {
-          @apply p-0;
-        }
-      }
-
-      & > button.trigger {
-        @apply top-[0.1875rem] h-4 w-5;
-      }
-    }
-  }
-
-  &.inverted {
-    div.control > div.input-container {
-      & > button.trigger {
-        @apply bg-inv-2;
-      }
-
-      & > input {
-        @apply bg-inv-1 fg-inv-1 outline-inv-acc-1;
-
-        &::placeholder {
-          @apply fg-inv-4;
-        }
-
-        &:hover {
-          @apply bg-inv-acc-2 outline-inv-acc-2;
-        }
-
-        &:not(:read-only):focus-visible {
-          @apply bg-inv-acc-4;
-          box-shadow:
-            0 0 0 0.125rem theme(colors.bg.inv.1),
-            0 0 0 0.1875rem theme(colors.border.semantic.info.1);
-        }
-
-        &[data-invalid] {
-          @apply outline-semantic-error-4;
-        }
-
-        &[data-readonly] {
-          @apply outline-none border-none bg-inherit cursor-auto;
-        }
-      }
-    }
-  }
-
-  &.ghost {
-    div.control > div.input-container {
-      & > input {
-        @apply outline-none;
-
-        &:hover {
-          @apply outline-none;
-        }
-      }
-    }
-  }
-}
-
-div.machine-tags-content {
-  @apply rounded-sm bg-def-1 border border-def-2 z-10;
-
-  transform-origin: var(--kb-combobox-content-transform-origin);
-  animation: machineTagsContentHide 250ms ease-in forwards;
-
-  &[data-expanded] {
-    animation: machineTagsContentShow 250ms ease-out;
-  }
-
-  & > ul.listbox {
-    overflow-y: auto;
-    max-height: 360px;
-
-    @apply px-2 py-3;
-
-    &:focus {
-      outline: none;
-    }
-
-    li.item {
-      @apply flex items-center justify-between;
-      @apply relative px-2 py-1;
-      @apply select-none outline-none rounded-[0.25rem];
-
-      color: hsl(240 4% 16%);
-      height: 32px;
-
-      &[data-disabled] {
-        color: hsl(240 5% 65%);
-        opacity: 0.5;
-        pointer-events: none;
-      }
-
-      &[data-highlighted] {
-        @apply outline-none bg-def-4;
-      }
-    }
-
-    .item-indicator {
-      height: 20px;
-      width: 20px;
-      display: inline-flex;
-      align-items: center;
-      justify-content: center;
-    }
-  }
-}
-
-div.machine-tags-control {
-  @apply flex flex-col w-full gap-2;
-
-  & > div.selected-options {
-    @apply flex gap-2 flex-wrap w-full;
-  }
-
-  & > div.input-container {
-    @apply w-full flex gap-2;
-  }
-}
-
-@keyframes machineTagsContentShow {
-  from {
-    opacity: 0;
-    transform: translateY(-8px);
-  }
-  to {
-    opacity: 1;
-    transform: translateY(0);
-  }
-}
-
-@keyframes machineTagsContentHide {
-  from {
-    opacity: 1;
-    transform: translateY(0);
-  }
-  to {
-    opacity: 0;
-    transform: translateY(-8px);
-  }
-}

pkgs/clan-app/ui/src/components/Form/MachineTags.module.css

@@ -0,0 +1,207 @@
+.machineTags {
+  &.horizontal {
+    @apply flex-row gap-2 justify-between;
+  }
+}
+
+.control {
+  @apply flex flex-col size-full gap-2;
+
+  &.horizontal {
+    @apply w-1/2 grow;
+  }
+}
+
+.selectedOptions {
+  @apply flex flex-wrap gap-2 size-full min-h-5;
+}
+
+.trigger {
+  @apply w-full relative;
+}
+
+.icon {
+  @apply absolute left-1.5;
+  top: calc(50% - 0.5rem);
+
+  &.iconSmall {
+    @apply left-[0.3125rem] size-[0.75rem];
+    top: calc(50% - 0.3125rem);
+  }
+}
+
+.input {
+  @apply outline outline-1 outline-def-acc-1 bg-def-1 fg-def-1 w-full;
+  @apply px-[1.625rem] py-1.5 rounded-sm;
+
+  font-size: 0.875rem;
+  font-weight: 500;
+  font-family: "Archivo", sans-serif;
+  line-height: 1;
+
+  &::placeholder {
+    @apply fg-def-4;
+  }
+
+  &:hover {
+    @apply bg-def-acc-1 outline-def-acc-2;
+  }
+
+  &:not(:read-only):focus-visible {
+    @apply bg-def-1 outline-def-acc-3;
+
+    box-shadow:
+      0 0 0 0.125rem theme(colors.bg.def.1),
+      0 0 0 0.1875rem theme(colors.border.semantic.info.1);
+  }
+
+  &[data-invalid] {
+    @apply outline-semantic-error-4;
+  }
+
+  &[data-disabled] {
+    @apply outline-def-2 fg-def-4 cursor-not-allowed;
+  }
+
+  &[data-readonly] {
+    @apply outline-none border-none bg-inherit;
+    @apply p-0 resize-none;
+  }
+
+  &.inputSmall {
+    @apply px-[1.25rem] py-1;
+    font-size: 0.8125rem;
+
+    &[data-readonly] {
+      @apply p-0;
+    }
+  }
+
+  &.inputInverted {
+    @apply bg-inv-1 fg-inv-1 outline-inv-acc-1;
+
+    &::placeholder {
+      @apply fg-inv-4;
+    }
+
+    &:hover {
+      @apply bg-inv-acc-2 outline-inv-acc-2;
+    }
+
+    &:not(:read-only):focus-visible {
+      @apply bg-inv-acc-4;
+      box-shadow:
+        0 0 0 0.125rem theme(colors.bg.inv.1),
+        0 0 0 0.1875rem theme(colors.border.semantic.info.1);
+    }
+
+    &[data-invalid] {
+      @apply outline-semantic-error-4;
+    }
+
+    &[data-readonly] {
+      @apply outline-none border-none bg-inherit cursor-auto;
+    }
+  }
+
+  &.inputGhost {
+    @apply outline-none;
+
+    &:hover {
+      @apply outline-none;
+    }
+  }
+}
+
+.comboboxContent {
+  @apply rounded-sm bg-def-1 border border-def-2 z-20;
+
+  transform-origin: var(--kb-combobox-content-transform-origin);
+  animation: machineTagsContentHide 250ms ease-in forwards;
+
+  &[data-expanded] {
+    animation: machineTagsContentShow 250ms ease-out;
+  }
+
+  .listbox {
+    overflow-y: auto;
+    max-height: 360px;
+
+    @apply px-2 py-3;
+
+    &:focus {
+      outline: none;
+    }
+
+    .listboxItem {
+      @apply flex items-center justify-between;
+      @apply relative px-2 py-1;
+      @apply select-none outline-none rounded-[0.25rem];
+
+      color: hsl(240 4% 16%);
+      height: 32px;
+
+      &[data-disabled] {
+        color: hsl(240 5% 65%);
+        opacity: 0.5;
+        pointer-events: none;
+      }
+
+      &[data-highlighted] {
+        @apply outline-none bg-def-4;
+      }
+
+      &.listboxItemInverted {
+        &[data-highlighted] {
+          @apply bg-inv-4;
+        }
+      }
+    }
+
+    .itemIndicator {
+      height: 20px;
+      width: 20px;
+      display: inline-flex;
+      align-items: center;
+      justify-content: center;
+    }
+  }
+
+  &.comboboxContentInverted {
+    @apply bg-inv-1 border-inv-2;
+  }
+}
+
+.machineTagsControl {
+  @apply flex flex-col w-full gap-2;
+
+  /*& > div.selected-options {*/
+  /*    @apply flex gap-2 flex-wrap w-full;*/
+  /*}*/
+
+  & > div.input-container {
+    @apply w-full flex gap-2;
+  }
+}
+
+@keyframes machineTagsContentShow {
+  from {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@keyframes machineTagsContentHide {
+  from {
+    opacity: 1;
+    transform: translateY(0);
+  }
+  to {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+}

pkgs/clan-app/ui/src/components/Form/MachineTags.tsx

@@ -6,10 +6,10 @@ import cx from "classnames";
 import { Typography } from "@/src/components/Typography/Typography";
 import { Tag } from "@/src/components/Tag/Tag";
 
-import "./MachineTags.css";
 import { Label } from "@/src/components/Form/Label";
 import { Orienter } from "@/src/components/Form/Orienter";
 import { CollectionNode } from "@kobalte/core";
+import styles from "./MachineTags.module.css";
 
 export interface MachineTag {
   value: string;
@@ -45,20 +45,31 @@ const sortedAndUniqueOptions = (options: MachineTag[]) =>
   sortedOptions(uniqueOptions(options));
 
 // customises how each option is displayed in the dropdown
-const ItemComponent = (props: { item: CollectionNode<MachineTag> }) => {
-  return (
-    <Combobox.Item item={props.item} class="item">
-      <Combobox.ItemLabel>
-        <Typography hierarchy="body" size="xs" weight="bold">
-          {props.item.textValue}
-        </Typography>
-      </Combobox.ItemLabel>
-      <Combobox.ItemIndicator class="item-indicator">
-        <Icon icon="Checkmark" />
-      </Combobox.ItemIndicator>
-    </Combobox.Item>
-  );
-};
+const ItemComponent =
+  (inverted: boolean) => (props: { item: CollectionNode<MachineTag> }) => {
+    return (
+      <Combobox.Item
+        item={props.item}
+        class={cx(styles.listboxItem, {
+          [styles.listboxItemInverted]: inverted,
+        })}
+      >
+        <Combobox.ItemLabel>
+          <Typography
+            hierarchy="body"
+            size="xs"
+            weight="bold"
+            inverted={inverted}
+          >
+            {props.item.textValue}
+          </Typography>
+        </Combobox.ItemLabel>
+        <Combobox.ItemIndicator class={styles.itemIndicator}>
+          <Icon icon="Checkmark" inverted={inverted} />
+        </Combobox.ItemIndicator>
+      </Combobox.Item>
+    );
+  };
 
 export const MachineTags = (props: MachineTagsProps) => {
   // convert default value string[] into MachineTag[]
@@ -112,10 +123,7 @@ export const MachineTags = (props: MachineTagsProps) => {
   return (
     <Combobox<MachineTag>
       multiple
-      class={cx("form-field", "machine-tags", props.size, props.orientation, {
-        inverted: props.inverted,
-        ghost: props.ghost,
-      })}
+      class={cx("form-field", styles.machineTags, props.orientation)}
       {...splitProps(props, ["defaultValue"])[1]}
       defaultValue={defaultValue}
       options={availableOptions()}
@@ -123,7 +131,7 @@ export const MachineTags = (props: MachineTagsProps) => {
       optionTextValue="value"
       optionLabel="value"
       optionDisabled="disabled"
-      itemComponent={ItemComponent}
+      itemComponent={ItemComponent(props.inverted || false)}
       placeholder="Enter a tag name"
       // triggerMode="focus"
       removeOnBackspace={false}
@@ -158,9 +166,11 @@ export const MachineTags = (props: MachineTagsProps) => {
 
         <Combobox.HiddenSelect {...props.input} multiple />
 
-        <Combobox.Control<MachineTag> class="control">
+        <Combobox.Control<MachineTag>
+          class={cx(styles.control, props.orientation)}
+        >
           {(state) => (
-            <div class="selected-options">
+            <div class={styles.selectedOptions}>
               <For each={state.selectedOptions()}>
                 {(option) => (
                   <Tag
@@ -187,18 +197,24 @@ export const MachineTags = (props: MachineTagsProps) => {
                 )}
               </For>
               <Show when={!props.readOnly}>
-                <div class="input-container">
-                  <Combobox.Input onKeyDown={onKeyDown} />
-                  <Combobox.Trigger class="trigger">
-                    <Combobox.Icon class="icon">
-                      <Icon
-                        icon="Expand"
-                        inverted={!props.inverted}
-                        size="100%"
-                      />
-                    </Combobox.Icon>
-                  </Combobox.Trigger>
-                </div>
+                <Combobox.Trigger class={styles.trigger}>
+                  <Icon
+                    icon="Tag"
+                    color="secondary"
+                    inverted={props.inverted}
+                    class={cx(styles.icon, {
+                      [styles.iconSmall]: props.size == "s",
+                    })}
+                  />
+                  <Combobox.Input
+                    onKeyDown={onKeyDown}
+                    class={cx(styles.input, {
+                      [styles.inputSmall]: props.size == "s",
+                      [styles.inputGhost]: props.ghost,
+                      [styles.inputInverted]: props.inverted,
+                    })}
+                  />
+                </Combobox.Trigger>
               </Show>
             </div>
           )}
@@ -206,8 +222,12 @@ export const MachineTags = (props: MachineTagsProps) => {
       </Orienter>
 
       <Combobox.Portal>
-        <Combobox.Content class="machine-tags-content">
-          <Combobox.Listbox class="listbox" />
+        <Combobox.Content
+          class={cx(styles.comboboxContent, {
+            [styles.comboboxContentInverted]: props.inverted,
+          })}
+        >
+          <Combobox.Listbox class={styles.listbox} />
         </Combobox.Content>
       </Combobox.Portal>
     </Combobox>

pkgs/clan-app/ui/src/components/Sidebar/SidebarBody.tsx

@@ -3,13 +3,13 @@ import { A } from "@solidjs/router";
 import { Accordion } from "@kobalte/core/accordion";
 import Icon from "../Icon/Icon";
 import { Typography } from "@/src/components/Typography/Typography";
-import { For, Show, useContext } from "solid-js";
+import { For, Show } from "solid-js";
 import { MachineStatus } from "@/src/components/MachineStatus/MachineStatus";
 import { buildMachinePath, useClanURI } from "@/src/hooks/clan";
 import { useMachineStateQuery } from "@/src/hooks/queries";
 import { SidebarProps } from "./Sidebar";
-import { ClanContext } from "@/src/routes/Clan/Clan";
 import { Button } from "../Button/Button";
+import { useClanContext } from "@/src/routes/Clan/Clan";
 
 interface MachineProps {
   clanURI: string;
@@ -59,10 +59,7 @@ const MachineRoute = (props: MachineProps) => {
 export const SidebarBody = (props: SidebarProps) => {
   const clanURI = useClanURI();
 
-  const ctx = useContext(ClanContext);
-  if (!ctx) {
-    throw new Error("ClanContext not found");
-  }
+  const ctx = useClanContext();
 
   const sectionLabels = (props.staticSections || []).map(
     (section) => section.title,

pkgs/clan-app/ui/src/components/Sidebar/SidebarHeader.tsx

@@ -3,12 +3,12 @@ import Icon from "@/src/components/Icon/Icon";
 import { DropdownMenu } from "@kobalte/core/dropdown-menu";
 import { useNavigate } from "@solidjs/router";
 import { Typography } from "../Typography/Typography";
-import { createSignal, For, Show, Suspense, useContext } from "solid-js";
+import { createSignal, For, Show, Suspense } from "solid-js";
 import { navigateToOnboarding } from "@/src/hooks/clan";
 import { setActiveClanURI } from "@/src/stores/clan";
 import { Button } from "../Button/Button";
-import { ClanContext } from "@/src/routes/Clan/Clan";
 import { ClanSettingsModal } from "@/src/modals/ClanSettingsModal/ClanSettingsModal";
+import { useClanContext } from "@/src/routes/Clan/Clan";
 
 export const SidebarHeader = () => {
   const navigate = useNavigate();
@@ -17,11 +17,7 @@ export const SidebarHeader = () => {
   const [showSettings, setShowSettings] = createSignal(false);
 
   // get information about the current active clan
-  const ctx = useContext(ClanContext);
-
-  if (!ctx) {
-    throw new Error("SidebarContext not found");
-  }
+  const ctx = useClanContext();
 
   const clanChar = () =>
     ctx?.activeClanQuery?.data?.details.name.charAt(0).toUpperCase();

pkgs/clan-app/ui/src/hooks/queries.ts

@@ -143,6 +143,7 @@ export const useMachineStateQuery = (clanURI: string, machineName: string) => {
   const client = useApiClient();
   return useQuery<MachineState>(() => ({
     queryKey: ["clans", encodeBase64(clanURI), "machine", machineName, "state"],
+    staleTime: 60_000, // 1 minute stale time
     queryFn: async () => {
       const apiCall = client.fetch("get_machine_state", {
         machine: {

pkgs/clan-app/ui/src/routes/Clan/Clan.tsx

@@ -8,10 +8,10 @@ import {
   on,
   onMount,
   Show,
-  Signal,
   useContext,
 } from "solid-js";
 import {
+  buildClanPath,
   buildMachinePath,
   maybeUseMachineName,
   useClanURI,
@@ -55,57 +55,38 @@ interface ClanContextProps {
   setShowAddMachine(value: boolean): void;
 }
 
-class DefaultClanContext implements ClanContextProps {
-  public readonly clanURI: string;
+function createClanContext(
+  clanURI: string,
+  machinesQuery: MachinesQueryResult,
+  activeClanQuery: UseQueryResult<ClanDetails>,
+  otherClanQueries: UseQueryResult<ClanDetails>[],
+) {
+  const [showAddMachine, setShowAddMachine] = createSignal(false);
+  const allClansQueries = [activeClanQuery, ...otherClanQueries];
+  const allQueries = [machinesQuery, ...allClansQueries];
 
-  public readonly activeClanQuery: UseQueryResult<ClanDetails>;
-  public readonly otherClanQueries: UseQueryResult<ClanDetails>[];
-  public readonly allClansQueries: UseQueryResult<ClanDetails>[];
-
-  public readonly machinesQuery: MachinesQueryResult;
-
-  allQueries: UseQueryResult[];
-
-  showAddMachineSignal: Signal<boolean>;
-
-  constructor(
-    clanURI: string,
-    machinesQuery: MachinesQueryResult,
-    activeClanQuery: UseQueryResult<ClanDetails>,
-    otherClanQueries: UseQueryResult<ClanDetails>[],
-  ) {
-    this.clanURI = clanURI;
-    this.machinesQuery = machinesQuery;
-
-    this.activeClanQuery = activeClanQuery;
-    this.otherClanQueries = otherClanQueries;
-    this.allClansQueries = [activeClanQuery, ...otherClanQueries];
-
-    this.allQueries = [machinesQuery, activeClanQuery, ...otherClanQueries];
-
-    this.showAddMachineSignal = createSignal(false);
-  }
-
-  isLoading(): boolean {
-    return this.allQueries.some((q) => q.isLoading);
-  }
-
-  isError(): boolean {
-    return this.activeClanQuery.isError;
-  }
-
-  setShowAddMachine(value: boolean) {
-    const [_, setShow] = this.showAddMachineSignal;
-    setShow(value);
-  }
-
-  showAddMachine(): boolean {
-    const [show, _] = this.showAddMachineSignal;
-    return show();
-  }
+  return {
+    clanURI,
+    machinesQuery,
+    activeClanQuery,
+    otherClanQueries,
+    allClansQueries,
+    isLoading: () => allQueries.some((q) => q.isLoading),
+    isError: () => activeClanQuery.isError,
+    showAddMachine,
+    setShowAddMachine,
+  };
 }
 
-export const ClanContext = createContext<ClanContextProps>();
+const ClanContext = createContext<ClanContextProps>();
+
+export const useClanContext = () => {
+  const ctx = useContext(ClanContext);
+  if (!ctx) {
+    throw new Error("ClanContext not found");
+  }
+  return ctx;
+};
 
 export const Clan: Component<RouteSectionProps> = (props) => {
   const clanURI = useClanURI();
@@ -124,17 +105,15 @@ export const Clan: Component<RouteSectionProps> = (props) => {
 
   const machinesQuery = useMachinesQuery(clanURI);
 
+  const ctx = createClanContext(
+    clanURI,
+    machinesQuery,
+    activeClanQuery,
+    otherClanQueries,
+  );
+
   return (
-    <ClanContext.Provider
-      value={
-        new DefaultClanContext(
-          clanURI,
-          machinesQuery,
-          activeClanQuery,
-          otherClanQueries,
-        )
-      }
-    >
+    <ClanContext.Provider value={ctx}>
       <div
         class={cx(styles.sidebarContainer, {
           [styles.machineSelected]: useMachineName(),
@@ -149,10 +128,7 @@ export const Clan: Component<RouteSectionProps> = (props) => {
 };
 
 const ClanSceneController = (props: RouteSectionProps) => {
-  const ctx = useContext(ClanContext);
-  if (!ctx) {
-    throw new Error("ClanContext not found");
-  }
+  const ctx = useClanContext();
 
   const navigate = useNavigate();
 
@@ -197,6 +173,8 @@ const ClanSceneController = (props: RouteSectionProps) => {
     const selected = ids.values().next().value;
     if (selected) {
       navigate(buildMachinePath(ctx.clanURI, selected));
+    } else {
+      navigate(buildClanPath(ctx.clanURI));
     }
   };
 

pkgs/clan-app/ui/src/scene/MachineManager.ts

@@ -27,6 +27,7 @@ export class MachineManager {
     machinesQueryResult: MachinesQueryResult,
     selectedIds: Accessor<Set<string>>,
     setMachinePos: (id: string, position: [number, number] | null) => void,
+    camera: THREE.Camera,
   ) {
     this.machinePositionsSignal = machinePositionsSignal;
 
@@ -82,6 +83,7 @@ export class MachineManager {
               id,
               selectedIds,
               highlightGroups,
+              camera,
             );
             this.machines.set(id, repr);
             scene.add(repr.group);

pkgs/clan-app/ui/src/scene/MachineRepr.ts

@@ -3,6 +3,9 @@ import { ObjectRegistry } from "./ObjectRegistry";
 import { CSS2DObject } from "three/examples/jsm/renderers/CSS2DRenderer.js";
 import { Accessor, createEffect, createRoot, on } from "solid-js";
 import { renderLoop } from "./RenderLoop";
+// @ts-expect-error: No types for troika-three-text
+import { Text } from "troika-three-text";
+import ttf from "../../.fonts/CommitMonoV143-VF.ttf";
 
 // Constants
 const BASE_SIZE = 0.9;
@@ -28,6 +31,7 @@ export class MachineRepr {
   private baseMesh: THREE.Mesh;
   private geometry: THREE.BoxGeometry;
   private material: THREE.MeshPhongMaterial;
+  private camera: THREE.Camera;
 
   private disposeRoot: () => void;
 
@@ -38,8 +42,10 @@ export class MachineRepr {
     id: string,
     selectedSignal: Accessor<Set<string>>,
     highlightGroups: Record<string, Set<string>>, // Reactive store
+    camera: THREE.Camera,
   ) {
     this.id = id;
+    this.camera = camera;
     this.geometry = new THREE.BoxGeometry(CUBE_SIZE, CUBE_SIZE, CUBE_SIZE);
     this.material = new THREE.MeshPhongMaterial({
       color: CUBE_COLOR,
@@ -62,7 +68,6 @@ export class MachineRepr {
     this.baseMesh.name = "base";
 
     const label = this.createLabel(id);
-    this.cubeMesh.add(label);
 
     const shadowPlaneMaterial = new THREE.MeshStandardMaterial({
       color: BASE_COLOR, // any color you like
@@ -82,6 +87,7 @@ export class MachineRepr {
     shadowPlane.position.set(0, BASE_HEIGHT + 0.0001, 0);
 
     this.group = new THREE.Group();
+    this.group.add(label);
     this.group.add(this.cubeMesh);
     this.group.add(this.baseMesh);
     this.group.add(shadowPlane);
@@ -161,12 +167,27 @@ export class MachineRepr {
   }
 
   private createLabel(id: string) {
-    const div = document.createElement("div");
-    div.className = "machine-label";
-    div.textContent = id;
-    const label = new CSS2DObject(div);
-    label.position.set(0, CUBE_SIZE + 0.1, 0);
-    return label;
+    const text = new Text();
+    text.text = id;
+    text.font = ttf;
+    // text.font = ".fonts/CommitMonoV143-VF.woff2"; // <-- normal web font, not JSON
+    text.fontSize = 0.15; // relative to your cube size
+    text.color = 0x000000; // any THREE.Color
+    text.anchorX = "center"; // horizontal centering
+    text.anchorY = "bottom"; // baseline aligns to cube top
+    text.position.set(0, CUBE_SIZE + 0.05, 0);
+
+    // If you want it to always face camera:
+    text.userData.isLabel = true;
+    text.outlineWidth = 0.005;
+    text.outlineColor = 0x333333;
+    text.quaternion.copy(this.camera.quaternion);
+
+    // Re-render on text changes
+    text.sync(() => {
+      renderLoop.requestRender();
+    });
+    return text;
   }
 
   dispose(scene: THREE.Scene) {

pkgs/clan-app/ui/src/scene/RenderLoop.ts

@@ -1,7 +1,7 @@
 import { Scene, Camera, WebGLRenderer } from "three";
 import { MapControls } from "three/examples/jsm/controls/MapControls.js";
 import { CSS2DRenderer } from "three/examples/jsm/renderers/CSS2DRenderer.js";
-
+import * as THREE from "three";
 /**
  * Private class to manage the render loop
  * @internal
@@ -93,6 +93,18 @@ class RenderLoop {
 
     this.renderer.render(this.bgScene, this.bgCamera);
     this.renderer.render(this.scene, this.camera);
+
+    this.scene.traverse((obj) => {
+      if (obj.userData.isLabel) {
+        (obj as THREE.Mesh).quaternion.copy(this.camera.quaternion);
+      }
+      // if (obj.userData.isLabel) {
+      //   const camPos = new THREE.Vector3();
+      //   this.camera.getWorldPosition(camPos);
+      //   obj.lookAt(new THREE.Vector3(camPos.x, obj.position.y, camPos.z));
+      // }
+    });
+
     this.labelRenderer.render(this.scene, this.camera);
   }
 

pkgs/clan-app/ui/src/scene/cubes.tsx

@@ -5,6 +5,7 @@ import {
   onMount,
   on,
   JSX,
+  Show,
 } from "solid-js";
 import "./cubes.css";
 
@@ -22,6 +23,29 @@ import { renderLoop } from "./RenderLoop";
 import { ObjectRegistry } from "./ObjectRegistry";
 import { MachineManager } from "./MachineManager";
 import cx from "classnames";
+import { Portal } from "solid-js/web";
+import { Menu } from "../components/ContextMenu/ContextMenu";
+import { clearHighlight, setHighlightGroups } from "./highlightStore";
+
+function intersectMachines(
+  event: MouseEvent,
+  renderer: THREE.WebGLRenderer,
+  camera: THREE.Camera,
+  machineManager: MachineManager,
+  raycaster: THREE.Raycaster,
+): string[] {
+  const rect = renderer.domElement.getBoundingClientRect();
+  const mouse = new THREE.Vector2(
+    ((event.clientX - rect.left) / rect.width) * 2 - 1,
+    -((event.clientY - rect.top) / rect.height) * 2 + 1,
+  );
+  raycaster.setFromCamera(mouse, camera);
+  const intersects = raycaster.intersectObjects(
+    Array.from(machineManager.machines.values().map((m) => m.group)),
+  );
+
+  return intersects.map((i) => i.object.userData.id);
+}
 
 function garbageCollectGroup(group: THREE.Group) {
   for (const child of group.children) {
@@ -64,7 +88,7 @@ export function useMachineClick() {
 
 /*Gloabl signal*/
 const [worldMode, setWorldMode] = createSignal<
-  "default" | "select" | "service" | "create"
+  "default" | "select" | "service" | "create" | "move"
 >("select");
 export { worldMode, setWorldMode };
 
@@ -88,7 +112,7 @@ export function CubeScene(props: {
   let controls: MapControls;
   // Raycaster for clicking
   const raycaster = new THREE.Raycaster();
-  let initBase: THREE.Mesh | undefined;
+  let actionBase: THREE.Mesh | undefined;
 
   // Create background scene
   const bgScene = new THREE.Scene();
@@ -111,6 +135,10 @@ export function CubeScene(props: {
     position: { x: 0, y: 0, z: 0 },
     spherical: { radius: 0, theta: 0, phi: 0 },
   });
+  // Context menu state
+  const [contextOpen, setContextOpen] = createSignal(false);
+  const [menuPos, setMenuPos] = createSignal<{ x: number; y: number }>();
+  const [menuIntersection, setMenuIntersection] = createSignal<string[]>([]);
 
   // Grid configuration
   const GRID_SIZE = 1;
@@ -126,8 +154,10 @@ export function CubeScene(props: {
   const BASE_COLOR = 0xecfdff;
   const BASE_EMISSIVE = 0x0c0c0c;
 
-  const CREATE_BASE_COLOR = 0x636363;
+  const ACTION_BASE_COLOR = 0x636363;
+
   const CREATE_BASE_EMISSIVE = 0xc5fad7;
+  const MOVE_BASE_EMISSIVE = 0xb2d7ff;
 
   function createCubeBase(
     cube_pos: [number, number, number],
@@ -148,12 +178,6 @@ export function CubeScene(props: {
     return base;
   }
 
-  function toggleSelection(id: string) {
-    const next = new Set<string>();
-    next.add(id);
-    props.onSelect(next);
-  }
-
   const initialCameraPosition = { x: 20, y: 20, z: 20 };
   const initialSphericalCameraPosition = new THREE.Spherical();
   initialSphericalCameraPosition.setFromVector3(
@@ -350,15 +374,15 @@ export function CubeScene(props: {
     );
 
     // Important create CubeBase depends on sharedBaseGeometry
-    initBase = createCubeBase(
+    actionBase = createCubeBase(
       [1, BASE_HEIGHT / 2, 1],
       1,
-      CREATE_BASE_COLOR,
+      ACTION_BASE_COLOR,
       CREATE_BASE_EMISSIVE,
     );
-    initBase.visible = false;
+    actionBase.visible = false;
 
-    scene.add(initBase);
+    scene.add(actionBase);
 
     // const spherical = new THREE.Spherical();
     // spherical.setFromVector3(camera.position);
@@ -387,9 +411,9 @@ export function CubeScene(props: {
     createEffect(
       on(worldMode, (mode) => {
         if (mode === "create") {
-          initBase!.visible = true;
+          actionBase!.visible = true;
         } else {
-          initBase!.visible = false;
+          actionBase!.visible = false;
         }
         renderLoop.requestRender();
       }),
@@ -404,6 +428,7 @@ export function CubeScene(props: {
       props.cubesQuery,
       props.selectedIds,
       props.setMachinePos,
+      camera,
     );
 
     // Click handler:
@@ -426,11 +451,21 @@ export function CubeScene(props: {
             console.error("Error creating cube:", error);
           })
           .finally(() => {
-            if (initBase) initBase.visible = false;
+            if (actionBase) actionBase.visible = false;
 
             setWorldMode("default");
           });
       }
+      if (worldMode() === "move") {
+        console.log("sanpped");
+        const currId = menuIntersection().at(0);
+        const pos = cursorPosition();
+        if (!currId || !pos) return;
+
+        props.setMachinePos(currId, pos);
+        setWorldMode("select");
+        clearHighlight("move");
+      }
 
       const rect = renderer.domElement.getBoundingClientRect();
       const mouse = new THREE.Vector2(
@@ -447,13 +482,13 @@ export function CubeScene(props: {
         console.log("Clicked on cube:", intersects);
         const id = intersects[0].object.userData.id;
 
-        if (worldMode() === "select") toggleSelection(id);
+        if (worldMode() === "select") props.onSelect(new Set<string>([id]));
 
         emitMachineClick(id); // notify subscribers
       } else {
         emitMachineClick(null);
 
-        props.onSelect(new Set<string>()); // Clear selection if clicked outside cubes
+        if (worldMode() === "select") props.onSelect(new Set<string>());
       }
     };
 
@@ -484,18 +519,28 @@ export function CubeScene(props: {
       renderLoop.requestRender();
     };
 
+    const handleMouseDown = (e: MouseEvent) => {
+      if (e.button === 2) {
+        e.preventDefault();
+        e.stopPropagation();
+        const intersection = intersectMachines(
+          e,
+          renderer,
+          camera,
+          machineManager,
+          raycaster,
+        );
+        if (!intersection.length) return;
+        setMenuIntersection(intersection);
+        setMenuPos({ x: e.clientX, y: e.clientY });
+        setContextOpen(true);
+      }
+    };
+
+    renderer.domElement.addEventListener("mousedown", handleMouseDown);
     renderer.domElement.addEventListener("mousemove", onMouseMove);
 
     window.addEventListener("resize", handleResize);
-    // For debugging,
-    // TODO: Remove in production
-    window.addEventListener(
-      "contextmenu",
-      (e) => {
-        e.stopPropagation();
-      },
-      { capture: true },
-    );
 
     // Initial render
     renderLoop.requestRender();
@@ -522,12 +567,12 @@ export function CubeScene(props: {
       renderer.domElement.removeEventListener("mousemove", onMouseMove);
       window.removeEventListener("resize", handleResize);
 
-      if (initBase) {
-        initBase.geometry.dispose();
-        if (Array.isArray(initBase.material)) {
-          initBase.material.forEach((material) => material.dispose());
+      if (actionBase) {
+        actionBase.geometry.dispose();
+        if (Array.isArray(actionBase.material)) {
+          actionBase.material.forEach((material) => material.dispose());
         } else {
-          initBase.material.dispose();
+          actionBase.material.dispose();
         }
       }
 
@@ -543,10 +588,18 @@ export function CubeScene(props: {
     renderLoop.requestRender();
   };
   const onMouseMove = (event: MouseEvent) => {
-    if (worldMode() !== "create") return;
-    if (!initBase) return;
+    if (!(worldMode() === "create" || worldMode() === "move")) return;
+    if (!actionBase) return;
 
-    initBase.visible = true;
+    console.log("Mouse move in create/move mode");
+
+    actionBase.visible = true;
+    (actionBase.material as THREE.MeshPhongMaterial).emissive.set(
+      worldMode() === "create" ? CREATE_BASE_EMISSIVE : MOVE_BASE_EMISSIVE,
+    );
+
+    // Calculate mouse position in normalized device coordinates
+    // (-1 to +1) for both components
 
     const rect = renderer.domElement.getBoundingClientRect();
     const mouse = new THREE.Vector2(
@@ -577,21 +630,37 @@ export function CubeScene(props: {
       }
 
       if (
-        Math.abs(initBase.position.x - snapped.x) > 0.01 ||
-        Math.abs(initBase.position.z - snapped.z) > 0.01
+        Math.abs(actionBase.position.x - snapped.x) > 0.01 ||
+        Math.abs(actionBase.position.z - snapped.z) > 0.01
       ) {
         // Only request render if the position actually changed
-        initBase.position.set(snapped.x, 0, snapped.z);
+        actionBase.position.set(snapped.x, 0, snapped.z);
         setCursorPosition([snapped.x, snapped.z]); // Update next position for cube creation
         renderLoop.requestRender();
       }
     }
   };
+  const handleMenuSelect = (mode: "move") => {
+    setWorldMode(mode);
+    setHighlightGroups({ move: new Set(menuIntersection()) });
+    console.log("Menu selected, new World mode", worldMode());
+  };
 
   const machinesQuery = useMachinesQuery(props.clanURI);
 
   return (
     <>
+      <Show when={contextOpen()}>
+        <Portal mount={document.body}>
+          <Menu
+            onSelect={handleMenuSelect}
+            intersect={menuIntersection()}
+            x={menuPos()!.x - 10}
+            y={menuPos()!.y - 10}
+            close={() => setContextOpen(false)}
+          />
+        </Portal>
+      </Show>
       <div
         class={cx(
           "cubes-scene-container",

pkgs/clan-app/ui/src/workflows/AddMachine/StepTags.tsx

@@ -63,7 +63,6 @@ export const StepTags = (props: { onDone: () => void }) => {
         store.onCreated(store.general.name);
       }
     }
-    console.log("Done creating machine");
     props.onDone();
   };
 

pkgs/clan-app/ui/src/workflows/Service/Service.tsx

@@ -49,11 +49,8 @@ type ModuleItem = ServiceModules["modules"][number];
 
 interface Module {
   value: string;
-  input?: string | null;
   label: string;
-  description: string;
   raw: ModuleItem;
-  instances: string[];
 }
 
 const SelectService = () => {
@@ -70,11 +67,8 @@ const SelectService = () => {
       setModuleOptions(
         serviceModulesQuery.data.modules.map((currService) => ({
           value: `${currService.usage_ref.name}:${currService.usage_ref.input}`,
-          label: currService.info.manifest.name,
-          description: currService.info.manifest.description,
-          input: currService.usage_ref.input,
+          label: currService.usage_ref.name,
           raw: currService,
-          instances: currService.instance_refs,
         })),
       );
     }
@@ -100,14 +94,14 @@ const SelectService = () => {
         // For now:
         // Create a new instance, if there are no instances yet
         // Update the first instance, if there is one
-        if (module.instances.length === 0) {
+        if (module.raw.instance_refs.length === 0) {
           set("action", "create");
         } else {
           if (!serviceInstancesQuery.data) return;
           if (!machinesQuery.data) return;
           set("action", "update");
 
-          const instanceName = module.instances[0];
+          const instanceName = module.raw.instance_refs[0];
           const instance = serviceInstancesQuery.data[instanceName];
           console.log("Editing existing instance", module);
 
@@ -157,7 +151,7 @@ const SelectService = () => {
             </div>
             <div class="flex w-full flex-col">
               <Combobox.ItemLabel class="flex gap-1.5">
-                <Show when={item.instances.length > 0}>
+                <Show when={item.raw.instance_refs.length > 0}>
                   <div class="flex items-center rounded bg-[#76FFA4] px-1 py-0.5">
                     <Typography hierarchy="label" weight="bold" size="xxs">
                       Added
@@ -176,12 +170,12 @@ const SelectService = () => {
                 inverted
                 class="flex justify-between"
               >
-                <span class="inline-block max-w-48 truncate align-middle">
-                  {item.description}
+                <span class="inline-block max-w-80 truncate align-middle">
+                  {item.raw.info.manifest.description}
                 </span>
-                <span class="inline-block max-w-12 truncate align-middle">
+                <span class="inline-block max-w-32 truncate align-middle">
                   <Show when={!item.raw.native} fallback="by clan-core">
-                    by {item.input}
+                    by {item.raw.usage_ref.input}
                   </Show>
                 </span>
               </Typography>

pkgs/generate-test-vars/flake-module.nix

@@ -4,12 +4,14 @@
     {
       config,
       pkgs,
+      self',
       ...
     }:
     {
-      # devShells.vars-generator = pkgs.callPackage ./shell.nix {
+      devShells.vars-generator = pkgs.callPackage ./shell.nix {
+        inherit (self'.packages) generate-test-vars;
+      };
 
-      # };
       packages.generate-test-vars = pkgs.python3.pkgs.callPackage ./default.nix {
         inherit (config.packages) clan-cli;
       };

pkgs/generate-test-vars/generate_test_vars/cli.py

@@ -51,10 +51,23 @@ class TestFlake(Flake):
       clan-core#checks.<system>.<test_name>
     """
 
-    def __init__(self, check_attr: str, *args: Any, **kwargs: Any) -> None:
+    def __init__(
+        self, check_attr: str, test_dir: Path, *args: Any, **kwargs: Any
+    ) -> None:
         """Initialize the TestFlake with the check attribute."""
         super().__init__(*args, **kwargs)
         self.check_attr = check_attr
+        self.test_dir = test_dir
+
+    @override
+    def precache(self, selectors: list[str]) -> None:
+        # Precaching is broken since 501d02056222216330b3820d1c252ffdc81b7daf
+        # TODO @DavHau pls fix!
+        pass
+
+    @property
+    def path(self) -> Path:
+        return self.test_dir
 
     def select_machine(self, machine_name: str, selector: str) -> Any:
         """Select a nix attribute for a specific machine.
@@ -183,7 +196,7 @@ def main() -> None:
     if system.endswith("-darwin"):
         test_system = system.rstrip("darwin") + "linux"
 
-    flake = TestFlake(opts.check_attr, str(opts.repo_root))
+    flake = TestFlake(opts.check_attr, test_dir, str(opts.repo_root))
     machine_names = get_machine_names(
         opts.repo_root,
         opts.check_attr,
@@ -197,6 +210,7 @@ def main() -> None:
     )
 
     # This hack is necessary because the sops store uses flake.path to find the machine keys
+    # This hack does not work because flake.invalidate_cache resets _path
     flake._path = opts.test_dir  # noqa: SLF001
 
     machines = [
@@ -205,6 +219,7 @@ def main() -> None:
     user = "admin"
     admin_key_path = Path(test_dir.resolve() / "sops" / "users" / user / "key.json")
     admin_key_path.parent.mkdir(parents=True, exist_ok=True)
+    os.environ["SOPS_AGE_KEY_FILE"] = str(admin_key_path)
     admin_key_path.write_text(
         json.dumps(
             {

pkgs/generate-test-vars/shell.nix

@@ -0,0 +1,7 @@
+{ pkgs, generate-test-vars }:
+pkgs.mkShell {
+  inputsFrom = [
+    generate-test-vars
+  ];
+  # packages = with pkgs; [ python3 ];
+}