WIP: zerotier refactor

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/5218

.gitea/workflows/deploy.yaml

@@ -8,6 +8,6 @@ jobs:
     runs-on: nix
     steps:
       - uses: actions/checkout@v4
-      - run: nix run .#deploy-docs
+      - run: nix run --print-build-logs .#deploy-docs
     env:
       SSH_HOMEPAGE_KEY: ${{ secrets.SSH_HOMEPAGE_KEY }}

.gitignore

@@ -52,3 +52,5 @@ pkgs/clan-app/ui/.fonts
 *.gif
 *.mp4
 *.mkv
+
+.jj

README.md

@@ -30,7 +30,7 @@ In the Clan ecosystem, security is paramount. Learn how to handle secrets effect
 
 The Clan project thrives on community contributions. We welcome everyone to contribute and collaborate:
 
-- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/contributing/contributing/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
+- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/guides/contributing/CONTRIBUTING/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
 
 ## Join the revolution
 

checks/clan-core-for-checks.nix

@@ -1,6 +0,0 @@
-{ fetchgit }:
-fetchgit {
-  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "5d884cecc2585a29b6a3596681839d081b4de192";
-  sha256 = "09is1afmncamavb2q88qac37vmsijxzsy1iz1vr6gsyjq2rixaxc";
-}

checks/flake-module.nix

@@ -12,7 +12,6 @@ let
     elem
     filter
     filterAttrs
-    flip
     genAttrs
     hasPrefix
     pathExists
@@ -45,7 +44,7 @@ in
   flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
     system:
     let
-      checks = flip filterAttrs self.checks.${system} (
+      checks = filterAttrs (
         name: _check:
         !(hasPrefix "nixos-test-" name)
         && !(hasPrefix "nixos-" name)
@@ -57,7 +56,7 @@ in
           "clan-core-for-checks"
           "clan-deps"
         ])
-      );
+      ) self.checks.${system};
     in
     inputs.nixpkgs.legacyPackages.${system}.runCommand "fast-flake-checks-${system}"
       { passthru.checks = checks; }

checks/flash/flake-module.nix

@@ -29,9 +29,20 @@
         imports = [ self.nixosModules.test-install-machine-without-system ];
 
         clan.core.vars.generators.test = lib.mkForce { };
-
         disko.devices.disk.main.preCreateHook = lib.mkForce "";
+
+        # Every option here should match the options set through `clan flash write`
+        # if you get a mass rebuild on the disko derivation, this means you need to
+        # adjust something here. Also make sure that the injected json in clan flash write
+        # is up to date.
+        i18n.defaultLocale = "de_DE.UTF-8";
+        console.keyMap = "de";
+        services.xserver.xkb.layout = "de";
+        users.users.root.openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target\n"
+        ];
       };
+
   };
 
   perSystem =
@@ -44,12 +55,15 @@
       dependencies = [
         pkgs.disko
         pkgs.buildPackages.xorg.lndir
+        pkgs.glibcLocales
+        pkgs.kbd.out
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
 
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
+        (import ../installation/facter-report.nix pkgs.hostPlatform.system)
       ]
       ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
@@ -82,10 +96,10 @@
           };
           testScript = ''
             start_all()
-
+            machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
             # Some distros like to automount disks with spaces
             machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
           '';
         } { inherit pkgs self; };
       };

checks/installation/facter-report.nix

@@ -0,0 +1,10 @@
+system:
+builtins.fetchurl {
+  url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${system}.json";
+  sha256 =
+    {
+      aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
+      x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
+    }
+    .${system};
+}

checks/installation/flake-module.nix

@@ -18,27 +18,23 @@
     fileSystems."/".device = lib.mkDefault "/dev/vda";
     boot.loader.grub.device = lib.mkDefault "/dev/vda";
 
-    imports = [ self.nixosModules.test-install-machine-without-system ];
+    imports = [
+      self.nixosModules.test-install-machine-without-system
+    ];
   };
+
   clan.machines.test-install-machine-with-system =
     { pkgs, ... }:
     {
       # https://git.clan.lol/clan/test-fixtures
-      facter.reportPath = builtins.fetchurl {
-        url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${pkgs.hostPlatform.system}.json";
-        sha256 =
-          {
-            aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
-            x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
-          }
-          .${pkgs.hostPlatform.system};
-      };
+      facter.reportPath = import ./facter-report.nix pkgs.hostPlatform.system;
 
       fileSystems."/".device = lib.mkDefault "/dev/vda";
       boot.loader.grub.device = lib.mkDefault "/dev/vda";
 
       imports = [ self.nixosModules.test-install-machine-without-system ];
     };
+
   flake.nixosModules = {
     test-install-machine-without-system =
       { lib, modulesPath, ... }:
@@ -159,6 +155,7 @@
               pkgs.stdenv.drvPath
               pkgs.bash.drvPath
               pkgs.buildPackages.xorg.lndir
+              (import ./facter-report.nix pkgs.hostPlatform.system)
             ]
             ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
           };

checks/morph/flake-module.nix

@@ -35,6 +35,7 @@
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
+                  (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                 ]
                 ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };

checks/update/flake-module.nix

@@ -112,6 +112,7 @@
                     pkgs.stdenv.drvPath
                     pkgs.bash.drvPath
                     pkgs.buildPackages.xorg.lndir
+                    (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                   ]
                   ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 };

clanServices/admin/default.nix

@@ -1,4 +1,3 @@
-{ ... }:
 {
   _class = "clan.service";
   manifest.name = "clan-core/admin";

clanServices/admin/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/borgbackup/README.md

@@ -5,7 +5,7 @@ inventory.instances = {
   borgbackup = {
     module = {
       name = "borgbackup";
-      input = "clan";
+      input = "clan-core";
     };
     roles.client.machines."jon".settings = {
       destinations."storagebox" = {

clanServices/borgbackup/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/certificates/README.md

@@ -0,0 +1,32 @@
+This service sets up a certificate authority (CA) that can issue certificates to
+other machines in your clan. For this the `ca` role is used.
+It additionally provides a `default` role, that can be applied to all machines
+in your clan and will make sure they trust your CA.
+
+## Example Usage
+
+The following configuration would add a CA for the top level domain `.foo`. If
+the machine `server` now hosts a webservice at `https://something.foo`, it will
+get a certificate from `ca` which is valid inside your clan. The machine
+`client` will trust this certificate if it makes a request to
+`https://something.foo`.
+
+This clan service can be combined with the `coredns` service for easy to deploy,
+SSL secured clan-internal service hosting.
+
+```nix
+inventory = {
+  machines.ca = { };
+  machines.client = { };
+  machines.server = { };
+
+  instances."certificates" = {
+    module.name = "certificates";
+    module.input = "self";
+
+    roles.ca.machines.ca.settings.tlds = [ "foo" ];
+    roles.default.machines.client = { };
+    roles.default.machines.server = { };
+  };
+};
+```

clanServices/certificates/default.nix

@@ -0,0 +1,245 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "certificates";
+  manifest.description = "Sets up a certificates internal to your Clan";
+  manifest.categories = [ "Network" ];
+  manifest.readme = builtins.readFile ./README.md;
+
+  roles.ca = {
+
+    interface =
+      { lib, ... }:
+      {
+
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+
+        options.tlds = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          description = "Top level domain for this CA. Certificates will be issued and trusted for *.<tld>";
+        };
+
+        options.expire = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          description = "When the certificate should expire.";
+          default = "8760h";
+          example = "8760h";
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule =
+          {
+            config,
+            pkgs,
+            lib,
+            ...
+          }:
+          let
+            domains = map (tld: "ca.${tld}") settings.tlds;
+          in
+          {
+            security.acme.defaults.email = settings.acmeEmail;
+            security.acme = {
+              certs = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    server = "https://${domain}:1443/acme/acme/directory";
+                  };
+                }) domains
+              );
+            };
+
+            networking.firewall.allowedTCPPorts = [
+              80
+              443
+            ];
+
+            services.nginx = {
+              enable = true;
+              recommendedProxySettings = true;
+              virtualHosts = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    addSSL = true;
+                    enableACME = true;
+                    locations."/".proxyPass = "https://localhost:1443";
+                    locations."= /ca.crt".alias =
+                      config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                  };
+                }) domains
+              );
+            };
+
+            clan.core.vars.generators = {
+
+              # Intermediate key generator
+              "step-intermediate-key" = {
+                files."intermediate.key" = {
+                  secret = true;
+                  deploy = true;
+                  owner = "step-ca";
+                  group = "step-ca";
+                };
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key
+                '';
+              };
+
+              # Intermediate certificate generator
+              "step-intermediate-cert" = {
+                files."intermediate.crt".secret = false;
+                dependencies = [
+                  "step-ca"
+                  "step-intermediate-key"
+                ];
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  # Create intermediate certificate
+                  step certificate create \
+                    --ca $in/step-ca/ca.crt \
+                    --ca-key $in/step-ca/ca.key \
+                    --ca-password-file /dev/null \
+                    --key $in/step-intermediate-key/intermediate.key \
+                    --template ${pkgs.writeText "intermediate.tmpl" ''
+                      {
+                        "subject": {{ toJson .Subject }},
+                        "keyUsage": ["certSign", "crlSign"],
+                        "basicConstraints": {
+                          "isCA": true,
+                          "maxPathLen": 0
+                        },
+                        "nameConstraints": {
+                          "critical": true,
+                          "permittedDNSDomains": [${
+                            (lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.tlds))
+                          }]
+                        }
+                      }
+                    ''} ${lib.optionalString (settings.expire != null) "--not-after ${settings.expire}"} \
+                    --not-before=-12h \
+                    --no-password --insecure \
+                    "Clan Intermediate CA" \
+                    $out/intermediate.crt
+                '';
+              };
+            };
+
+            services.step-ca = {
+              enable = true;
+              intermediatePasswordFile = "/dev/null";
+              address = "0.0.0.0";
+              port = 1443;
+              settings = {
+                root = config.clan.core.vars.generators.step-ca.files."ca.crt".path;
+                crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path;
+                dnsNames = domains;
+                logger.format = "text";
+                db = {
+                  type = "badger";
+                  dataSource = "/var/lib/step-ca/db";
+                };
+                authority = {
+                  provisioners = [
+                    {
+                      type = "ACME";
+                      name = "acme";
+                      forceCN = true;
+                    }
+                  ];
+                  claims = {
+                    maxTLSCertDuration = "2160h";
+                    defaultTLSCertDuration = "2160h";
+                  };
+                  backdate = "1m0s";
+                };
+                tls = {
+                  cipherSuites = [
+                    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+                  ];
+                  minVersion = 1.2;
+                  maxVersion = 1.3;
+                  renegotiation = false;
+                };
+              };
+            };
+          };
+      };
+  };
+
+  # Empty role, so we can add non-ca machins to the instance to trust the CA
+  roles.default = {
+    interface =
+      { lib, ... }:
+      {
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule.security.acme.defaults.email = settings.acmeEmail;
+      };
+  };
+
+  # All machines (independent of role) will trust the CA
+  perMachine.nixosModule =
+    { pkgs, config, ... }:
+    {
+      # Root CA generator
+      clan.core.vars.generators = {
+        "step-ca" = {
+          share = true;
+          files."ca.key" = {
+            secret = true;
+            deploy = false;
+          };
+          files."ca.crt".secret = false;
+          runtimeInputs = [ pkgs.step-cli ];
+          script = ''
+            step certificate create --template ${pkgs.writeText "root.tmpl" ''
+              {
+                "subject": {{ toJson .Subject }},
+                "issuer": {{ toJson .Subject }},
+                "keyUsage": ["certSign", "crlSign"],
+                "basicConstraints": {
+                  "isCA": true,
+                  "maxPathLen": 1
+                }
+              }
+            ''} "Clan Root CA" $out/ca.crt $out/ca.key \
+              --kty EC --curve P-256 \
+              --not-after=8760h \
+              --not-before=-12h \
+              --no-password --insecure
+          '';
+        };
+      };
+      security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ];
+      environment.systemPackages = [ pkgs.openssl ];
+      security.acme.acceptTerms = true;
+    };
+}

clanServices/certificates/flake-module.nix

@@ -0,0 +1,17 @@
+{
+  ...
+}:
+let
+  module = ./default.nix;
+in
+{
+  clan.modules.certificates = module;
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.certificates = {
+        imports = [ ./tests/vm/default.nix ];
+        clan.modules.certificates = module;
+      };
+    };
+}

clanServices/certificates/tests/vm/default.nix

@@ -0,0 +1,84 @@
+{
+  name = "certificates";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+
+      machines.ca = { }; # 192.168.1.1
+      machines.client = { }; # 192.168.1.2
+      machines.server = { }; # 192.168.1.3
+
+      instances."certificates" = {
+        module.name = "certificates";
+        module.input = "self";
+
+        roles.ca.machines.ca.settings.tlds = [ "foo" ];
+        roles.default.machines.client = { };
+        roles.default.machines.server = { };
+      };
+    };
+  };
+
+  nodes =
+    let
+      hostConfig = ''
+        192.168.1.1 ca.foo
+        192.168.1.3 test.foo
+      '';
+    in
+    {
+
+      client.networking.extraHosts = hostConfig;
+      ca.networking.extraHosts = hostConfig;
+
+      server = {
+
+        networking.extraHosts = hostConfig;
+
+        # TODO: Could this be set automatically?
+        # I would like to get this information from the coredns module, but we
+        # cannot model dependencies yet
+        security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
+
+        # Host a simple service on 'server', with SSL provided via our CA. 'client'
+        # should be able to curl it via https and accept the certificates
+        # presented
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
+
+        services.nginx = {
+          enable = true;
+          virtualHosts."test.foo" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/" = {
+              return = "200 'test server response'";
+              extraConfig = "add_header Content-Type text/plain;";
+            };
+          };
+        };
+      };
+    };
+
+  testScript = ''
+    start_all()
+
+    import time
+
+    time.sleep(3)
+    ca.succeed("systemctl restart acme-order-renew-ca.foo.service ")
+
+    time.sleep(3)
+    server.succeed("systemctl restart acme-test.foo.service")
+
+    # It takes a while for the correct certs to appear (before that self-signed
+    # are presented by nginx) so we wait for a bit.
+    client.wait_until_succeeds("curl -v https://test.foo")
+
+    # Show certificate information for debugging
+    client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -text -noout 1>&2")
+  '';
+}

clanServices/certificates/tests/vm/sops/machines/ca/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/client/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1js225d8jc507sgcg0fdfv2x3xv3asm4ds5c6s4hp37nq8spxu95sc5x3ce",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/server/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1nwuh8lc604mnz5r8ku8zswyswnwv02excw237c0cmtlejp7xfp8sdrcwfa",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:6+XilULKRuWtAZ6B8Lj9UqCfi1T6dmqrDqBNXqS4SvBwM1bIWiL6juaT1Q7ByOexzID7tY740gmQBqTey54uLydh8mW0m4ZtUqw=,iv:9kscsrMPBGkutTnxrc5nrc7tQXpzLxw+929pUDKqTu0=,tag:753uIjm8ZRs0xsjiejEY8g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d3kycldZRXhmR0FqTXJp\nWWU0MDBYNmxxbFE5M2xKYm5KWnQ0MXBHNEM4CjN4RFFVcFlkd3pjTFVDQ3Vackdj\nVTVhMWoxdFpsWHp5S1p4L05kYk5LUkkKLS0tIENtZFZZTjY2amFVQmZLZFplQzBC\nZm1vWFI4MXR1ZHIxTTQ5VXdSYUhvOTQKte0bKjXQ0xA8FrpuChjDUvjVqp97D8kT\n3tVh6scdjxW48VSBZP1GRmqcMqCdj75GvJTbWeNEV4PDBW7GI0UW+Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:39Z",
+		"mac": "ENC[AES256_GCM,data:AftMorrH7qX5ctVu5evYHn5h9pC4Mmm2VYaAV8Hy0PKTc777jNsL6DrxFVV3NVqtecpwrzZFWKgzukcdcRJe4veVeBrusmoZYtifH0AWZTEVpVlr2UXYYxCDmNZt1WHfVUo40bT//X6QM0ye6a/2Y1jYPbMbryQNcGmnpk9PDvU=,iv:5nk+d8hzA05LQp7ZHRbIgiENg2Ha6J6YzyducM6zcNU=,tag:dy1hqWVzMu/+fSK57h9ZCA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:jdTuGQUYvT1yXei1RHKsOCsABmMlkcLuziHDVhA7NequZeNu0fSbrJTXQDCHsDGhlYRcjU5EsEDT750xdleXuD3Gs9zWvPVobI4=,iv:YVow3K1j6fzRF9bRfIEpuOkO/nRpku/UQxWNGC+UJQQ=,tag:cNLM5R7uu6QpwPB9K6MYzg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOVF2WXRSL0NpQzFZR01I\nNU85TGcyQmVDazN1dmpuRFVTZEg5NDRKTGhrCk1IVjFSU1V6WHBVRnFWcHkyVERr\nTjFKbW1mQ2FWOWhjN2VPamMxVEQ5VkkKLS0tIENVUGlhanhuWGtDKzBzRmk2dE4v\nMXZBRXNMa3IrOTZTNHRUWVE3UXEwSWMK2cBLoL/H/Vxd/klVrqVLdX9Mww5j7gw/\nEWc5/hN+km6XoW+DiJxVG4qaJ7qqld6u5ZnKgJT+2h9CfjA04I2akg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:51Z",
+		"mac": "ENC[AES256_GCM,data:zOBQVM2Ydu4v0+Fw3p3cEU+5+7eKaadV0tKro1JVOxclG1Vs6Myq57nw2eWf5JxIl0ulL+FavPKY26qOQ3aqcGOT3PMRlCda9z+0oSn9Im9bE/DzAGmoH/bp76kFkgTTOCZTMUoqJ+UJqv0qy1BH/92sSSKmYshEX6d1vr5ISrw=,iv:i9ZW4sLxOCan4UokHlySVr1CW39nCTusG4DmEPj/gIw=,tag:iZBDPHDkE3Vt5mFcFu1TPQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:5CJuHcxJMXZJ8GqAeG3BrbWtT1kade4kxgJsn1cRpmr1UgN0ZVYnluPEiBscClNSOzcc6vcrBpfTI3dj1tASKTLP58M+GDBFQDo=,iv:gsK7XqBGkYCoqAvyFlIXuJ27PKSbTmy7f6cgTmT2gow=,tag:qG5KejkBvy9ytfhGXa/Mnw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzVqYkplTzJKN1pwS3VM\naFFIK2VsR3lYUVExYW9ieERBL0tlcFZtVzJRCkpiLzdmWmFlOUZ5QUJ4WkhXZ2tQ\nZm92YXBCV0RpYnIydUdEVTRiamI4bjAKLS0tIG93a2htS1hFcjBOeVFnNCtQTHVr\na2FPYjVGbWtORjJVWXE5bndPU1RWcXMKikMEB7X+kb7OtiyqXn3HRpLYkCdoayDh\n7cjGnplk17q25/lRNHM4JVS5isFfuftCl01enESqkvgq+cwuFwa9DQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:59Z",
+		"mac": "ENC[AES256_GCM,data:xybV2D0xukZnH2OwRpIugPnS7LN9AbgGKwFioPJc1FQWx9TxMUVDwgMN6V5WrhWkXgF2zP4krtDYpEz4Vq+LbOjcnTUteuCc+7pMHubuRuip7j+M32MH1kuf4bVZuXbCfvm7brGxe83FzjoioLqzA8g/X6Q1q7/ErkNeFjluC3Q=,iv:QEW3EUKSRZY3fbXlP7z+SffWkQeXwMAa5K8RQW7NvPE=,tag:DhFxY7xr7H1Wbd527swD0Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVegAwIBAgIQbT1Ivm+uwyf0HNkJfan2BTAKBggqhkjOPQQDAjAXMRUw
+EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwOTAxMjA0MzAzWhcNMjYwOTAyMDg0
+MzAzWjAfMR0wGwYDVQQDExRDbGFuIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABDXCNrUIotju9P1U6JxLV43sOxLlRphQJS4dM+lvjTZc
+aQ+HwQg0AHVlQNRwS3JqKrJJtJVyKbZklh6eFaDPoj6jfTB7MA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRKHaccHgP2ccSWVBWN
+zGoDdTg7aTAfBgNVHSMEGDAWgBSfsnz4phMJx9su/kgeF/FbZQCBgzAVBgNVHR4B
+Af8ECzAJoAcwBYIDZm9vMAoGCCqGSM49BAMCA0cAMEQCICiUDk1zGNzpS/iVKLfW
+zUGaCagpn2mCx4xAXQM9UranAiAn68nVYGWjkzhU31wyCAupxOjw7Bt96XXqIAz9
+hLLtMA==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca

@@ -0,0 +1 @@
+../../../../../../sops/machines/ca

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:Auonh9fa7jSkld1Zyxw74x5ydj6Xc+0SOgiqumVETNCfner9K96Rmv1PkREuHNGWPsnzyEM3pRT8ijvu3QoKvy9QPCCewyT07Wqe4G74+bk1iMeAHsV3To6kHs6M8OISvE+CmG0+hlLmdfRSabTzyWPLHbOjvFTEEuA5G7xiryacSYOE++eeEHdn+oUDh/IMTcfLjCGMjsXFikx1Hb+ofeRTlCg47+0w4MXVvQkOzQB5V2C694jZXvZ19jd/ioqr8YASz2xatGvqwW6cpZxqOWyZJ0UAj/6yFk6tZWifqVB3wgU=,iv:ITFCrDkeWl4GWCebVq15ei9QmkOLDwUIYojKZ2TU6JU=,tag:8k4iYbCIusUykY79H86WUQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsT25UbjJTQ2tzbnQyUm9p\neWx1UlZIeVpocnBqUCt0YnFlN2FOU25Lb0hNCmdXUUsyalRTbHRRQ0NLSGc1YllV\nUXRwaENhaXU1WmdnVDE0UWprUUUyeDAKLS0tIHV3dHU3aG5JclM0V3FadzN0SU14\ndFptbEJUNXQ4QVlqbkJ1TjAvdDQwSGsKcKPWUjhK7wzIpdIdksMShF2fpLdDTUBS\nZiU7P1T+3psxad9qhapvU0JrAY+9veFaYVEHha2aN/XKs8HqUcTp3A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFVteVZwVGVmRE9NT3hG\nNGMyS3FSaXluM1FpeUp6SDVMUEpwYzg5SmdvCkRPU0QyU1JicGNkdlMyQWVkT0k3\nL2YrbDhWeGk4WFhxcUFmTmhZQ0pEQncKLS0tIG85Ui9rKzBJQ2VkMFBUQTMvSTlu\nbm8rZ09Wa24rQkNvTTNtYTZBN3MrZlkK7cjNhlUKZdOrRq/nKUsbUQgNTzX8jO+0\nzADpz6WCMvsJ15xazc10BGh03OtdMWl5tcoWMaZ71HWtI9Gip5DH0w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:42Z",
+		"mac": "ENC[AES256_GCM,data:9xlO5Yis8DG/y8GjvP63NltD4xEL7zqdHL2cQE8gAoh/ZamAmK5ZL0ld80mB3eIYEPKZYvmUYI4Lkrge2ZdqyDoubrW+eJ3dxn9+StxA9FzXYwUE0t+bbsNJfOOp/kDojf060qLGsu0kAGKd2ca4WiDccR0Cieky335C7Zzhi/Q=,iv:bWQ4wr0CJHSN+6ipUbkYTDWZJyFQjDKszfpVX9EEUsY=,tag:kADIFgJBEGCvr5fPbbdEDA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcTCCARigAwIBAgIRAIix99+AE7Y+uyiLGaRHEhUwCgYIKoZIzj0EAwIwFzEV
+MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDkwMTIwNDI1N1oXDTI2MDkwMjA4
+NDI1N1owFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEk7nn9kzxI+xkRmNMlxD+7T78UqV3aqus0foJh6uu1CHC+XaebMcw
+JN95nAe3oYA3yZG6Mnq9nCxsYha4EhzGYqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
+A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFJ+yfPimEwnH2y7+SB4X8VtlAIGD
+MAoGCCqGSM49BAMCA0cAMEQCIBId/CcbT5MPFL90xa+XQz+gVTdRwsu6Bg7ehMso
+Bj0oAiBjSlttd5yeuZGXBm+O0Gl+WdKV60QlrWutNewXFS4UpQ==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:PnEXteU3I7U0OKgE+oR3xjHdLWYTpJjM/jlzxtGU0uP2pUBuQv3LxtEz+cP0ZsafHLNq2iNJ7xpUEE0g4d3M296S56oSocK3fREWBiJFiaC7SAEUiil1l3UCwHn7LzmdEmn8Kq7T+FK89wwqtVWIASLo2gZC/yHE5eEanEATTchGLSNiHJRzZ8n0Ekm8EFUA6czOqA5nPQHaSmeLzu1g80lSSi1ICly6dJksa6DVucwOyVFYFEeq8Dfyc1eyP8L1ee0D7QFYBMduYOXTKPtNnyDmdaQMj7cMMvE7fn04idIiAqw=,iv:nvLmAfFk2GXnnUy+Afr648R60Ou13eu9UKykkiA8Y+4=,tag:lTTAxfG0EDCU6u7xlW6xSQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjNWUm5NbktQeTRWRjJE\nWWFZc2Rsa3I5aitPSno1WnhORENNcng5OHprCjNUQVhBVHFBcWFjaW5UdmxKTnZw\nQlI4MDk5Wkp0RElCeWgzZ2dFQkF2dkkKLS0tIDVreTkydnJ0RDdHSHlQeVV6bGlP\nTmpJOVBSb2dkVS9TZG5SRmFjdnQ1b3cKQ5XvwH1jD4XPVs5RzOotBDq8kiE6S5k2\nDBv6ugjsM5qV7/oGP9H69aSB4jKPZjEn3yiNw++Oorc8uXd5kSGh7w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:43:00Z",
+		"mac": "ENC[AES256_GCM,data:3jFf66UyZUWEtPdPu809LCS3K/Hc6zbnluystl3eXS+KGI+dCoYmN9hQruRNBRxf6jli2RIlArmmEPBDQVt67gG/qugTdT12krWnYAZ78iocmOnkf44fWxn/pqVnn4JYpjEYRgy8ueGDnUkwvpGWVZpcXw5659YeDQuYOJ2mq0U=,iv:3k7fBPrABdLItQ2Z+Mx8Nx0eIEKo93zG/23K+Q5Hl3I=,tag:aehAObdx//DEjbKlOeM7iQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin

@@ -0,0 +1 @@
+../../../../../sops/users/admin

clanServices/coredns/README.md

@@ -8,7 +8,7 @@ The service consists of two roles:
 - A `server` role: This is the DNS-server that will be queried when trying to
   resolve clan-internal services. It defines the top-level domain.
 - A `default` role: This does two things. First, it sets up the nameservers so
-  thatclan-internal queries are resolved via the `server` machine, while
+  that clan-internal queries are resolved via the `server` machine, while
   external queries are resolved as normal via DHCP. Second, it allows exposing
   services (see example below).
 

clanServices/coredns/default.nix

@@ -1,4 +1,5 @@
 { ... }:
+
 {
   _class = "clan.service";
   manifest.name = "coredns";
@@ -25,6 +26,12 @@
           # TODO: Set a default
           description = "IP for the DNS to listen on";
         };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
       };
 
     perInstance =
@@ -42,8 +49,8 @@
           }:
           {
 
-            networking.firewall.allowedTCPPorts = [ 53 ];
-            networking.firewall.allowedUDPPorts = [ 53 ];
+            networking.firewall.allowedTCPPorts = [ settings.dnsPort ];
+            networking.firewall.allowedUDPPorts = [ settings.dnsPort ];
 
             services.coredns =
               let
@@ -74,16 +81,22 @@
               in
               {
                 enable = true;
-                config = ''
-                  . {
-                      forward . 1.1.1.1
-                      cache 30
-                  }
+                config =
 
-                  ${settings.tld} {
-                      file ${zonefile}
-                  }
-                '';
+                  let
+                    dnsPort = builtins.toString settings.dnsPort;
+                  in
+
+                  ''
+                    .:${dnsPort} {
+                        forward . 1.1.1.1
+                        cache 30
+                    }
+
+                    ${settings.tld}:${dnsPort} {
+                        file ${zonefile}
+                    }
+                  '';
               };
           };
       };
@@ -107,10 +120,16 @@
           # TODO: Set a default
           description = "IP on which the services will listen";
         };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
       };
 
     perInstance =
-      { roles, ... }:
+      { roles, settings, ... }:
       {
         nixosModule =
           { lib, ... }:
@@ -147,7 +166,7 @@
                 ];
                 stub-zone = map (m: {
                   name = "${roles.server.machines.${m}.settings.tld}.";
-                  stub-addr = "${roles.server.machines.${m}.settings.ip}";
+                  stub-addr = "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}";
                 }) (lib.attrNames roles.server.machines);
               };
             };

clanServices/coredns/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/coredns/tests/vm/default.nix

@@ -95,18 +95,15 @@
     for m in machines:
         m.wait_for_unit("network-online.target")
 
-    # import time
-    # time.sleep(2333333)
-
     # This should work, but is borken in tests i think? Instead we dig directly
 
     # client.succeed("curl -k -v http://one.foo")
     # client.succeed("curl -k -v http://two.foo")
 
-    answer = client.succeed("dig @192.168.1.2 one.foo")
+    answer = client.succeed("dig @192.168.1.2 -p 1053 one.foo")
     assert "192.168.1.3" in answer, "IP not found"
 
-    answer = client.succeed("dig @192.168.1.2 two.foo")
+    answer = client.succeed("dig @192.168.1.2 -p 1053 two.foo")
     assert "192.168.1.4" in answer, "IP not found"
 
   '';

clanServices/data-mesher/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/dyndns/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/emergency-access/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 {
   clan.modules = {
-    emergency-access = lib.modules.importApply ./default.nix { };
+    emergency-access = ./default.nix;
   };
 }

clanServices/garage/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/hello-world/default.nix

@@ -4,7 +4,6 @@
 # The test for this module in ./tests/vm/default.nix shows an example of how
 # the service is used.
 
-{ packages }:
 { ... }:
 {
   _class = "clan.service";
@@ -34,20 +33,17 @@
         settings,
 
         # The name of this instance of the service
-        instanceName,
 
         # The current machine
-        machine,
 
         # All roles of this service, with their assigned machines
-        roles,
         ...
       }:
       {
         # Analog to 'perSystem' of flake-parts.
         # For every instance of this service we will add a nixosModule to a morning-machine
         nixosModule =
-          { config, ... }:
+          { ... }:
           {
             # Interaction examples what you could do here:
             # - Get some settings of this machine

clanServices/hello-world/flake-module.nix

@@ -5,9 +5,7 @@
   ...
 }:
 let
-  module = lib.modules.importApply ./default.nix {
-    inherit (self) packages;
-  };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/importer/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 {
   clan.modules = {
-    importer = lib.modules.importApply ./default.nix { };
+    importer = ./default.nix;
   };
 }

clanServices/internet/default.nix

@@ -31,7 +31,6 @@
       {
         roles,
         lib,
-        settings,
         ...
       }:
       {

clanServices/internet/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/localbackup/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules.localbackup = module;

clanServices/matrix-synapse/default.nix

@@ -144,7 +144,7 @@
               };
             }
             // lib.mapAttrs' (
-              name: user:
+              _name: user:
               lib.nameValuePair "matrix-password-${user.name}" {
                 files."matrix-password-${user.name}" = { };
                 migrateFact = "matrix-password-${user.name}";

clanServices/matrix-synapse/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules.matrix-synapse = module;

clanServices/monitoring/default.nix

@@ -1,4 +1,3 @@
-{ packages }:
 { ... }:
 {
   _class = "clan.service";
@@ -11,15 +10,15 @@
       { lib, ... }:
       {
         options.allowAllInterfaces = lib.mkOption {
-          type = lib.types.bool;
-          default = false;
-          description = "If true, Telegraf will listen on all interfaces. Otherwise, it will only listen on the interfaces specified in `interfaces`";
+          type = lib.types.nullOr lib.types.bool;
+          default = null;
+          description = "Deprecated. Has no effect.";
         };
 
         options.interfaces = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ "zt+" ];
-          description = "List of interfaces to expose the metrics to";
+          type = lib.types.nullOr (lib.types.listOf lib.types.str);
+          default = null;
+          description = "Deprecated. Has no effect.";
         };
       };
   };

clanServices/monitoring/flake-module.nix

@@ -1,22 +1,24 @@
 {
-  self,
   lib,
+  self,
   ...
 }:
 let
-  module = lib.modules.importApply ./default.nix {
-    inherit (self) packages;
-  };
+  module = ./default.nix;
 in
 {
   clan.modules.monitoring = module;
 
   perSystem =
-    { ... }:
+    { pkgs, ... }:
     {
       clan.nixosTests.monitoring = {
-        imports = [ ./tests/vm/default.nix ];
-
+        imports = [
+          (lib.modules.importApply ./tests/vm/default.nix {
+            inherit (self) packages;
+            inherit pkgs;
+          })
+        ];
         clan.modules.monitoring = module;
       };
     };

clanServices/monitoring/telegraf.nix

@@ -11,34 +11,54 @@
           ...
         }:
         let
-          jsonpath = "/tmp/telegraf.json";
           auth_user = "prometheus";
         in
         {
+          warnings =
+            lib.optionals (settings.allowAllInterfaces != null) [
+              "monitoring.settings.allowAllInterfaces is deprecated and and has no effect. Please remove it from your inventory."
+              "The monitoring service will now always listen on all interfaces over https."
+            ]
+            ++ (lib.optionals (settings.interfaces != null) [
+              "monitoring.settings.interfaces is deprecated and and has no effect. Please remove it from your inventory."
+              "The monitoring service will now always listen on all interfaces over https."
+            ]);
 
-          networking.firewall.interfaces = lib.mkIf (settings.allowAllInterfaces == false) (
-            builtins.listToAttrs (
-              map (name: {
-                inherit name;
-                value.allowedTCPPorts = [
-                  9273
-                  9990
-                ];
-              }) settings.interfaces
-            )
-          );
-
-          networking.firewall.allowedTCPPorts = lib.mkIf (settings.allowAllInterfaces == true) [
+          networking.firewall.allowedTCPPorts = [
             9273
             9990
           ];
 
-          clan.core.vars.generators."telegraf" = {
+          clan.core.vars.generators."telegraf-certs" = {
+            files.crt = {
+              restartUnits = [ "telegraf.service" ];
+              deploy = true;
+              secret = false;
+            };
+            files.key = {
+              mode = "0600";
+              restartUnits = [ "telegraf.service" ];
+            };
 
+            runtimeInputs = [
+              pkgs.openssl
+            ];
+
+            script = ''
+              openssl req -x509 -nodes -newkey rsa:4096 \
+                -keyout "$out"/key \
+                -out "$out"/crt \
+                -subj "/C=US/ST=CA/L=San Francisco/O=Example Corp/OU=IT/CN=example.com"
+            '';
+          };
+
+          clan.core.vars.generators."telegraf" = {
             files.password.restartUnits = [ "telegraf.service" ];
             files.password-env.restartUnits = [ "telegraf.service" ];
             files.miniserve-auth.restartUnits = [ "telegraf.service" ];
 
+            dependencies = [ "telegraf-certs" ];
+
             runtimeInputs = [
               pkgs.coreutils
               pkgs.xkcdpass
@@ -56,7 +76,38 @@
           systemd.services.telegraf-json = {
             enable = true;
             wantedBy = [ "multi-user.target" ];
-            script = "${pkgs.miniserve}/bin/miniserve -p 9990 ${jsonpath} --auth-file ${config.clan.core.vars.generators.telegraf.files.miniserve-auth.path}";
+            after = [ "telegraf.service" ];
+            requires = [ "telegraf.service" ];
+            serviceConfig = {
+              LoadCredential = [
+                "auth_file_path:${config.clan.core.vars.generators.telegraf.files.miniserve-auth.path}"
+                "telegraf_crt_path:${config.clan.core.vars.generators.telegraf-certs.files.crt.path}"
+                "telegraf_key_path:${config.clan.core.vars.generators.telegraf-certs.files.key.path}"
+              ];
+              Environment = [
+                "AUTH_FILE_PATH=%d/auth_file_path"
+                "CRT_PATH=%d/telegraf_crt_path"
+                "KEY_PATH=%d/telegraf_key_path"
+              ];
+              Restart = "on-failure";
+              User = "telegraf";
+              Group = "telegraf";
+              RuntimeDirectory = "telegraf-www";
+            };
+            script = "${pkgs.miniserve}/bin/miniserve -p 9990 /run/telegraf-www --auth-file \"$AUTH_FILE_PATH\" --tls-cert \"$CRT_PATH\" --tls-key \"$KEY_PATH\"";
+          };
+
+          systemd.services.telegraf = {
+            serviceConfig = {
+              LoadCredential = [
+                "telegraf_crt_path:${config.clan.core.vars.generators.telegraf-certs.files.crt.path}"
+                "telegraf_key_path:${config.clan.core.vars.generators.telegraf-certs.files.key.path}"
+              ];
+              Environment = [
+                "CRT_PATH=%d/telegraf_crt_path"
+                "KEY_PATH=%d/telegraf_key_path"
+              ];
+            };
           };
 
           services.telegraf = {
@@ -64,6 +115,7 @@
             environmentFiles = [
               (builtins.toString config.clan.core.vars.generators.telegraf.files.password-env.path)
             ];
+
             extraConfig = {
               agent.interval = "60s";
               inputs = {
@@ -99,10 +151,12 @@
                 metric_version = 2;
                 basic_username = "${auth_user}";
                 basic_password = "$${BASIC_AUTH_PWD}";
+                tls_cert = "$${CRT_PATH}";
+                tls_key = "$${KEY_PATH}";
               };
 
               outputs.file = {
-                files = [ jsonpath ];
+                files = [ "/run/telegraf-www/telegraf.json" ];
                 data_format = "json";
                 json_timestamp_units = "1s";
               };

clanServices/monitoring/tests/vm/default.nix

@@ -1,24 +1,95 @@
+{ ... }:
 {
   name = "monitoring";
 
   clan = {
     directory = ./.;
     inventory = {
-      machines.peer1 = { };
+      machines.peer1 = {
+        deploy.targetHost = "[2001:db8:1::1]";
+      };
 
       instances."test" = {
         module.name = "monitoring";
         module.input = "self";
 
         roles.telegraf.machines.peer1 = { };
-
       };
     };
   };
 
+  nodes = {
+    peer1 =
+      { lib, ... }:
+      {
+        services.telegraf.extraConfig = {
+          agent.interval = lib.mkForce "1s";
+          outputs.prometheus_client = {
+            # BUG: We have to disable basic auth here because the prometheus_client
+            # output plugin will otherwise deadlock Telegraf on startup.
+            basic_password = lib.mkForce "";
+            basic_username = lib.mkForce "";
+          };
+        };
+      };
+  };
+
+  # !!! ANY CHANGES HERE MUST BE REFLECTED IN:
+  # clan_lib/metrics/telegraf.py::get_metrics
   testScript =
-    { ... }:
+    { nodes, ... }:
     ''
+      import time
+      import os
+      import sys
+      import subprocess 
+      import ssl
+      import json
+      import shlex
+      import urllib.request
+      from base64 import b64encode
       start_all()
+
+      peer1.wait_for_unit("network-online.target")
+      peer1.wait_for_unit("telegraf.service")
+      peer1.wait_for_unit("telegraf-json.service")
+
+      # Fetch the basic auth password from the secret file
+      password = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.telegraf.files.password.path}").strip()
+      credentials = f"prometheus:{password}"
+
+      print("Using credentials:", credentials)
+      peer1.succeed(f"curl -k -u {credentials}  https://localhost:9990/telegraf.json")
+      peer1.succeed(f"curl -k -u {credentials}  https://localhost:9273/metrics")
+
+      cert_path = "${nodes.peer1.clan.core.vars.generators.telegraf-certs.files.crt.path}"
+      url = "https://192.168.1.1:9990/telegraf.json"  # HTTPS required
+
+      print("Waiting for /var/run/telegraf-www/telegraf.json to be bigger then 200 bytes")
+      peer1.wait_until_succeeds(f"test \"$(stat -c%s /var/run/telegraf-www/telegraf.json)\" -ge 200", timeout=30)
+
+      encoded_credentials = b64encode(credentials.encode("utf-8")).decode("utf-8")
+      headers = {"Authorization": f"Basic {encoded_credentials}"}
+      req = urllib.request.Request(url, headers=headers)  # noqa: S310
+
+      # Trust the provided CA/server certificate
+      context = ssl.create_default_context(cafile=cert_path)
+      context.check_hostname = False
+      context.verify_mode = ssl.CERT_REQUIRED
+
+      found_system = False
+      with urllib.request.urlopen(req, context=context, timeout=5) as response:
+          for raw_line in response:
+              line_str = raw_line.decode("utf-8").strip()
+              if not line_str:
+                  continue
+              obj = json.loads(line_str)
+              if obj.get("name") == "nixos_systems":
+                  found_system = True
+                  print("Found nixos_systems metric in json output")
+                  break
+
+      assert found_system, "nixos_systems metric not found in json output"
+
     '';
 }

clanServices/monitoring/tests/vm/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
+    "type": "age"
+  }
+]

clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:ACFpRJRDIgVPurZwHYW0J1MnvyuiRGnXMeQj1nb9rDAIqHbZzZk8+E0Nu1+EdXwk78ziP6tHR1GQP2ILTtpLME4lXXRVjouW5Eo=,iv:ctR1HENO3XGIq1/gzYi47nateYzsSK317EKn92ptqDI=,tag:q1yuk/ZMx3nuORkiT/XXqg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMUtabnp3V0dzNFFYRzk0\nd0ZJbUtDMXRPRGxpRjhYR1MyQzdJYWdJTUFrCjBNV0pPTTlIOHBBbzlEQkFzVy92\ndENxcDdIZlNDSm1oZTNveUtIeVc3MXcKLS0tIGtocENjMFNYT0s1LzhYNy92QU5G\nREVEdjErb0xPSE1yb0g5bGlackh6bEUKwxBoDteD7+JfnlFF71CHx4oEdV/TFYcF\n3JPYUbTWAIyMtUu/CLbX+Pn9Mv+McrEIqhwT7TWL/YbELKVadX/k5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T14:33:37Z",
+		"mac": "ENC[AES256_GCM,data:4631iJmioJ2vZ2PTFbdEJu7UqtyQbp43XBlgEbFAviGZdugb3weVI24rJ8m1Rdnxq8uciEeiX6YHBhURdWQY4JNm2wTGnjz7e2PwQ8FCwOmxCcIQPpdKKsziq/M4HArgD66eUxIWfTt1yJfHgBcUuuANbrbH8MirllT+hJTBhqE=,iv:rM8a/MpKbK7DlqjuR4BG77XDHLK11Q+E2rzZLDJalhk=,tag:bbGMn4anXrLHg4eLA0/CXA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/monitoring/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

clanServices/monitoring/tests/vm/vars/per-machine/peer1/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/crt/value

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFuTCCA6GgAwIBAgIUMXnA00bMrYvYSq0PjU5/HhXTpmcwDQYJKoZIhvcNAQEL
+BQAwbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJh
+bmNpc2NvMRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxCzAJBgNVBAsMAklUMRQwEgYD
+VQQDDAtleGFtcGxlLmNvbTAeFw0yNTA5MTgxNDMzMzZaFw0yNTEwMTgxNDMzMzZa
+MGwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzEVMBMGA1UECgwMRXhhbXBsZSBDb3JwMQswCQYDVQQLDAJJVDEUMBIGA1UE
+AwwLZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7
+sdy27E/XMAyKrgeFcXY70R/vX0gx6EcZlWGp2vZSUVAfW1ni/Vq/LVC02sxGEGwv
+10+42yP2yghi89doKo8oCoLsbVu+Pi+TmRsgAijy4jN8pHqbn9/Vk8M8utLa1u4z
+VonSIx9pzCYd2+IIdwVuWoyPAAnK/JIKS3n0A8KWkZ/1lq6YDl2whj8iY4YF2Ekg
+M0SWhquLZiaApAs7STTYvcP7iLfL4U6cH65dRAbwWMpMErPuLf/CedkXiSUp8Zqx
+YIXXE5lf7wqt7tM6k6BHic9FEzAo1HnBWBXV5eB5fs1lX9M1VPmx43XINCfzKwxE
+xODtIBrmvj+qOp6/ihBsu3LlOoOikxmL+T9Wgvf7fOuFC4BgmX85mGUV+EMZCDoJ
+44jlwFF8wgrfG/ZawkP+opNsQLsdOm9DbAdWpx5+JYdgWBahjxuH4z2eIiBmMKgj
+puqDgXdZzcERiYtOEEn0p0tvIkVLO3Tm2GjtHbmg1yF2nwsZjupGfcOGTVX4Zi5x
+ZCs7vYgBtZy96kNAuyZcFl8eBUr/oVg//i3Zc9Vnw/UJryB7I6dvj228hlrSz0Ve
+pGoeZXbcCzRv8NX2V0V1VTtrblSA3w5WRxVzK7UAVetPZ4dlJX+eyx3x2wiC3TiW
+ZYH8haFubQqr1h9oXFHgDE5xYZKr51T3SRGfpn6KvQIDAQABo1MwUTAdBgNVHQ4E
+FgQUJHOErJYWaGdla1XhxWha4XBKFYgwHwYDVR0jBBgwFoAUJHOErJYWaGdla1Xh
+xWha4XBKFYgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAXqcg
+DW6qzFccR+JTqNR5HBOneB07LxaUqfBTAzU5GTRljY3mVpnTa6vVvXlStChqdmwU
+JJdRhWzTpzE4K92l4UKiYKy486PT1ff34aPLPX5BB9OzL4dgvC3gO0MYDJ84AFZl
+6BN/MRTinioG+s14SsxmgcUTl+HXsxt75r3WKjXvqECqhONLPXEXDJ6TVmfb2yd5
+X9cE6HLS2IXqfvs0EdXmQhSQVS7AlUQWZPDeoBTDUA1tT6ZKCcG0BuHEFnHxg4Yg
+W9xp/wMJCEly+9eNJYZYzyK1AHRGnTMRCSifTJEybwI4A35v68FyRLfAC0lM2qVL
+yQIGjj55+r4yGCK7bySSKjs59LLLxi6Px3S61OxAYq9KMT65nBLK9JAPFyTnikw9
+q/xW208lL+kcRtG+ARo5ycx5QUjWdsHn7TCnqxnDhHznwSV4KGbJFaGQZTtgfcz0
+g5a1GwxqHjEZ9IWiN38f2l4kpLLybKhwVQMYeG000s7rDa5hgjbh13qtQN6vUvI6
+VozzZPnFcR1Rsa8RR9njDugxbVwlJQfGkoMiMZwNGgXnZRC2XaI6SCyPwqTPBuVP
+ZR1eWv4qwsIGKJzJYcdChb5dimlTuVSfZmONpnrOP/4mhQLyaWr3XLqxxP3mIXsz
+k1PNWTkgLsXO8DNkCudxcvPElXfmaw6zwaLrZys=
+-----END CERTIFICATE-----

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:eWZyDgPQppMI/wNGSGsXowQ35I1KW1KH9p3GfxMFKNfoG2rnNwiBG11ARd9CDVMnY5OUt6RxL2sRKBlvqqjouCICDEEj3CWNnEpA55JGnmp3jj+kCRiA/te67F5vDXWus/mLGgI00apHwqUkwRkdck0URgniEIektncP9mQhcKDT7Lksm1S8oTHGDRcdiG4MxhrOq0qumVWdwS3qkAuwOvFMlYeCec6nfKBV5QTGeDxe8m8tijr7RTfM8cEaXrwaJDct1IIiHsl1U+V7+rz0KEvJ8ofeyOLP2zNSq4JfwM9rg/EwVuPsKf6LNmm6G/JdePlaCrwTaLchwb20/Tnf9nvrZu3P5w86IuniIyjFByvLR3bc6wKjxkWDU/+9UoTXfms5qKYNsgylFdg1xfqPjK0SgWiUL4IlxTBYPoPouNp/NZO+vzB+nkAcljCNGnYrfCz53F3gsTwBXIGmye2gvmNMvP+rs2/ySEt3XIzMEiWlBjDlurpAaYgqHhxVuc2jiqX56W8nu/QStopKP6sziPQbRqKDERSACxJ/WWumXTVO56dVJzqTpYnkqpq28tFoRd2yG7cJjlAbgqyxRuNkcLwnTEjGeGSSdVvmBeCqr4LuIh5qd2B4lrHQ6fR9xE/EHuJ2bcAH/x8ukOE7CZrACIEr6HfcpsnNhnpFYdA6gf4Gle21UJpK7hpY3+nCMNEPdfTjYkCvi/guzjG+X+UQPY466qbiVhUnNK4sg35axAJyNH1Jk6lK6+L/o4EVHBvnEUagLN2xFD5w0kXYMpzvQWEMaexyciDs6Natn7MzYVhmea8OfKXVE6dQz3Y5YFJ3uEQGGjuNO4fPyfnVgUULeaAs/IWkoPl2HV0x0KdxMEKGw2CAl7XuHYfV1rFTur+Wvf72rECUiiDmOgDU1g4plcBxQ6ocp34kize3lt1PdEL0R9lWg5c6l8LsqFhLqK8lpPV6neRdXX4UDzPjxnf3Ra/p1Hn283QSAv55pIwJQAo+kjWGckzr9CleUnLfPxQUKJQ7Jpjb/HtuhTQGA0mTsCbEHR6VWM/EYS4WzUd6opmfBstzSplD+kSBFIBoee+0dkUjfZcdFIWJRcabtjnn2TEsHHCK+dAguYY77OGeAh+tw7r66gONgtNlwjCN+KrzWH8cTu8BEaUoZH35lExs/wn+Ucj8IXDUXYLTTzGgokBybEeis+BDWFpDrhsZKFSwRE8tsrxfpgr7R1Ue9zMLoHnKeDZ6ndkm6fMinZ81OOchfE8bElRecCEzs9N/zU9nCtXKSAiYc86VntdbDFcPAm+bZ4hVkQpiRvQVGFYhgLuol7i9xhKD86TuIkqwMybEnT0ruqMNEVljxMWK7Cy+CAWg68w+hY2Pd54vXyC9ORndrYG7zbtVEe2dR7peeWTDTjU+5gVqIlC9lIhnIjgDprzvjszukHzc6TE98W9bnEKieSNGbQntm+YPohprg3CdVoPc1GfVueRqyXfXG0WVkLgfrhgfuLaJGKgwo438cUcRV8qH2wgCa7CGPMgvxzXJrK2dSRmZA/vPgZDpX9r78YlFGo+g/ghGhiNVonMYtMhohlSrzrQARA2AYuMgM91aXPnoKtqDy8+UL4g344bu7Jh3SKyGoqBo3TFLJyQgutzIx6EHG/eIDnTfc/I/3RgBtwo7RR/g+g899nhsiBLKVQId0/EZ+rKSndRTguCnFkjwCvXNW1z5uoiom/J5Q+J0xC1lqcjWF0zn9UwStQmvXDOABJUsGu+AZnj5l27MdRWvTfP2p3r12TXbyPEwOGuJa2LKSL/k4XmuaO8HkxSsfC1ImPOuPGbjgVkh62Y2oMqI90dtVrZ2HyosHwxv4tKzGAZbvH5vkK7TZXgoXCgAq+XwCPG9gtW2sIA2qoxw+SLOG5CEnHt6VlSgelLce9lU6kETdJ13fSqjMwZTQD07vXVnrtCHhsC6s+aY/7/2lJ2x8VmRBXVW7yREF56AdjYYVYgiAoHQqaQ0/OHpr6hacckqBTP0VzlNHLAzwm5zlgsZLDt3NxjTUZdgJEvFxF+rjzZHgyXwMA8hfzPbfVjftDW8hCMD1p8wJSY+CqaH+6/Ui9Q0X4F3YcZbhn/i9ZmMrB+CzBcjVzGrZIA0FLFoJWD2bFVPmMbcmDsT5ei0HafGBb2NBQ1gYvceGlN3WVQbTYCG54QavABNAyGFH+eQHvnk5jCg2DYspoCOPjEvIHjKM+gluIrozrnzMO2+hzp4Z+AscJCOm91LmL4PIFviyWzqy6AV1BLYPMLybdqrbEqUCFIzkXdFW3AZxV69hwhnBaZbLAaLeOG9YUz48o7oOITsDKVtuzUxkYDj+vBxI6zf7SvqjmopNXuZ2+4J+oa/p7xCpNUJTi0V4Ac38BZMiUcpXidu1V0pkGWbca4Dfqf2vBOzOcpLxrorizsyROv1SJAA7mR8KQut28HnkXgshIhB4cY99tnmKN/E1oiLGU0NkUHR6fCBtV2Ak8k7PNCVzhU0y6/NCJoSKqKQpuPEMVT+0QaKNfjtGvWgvZrvcchoMNAAGQa1OMSkmcZ4KdnAUaMROrS5LH3IBwpmSwtTBFkx9Shl3xMm2SpF6SdWnpweUbRAQqKNmRvSQLsXiEwOwxIO018mo8CgyiDyyIf4k0gFlNTapYyacwRO4vTMc3vfXjTcwK1LzUZVeG+e61WVDmmu2e6zls0JhXe7V58OkbnYWnzNzBSxWJluicno/P9h5vefBOHfysKe6SlGye/H0BO7piVG96cjqC0hTul8k1ysQoXtFgf4fbrlqs/D1kR9xVHcr3hAeWd9c4LwXEcSCeVuBd0bsoo2sYIeNSWNdJo9bSF0vb49snroh/RgbzntW3+geL94DEZaXMmf+RLujLEIgoNLlZ6r2jTMvlV6DWbSRE3cii6LFOXdQq53fmG/cI73R3hGNdQaLhZDaOi7hLnxbAMAjtEVQQOQg93a43d/BDGFzgNhKjYqyjZ9mM/Tk37DLlZ+xeIEJpALLIAaOguSG5cg3ALBrdGRec+SPf0r6M6DVkS1VHFz54kPx1eGkJQyQTotcykafNIt1Ahbqif0Z7U2bF0LxUbrZxcoldFteBNzihlXxa4zrY5Uj3BWEOrd6E8zHUIW97KwUAdttMTlNoOrMOgLY4790cVX+K7sa9ZPWz8Lts7o99sdcF7+dHoVxvfM0O3vXdzA/2O1opKqD6ZfPmU1UyWL/N2d4d9JerDhD6RFuBJP7nsv8osf2NHyWdHV9Luj0gOiBZvoOuSI4nvE05rPIXR/UEjXBw+1XaGHqcj8x/6rE6oTAma/1DH+E+N0j6mUd97vHFa48rbABCLWK4n9MrjXpQAVYNlXsSRgmEaVcq3S4RdRHKIp6yhhsUfNI8B8i8obQ3lBj7ktx1BNynnSJKTbQVOritYsQEY3t/+PvCdr4RKflftx0KzwcFTscVSrX22+aZZD+VrPZ3o8OUH8yxBWUsK5hdhuVOfNEjL6TpgDUZgbFUdlTDHmzPm5RxDxK6qGLxr0JwfLNm/+nYliKoyiTFKVKWFDE5Z+Rt0yKj+pDrWXBpKPySTfWX80VbioPW0curpiLt4tjVFfzhZ6V60vPfjcCjHlGz/pA5atUTGlZBP6DynDFJVV4QO0uhRYRfDvk+D6YOjZSHAX0e82IFg5l4d3fcF9WveqIfKRhJEVt3s4PLhCul/ESTWp45h1IA9ZfI4wvmuP0hCUvLgTOKx75QnwfVQRKJ5xa+R0e2Igywnobz63LaX9+yC8KJ23U8ZHS0Wc3E2NqTVEiP93ds98pMRMepoln20bsLUypcW2/py0WYb/YEGzlww9MxywAEQX+Pce8XhI7iylSfUzUmk863Y8cE1RMAiDeMFIQ8vZBT+LKwJ5zdik8jqJFED5XVGtYai7vEjj1tZKrfL+fR6CtDdQqyP1fWS+Xi5CZ7rdr2HiD943Vre1ZA8B7byozkMuahiYVzfTKIGI6lUMvXmmVNkdWXmj26YRy4l4X1KYM9L7f4NX8jRe61sUXanWJgcScxQTNKfGDOiKWRFQjo5UgCXOvjGtFCpRQyksY19TatFHRGrNdV2CmZhFTaaGbCbqD5QlfdoY1StT0Ko3x/YJR4/4Yoa2oCr2cVzNZ0/xPW0bC5NszLnKMjVI8Nj1nNFvMm4yZBpaz6YKk2REf9nndbkbhcppdrZN4Vt7wdt2gV2+5OpXRZ8OaxnegFpNiYuJb61gzXFYmYjWCkU6V9ncGV/71fXWMlxSlu4kLVhIQqD2+RI/VWAcS+cFEvb0Ntjft/gkyQcrLCeeFzdxXSNnlX1h5DigeRwyNtW4Mrk8vFQ6o2Oi3HiBKmvAD7sPkJg+lOJngQ/hI0477c0=,iv:q3j8EAokyyxiszf+wyRqxEr2igaD1bX7YnFx/NbsGg8=,tag:HKKYWRJEUwW2/TxL+5dSng==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeXRjU214aWk5ajl1aW9E\naGJlb1ViaVRmMTBHdkFDQUNDZS94WFZiNUNvCllmWTJBck9hR3U3V09VWDZwQ2xI\nd3ZEQnBIUG5ZSTVIdS8rQ2FMYVhyNk0KLS0tIEE1UG8rSzFyU01sVXhGVHpoaE9i\nSis4Qi9tMGFqbTNMTDZUVk1ZdXkrM28Km4VkfaOsZ69ckjvrg+os43H/O1IoWHzC\nt4LqZRz1Tk7/d1aLWavSPPjVYrCOMZeNBqGbQpGfjjuXrafClRNQdQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3R1RHTGViTnRLVVkyM3J0\nbm96cGVPTlo4NXBNL0g1eEVSNG9DUkgwVFRBCmRKVTlMRmV3Tmg2RTZIclBlWlcr\ndzI5MUxhcllzbE1IMDNxa08zVkpITmsKLS0tIG01Y2dyQkY3UmRudFk2d0p6bThn\nemlaWnZoS3p4VHhMTFFwTm9VN0ttYzQKVbLFgtK6NIRIiryWHeeOPD45iwUds4QD\n7b8xYYoxlo+DETggxK6Vz3IdT/BSK5bFtgAxl864b5gW+Aw4c6AO5w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T14:33:37Z",
+		"mac": "ENC[AES256_GCM,data:XKCnd0QrAlOCECSeSvbLYHMLbmUh4fMRnLaTb5ARoP4Zc9joWGsCaRZxokc2/sG4BXA/6pkbQXHyIOudKbcBpVjjvs9E+6Mnzt53nfRoH/iOkYPbN2EO49okVZJXW0M1rlBxrxvGuiDlz2p2p6L7neKLy4EB482pYea5+dUr2Yw=,iv:oj/MkZCfkvCmAb79uzEvKwEAm1bKtWhS4rPRAWSgRgw=,tag:h5TPPILXkhJplnDT2Gqtfw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:Q0Vn7J0nERccBYT8HZxHF0Zi5qxmMu40n0H1c+L2SCRF6vRLdURxXKDwvh8xtTU=,iv:ucExjoYDFYy19GsBbNNldJRPBSpT+L+x4PrwTG+m2K8=,tag:/Quupyy/nnUNZsDudEMmNA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWo5OEJ5N1RTR0xMaDhL\nQnlUV2RrRXIzM01OemhQWjVkd3FNZjRhR2dzCi9IeE56b3VZTkNkdW9DMzVia3Zx\nbklxWmFpenRjdEIrc0ZDTGdmSTAxRTQKLS0tIHZJdjdYUzhhY0YzQjRqS0psZmpI\nVHJpUjNZNHRpc2ZWSml1TVNNejhiT28K8TTP/J+XspXZ7TVYj9YaBhEodPIXjojB\nRLqAIgJXRaK4NCLukC6l0IMii6w5J/512RnO2ZBTGhKfbdLfyLOFqg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZVc5b0FhbzNXcG1zUDlD\neEVWcWpSRkRCMkxBTHdBM3dCbjVpR3FBa0VjCitlTmx4eUJOMHlaU0dFZEhpK3ZD\nZzlMQXVuZWpnaUNmQW9kOGtOaGVDMU0KLS0tIFNlUi9LSzF0UEJCSVBiRlRSNFQz\nNHhMbmNlRXd4ZEJQWVcvTWdCRWEzMUkKls7RbmNOdPDx8z15F+7qay9qIWx6jNsN\nTahT+GgbG29t1aGQCb0yEzKuUyAp39maxxSWToPsfCgJSYJ8RYiUng==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T14:33:39Z",
+		"mac": "ENC[AES256_GCM,data:g+9/fRiqom2+W28ZpiF+oBj9V6ieq5Xz3sRz3GyzvHoLr6yw51JvpG2QuYNYANW0WCiUjFDkU0qPj/9gLHcuX52nc+gNaTzznb1QGPg7WCGSQI7xaMzyYsPxHpg/BOdj5CL8GyLiOWstD1ch0kc3bJmyu68sJUs04uGtHAADzsE=,iv:oASrYaZarEPDu0R3hd/jMazLgwG5r//hIdMyU/tN15o=,tag:o1fgf5oy+rlWXg88FN5Nfw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:4NIUEK05kEQAKjR8F9mU3M/XvtZXw+X6CejVI0usMcb4WzagNz7XTVDhLWXZ9St5Ev0Y,iv:bD2+rDLMoWSqUAIZRJof0wRrJVya1xwZUTIJBdCs98I=,tag:g2s4byFHTzwU3ikcBGMElA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeVh2M2tqSGlOVkpzNlhU\nd0pMd1R0c0tQWnZzdXViWmtxcjl1Wk1Ka0FNCnBUUWJVbjlyR1hSNGpXNWlPRHJB\nNnMzN3BMQ2NDamFBMlhHbVdJUEZ6cjQKLS0tIEJjWmI0ZDl1NXgrSW9uc0R0LzAr\neEwwOC9DdDg2RTJHQ0M3QTFlcVBaSE0K2Du4NguefdEyY1gS6OuVdO3gHga4omcR\n8B+K1wUfIQbArxZLawPxrj7WNDoW5d4mF9fA3MeV1DFyc4KwtYZmUw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWkdBakVrMVR4RU8xdDlF\nRDkvL0Mrb3ltazhIMjRLZDVlSTVlaFY2ODBBCnlQM2s0SGEvZjFDN3dGWDhIN0dK\nenhQbjZ1ZS9QZzg5SE5XazZXS3dFSkkKLS0tIHJhKzhadGpjTXd4L3hOQkhpR0Fy\nYzhTN2dxVSt3OE5uZFpuWmVlYW4vd1kKwHOxP0C5mLcm4oIT/sGQtUsdsmu3LSN0\nSola5+N+IrAZ+HKnuZlDLZ5JmJSc5j/YhGNn7KR1xhkhfGSS1e3UZw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T14:33:39Z",
+		"mac": "ENC[AES256_GCM,data:ehbrYqTJcsBKGHUB25JHFnKXrJ6z3LkcElZ89xVr4XxLet+odbhsjIoP2FCcxex7PlXcegMduhHBpXwNGUbX+IUNAXTxlWA9CLDmYhWuS2WLiEVXrS11NE03/zUyHdVx/C38dbIPrWD9iaYSrAiuOyfqDTh9k/Bn7vehLTtadoE=,iv:Nk2WVuJydi5tfsb1Mib4A6NocBCDp9QoIbSadq3bIDI=,tag:IaoyfCv3SkmtemXMR9XnkA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:0BmP+NwG/NGe6R5yU55/MdPEQ8E5u+VXWtvstHc4GpDtmBY=,iv:vo8XBcN7KcYjiyKvvp+XDOdP9yR9B7wJi0XlaiCdVbk=,tag:brK9ntAPSuOvw/C+oDo51g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Tk1INGtybUVlejlNNlZE\nVms3TkdRVVF1T0E4TmV3NmxvYWVEL2U3WVhNCjJIaHhBcWVlMEYxRjg5bzJpTWdJ\neUhaRTNRTmtlTW0zUXQxTVZEMkQ2MFEKLS0tIFNGWDI4b2FXTE8xQ2xqb0cyK3FI\ncktHWnE5c1ZSVFpmQU1HZmU2VVB1QmcK/s1fVmwpMMg4BYkkAJzSY7hVQWae1F7g\nmfH8EGlr74mifWUNEbd49/K13nl8atQx6bcau83JIEQR+yyihuY4Jw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsL2FXVytUUVZnVU90bG5L\nYURiYjgwN3RuTldWMGl4clpUWmxkeUsrVzM0CkhKZFgwWHl4dWhNSWRQRXVPNDR6\na3hHNmp2RG9YNDhNM2MyV2FuOGY2UlUKLS0tIFpNU2tNOHdhRDRTdHhYWVh2NGZa\nU3J3S0hpclZzWGIwTlFyczdNZkZSZTAKXCZrLaIOVq90ejoKMaRiK0xNw8WOPcnm\nz2uxProEYvQhY8k29mhCFX5HCN0tGn1XTtHeDL7uHuKuFsnSG/fgYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-18T14:33:39Z",
+		"mac": "ENC[AES256_GCM,data:QkGJKj/H+MI9Mr9Up5NDUToSddY5eTz47egc2+IatfxR8RebKJ2/mYaeLV26vPdmY60bIac4N/nZkoa6IVBhkHHMvsEHsx3nD6Lro9Wf/pWP8Zddzr90LF5p2+wusq25JutKQiPKOb2gmrcagmSsH/7V/UqI/my3PMeKmw6irhw=,iv:hOtHF/cDFdNfvqCKRhJsOwAHEiQmCPjENzsg23sKG+Q=,tag:K7qG9b4fQD0VbAV8OYp3vw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/mycelium/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/packages/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/sshd/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/syncthing/flake-module.nix

@@ -5,9 +5,7 @@
   ...
 }:
 let
-  module = lib.modules.importApply ./default.nix {
-    inherit (self) packages;
-  };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/syncthing/vars.nix

@@ -11,7 +11,9 @@
       pkgs.syncthing
     ];
     script = ''
-      syncthing generate --config "$out"
+      export TMPDIR=/tmp
+      TEMPORARY=$(mktemp -d)
+      syncthing generate --config "$out" --data "$TEMPORARY"
       mv "$out"/key.pem "$out"/key
       mv "$out"/cert.pem "$out"/cert
       cat "$out"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$out"/id

clanServices/tor/default.nix

@@ -58,7 +58,7 @@
           priority = lib.mkDefault 10;
           # TODO add user space network support to clan-cli
           module = "clan_lib.network.tor";
-          peers = lib.mapAttrs (name: machine: {
+          peers = lib.mapAttrs (name: _machine: {
             host.var = {
               machine = name;
               generator = "tor_${instanceName}";

clanServices/tor/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules = {

clanServices/trusted-nix-caches/README.md

@@ -7,7 +7,7 @@ inventory.instances = {
   clan-cache = {
     module = {
       name = "trusted-nix-caches";
-      input = "clan";
+      input = "clan-core";
     };
     roles.default.machines.draper = { };
   };

clanServices/trusted-nix-caches/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules.trusted-nix-caches = module;

clanServices/users/README.md

@@ -8,7 +8,7 @@
     user-alice = {
       module = {
         name = "users";
-        input = "clan";
+        input = "clan-core";
       };
       roles.default.tags.all = { };
       roles.default.settings = {
@@ -35,7 +35,7 @@
     user-bob = {
       module = {
         name = "users";
-        input = "clan";
+        input = "clan-core";
       };
       roles.default.machines.bobs-laptop = { };
       roles.default.settings.user = "bob";

clanServices/users/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules.users = module;

clanServices/wifi/default.nix

@@ -1,4 +1,3 @@
-{ packages }:
 { lib, ... }:
 let
   inherit (lib)
@@ -29,6 +28,15 @@ in
                   default = true;
                   description = "Automatically try to join this wifi network";
                 };
+                keyMgmt = lib.mkOption {
+                  type = lib.types.str;
+                  default = "wpa-psk";
+                  description = ''
+                    Key management used for the connection. 
+                    One of "none" (WEP or no password protection), "ieee8021x" (Dynamic WEP), "owe" (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3 personal), 
+                    "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).
+                  '';
+                };
               };
             }
           )
@@ -50,7 +58,7 @@ in
             ssid_path =
               network_name: config.clan.core.vars.generators."wifi.${network_name}".files.network-name.path;
 
-            secret_generator = name: value: {
+            secret_generator = name: _value: {
               name = "wifi.${name}";
               value = {
                 prompts.network-name.type = "line";
@@ -80,7 +88,7 @@ in
                 wifi.mode = "infrastructure";
                 wifi.ssid = "$ssid_${name}";
                 wifi-security.psk = "$pw_${name}";
-                wifi-security.key-mgmt = "wpa-psk";
+                wifi-security.key-mgmt = networkCfg.keyMgmt;
               }
             );
 

clanServices/wifi/flake-module.nix

@@ -1,12 +1,8 @@
 {
-  self,
-  lib,
   ...
 }:
 let
-  module = lib.modules.importApply ./default.nix {
-    inherit (self) packages;
-  };
+  module = ./default.nix;
 in
 {
   clan.modules.wifi = module;

clanServices/wireguard/flake-module.nix

@@ -1,6 +1,6 @@
-{ lib, ... }:
+{ ... }:
 let
-  module = lib.modules.importApply ./default.nix { };
+  module = ./default.nix;
 in
 {
   clan.modules.wireguard = module;

clanServices/yggdrasil/README.md

@@ -0,0 +1,33 @@
+This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across
+your clan. 
+
+Yggdrasil is designed to be a future-proof and decentralised alternative to
+the structured routing protocols commonly used today on the internet. Inside
+your clan, it will allow you to reach all of your machines.
+
+## Example Usage
+
+While you can specify statically configured peers for each host, yggdrasil does
+auto-discovery of local peers.
+
+```nix
+inventory = {
+
+  machines = {
+    peer1 = { };
+    peer2 = { };
+  };
+
+  instances = {
+    yggdrasil = {
+
+      # Deploy on all machines
+      roles.default.tags.all = { };
+
+      # Or individual hosts
+      roles.default.machines.peer1 = { };
+      roles.default.machines.peer2 = { };
+    };
+  };
+};
+```

clanServices/yggdrasil/default.nix

@@ -0,0 +1,125 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "clan-core/yggdrasil";
+  manifest.description = "Yggdrasil encrypted IPv6 routing overlay network";
+
+  roles.default = {
+    interface =
+      { lib, ... }:
+      {
+        options.extraMulticastInterfaces = lib.mkOption {
+          type = lib.types.listOf lib.types.attrs;
+          default = [ ];
+          description = ''
+            Additional interfaces to use for Multicast. See
+            https://yggdrasil-network.github.io/configurationref.html#multicastinterfaces
+            for reference.
+          '';
+          example = [
+            {
+              Regex = "(wg).*";
+              Beacon = true;
+              Listen = true;
+              Port = 5400;
+              Priority = 1020;
+            }
+          ];
+        };
+
+        options.peers = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+          description = ''
+            Static peers to configure for this host.
+            If not set, local peers will be auto-discovered
+          '';
+          example = [
+            "tcp://192.168.1.1:6443"
+            "quic://192.168.1.1:6443"
+            "tls://192.168.1.1:6443"
+            "ws://192.168.1.1:6443"
+          ];
+        };
+      };
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule =
+          {
+            config,
+            pkgs,
+            ...
+          }:
+          {
+
+            clan.core.vars.generators.yggdrasil = {
+
+              files.privateKey = { };
+              files.publicKey.secret = false;
+              files.address.secret = false;
+
+              runtimeInputs = with pkgs; [
+                yggdrasil
+                jq
+                openssl
+              ];
+
+              script = ''
+                # Generate private key
+                openssl genpkey -algorithm Ed25519 -out $out/privateKey
+
+                # Generate corresponding public key
+                openssl pkey -in $out/privateKey -pubout -out $out/publicKey
+
+                # Derive IPv6 address from key
+                echo "{\"PrivateKeyPath\": \"$out/privateKey\"}" | yggdrasil -useconf -address | tr -d '\n' > $out/address
+              '';
+            };
+
+            systemd.services.yggdrasil.serviceConfig.BindReadOnlyPaths = [
+              "%d/key:/key"
+            ];
+
+            systemd.services.yggdrasil.serviceConfig.LoadCredential =
+              "key:${config.clan.core.vars.generators.yggdrasil.files.privateKey.path}";
+
+            services.yggdrasil = {
+              enable = true;
+              openMulticastPort = true;
+              # We don't need this option, because we persist our keys with
+              # vars by ourselfs. This option creates an unnessesary additional
+              # systemd service to save/load the keys and should be removed
+              # from the NixOS module entirely, as it can be replaced by the
+              # (at the time of writing undocumented) PrivateKeyPath= setting.
+              # See https://github.com/NixOS/nixpkgs/pull/440910#issuecomment-3301835895 for details.
+              persistentKeys = false;
+              settings = {
+                PrivateKeyPath = "/key";
+                IfName = "ygg";
+                Peers = settings.peers;
+                MulticastInterfaces = [
+                  # Ethernet is preferred over WIFI
+                  {
+                    Regex = "(eth|en).*";
+                    Beacon = true;
+                    Listen = true;
+                    Port = 5400;
+                    Priority = 1024;
+                  }
+                  {
+                    Regex = "(wl).*";
+                    Beacon = true;
+                    Listen = true;
+                    Port = 5400;
+                    Priority = 1025;
+                  }
+                ]
+                ++ settings.extraMulticastInterfaces;
+              };
+            };
+            networking.firewall.allowedTCPPorts = [ 5400 ];
+          };
+      };
+  };
+}

clanServices/yggdrasil/flake-module.nix

@@ -0,0 +1,24 @@
+{
+  self,
+  lib,
+  ...
+}:
+let
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
+in
+{
+  clan.modules = {
+    yggdrasil = module;
+  };
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.yggdrasil = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules.yggdrasil = module;
+      };
+    };
+}

clanServices/yggdrasil/tests/vm/default.nix

@@ -0,0 +1,67 @@
+{
+  name = "yggdrasil";
+
+  clan = {
+    test.useContainers = false;
+    directory = ./.;
+    inventory = {
+
+      machines.peer1 = { };
+      machines.peer2 = { };
+
+      instances."yggdrasil" = {
+        module.name = "yggdrasil";
+        module.input = "self";
+
+        # Assign the roles to the two machines
+        roles.default.machines.peer1 = { };
+        roles.default.machines.peer2 = { };
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    # Wait for both machines to be ready
+    peer1.wait_for_unit("multi-user.target")
+    peer2.wait_for_unit("multi-user.target")
+
+    # Check that yggdrasil service is running on both machines
+    peer1.wait_for_unit("yggdrasil")
+    peer2.wait_for_unit("yggdrasil")
+    peer1.succeed("systemctl is-active yggdrasil")
+    peer2.succeed("systemctl is-active yggdrasil")
+
+    # Check that both machines have yggdrasil network interfaces
+    peer1.wait_until_succeeds("ip link show | grep -E 'ygg'", 30)
+    peer2.wait_until_succeeds("ip link show | grep -E 'ygg'", 30)
+
+    # Get yggdrasil IPv6 addresses from both machines
+    peer1_ygg_ip = peer1.succeed("yggdrasilctl -json getself | jq -r '.address'").strip()
+    peer2_ygg_ip = peer2.succeed("yggdrasilctl -json getself | jq -r '.address'").strip()
+
+    # Compare runtime addresses with saved addresses from vars
+    expected_peer1_ip = "${builtins.readFile ./vars/per-machine/peer1/yggdrasil/address/value}"
+    expected_peer2_ip = "${builtins.readFile ./vars/per-machine/peer2/yggdrasil/address/value}"
+
+    print(f"peer1 yggdrasil IP: {peer1_ygg_ip}")
+    print(f"peer2 yggdrasil IP: {peer2_ygg_ip}")
+    print(f"peer1 expected IP: {expected_peer1_ip}")
+    print(f"peer2 expected IP: {expected_peer2_ip}")
+
+    # Verify that runtime addresses match expected addresses
+    assert peer1_ygg_ip == expected_peer1_ip, f"peer1 runtime IP {peer1_ygg_ip} != expected IP {expected_peer1_ip}"
+    assert peer2_ygg_ip == expected_peer2_ip, f"peer2 runtime IP {peer2_ygg_ip} != expected IP {expected_peer2_ip}"
+
+    # Wait a bit for the yggdrasil network to establish connectivity
+    import time
+    time.sleep(10)
+
+    # Test connectivity: peer1 should be able to ping peer2 via yggdrasil
+    peer1.succeed(f"ping -6 -c 3 {peer2_ygg_ip}")
+
+    # Test connectivity: peer2 should be able to ping peer1 via yggdrasil
+    peer2.succeed(f"ping -6 -c 3 {peer1_ygg_ip}")
+  '';
+}

clanServices/yggdrasil/tests/vm/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1p8trv2dmpanl3gnzj294c4t5uysu7d6rfjncp5lmn6redyda8fns6p7kca",
+    "type": "age"
+  }
+]

clanServices/yggdrasil/tests/vm/sops/machines/peer2/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age107mprppm3r9u7f26e6t5mhtdny0h5ugfmfjy8kac2tw9nrh9a3ksex0xca",
+    "type": "age"
+  }
+]

clanServices/yggdrasil/tests/vm/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:jDEog7FFXl28Le3rh5VTiY0DFmLhIy2ZccFjuYWx+OQrKNEqTLI1fzaeMWIcgu6ln6wfGUk640d3IhmrF45MVZiJGkpkOU8UFx0=,iv:4oGaoxhFQwr9OQfdLL7y1N/gJo/uGkTPG/xicVprIAQ=,tag:Smu0/P2bQB66w+0J2Bjlxw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ2hib2Mrb0plWUVwNWU5\nWmpxNlduaUVJckhuQlhQbUJpanloWGFLelJ3CjJJMlBGbGRTWEhGUHh2VVkzUzNa\nL3FGVkF3R3JJT051UTg4UlkwOHRNanMKLS0tIDVWcHU4NmFMUWp3STFTYmg5YmNp\nVzd1Uzg2Wkp5QnJ3V1Qyb2lwSXdBRDgK/V5lgw2TePhUC9ngW53ZapIMkcwPvJus\ns0jUYkStHXjsvEiN7BG8cG7/vRbLD8CnKXnmieM20mT6o7GHGfhHMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-17T07:12:51Z",
+		"mac": "ENC[AES256_GCM,data:gy/1NFmpFz/tdhgU/Vr+xg46DUjy9ZbrAtCBnIxclwZLJ/fneBpblv8TFgdysY4Ay6jp1S/TOc8eyr+KLHMqcBlje09wd1ac/Y3ee6GccXitB+/c5ayuXX/ShVCdicsr/9COw7vfndAQPU8XIz6tdy0dbL7jgVTyViZW/P5CXEU=,iv:BQ/INwTTCshl5BVnJbVzHW8rwafERS6bKh2JAJsMv9s=,tag:QhsbjeEBivbl8fQLHjiKtQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/yggdrasil/tests/vm/sops/secrets/peer2-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:1rVgSwg2qPHuXUOQCgOunaNYiBbsh99dZ2y0BV4TxzACwdb3lb6/XnLeDenLELOpKruZQoNJax/NziRr+VHzmh/TlQhNgTkS71A=,iv:Wi5/cFOETb1rhAYeyzkpppzSSm+S+8cCQYc7zkp74FY=,tag:JQHFZJwYMQH4jUqSw6Ld8Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV3ZLZmNrejlvTFF6NDZW\nYmljS0VXQUtCR3IzMG9tMksvSllVVkIxVTEwCi9Fd1dBbmFlYmF2cE1raVJoS3RR\nWmxQY3RwanRZUE5aN1Q2SzhJOFU1elEKLS0tIG9RMElDMEo3TFJjU0RvU3FMQk12\nT1pNc1VjeUliejk3YmJ6d29zUU15aDQKuZ62Q/ywLrpyu1jB34OCPKQEDd150qH6\nHzyw+MasUlzKNs0ZrALwfhnCKiNb/Pq0Lu660Dx5/sFxI/TAqC7NGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-17T07:13:24Z",
+		"mac": "ENC[AES256_GCM,data:N7mmiEZxinOgWdd7QcZBAumnWaApjlQVww4EzAQ1/JH5i8r8CIfPh/7lGMQntlJj5ob+UgrS96nl6XKdvs3Bt7z34zPq7KV3c0mSmclEctRfcZiG4F+rZ0QIMIRJjq7xJL/M9WupSn8Lgms7qHJMdJyHdDkw47bmXz3MIw9c9zo=,iv:ZYPoo5jTIGnZ1HcAWlr26gloVhSjfhwbO/xH5YCbgF0=,tag:UKMVMGEfqyfo04cIkuKD0A==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/yggdrasil/tests/vm/sops/secrets/peer2-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin