Remove clanModules

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/4785

.gitea/workflows/update-clan-core-for-checks.yml

@@ -1,28 +0,0 @@
-name: "Update pinned clan-core for checks"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "51 2 * * *"
-jobs:
-  update-pinned-clan-core:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update clan-core for checks
-        run: nix run .#update-clan-core-for-checks
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-          git commit -am "Update pinned clan-core for checks"
-
-          # Use shared PR creation script
-          export PR_BRANCH="update-clan-core-for-checks"
-          export PR_TITLE="Update Clan Core for Checks"
-          export PR_BODY="This PR updates the pinned clan-core flake input that is used for checks."
-
-          ./.gitea/workflows/create-pr.sh

.gitea/workflows/update-flake-inputs.yml

@@ -19,8 +19,11 @@ jobs:
         uses: Mic92/update-flake-inputs-gitea@main
         with:
           # Exclude private flakes and update-clan-core checks flake
-
+          exclude-patterns: "checks/impure/flake.nix"
-          exclude-patterns: "devFlake/private/flake.nix,checks/impure/flake.nix"
           auto-merge: true
+          git-author-name: "clan-bot"
+          git-committer-name: "clan-bot"
+          git-author-email: "clan-bot@clan.lol"
+          git-committer-email: "clan-bot@clan.lol"
           gitea-token: ${{ secrets.CI_BOT_TOKEN }}
           github-token: ${{ secrets.CI_BOT_GITHUB_TOKEN }}

.gitea/workflows/update-private-flake-inputs.yml

@@ -1,40 +0,0 @@
-name: "Update private flake inputs"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 3 * * *" # Run daily at 3 AM
-jobs:
-  update-private-flake:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update private flake inputs
-        run: |
-          # Update the private flake lock file
-          cd devFlake/private
-          nix flake update
-          cd ../..
-
-          # Update the narHash
-          bash ./devFlake/update-private-narhash
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-
-          # Check if there are any changes
-          if ! git diff --quiet; then
-            git add devFlake/private/flake.lock devFlake/private.narHash
-            git commit -m "Update dev flake"
-            
-            # Use shared PR creation script
-            export PR_BRANCH="update-dev-flake"
-            export PR_TITLE="Update dev flake"
-            export PR_BODY="This PR updates the dev flake inputs and corresponding narHash."
-          else
-            echo "No changes detected in dev flake inputs"
-          fi

.gitignore

@@ -39,7 +39,6 @@ select
 # Generated files
 pkgs/clan-app/ui/api/API.json
 pkgs/clan-app/ui/api/API.ts
-pkgs/clan-app/ui/api/Inventory.ts
 pkgs/clan-app/ui/api/modules_schemas.json
 pkgs/clan-app/ui/api/schema.json
 pkgs/clan-app/ui/.fonts

CODEOWNERS

@@ -1,2 +0,0 @@
-nixosModules/clanCore/vars/.* @lopter
-pkgs/clan-cli/clan_cli/(secrets|vars)/.* @lopter

checks/backups/flake-module.nix

@@ -1,210 +0,0 @@
-{ self, ... }:
-{
-  clan.machines.test-backup = {
-    imports = [ self.nixosModules.test-backup ];
-    fileSystems."/".device = "/dev/null";
-    boot.loader.grub.device = "/dev/null";
-  };
-  clan.inventory.services = {
-    borgbackup.test-backup = {
-      roles.client.machines = [ "test-backup" ];
-      roles.server.machines = [ "test-backup" ];
-    };
-  };
-  flake.nixosModules = {
-    test-backup =
-      {
-        pkgs,
-        lib,
-        ...
-      }:
-      let
-        dependencies =
-          [
-            pkgs.stdenv.drvPath
-          ]
-          ++ builtins.map (i: i.outPath) (builtins.attrValues (builtins.removeAttrs self.inputs [ "self" ]));
-        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-      in
-      {
-        imports = [
-          # Do not import inventory modules. They should be configured via 'clan.inventory'
-          #
-          # TODO: Configure localbackup via inventory
-          self.clanModules.localbackup
-        ];
-        # Borgbackup overrides
-        services.borgbackup.repos.test-backups = {
-          path = "/var/lib/borgbackup/test-backups";
-          authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-        };
-        clan.borgbackup.destinations.test-backup.repo = lib.mkForce "borg@machine:.";
-
-        clan.core.networking.targetHost = "machine";
-        networking.hostName = "machine";
-
-        programs.ssh.knownHosts = {
-          machine.hostNames = [ "machine" ];
-          machine.publicKey = builtins.readFile ../assets/ssh/pubkey;
-        };
-
-        services.openssh = {
-          enable = true;
-          settings.UsePAM = false;
-          settings.UseDns = false;
-          hostKeys = [
-            {
-              path = "/root/.ssh/id_ed25519";
-              type = "ed25519";
-            }
-          ];
-        };
-
-        users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-
-        # This is needed to unlock the user for sshd
-        # Because we use sshd without setuid binaries
-        users.users.borg.initialPassword = "hello";
-
-        systemd.tmpfiles.settings."vmsecrets" = {
-          "/root/.ssh/id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/ssh.id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/borgbackup/borgbackup.ssh" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/borgbackup/borgbackup.repokey" = {
-            C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-        };
-        clan.core.facts.secretStore = "vm";
-        clan.core.vars.settings.secretStore = "vm";
-
-        environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
-        environment.etc.install-closure.source = "${closureInfo}/store-paths";
-        nix.settings = {
-          substituters = lib.mkForce [ ];
-          hashed-mirrors = null;
-          connect-timeout = lib.mkForce 3;
-          flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-        };
-        system.extraDependencies = dependencies;
-        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-
-        clan.core.state.test-service = {
-          preBackupScript = ''
-            touch /var/test-service/pre-backup-command
-          '';
-          preRestoreScript = ''
-            touch /var/test-service/pre-restore-command
-          '';
-          postRestoreScript = ''
-            touch /var/test-service/post-restore-command
-          '';
-          folders = [ "/var/test-service" ];
-        };
-
-        fileSystems."/mnt/external-disk" = {
-          device = "/dev/vdb"; # created in tests with virtualisation.emptyDisks
-          autoFormat = true;
-          fsType = "ext4";
-          options = [
-            "defaults"
-            "noauto"
-          ];
-        };
-
-        clan.localbackup.targets.hdd = {
-          directory = "/mnt/external-disk";
-          preMountHook = ''
-            touch /run/mount-external-disk
-          '';
-          postUnmountHook = ''
-            touch /run/unmount-external-disk
-          '';
-        };
-      };
-  };
-  perSystem =
-    { pkgs, ... }:
-    let
-      clanCore = self.checks.x86_64-linux.clan-core-for-checks;
-    in
-    {
-      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        nixos-test-backups = self.clanLib.test.containerTest {
-          name = "nixos-test-backups";
-          nodes.machine = {
-            imports =
-              [
-                self.nixosModules.clanCore
-                # Some custom overrides for the backup tests
-                self.nixosModules.test-backup
-              ]
-              ++
-              # import the inventory generated nixosModules
-              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
-            clan.core.settings.directory = ./.;
-          };
-
-          testScript = ''
-            import json
-            start_all()
-
-            # dummy data
-            machine.succeed("mkdir -p /var/test-backups /var/test-service")
-            machine.succeed("echo testing > /var/test-backups/somefile")
-
-            # create
-            machine.succeed("clan backups create --debug --flake ${clanCore} test-backup")
-            machine.wait_until_succeeds("! systemctl is-active borgbackup-job-test-backup >&2")
-            machine.succeed("test -f /run/mount-external-disk")
-            machine.succeed("test -f /run/unmount-external-disk")
-
-            # list
-            backup_id = json.loads(machine.succeed("borg-job-test-backup list --json"))["archives"][0]["archive"]
-            out = machine.succeed("clan backups list --debug --flake ${clanCore} test-backup").strip()
-            print(out)
-            assert backup_id in out, f"backup {backup_id} not found in {out}"
-            localbackup_id = "hdd::/mnt/external-disk/snapshot.0"
-            assert localbackup_id in out, "localbackup not found in {out}"
-
-            ## borgbackup restore
-            machine.succeed("rm -f /var/test-backups/somefile")
-            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
-            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-            machine.succeed("test -f /var/test-service/pre-restore-command")
-            machine.succeed("test -f /var/test-service/post-restore-command")
-            machine.succeed("test -f /var/test-service/pre-backup-command")
-
-            ## localbackup restore
-            machine.succeed("rm -rf /var/test-backups/somefile /var/test-service/ && mkdir -p /var/test-service")
-            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup localbackup '{localbackup_id}' >&2")
-            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-            machine.succeed("test -f /var/test-service/pre-restore-command")
-            machine.succeed("test -f /var/test-service/post-restore-command")
-            machine.succeed("test -f /var/test-service/pre-backup-command")
-          '';
-        } { inherit pkgs self; };
-      };
-    };
-}

checks/borgbackup-legacy/default.nix

@@ -1,51 +0,0 @@
-(
-  { ... }:
-  {
-    name = "borgbackup";
-
-    nodes.machine =
-      { self, pkgs, ... }:
-      {
-        imports = [
-          self.clanModules.borgbackup
-          self.nixosModules.clanCore
-          {
-            services.openssh.enable = true;
-            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-            };
-          }
-          {
-            clan.core.settings.directory = ./.;
-            clan.core.state.testState.folders = [ "/etc/state" ];
-            environment.etc.state.text = "hello world";
-            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/borgbackup/borgbackup.repokey" = {
-                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-            # clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-
-            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.systemctl("start --wait borgbackup-job-test.service")
-      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
-    '';
-  }
-)

checks/clan-core-for-checks.nix

@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
   url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "ba8a80eccf091fc7f99aef3895e31617d3813d20";
+  rev = "5d884cecc2585a29b6a3596681839d081b4de192";
-  sha256 = "189srg4mc5y3prapm8day0x0wpibbqc72hrnl61agsmiq7cfmbkd";
+  sha256 = "09is1afmncamavb2q88qac37vmsijxzsy1iz1vr6gsyjq2rixaxc";
 }

checks/flake-module.nix

@@ -2,6 +2,7 @@
   self,
   lib,
   inputs,
+  privateInputs ? { },
   ...
 }:
 let
@@ -33,7 +34,6 @@ in
     in
     getClanCoreTestModules
     ++ filter pathExists [
-      ./backups/flake-module.nix
       ./devshell/flake-module.nix
       ./flash/flake-module.nix
       ./impure/flake-module.nix
@@ -93,17 +93,15 @@ in
 
             # Base Tests
             nixos-test-secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            nixos-test-borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
             nixos-test-wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
             # Container Tests
             nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
             nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
             nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
 
             service-dummy-test = import ./service-dummy-test nixosTestArgs;
+            wireguard = import ./wireguard nixosTestArgs;
             service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs;
           };
 
@@ -113,6 +111,8 @@ in
             "dont-depend-on-repo-root"
           ];
 
+          # Temporary workaround: Filter out docs package and devshell for aarch64-darwin due to CI builder hangs
+          # TODO: Remove this filter once macOS CI builder is updated
           flakeOutputs =
             lib.mapAttrs' (
               name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
@@ -120,8 +120,18 @@ in
             // lib.mapAttrs' (
               name: config: lib.nameValuePair "darwin-${name}" config.config.system.build.toplevel
             ) (self.darwinConfigurations or { })
-            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
+            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") (
-            // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
+              if system == "aarch64-darwin" then
+                lib.filterAttrs (n: _: n != "docs" && n != "deploy-docs" && n != "docs-options") packagesToBuild
+              else
+                packagesToBuild
+            )
+            // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") (
+              if system == "aarch64-darwin" then
+                lib.filterAttrs (n: _: n != "docs") self'.devShells
+              else
+                self'.devShells
+            )
             // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
               self'.legacyPackages.homeConfigurations or { }
             );
@@ -129,35 +139,8 @@ in
         nixosTests
         // flakeOutputs
         // {
-          # TODO: Automatically provide this check to downstream users to check their modules
-          clan-modules-json-compatible =
-            let
-              allSchemas = lib.mapAttrs (
-                _n: m:
-                let
-                  schema =
-                    (self.clanLib.evalService {
-                      modules = [ m ];
-                      prefix = [
-                        "checks"
-                        system
-                      ];
-                    }).config.result.api.schema;
-                in
-                schema
-              ) self.clan.modules;
-            in
-            pkgs.runCommand "combined-result"
-              {
-                schemaFile = builtins.toFile "schemas.json" (builtins.toJSON allSchemas);
-              }
-              ''
-                mkdir -p $out
-                cat $schemaFile > $out/allSchemas.json
-              '';
-
           clan-core-for-checks = pkgs.runCommand "clan-core-for-checks" { } ''
-            cp -r ${pkgs.callPackage ./clan-core-for-checks.nix { }} $out
+            cp -r ${privateInputs.clan-core-for-checks} $out
             chmod -R +w $out
             cp ${../flake.lock} $out/flake.lock
 

checks/flash/flake-module.nix

@@ -50,7 +50,8 @@
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      ]
+      ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
     {
@@ -60,6 +61,10 @@
           nodes.target = {
             virtualisation.emptyDiskImages = [ 4096 ];
             virtualisation.memorySize = 4096;
+
+            virtualisation.useNixStoreImage = true;
+            virtualisation.writableStore = true;
+
             environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
             environment.etc."install-closure".source = "${closureInfo}/store-paths";
 
@@ -78,8 +83,8 @@
             start_all()
 
             # Some distros like to automount disks with spaces
-            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdb && mount /dev/vdb "/mnt/with spaces"')
+            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
           '';
         } { inherit pkgs self; };
       };

checks/impure/flake-module.nix

@@ -40,7 +40,7 @@
         jobs=$(nproc)
         # Spawning worker in pytest is relatively slow, so we limit the number of jobs to 13
         # (current number of impure tests)
-        jobs="$((jobs > 13 ? 13 : jobs))"
+        jobs="$((jobs > 6 ? 6 : jobs))"
 
         nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -n $jobs -m impure ./clan_cli $@"
 

checks/installation/flake-module.nix

@@ -1,6 +1,7 @@
 {
   self,
   lib,
+  privateInputs,
 
   ...
 }:
@@ -151,14 +152,15 @@
         let
           closureInfo = pkgs.closureInfo {
             rootPaths = [
-              self.checks.x86_64-linux.clan-core-for-checks
+              privateInputs.clan-core-for-checks
               self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
               self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
               self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
               pkgs.stdenv.drvPath
               pkgs.bash.drvPath
               pkgs.buildPackages.xorg.lndir
-            ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+            ]
+            ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
           };
         in
         pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
@@ -239,7 +241,7 @@
                   target.shutdown()
               except BrokenPipeError:
                   # qemu has already exited
-                  pass
+                  target.connected = False
 
               # Create a new machine instance that boots from the installed system
               installed_machine = create_test_machine(target, "${pkgs.qemu_test}", name="after_install")

checks/installation/test-helpers.nix

@@ -159,7 +159,8 @@ let
       pkgs.stdenv.drvPath
       pkgs.bash.drvPath
       pkgs.buildPackages.xorg.lndir
-    ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+    ]
+    ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
   };
 
 in

checks/matrix-synapse/default.nix

@@ -1,83 +0,0 @@
-(
-  { pkgs, ... }:
-  {
-    name = "matrix-synapse";
-
-    nodes.machine =
-      {
-        config,
-        self,
-        lib,
-        ...
-      }:
-      {
-        imports = [
-          self.clanModules.matrix-synapse
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-
-            services.nginx.virtualHosts."matrix.clan.test" = {
-              enableACME = lib.mkForce false;
-              forceSSL = lib.mkForce false;
-            };
-            clan.nginx.acme.email = "admins@clan.lol";
-            clan.matrix-synapse = {
-              server_tld = "clan.test";
-              app_domain = "matrix.clan.test";
-            };
-            clan.matrix-synapse.users.admin.admin = true;
-            clan.matrix-synapse.users.someuser = { };
-
-            clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-            clan.core.vars.settings.publicStore = "in_repo";
-
-            # because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them.
-            boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf";
-
-            systemd.tmpfiles.settings."00-vmsecrets" = {
-              # run before 00-nixos.conf
-              "/etc/secrets" = {
-                d.mode = "0700";
-                z.mode = "0700";
-              };
-              "/etc/secrets/matrix-synapse/synapse-registration_shared_secret" = {
-                f.argument = "supersecret";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/matrix-password-admin/matrix-password-admin" = {
-                f.argument = "matrix-password1";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/matrix-password-someuser/matrix-password-someuser" = {
-                f.argument = "matrix-password2";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.wait_for_unit("matrix-synapse")
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
-      machine.wait_until_succeeds("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
-
-      machine.systemctl("restart matrix-synapse >&2") # check if user creation is idempotent
-      machine.execute("journalctl -u matrix-synapse --no-pager >&2")
-      machine.wait_for_unit("matrix-synapse")
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
-      machine.succeed("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
-    '';
-  }
-)

checks/matrix-synapse/synapse-registration_shared_secret

@@ -1 +0,0 @@
-registration_shared_secret: supersecret

checks/morph/flake-module.nix

@@ -35,7 +35,8 @@
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
-                ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+                ]
+                ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
               in
 

checks/service-dummy-test-from-flake/default.nix

@@ -16,7 +16,6 @@ nixosLib.runTest (
 
     # This tests the compatibility of the inventory
     # With the test framework
-    # - legacy-modules
     # - clan.service modules
     name = "service-dummy-test-from-flake";
 
@@ -37,9 +36,6 @@ nixosLib.runTest (
         start_all()
         admin1.wait_for_unit("multi-user.target")
         peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
 
         # peer1 should have the 'hello' file
         peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")

checks/service-dummy-test-from-flake/flake.nix

@@ -15,12 +15,6 @@
             meta.name = "foo";
             machines.peer1 = { };
             machines.admin1 = { };
-            services = {
-              legacy-module.default = {
-                roles.peer.machines = [ "peer1" ];
-                roles.admin.machines = [ "admin1" ];
-              };
-            };
 
             instances."test" = {
               module.name = "new-service";
@@ -28,9 +22,6 @@
               roles.peer.machines.peer1 = { };
             };
 
-            modules = {
-              legacy-module = ./legacy-module;
-            };
           };
 
         modules.new-service = {

checks/service-dummy-test-from-flake/legacy-module/README.md

@@ -1,10 +0,0 @@
----
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
----
-

checks/service-dummy-test-from-flake/legacy-module/roles/admin.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/service-dummy-test-from-flake/legacy-module/roles/peer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/service-dummy-test-from-flake/legacy-module/shared.nix

@@ -1,34 +0,0 @@
-{ config, ... }:
-{
-  systemd.services.dummy-service = {
-    enable = true;
-    description = "Dummy service";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
-      if [ ! -f "$generated_password_path" ]; then
-        echo "Generated password file not found: $generated_password_path"
-        exit 1
-      fi
-      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
-      if [ ! -e "$host_id_path" ]; then
-        echo "Host ID file not found: $host_id_path"
-        exit 1
-      fi
-    '';
-  };
-
-  # TODO: add and prompt and make it work in the test framework
-  clan.core.vars.generators.dummy-generator = {
-    files.host-id.secret = false;
-    files.generated-password.secret = true;
-    script = ''
-      echo $RANDOM > "$out"/host-id
-      echo $RANDOM > "$out"/generated-password
-    '';
-  };
-}

checks/service-dummy-test/default.nix

@@ -15,7 +15,6 @@ nixosLib.runTest (
 
     # This tests the compatibility of the inventory
     # With the test framework
-    # - legacy-modules
     # - clan.service modules
     name = "service-dummy-test";
 
@@ -24,12 +23,6 @@ nixosLib.runTest (
       inventory = {
         machines.peer1 = { };
         machines.admin1 = { };
-        services = {
-          legacy-module.default = {
-            roles.peer.machines = [ "peer1" ];
-            roles.admin.machines = [ "admin1" ];
-          };
-        };
 
         instances."test" = {
           module.name = "new-service";
@@ -37,9 +30,6 @@ nixosLib.runTest (
           roles.peer.machines.peer1 = { };
         };
 
-        modules = {
-          legacy-module = ./legacy-module;
-        };
       };
       modules.new-service = {
         _class = "clan.service";
@@ -78,9 +68,6 @@ nixosLib.runTest (
         start_all()
         admin1.wait_for_unit("multi-user.target")
         peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
 
         # peer1 should have the 'hello' file
         peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")

checks/update/flake-module.nix

@@ -35,6 +35,13 @@
       services.openssh.enable = true;
       services.openssh.settings.PasswordAuthentication = false;
       users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+      services.openssh.knownHosts.localhost.publicKeyFile = ../assets/ssh/pubkey;
+      services.openssh.hostKeys = [
+        {
+          path = ../assets/ssh/privkey;
+          type = "ed25519";
+        }
+      ];
       security.sudo.wheelNeedsPassword = false;
 
       boot.consoleLogLevel = lib.mkForce 100;
@@ -99,12 +106,14 @@
               let
                 closureInfo = pkgs.closureInfo {
                   rootPaths = [
-                    self.checks.x86_64-linux.clan-core-for-checks
+                    self.packages.${pkgs.system}.clan-cli
+                    self.checks.${pkgs.system}.clan-core-for-checks
                     self.clanInternals.machines.${pkgs.hostPlatform.system}.test-update-machine.config.system.build.toplevel
                     pkgs.stdenv.drvPath
                     pkgs.bash.drvPath
                     pkgs.buildPackages.xorg.lndir
-                  ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+                  ]
+                  ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 };
               in
               self.clanLib.test.containerTest {
@@ -151,14 +160,6 @@
                       machine_config_path = os.path.join(flake_dir, "machines", "test-update-machine", "configuration.nix")
                       os.makedirs(os.path.dirname(machine_config_path), exist_ok=True)
 
-                      with open(machine_config_path, "w") as f:
-                          f.write("""
-                      {
-                        environment.etc."update-successful".text = "ok";
-                      }
-                      """)
-
-                      # Run clan update command  
                       # Note: update command doesn't accept -i flag, SSH key must be in ssh-agent
                       # Start ssh-agent and add the key
                       agent_output = subprocess.check_output(["${pkgs.openssh}/bin/ssh-agent", "-s"], text=True)
@@ -172,6 +173,90 @@
                       subprocess.run(["${pkgs.openssh}/bin/ssh-add", ssh_conn.ssh_key], check=True)
 
 
+                      ##############
+                      print("TEST: update with --build-host local")
+                      with open(machine_config_path, "w") as f:
+                          f.write("""
+                      {
+                        environment.etc."update-build-local-successful".text = "ok";
+                      }
+                      """)
+
+                      # rsync the flake into the container
+                      os.environ["PATH"] = f"{os.environ['PATH']}:${pkgs.openssh}/bin"
+                      subprocess.run(
+                        [
+                            "${pkgs.rsync}/bin/rsync",
+                            "-a",
+                            "--delete",
+                            "-e",
+                            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no",
+                            f"{str(flake_dir)}/",
+                            f"root@192.168.1.1:/flake",
+                        ],
+                        check=True
+                      )
+
+                      # allow machine to ssh into itself
+                      subprocess.run([
+                          "ssh",
+                          "-o", "UserKnownHostsFile=/dev/null",
+                          "-o", "StrictHostKeyChecking=no",
+                          f"root@192.168.1.1",
+                          "mkdir -p /root/.ssh && chmod 700 /root/.ssh && echo \"$(cat \"${../assets/ssh/privkey}\")\" > /root/.ssh/id_ed25519 && chmod 600 /root/.ssh/id_ed25519",
+                      ], check=True)
+
+                      # install the clan-cli package into the container's Nix store
+                      subprocess.run(
+                        [
+                            "${pkgs.nix}/bin/nix",
+                            "copy",
+                            "--to",
+                            "ssh://root@192.168.1.1",
+                            "--no-check-sigs",
+                            f"${self.packages.${pkgs.system}.clan-cli}",
+                            "--extra-experimental-features", "nix-command flakes",
+                            "--from", f"{os.environ["TMPDIR"]}/store"
+                        ],
+                        check=True,
+                        env={
+                          **os.environ,
+                          "NIX_SSHOPTS": "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no",
+                        },
+                      )
+
+                      # Run ssh on the host to run the clan update command via --build-host local
+                      subprocess.run([
+                          "ssh",
+                          "-o", "UserKnownHostsFile=/dev/null",
+                          "-o", "StrictHostKeyChecking=no",
+                          f"root@192.168.1.1",
+                          "${self.packages.${pkgs.system}.clan-cli}/bin/clan",
+                          "machines",
+                          "update",
+                          "--debug",
+                          "--flake", "/flake",
+                          "--host-key-check", "none",
+                          "--upload-inputs",  # Use local store instead of fetching from network
+                          "--build-host", "localhost",
+                          "test-update-machine",
+                          "--target-host", f"root@localhost",
+                      ], check=True)
+
+                      # Verify the update was successful
+                      machine.succeed("test -f /etc/update-build-local-successful")
+
+
+                      ##############
+                      print("TEST: update with --target-host")
+
+                      with open(machine_config_path, "w") as f:
+                          f.write("""
+                      {
+                        environment.etc."target-host-update-successful".text = "ok";
+                      }
+                      """)
+
                       # Run clan update command
                       subprocess.run([
                           "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
@@ -180,16 +265,18 @@
                           "--debug",
                           "--flake", flake_dir,
                           "--host-key-check", "none",
-                          "--fetch-local",  # Use local store instead of fetching from network
+                          "--upload-inputs",  # Use local store instead of fetching from network
                           "test-update-machine",
                           "--target-host", f"root@192.168.1.1:{ssh_conn.host_port}",
                       ], check=True)
 
                       # Verify the update was successful
-                      machine.succeed("test -f /etc/update-successful")
+                      machine.succeed("test -f /etc/target-host-update-successful")
 
-                      # Test update with --build-host
+
-                      # Update configuration again to test build-host functionality
+                      ##############
+                      print("TEST: update with --build-host")
+                      # Update configuration again
                       with open(machine_config_path, "w") as f:
                           f.write("""
                       {
@@ -205,24 +292,7 @@
                           "--debug",
                           "--flake", flake_dir,
                           "--host-key-check", "none",
-                          "--fetch-local",  # Use local store instead of fetching from network
+                          "--upload-inputs",  # Use local store instead of fetching from network
-                          "--build-host", f"root@192.168.1.1:{ssh_conn.host_port}",
-                          "test-update-machine",
-                          "--target-host", f"root@192.168.1.1:{ssh_conn.host_port}",
-                      ], check=True)
-
-                      # Verify the second update was successful
-                      machine.succeed("test -f /etc/build-host-update-successful")
-
-                      # Run clan update command with --build-host
-                      subprocess.run([
-                          "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
-                          "machines",
-                          "update",
-                          "--debug",
-                          "--flake", flake_dir,
-                          "--host-key-check", "none",
-                          "--fetch-local",  # Use local store instead of fetching from network
                           "--build-host", f"root@192.168.1.1:{ssh_conn.host_port}",
                           "test-update-machine",
                           "--target-host", f"root@192.168.1.1:{ssh_conn.host_port}",

checks/wireguard/default.nix

@@ -0,0 +1,115 @@
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  lib,
+  ...
+}:
+nixosLib.runTest (
+  { ... }:
+
+  let
+    machines = [
+      "controller1"
+      "controller2"
+      "peer1"
+      "peer2"
+      "peer3"
+    ];
+  in
+  {
+    imports = [
+      clan-core.modules.nixosTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
+    name = "wireguard";
+
+    clan = {
+      directory = ./.;
+      modules."@clan/wireguard" = import ../../clanServices/wireguard/default.nix;
+      inventory = {
+
+        machines = lib.genAttrs machines (_: { });
+
+        instances = {
+
+          /*
+                          wg-test-one
+            ┌───────────────────────────────┐
+            │            ◄─────────────     │
+            │ controller2              controller1
+            │    ▲       ─────────────►    ▲     ▲
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ └───────────────┐ │ │   │ │
+            │    │ │ └──────────────┐  │ │ │   │ │
+            │      ▼                │  ▼ ▼     ▼
+            └─► peer2               │  peer1  peer3
+                                    │          ▲
+                                    └──────────┘
+          */
+
+          wg-test-one = {
+
+            module.name = "@clan/wireguard";
+            module.input = "self";
+
+            roles.controller.machines."controller1".settings = {
+              endpoint = "192.168.1.1";
+            };
+
+            roles.controller.machines."controller2".settings = {
+              endpoint = "192.168.1.2";
+            };
+
+            roles.peer.machines = {
+              peer1.settings.controller = "controller1";
+              peer2.settings.controller = "controller2";
+              peer3.settings.controller = "controller1";
+            };
+          };
+
+          # TODO: Will this actually work with conflicting ports? Can we re-use interfaces?
+          #wg-test-two = {
+          #  module.name = "@clan/wireguard";
+
+          #  roles.controller.machines."controller1".settings = {
+          #    endpoint = "192.168.1.1";
+          #    port = 51922;
+          #  };
+
+          #  roles.peer.machines = {
+          #    peer1 = { };
+          #  };
+          #};
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      # Show all addresses
+      machines = [peer1, peer2, peer3, controller1, controller2]
+      for m in machines:
+          m.systemctl("start network-online.target")
+
+      for m in machines:
+          m.wait_for_unit("network-online.target")
+          m.wait_for_unit("systemd-networkd.service")
+
+      print("\n\n" + "="*60)
+      print("STARTING PING TESTS")
+      print("="*60)
+
+      for m1 in machines:
+          for m2 in machines:
+              if m1 != m2:
+                  print(f"\n--- Pinging from {m1.name} to {m2.name}.wg-test-one ---")
+                  m1.wait_until_succeeds(f"ping -c1 {m2.name}.wg-test-one >&2")
+    '';
+  }
+)

checks/wireguard/sops/machines/controller1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1rnkc2vmrupy9234clyu7fpur5kephuqs3v7qauaw5zeg00jqjdasefn3cc",
+    "type": "age"
+  }
+]

checks/wireguard/sops/machines/controller2/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1t2hhg99d4p2yymuhngcy5ccutp8mvu7qwvg5cdhck303h9e7ha9qnlt635",
+    "type": "age"
+  }
+]

checks/wireguard/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1jts52rzlqcwjc36jkp56a7fmjn3czr7kl9ta2spkfzhvfama33sqacrzzd",
+    "type": "age"
+  }
+]

checks/wireguard/sops/machines/peer2/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age12nqnp0zd435ckp5p0v2fv4p2x4cvur2mnxe8use2sx3fgy883vaq4ae75e",
+    "type": "age"
+  }
+]

checks/wireguard/sops/machines/peer3/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1sglr4zp34drjfydzeweq43fz3uwpul3hkh53lsfa9drhuzwmkqyqn5jegp",
+    "type": "age"
+  }
+]

checks/wireguard/sops/secrets/controller1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:zDF0RiBqaawpg+GaFkuLPomJ01Xu+lgY5JfUzaIk2j03XkCzIf8EMrmn6pRtBP3iUjPBm+gQSTQk6GHTONrixA5hRNyETV+UgQw=,iv:zUUCAGZ0cz4Tc2t/HOjVYNsdnrAOtid/Ns5ak7rnyCk=,tag:z43WtNSue4Ddf7AVu21IKA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlY1NEdjAzQm5RMFZWY3BJ\nclp6c01FdlZFK3dOSDB4cHc1NTdwMXErMFJFCnIrRVFNZEFYOG1rVUhFd2xsbTJ2\nVkJHNmdOWXlOcHJoQ0QzM1VyZmxmcGcKLS0tIFk1cEx4dFdvNGRwK1FWdDZsb1lR\nV2d1RFZtNzZqVFdtQ1FzNStEcEgyUUkKx8tkxqJz/Ko3xgvhvd6IYiV/lRGmrY13\nUZpYWR9tsQwZAR9dLjCyVU3JRuXeGB1unXC1CO0Ff3R0A/PuuRHh+g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:37Z",
+		"mac": "ENC[AES256_GCM,data:8RGOUhZ2LGmC9ugULwHDgdMrtdo9vzBm3BJmL4XTuNJKm0NlKfgNLi1E4n9DMQ+kD4hKvcwbiUcwSGE8jZD6sm7Sh3bJi/HZCoiWm/O/OIzstli2NNDBGvQBgyWZA5H+kDjZ6aEi6icNWIlm5gsty7KduABnf5B3p0Bn5Uf5Bio=,iv:sGZp0XF+mgocVzAfHF8ATdlSE/5zyz5WUSRMJqNeDQs=,tag:ymYVBRwF5BOSAu5ONU2qKw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/sops/secrets/controller1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/wireguard/sops/secrets/controller2-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:dHM7zWzqnC1QLRKYpbI2t63kOFnSaQy6ur9zlkLQf17Q03CNrqUsZtdEbwMnLR3llu7eVMhtvVRkXjEkvn3leb9HsNFmtk/DP70=,iv:roEZsBFqRypM106O5sehTzo7SySOJUJgAR738rTtOo8=,tag:VDd9/6uU0SAM7pWRLIUhUQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTEVYUmVGbUtOcHZ4cnc3\nKzNETnlxaVRKYTI3eWVHdEoyc3l2SnhsZ1J3CnB2RnZrOXM5Uml6TThDUlZjY25J\nbkJ6eUZ2ckN1NWpNUU9IaE93UDJQdlEKLS0tIC95ZDhkU0R1VHhCdldxdW4zSmps\nN3NqL1cvd05hRTRPdDA3R2pzNUFFajgKS+DJH14fH9AvEAa3PoUC1jEqKAzTmExN\nl32FeHTHbGMo1PKeaFm+Eg0WSpAmFE7beBunc5B73SW30ok6x4FcQw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:47Z",
+		"mac": "ENC[AES256_GCM,data:77EnuBQyguvkCtobUg8/6zoLHjmeGDrSBZuIXOZBMxdbJjzhRg++qxQjuu6t0FoWATtz7u4Y3/jzUMGffr/N5HegqSq0D2bhv7AqJwBiVaOwd80fRTtM+YiP/zXsCk52Pj/Gadapg208bDPQ1BBDOyz/DrqZ7w//j+ARJjAnugI=,iv:IuTDmJKZEuHXJXjxrBw0gP2t6vpxAYEqbtpnVbavVCY=,tag:4EnpX6rOamtg1O+AaEQahQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/sops/secrets/controller2-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/wireguard/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:wcSsqxTKiMAnzPwxs5DNjcSdLyjVQ9UOrZxfSbOkVfniwx6F7xz6dLNhaDq7MHQ0vRWpg28yNs7NHrp52bYFnb/+eZsis46WiCw=,iv:B4t1lvS2gC601MtsmZfEiEulLWvSGei3/LSajwFS9Vs=,tag:hnRXlZyYEFfLJUrw1SqbSQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUgya2VEdzMvRG1hdkpu\nM2pGNmcyVmcvYVZ1ZjJlY3A1bXFUUUtkMTI0CmJoRFZmejZjN2UxUXNuc1k5WnE2\nNmxIcnpNQ1lJZ3ZKSmhtSlVURXJTSUUKLS0tIGU4Wi9yZ3VYekJkVW9pNWFHblFk\na0gzbTVKUWdSam1sVjRUaUlTdVd5YWMKntRc9yb9VPOTMibp8QM5m57DilP01N/X\nPTQaw8oI40znnHdctTZz7S+W/3Te6sRnkOhFyalWmsKY0CWg/FELlA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:58Z",
+		"mac": "ENC[AES256_GCM,data:8nq+ugkUJxE24lUIySySs/cAF8vnfqr936L/5F0O1QFwNrbpPmKRXkuwa6u0V+187L2952Id20Fym4ke59f3fJJsF840NCKDwDDZhBZ20q9GfOqIKImEom/Nzw6D0WXQLUT3w8EMyJ/F+UaJxnBNPR6f6+Kx4YgStYzCcA6Ahzg=,iv:VBPktEz7qwWBBnXE+xOP/EUVy7/AmNCHPoK56Yt/ZNc=,tag:qXONwOLFAlopymBEf5p4Sw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/wireguard/sops/secrets/peer2-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:4d3ri0EsDmWRtA8vzvpPRLMsSp4MIMKwvtn0n0pRY05uBPXs3KcjnweMPIeTE1nIhqnMR2o2MfLah5TCPpaFax9+wxIt74uacbg=,iv:0LBAldTC/hN4QLCxgXTl6d9UB8WmUTnj4sD2zHQuG2w=,tag:zr/RhG/AU4g9xj9l2BprKw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvV0JnZDhlU1piU1g2cng0\ncytKOEZ6WlZlNGRGUjV3MmVMd2Nzc0ZwelgwCjBGdThCUGlXbVFYdnNoZWpJZ3Vm\nc2xkRXhxS09vdzltSVoxLzhFSVduak0KLS0tIE5DRjJ6cGxiVlB1eElHWXhxN1pJ\nYWtIMDMvb0Z6akJjUzlqeEFsNHkxL2cKpghv/QegnXimeqd9OPFouGM//jYvoVmw\n2d4mLT2JSMkEhpfGcqb6vswhdJfCiKuqr2B4bqwAnPMaykhsm8DFRQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:20:08Z",
+		"mac": "ENC[AES256_GCM,data:BzlQVAJ7HzcxNPKB3JhabqRX/uU0EElj172YecjmOflHnzz/s9xgfdAfJK/c53hXlX4LtGPnubH7a8jOolRq98zmZeBYE27+WLs2aN7Ufld6mYk90/i7u4CqR+Fh2Kfht04SlUJCjnS5A9bTPwU9XGRHJ0BiOhzTuSMUJTRaPRM=,iv:L50K5zc1o99Ix9nP0pb9PRH+VIN2yvq7JqKeVHxVXmc=,tag:XFLkSCsdbTPxbasDYYxcFQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/sops/secrets/peer2-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/wireguard/sops/secrets/peer3-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:qfLm6+g1vYnESCik9uyBeKsY6Ju2Gq3arnn2I8HHNO67Ri5BWbOQTvtz7WT8/q94RwVjv8SGeJ/fsJSpwLSrJSbqTZCPAnYwzzQ=,iv:PnA9Ao8RRELNhNQYbaorstc0KaIXRU7h3+lgDCXZFHk=,tag:VeLgYQYwqthYihIoQTwYiA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWVVQaDJFd0N3WHptRC9Z\nZTgxTWh5bnU1SkpqRWRXZnhPaFhpSVJmVEhrCjFvdHFYenNWaFNrdXlha09iS2xj\nOTZDcUNkcHkvTDUwNjM4Z3gxUkxreUEKLS0tIE5oY3Q2bWhsb2FSQTVGTWVSclJw\nWllrelRwT3duYjJJbTV0d3FwU1VuNlkK2eN3fHFX/sVUWom8TeZC9fddqnSCsC1+\nJRCZsG46uHDxqLcKIfdFWh++2t16XupQYk3kn+NUR/aMc3fR32Uwjw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:20:18Z",
+		"mac": "ENC[AES256_GCM,data:nUwsPcP1bsDjAHFjQ1NlVkTwyZY4B+BpzNkMx9gl0rE14j425HVLtlhlLndhRp+XMpnDldQppLAAtSdzMsrw8r5efNgTRl7cu4Fy/b9cHt84k7m0aou5lrGus9SV1bM7/fzC9Xm7CSXBcRzyDGVsKC6UBl1rx+ybh7HyAN05XSo=,iv:It57H+zUUNPkoN1D8sYwyZx5zIFIga7mydhGUHYBCGE=,tag:mBQdYqUpjPknbYa13qESyw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/sops/secrets/peer3-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/wireguard/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

checks/wireguard/vars/per-machine/controller1/wireguard-keys-wg-test-one/privatekey/machines/controller1

@@ -0,0 +1 @@
+../../../../../../sops/machines/controller1

checks/wireguard/vars/per-machine/controller1/wireguard-keys-wg-test-one/privatekey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:noe913+28JWkoDkGGMu++cc1+j5NPDoyIhWixdsowoiVO3cTWGkZ88SUGO5D,iv:ynYMljwqMcBdk8RpVcw/2Jflg2RCF28r4fKUgIAF8B4=,tag:+TsXDJgfUhKgg4iQVXKKlQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYVRReTZBQ05GYmVBVjhS\nNXM5aFlhVzZRaVl6UHl6S3JnMC9Sb1dwZ1ZjCmVuS2dEVExYZWROVklUZWFCSnM2\nZnlxbVNseTM2c0Q0TjhsT3NzYmtqREUKLS0tIHBRTFpvVGt6d1cxZ2lFclRsUVhZ\nZDlWaG9PcXVrNUZKaEgxWndjUDVpYjgKt0eOhAgcYdkg9JSEakx4FjChLTn3pis+\njOkuGd4JfXMKcwC7vJV5ygQBxzVJSBw+RucP7sYCBPK0m8Voj94ntw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1rnkc2vmrupy9234clyu7fpur5kephuqs3v7qauaw5zeg00jqjdasefn3cc",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MFJqNHNraG9DSnJZMFdz\ndU8zVXNTamxROFd1dWtuK2RiekhPdHhleVhFCi8zNWJDNXJMRUlDdjc4Q0UycTIz\nSGFGSmdnNU0wZWlDaTEwTzBqWjh6SFkKLS0tIEJOdjhOMDY2TUFLb3RPczNvMERx\nYkpSeW5VOXZvMlEvdm53MDE3aUFTNjgKyelSTjrTIR9I3rJd3krvzpsrKF1uGs4J\n4MtmQj0/3G+zPYZVBx7b3HF6B3f1Z7LYh05+z7nCnN/duXyPnDjNcg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:37Z",
+		"mac": "ENC[AES256_GCM,data:+DmIkPG/H6tCtf8CvB98E1QFXv08QfTcCB3CRsi+XWnIRBkryRd/Au9JahViHMdK7MED8WNf84NWTjY2yH4y824/DjI8XXNMF1iVMo0CqY42xbVHtUuhXrYeT+c8CyEw+M6zfy1jC0+Bm3WQWgagz1G6A9SZk3D2ycu0N08+axA=,iv:kwBjTYebIy5i2hagAajSwwuKnSkrM9GyrnbeQXB2e/w=,tag:EgKJ5gVGYj1NGFUduxLGfg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/vars/per-machine/controller1/wireguard-keys-wg-test-one/privatekey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/wireguard/vars/per-machine/controller1/wireguard-keys-wg-test-one/publickey/value

@@ -0,0 +1 @@
+lQfR7GhivN87XoXruTGOPjVPhNu1Brt//wyc3pdwE20=

checks/wireguard/vars/per-machine/controller1/wireguard-network-wg-test-one/.validation-hash

@@ -0,0 +1 @@
+7470bb5c79df224a9b7f5a2259acd2e46db763c27e24cb3416c8b591cb328077

checks/wireguard/vars/per-machine/controller1/wireguard-network-wg-test-one/prefix/value

@@ -0,0 +1 @@
+fd51:19c1:3b:f700

checks/wireguard/vars/per-machine/controller2/wireguard-keys-wg-test-one/privatekey/machines/controller2

@@ -0,0 +1 @@
+../../../../../../sops/machines/controller2

checks/wireguard/vars/per-machine/controller2/wireguard-keys-wg-test-one/privatekey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:2kehACgvNgoYGPwnW7p86BR0yUu689Chth6qZf9zoJtuTY9ATS68dxDyBc5S,iv:qb2iDUtExegTeN3jt6SA8RnU61W5GDDhn56QXiQT4gw=,tag:pSGPICX5p6qlZ1WMVoIEYQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTTR5TDY4RE9VYmlCK1dL\nWkVRcVZqVDlsbmQvUlJmdzF2b1Z1S0k3NngwCkFWNzRVaERtSmFsd0o2aFJOb0ZX\nSU9yUnVaNi9IUjJWeGRFcEpDUXo5WkEKLS0tIEczNkxiYnJsTWRoLzFhQVF1M21n\nWnZEdGV1N2N5d1FZQkJUQ1IrdGFLblkKPTpha2bxS8CCAMXWTDKX/WOcdvggaP3Y\nqewyahDNzb4ggP+LNKp55BtwFjdvoPoq4BpYOOgMRbQMMk+H1o9WFw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t2hhg99d4p2yymuhngcy5ccutp8mvu7qwvg5cdhck303h9e7ha9qnlt635",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcEZ6Tzk3M0pkV0tOdTBj\nenF2a0tHNnhBa0NrazMwV1VBbXBZR3pzSHpvCnBZOEU0VlFHS1FHcVpTTDdPczVV\nV0RFSlZ0VmIzWGoydEdKVXlIUE9OOEkKLS0tIFZ0cWVBR1loeVlWa2c4U3oweXE2\ncm1ja0JCS3U5Nk41dlAzV2NabDc2bDQKdgCDNnpRZlFPnEGlX6fo0SQX4yOB+E6r\ntnSwofR3xxZvkyme/6JJU5qBZXyCXEAhKMRkFyvJANXzMJAUo/Osow==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:48Z",
+		"mac": "ENC[AES256_GCM,data:e3EkL8vwRhLsec83Zi9DE3PKT+4RwgiffpN4QHcJKTgmDW6hzizWc5kAxbNWGJ9Qqe6sso2KY7tc+hg1lHEsmzjCbg153p8h+7lVI2XT6adi/CS8WZ2VpeL+0X9zDQCjqHmrESZAYFBdkLqO4jucdf0Pc3CKKD+N3BDDTwSUvHM=,iv:xvR7dJL8sdYen00ovrYT8PNxhB9XxSWDSRz1IK23I/o=,tag:OyhAvllBgfAp3eGeNpR/Nw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/vars/per-machine/controller2/wireguard-keys-wg-test-one/privatekey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/wireguard/vars/per-machine/controller2/wireguard-keys-wg-test-one/publickey/value

@@ -0,0 +1 @@
+5Z7gbLFbXpEFfomW2pKyZBpZN5xvUtiqrIL0GVfNtQ8=

checks/wireguard/vars/per-machine/controller2/wireguard-network-wg-test-one/.validation-hash

@@ -0,0 +1 @@
+c3672fdb9fb31ddaf6572fc813cf7a8fe50488ef4e9d534c62d4f29da60a1a99

checks/wireguard/vars/per-machine/controller2/wireguard-network-wg-test-one/prefix/value

@@ -0,0 +1 @@
+fd51:19c1:c1:aa00

checks/wireguard/vars/per-machine/peer1/wireguard-keys-wg-test-one/privatekey/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/wireguard/vars/per-machine/peer1/wireguard-keys-wg-test-one/privatekey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:b+akw85T3D9xc75CPLHucR//k7inpxKDvgpR8tCNKwNDRVjVHjcABhfZNLXW,iv:g11fZE8UI0MVh9GKdjR6leBlxa4wN7ZubozXG/VlBbw=,tag:0YkzWCW3zJ3Mt3br/jmTYw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1jts52rzlqcwjc36jkp56a7fmjn3czr7kl9ta2spkfzhvfama33sqacrzzd",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWkJUR0pIa2xOSEw2dThm\nYlNuOHZCVW93Wkc5LzE4YmpUTHRkZlk3ckc4CnN4M3ZRMWNFVitCT3FyWkxaR0di\nb0NmSXFhRHJmTWg0d05OcWx1LytscEEKLS0tIEtleTFqU3JrRjVsdHpJeTNuVUhF\nWEtnOVlXVXRFamFSak5ia2F2b0JiTzAKlhOBZvZ4AN+QqAYQXvd6YNmgVS4gtkWT\nbV3bLNTgwtrDtet9NDHM8vdF+cn5RZxwFfgmTbDEow6Zm8EXfpxj/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6YVYyQkZqMTJYQTlyRG5Y\nbnJ2UkE1TS9FZkpSa2tQbk1hQjViMi9OcGk0CjFaZUdjU3JtNzh0bDFXdTdUVW4x\nanFqZHZjZjdzKzA2MC8vTWh3Uy82UGcKLS0tIDhyOFl3UGs3czdoMlpza3UvMlB1\nSE90MnpGc05sSCtmVWg0UVNVdmRvN2MKHlCr4U+7bsoYb+2fgT4mEseZCEjxrtLu\n55sR/4YH0vqMnIBnLTSA0e+WMrs3tQfseeJM5jY/ZNnpec1LbxkGTg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:19:58Z",
+		"mac": "ENC[AES256_GCM,data:gEoEC9D2Z7k5F8egaY1qPXT5/96FFVsyofSBivQ28Ir/9xHX2j40PAQrYRJUWsk/GAUMOyi52Wm7kPuacw+bBcdtQ0+MCDEmjkEnh1V83eZ/baey7iMmg05uO92MYY5o4e7ZkwzXoAeMCMcfO0GqjNvsYJHF1pSNa+UNDj+eflw=,iv:dnIYpvhAdvUDe9md53ll42krb0sxcHy/toqGc7JFxNA=,tag:0WkZU7GeKMD1DQTYaI+1dg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/vars/per-machine/peer1/wireguard-keys-wg-test-one/privatekey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/wireguard/vars/per-machine/peer1/wireguard-keys-wg-test-one/publickey/value

@@ -0,0 +1 @@
+juK7P/92N2t2t680aLIRobHc3ts49CsZBvfZOyIKpUc=

checks/wireguard/vars/per-machine/peer1/wireguard-network-wg-test-one/.validation-hash

@@ -0,0 +1 @@
+b36142569a74a0de0f9b229f2a040ae33a22d53bef5e62aa6939912d0cda05ba

checks/wireguard/vars/per-machine/peer1/wireguard-network-wg-test-one/suffix/value

@@ -0,0 +1 @@
+6987:50a0:9b93:4337

checks/wireguard/vars/per-machine/peer2/wireguard-keys-wg-test-one/privatekey/machines/peer2

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer2

checks/wireguard/vars/per-machine/peer2/wireguard-keys-wg-test-one/privatekey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:apX2sLwtq6iQgLJslFwiRMNBUe0XLzLQbhKfmb2pKiJG7jGNHUgHJz3Ls4Ca,iv:HTDatm3iD5wACTkkd3LdRNvJfnfg75RMtn9G6Q7Fqd4=,tag:Mfehlljnes5CFD1NJdk27A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age12nqnp0zd435ckp5p0v2fv4p2x4cvur2mnxe8use2sx3fgy883vaq4ae75e",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZzFyMUZsd2V2VWxOUmhP\nZE8yZTc4Q0RkZisxR25NemR1TzVDWmJZVjBVClA1MWhsU0xzSG16aUx3cWFWKzlG\nSkxrT09OTkVqLzlWejVESE1QWHVJaFkKLS0tIGxlaGVuWU43RXErNTB3c3FaUnM3\nT0N5M253anZkbnFkZWw2VHA0eWhxQW8Kd1PMtEX1h0Hd3fDLMi++gKJkzPi9FXUm\n+uYhx+pb+pJM+iLkPwP/q6AWC7T0T4bHfekkdzxrbsKMi73x/GrOiw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVzRIMWdlNjVwTURyMFkv\nSUhiajZkZVNuWklRYit6cno4UzNDa2szOFN3CkQ2TWhHb25pbmR1MlBsRXNLL2lx\ncVZ3c3BsWXN2aS9UUVYvN3I4S0xUSmMKLS0tIE5FV0U5aXVUZk9XL0U0Z2ZSNGd5\nbU9zY3IvMlpSNVFLYkRNQUpUYVZOWFUK7j4Otzb8CJTcT7aAj9/irxHEDXh1HkTg\nzz7Ho8/ZncNtaCVHlHxjTgVW9d5aIx8fSsV9LRCFwHMtNzvwj1Nshg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:20:08Z",
+		"mac": "ENC[AES256_GCM,data:e7WNVEz78noHBiz6S3A6qNfop+yBXB3rYN0k4GvaQKz3b99naEHuqIF8Smzzt4XrbbiPKu2iLa5ddLBlqqsi32UQUB8JS9TY7hvW8ol+jpn0VxusGCXW9ThdDEsM/hXiPyr331C73zTvbOYI1hmcGMlJL9cunVRO9rkMtEqhEfo=,iv:6zt7wjIs1y5xDHNK+yLOwoOuUpY7/dOGJGT6UWAFeOg=,tag:gzFTgoxhoLzUV0lvzOhhfg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/vars/per-machine/peer2/wireguard-keys-wg-test-one/privatekey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/wireguard/vars/per-machine/peer2/wireguard-keys-wg-test-one/publickey/value

@@ -0,0 +1 @@
+XI9uSaQRDBCb82cMnGzGJcbqRfDG/IXZobyeL+kV03k=

checks/wireguard/vars/per-machine/peer2/wireguard-network-wg-test-one/.validation-hash

@@ -0,0 +1 @@
+360f9fce4a984eb87ce2a673eb5341ecb89c0f62126548d45ef25ff5243dd646

checks/wireguard/vars/per-machine/peer2/wireguard-network-wg-test-one/suffix/value

@@ -0,0 +1 @@
+3b21:3ced:003e:89b3

checks/wireguard/vars/per-machine/peer3/wireguard-keys-wg-test-one/privatekey/machines/peer3

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer3

checks/wireguard/vars/per-machine/peer3/wireguard-keys-wg-test-one/privatekey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:Gluvjes/3oH5YsDq00JDJyJgoEFcj56smioMArPSt309MDGExYX2QsCzeO1q,iv:oBBJRDdTj/1dWEvzhdFKQ2WfeCKyavKMLmnMbqnU5PM=,tag:2WNFxKz2dWyVcybpm5N4iw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQWpjRmhZTFdPa2VSZkFN\nbUczMlY5bDBmMTdoMy8xcWxMaXpWVitMZGdjCnRWb2Y3eGpHU1hmNHRJVFBqbU5w\nVEZGdUIrQXk0U0dUUEZ6bE5EMFpTRHMKLS0tIGpYSmZmQThJUTlvTHpjc05ZVlM4\nQWhTOWxnUHZnYlJ3czE3ZUJ0L3ozWTQK3a7N0Zpzo4sUezYveqvKR49RUdJL23eD\n+cK5lk2xbtj+YHkeG+dg7UlHfDaicj0wnFH1KLuWmNd1ONa6eQp3BQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1sglr4zp34drjfydzeweq43fz3uwpul3hkh53lsfa9drhuzwmkqyqn5jegp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3a2FOWlVsSkdnendrYmUz\ndEpuL1hZSWNFTUtDYm14S3V1aW9KS3hsazJRCkp2SkFFbi9hbGJpNks1MlNTL0s5\nTk5pcUMxaEJobkcvWmRGeU9jMkdNdzAKLS0tIDR6M0Y5eE1ETHJJejAzVW1EYy9v\nZCtPWHJPUkhuWnRzSGhMUUtTa280UmMKXvtnxyop7PmRvTOFkV80LziDjhGh93Pf\nYwhD/ByD/vMmr21Fd6PVHOX70FFT30BdnMc1/wt7c/0iAw4w4GoQsA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-13T09:20:18Z",
+		"mac": "ENC[AES256_GCM,data:3nXMTma0UYXCco+EM8UW45cth7DVMboFBKyesL86GmaG6OlTkA2/25AeDrtSVO13a5c2jC6yNFK5dE6pSe5R9f0BoDF7d41mgc85zyn+LGECNWKC6hy6gADNSDD6RRuV1S3FisFQl1F1LD8LiSWmg/XNMZzChNlHYsCS8M+I84g=,iv:pu5VVXAVPmVoXy0BJ+hq5Ar8R0pZttKSYa4YS+dhDNc=,tag:xp1S/4qExnxMTGwhfLJrkA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

checks/wireguard/vars/per-machine/peer3/wireguard-keys-wg-test-one/privatekey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/wireguard/vars/per-machine/peer3/wireguard-keys-wg-test-one/publickey/value

@@ -0,0 +1 @@
+t6qN4VGLR+VMhrBDNKQEXZVyRsEXs1/nGFRs5DI82F8=

checks/wireguard/vars/per-machine/peer3/wireguard-network-wg-test-one/.validation-hash

@@ -0,0 +1 @@
+e3facc99b73fe029d4c295f71829a83f421f38d82361cf412326398175da162a

checks/wireguard/vars/per-machine/peer3/wireguard-network-wg-test-one/suffix/value

@@ -0,0 +1 @@
+e42b:bf85:33f4:f0b1

checks/zt-tcp-relay/default.nix

@@ -1,24 +0,0 @@
-(
-  { pkgs, ... }:
-  {
-    name = "zt-tcp-relay";
-
-    nodes.machine =
-      { self, ... }:
-      {
-        imports = [
-          self.nixosModules.clanCore
-          self.clanModules.zt-tcp-relay
-          {
-            clan.core.settings.directory = ./.;
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.wait_for_unit("zt-tcp-relay.service")
-      out = machine.succeed("${pkgs.netcat}/bin/nc -z -v localhost 4443")
-      print(out)
-    '';
-  }
-)

clanModules/admin/README.md

@@ -1,5 +0,0 @@
----
-description = "Convenient Administration for the Clan App"
-categories = ["Utility"]
-features = [ "inventory", "deprecated" ]
----

clanModules/admin/default.nix

@@ -1,3 +0,0 @@
-{
-  imports = [ ./roles/default.nix ];
-}

clanModules/admin/roles/default.nix

@@ -1,30 +0,0 @@
-{ lib, config, ... }:
-{
-
-  options.clan.admin = {
-    allowedKeys = lib.mkOption {
-      default = { };
-      type = lib.types.attrsOf lib.types.str;
-      description = "The allowed public keys for ssh access to the admin user";
-      example = {
-        "key_1" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...";
-      };
-    };
-  };
-  # Bad practice.
-  # Should we add 'clanModules' to specialArgs?
-  imports = [
-    ../../sshd
-    ../../root-password
-  ];
-  config = {
-
-    warnings = [
-      "The clan.admin module is deprecated and will be removed on 2025-07-15.
-      Please migrate to user-maintained configuration or the new equivalent clan services
-      (https://docs.clan.lol/reference/clanServices)."
-    ];
-
-    users.users.root.openssh.authorizedKeys.keys = builtins.attrValues config.clan.admin.allowedKeys;
-  };
-}

clanModules/auto-upgrade/README.md

@@ -1,8 +0,0 @@
----
-description = "Set up automatic upgrades"
-categories = ["System"]
-features = [ "inventory", "deprecated" ]
----
-
-Whether to periodically upgrade NixOS to the latest version. If enabled, a
-systemd timer will run `nixos-rebuild switch --upgrade` once a day.

clanModules/auto-upgrade/roles/default.nix

@@ -1,32 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.clan.auto-upgrade;
-in
-{
-  options.clan.auto-upgrade = {
-    flake = lib.mkOption {
-      type = lib.types.str;
-      description = "Flake reference";
-    };
-  };
-
-  config = {
-
-    warnings = [
-      "The clan.auto-upgrade module is deprecated and will be removed on 2025-07-15.
-      Please migrate to user-maintained configuration or the new equivalent clan services
-      (https://docs.clan.lol/reference/clanServices)."
-    ];
-
-    system.autoUpgrade = {
-      inherit (cfg) flake;
-      enable = true;
-      dates = "02:00";
-      randomizedDelaySec = "45min";
-    };
-  };
-}

clanModules/borgbackup-static/README.md

@@ -1,16 +0,0 @@
----
-description = "Statically configure borgbackup with sane defaults."
----
-!!! Danger "Deprecated"
-    Use [borgbackup](borgbackup.md) instead.
-
-    Don't use borgbackup-static through [inventory](../../concepts/inventory.md).
-
-This module implements the `borgbackup` backend and implements sane defaults
-for backup management through `borgbackup` for members of the clan.
-
-Configure target machines where the backups should be sent to through `targets`.
-
-Configure machines that should be backuped either through `includeMachines`
-which will exclusively add the included machines to be backuped, or through
-`excludeMachines`, which will add every machine except the excluded machine to the backup.

clanModules/borgbackup-static/default.nix

@@ -1,104 +0,0 @@
-{ lib, config, ... }:
-let
-  dir = config.clan.core.settings.directory;
-  machineDir = dir + "/machines/";
-in
-{
-  imports = [ ../borgbackup ];
-
-  options.clan.borgbackup-static = {
-    excludeMachines = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      example = lib.literalExpression "[ config.clan.core.settings.machine.name ]";
-      default = [ ];
-      description = ''
-        Machines that should not be backuped.
-        Mutually exclusive with includeMachines.
-        If this is not empty, every other machine except the targets in the clan will be backuped by this module.
-        If includeMachines is set, only the included machines will be backuped.
-      '';
-    };
-    includeMachines = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      example = lib.literalExpression "[ config.clan.core.settings.machine.name ]";
-      default = [ ];
-      description = ''
-        Machines that should be backuped.
-        Mutually exclusive with excludeMachines.
-      '';
-    };
-    targets = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      description = ''
-        Machines that should act as target machines for backups.
-      '';
-    };
-  };
-
-  config.services.borgbackup.repos =
-    let
-      machines = builtins.readDir machineDir;
-      borgbackupIpMachinePath = machines: machineDir + machines + "/facts/borgbackup.ssh.pub";
-      filteredMachines =
-        if ((builtins.length config.clan.borgbackup-static.includeMachines) != 0) then
-          lib.filterAttrs (name: _: (lib.elem name config.clan.borgbackup-static.includeMachines)) machines
-        else
-          lib.filterAttrs (name: _: !(lib.elem name config.clan.borgbackup-static.excludeMachines)) machines;
-      machinesMaybeKey = lib.mapAttrsToList (
-        machine: _:
-        let
-          fullPath = borgbackupIpMachinePath machine;
-        in
-        if builtins.pathExists fullPath then machine else null
-      ) filteredMachines;
-      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
-      hosts = builtins.map (machine: {
-        name = machine;
-        value = {
-          path = "/var/lib/borgbackup/${machine}";
-          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
-        };
-      }) machinesWithKey;
-    in
-    lib.mkIf
-      (builtins.any (
-        target: target == config.clan.core.settings.machine.name
-      ) config.clan.borgbackup-static.targets)
-      (if (builtins.listToAttrs hosts) != null then builtins.listToAttrs hosts else { });
-
-  config.clan.borgbackup.destinations =
-    let
-      destinations = builtins.map (d: {
-        name = d;
-        value = {
-          repo = "borg@${d}:/var/lib/borgbackup/${config.clan.core.settings.machine.name}";
-        };
-      }) config.clan.borgbackup-static.targets;
-    in
-    lib.mkIf (builtins.any (
-      target: target == config.clan.core.settings.machine.name
-    ) config.clan.borgbackup-static.includeMachines) (builtins.listToAttrs destinations);
-
-  config.assertions = [
-    {
-      assertion =
-        !(
-          ((builtins.length config.clan.borgbackup-static.excludeMachines) != 0)
-          && ((builtins.length config.clan.borgbackup-static.includeMachines) != 0)
-        );
-      message = ''
-        The options:
-        config.clan.borgbackup-static.excludeMachines = [${builtins.toString config.clan.borgbackup-static.excludeMachines}]
-        and
-        config.clan.borgbackup-static.includeMachines = [${builtins.toString config.clan.borgbackup-static.includeMachines}]
-        are mutually exclusive.
-        Use excludeMachines to exclude certain machines and backup the other clan machines.
-        Use include machines to only backup certain machines.
-      '';
-    }
-  ];
-  config.warnings = lib.optional (
-    builtins.length config.clan.borgbackup-static.targets > 0
-  ) "The borgbackup-static module is deprecated use the service via the inventory interface instead.";
-}

clanModules/borgbackup/README.md

@@ -1,14 +0,0 @@
----
-description = "Efficient, deduplicating backup program with optional compression and secure encryption."
-categories = ["System"]
-features = [ "inventory", "deprecated" ]
----
-BorgBackup (short: Borg) gives you:
-
-- Space efficient storage of backups.
-- Secure, authenticated encryption.
-- Compression: lz4, zstd, zlib, lzma or none.
-- Mountable backups with FUSE.
-- Easy installation on multiple platforms: Linux, macOS, BSD, …
-- Free software (BSD license).
-- Backed by a large and active open-source community.

clanModules/borgbackup/default.nix

@@ -1,6 +0,0 @@
-# Dont import this file
-# It is only here for backwards compatibility.
-# Dont author new modules with this file.
-{
-  imports = [ ./roles/client.nix ];
-}

clanModules/borgbackup/roles/client.nix

@@ -1,210 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  # Instances might be empty, if the module is not used via the inventory
-  instances = config.clan.inventory.services.borgbackup or { };
-  # roles = { ${role_name} :: { machines :: [string] } }
-  allServers = lib.foldlAttrs (
-    acc: _instanceName: instanceConfig:
-    acc
-    ++ (
-      if builtins.elem machineName instanceConfig.roles.client.machines then
-        instanceConfig.roles.server.machines
-      else
-        [ ]
-    )
-  ) [ ] instances;
-
-  machineName = config.clan.core.settings.machine.name;
-
-  cfg = config.clan.borgbackup;
-  preBackupScript = ''
-    declare -A preCommandErrors
-
-    ${lib.concatMapStringsSep "\n" (
-      state:
-      lib.optionalString (state.preBackupCommand != null) ''
-        echo "Running pre-backup command for ${state.name}"
-        if ! /run/current-system/sw/bin/${state.preBackupCommand}; then
-          preCommandErrors["${state.name}"]=1
-        fi
-      ''
-    ) (lib.attrValues config.clan.core.state)}
-
-    if [[ ''${#preCommandErrors[@]} -gt 0 ]]; then
-      echo "pre-backup commands failed for the following services:"
-      for state in "''${!preCommandErrors[@]}"; do
-        echo "  $state"
-      done
-      exit 1
-    fi
-  '';
-in
-{
-  options.clan.borgbackup.destinations = lib.mkOption {
-    type = lib.types.attrsOf (
-      lib.types.submodule (
-        { name, ... }:
-        {
-          options = {
-            name = lib.mkOption {
-              type = lib.types.strMatching "^[a-zA-Z0-9._-]+$";
-              default = name;
-              description = "the name of the backup job";
-            };
-            repo = lib.mkOption {
-              type = lib.types.str;
-              description = "the borgbackup repository to backup to";
-            };
-            rsh = lib.mkOption {
-              type = lib.types.str;
-              default = "ssh -i ${
-                config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path
-              } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=Yes";
-              defaultText = "ssh -i \${config.clan.core.vars.generators.borgbackup.files.\"borgbackup.ssh\".path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
-              description = "the rsh to use for the backup";
-            };
-          };
-        }
-      )
-    );
-    default = { };
-    description = ''
-      destinations where the machine should be backuped to
-    '';
-  };
-
-  options.clan.borgbackup.exclude = lib.mkOption {
-    type = lib.types.listOf lib.types.str;
-    example = [ "*.pyc" ];
-    default = [ ];
-    description = ''
-      Directories/Files to exclude from the backup.
-      Use * as a wildcard.
-    '';
-  };
-
-  config = {
-
-    warnings = [
-      "The clan.borgbackup module is deprecated and will be removed on 2025-07-15.
-      Please migrate to user-maintained configuration or the new equivalent clan services
-      (https://docs.clan.lol/reference/clanServices)."
-    ];
-
-    # Destinations
-    clan.borgbackup.destinations =
-      let
-        destinations = builtins.map (serverName: {
-          name = serverName;
-          value = {
-            repo = "borg@${serverName}:/var/lib/borgbackup/${machineName}";
-          };
-        }) allServers;
-      in
-      (builtins.listToAttrs destinations);
-
-    # Derived from the destinations
-    systemd.services = lib.mapAttrs' (
-      _: dest:
-      lib.nameValuePair "borgbackup-job-${dest.name}" {
-        # since borgbackup mounts the system read-only, we need to run in a
-        # ExecStartPre script, so we can generate additional files.
-        serviceConfig.ExecStartPre = [
-          ''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
-        ];
-      }
-    ) cfg.destinations;
-
-    services.borgbackup.jobs = lib.mapAttrs (_: dest: {
-      paths = lib.unique (
-        lib.flatten (map (state: state.folders) (lib.attrValues config.clan.core.state))
-      );
-      exclude = cfg.exclude;
-      repo = dest.repo;
-      environment.BORG_RSH = dest.rsh;
-      compression = "auto,zstd";
-      startAt = "*-*-* 01:00:00";
-      persistentTimer = true;
-
-      encryption = {
-        mode = "repokey";
-        passCommand = "cat ${config.clan.core.vars.generators.borgbackup.files."borgbackup.repokey".path}";
-      };
-
-      prune.keep = {
-        within = "1d"; # Keep all archives from the last day
-        daily = 7;
-        weekly = 4;
-        monthly = 0;
-      };
-    }) cfg.destinations;
-
-    environment.systemPackages = [
-      (pkgs.writeShellApplication {
-        name = "borgbackup-create";
-        runtimeInputs = [ config.systemd.package ];
-        text = ''
-          ${lib.concatMapStringsSep "\n" (dest: ''
-            systemctl start borgbackup-job-${dest.name}
-          '') (lib.attrValues cfg.destinations)}
-        '';
-      })
-      (pkgs.writeShellApplication {
-        name = "borgbackup-list";
-        runtimeInputs = [ pkgs.jq ];
-        text = ''
-          (${
-            lib.concatMapStringsSep "\n" (
-              dest:
-              # we need yes here to skip the changed url verification
-              ''echo y | /run/current-system/sw/bin/borg-job-${dest.name} list --json | jq '[.archives[] | {"name": ("${dest.name}::${dest.repo}::" + .name)}]' ''
-            ) (lib.attrValues cfg.destinations)
-          }) | jq -s 'add // []'
-        '';
-      })
-      (pkgs.writeShellApplication {
-        name = "borgbackup-restore";
-        runtimeInputs = [ pkgs.gawk ];
-        text = ''
-          cd /
-          IFS=':' read -ra FOLDER <<< "''${FOLDERS-}"
-          job_name=$(echo "$NAME" | awk -F'::' '{print $1}')
-          backup_name=''${NAME#"$job_name"::}
-          if [[ ! -x /run/current-system/sw/bin/borg-job-"$job_name" ]]; then
-            echo "borg-job-$job_name not found: Backup name is invalid" >&2
-            exit 1
-          fi
-          echo y | /run/current-system/sw/bin/borg-job-"$job_name" extract "$backup_name" "''${FOLDER[@]}"
-        '';
-      })
-    ];
-
-    clan.core.vars.generators.borgbackup = {
-      files."borgbackup.ssh.pub".secret = false;
-      files."borgbackup.ssh" = { };
-      files."borgbackup.repokey" = { };
-
-      migrateFact = "borgbackup";
-      runtimeInputs = [
-        pkgs.coreutils
-        pkgs.openssh
-        pkgs.xkcdpass
-      ];
-      script = ''
-        ssh-keygen -t ed25519 -N "" -C "" -f "$out"/borgbackup.ssh
-        xkcdpass -n 4 -d - > "$out"/borgbackup.repokey
-      '';
-    };
-
-    clan.core.backups.providers.borgbackup = {
-      list = "borgbackup-list";
-      create = "borgbackup-create";
-      restore = "borgbackup-restore";
-    };
-  };
-}

clanModules/borgbackup/roles/server.nix

@@ -1,63 +0,0 @@
-{ config, lib, ... }:
-let
-  dir = config.clan.core.settings.directory;
-  machineDir = dir + "/vars/per-machine/";
-  machineName = config.clan.core.settings.machine.name;
-
-  # Instances might be empty, if the module is not used via the inventory
-  #
-  # Type: { ${instanceName} :: { roles :: Roles } }
-  #   Roles :: { ${role_name} :: { machines :: [string] } }
-  instances = config.clan.inventory.services.borgbackup or { };
-
-  allClients = lib.foldlAttrs (
-    acc: _instanceName: instanceConfig:
-    acc
-    ++ (
-      if (builtins.elem machineName instanceConfig.roles.server.machines) then
-        instanceConfig.roles.client.machines
-      else
-        [ ]
-    )
-  ) [ ] instances;
-in
-{
-  options = {
-    clan.borgbackup.directory = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/borgbackup";
-      description = ''
-        The directory where the borgbackup repositories are stored.
-      '';
-    };
-  };
-  config.services.borgbackup.repos =
-    let
-      borgbackupIpMachinePath = machine: machineDir + machine + "/borgbackup/borgbackup.ssh.pub/value";
-
-      machinesMaybeKey = builtins.map (
-        machine:
-        let
-          fullPath = borgbackupIpMachinePath machine;
-        in
-        if builtins.pathExists fullPath then
-          machine
-        else
-          lib.warn ''
-            Machine ${machine} does not have a borgbackup key at ${fullPath},
-            run `clan vars generate ${machine}` to generate it.
-          '' null
-      ) allClients;
-
-      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
-
-      hosts = builtins.map (machine: {
-        name = machine;
-        value = {
-          path = "${config.clan.borgbackup.directory}/${machine}";
-          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
-        };
-      }) machinesWithKey;
-    in
-    if (builtins.listToAttrs hosts) != [ ] then builtins.listToAttrs hosts else { };
-}

clanModules/data-mesher/README.md

@@ -1,10 +0,0 @@
----
-description = "Set up data-mesher"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
----
-

clanModules/data-mesher/lib.nix

@@ -1,19 +0,0 @@
-lib: {
-
-  machines =
-    config:
-    let
-      instanceNames = builtins.attrNames config.clan.inventory.services.data-mesher;
-      instanceName = builtins.head instanceNames;
-      dataMesherInstances = config.clan.inventory.services.data-mesher.${instanceName};
-
-      uniqueStrings = list: builtins.attrNames (builtins.groupBy lib.id list);
-    in
-    rec {
-      admins = dataMesherInstances.roles.admin.machines or [ ];
-      signers = dataMesherInstances.roles.signer.machines or [ ];
-      peers = dataMesherInstances.roles.peer.machines or [ ];
-      bootstrap = uniqueStrings (admins ++ signers);
-    };
-
-}

clanModules/data-mesher/roles/admin.nix

@@ -1,58 +0,0 @@
-{ lib, config, ... }:
-let
-  cfg = config.clan.data-mesher;
-
-  dmLib = import ../lib.nix lib;
-in
-{
-  imports = [
-    ../shared.nix
-  ];
-
-  options.clan.data-mesher = {
-    network = {
-      tld = lib.mkOption {
-        type = lib.types.str;
-        default = (config.networking.domain or "clan");
-        description = "Top level domain to use for the network";
-      };
-
-      hostTTL = lib.mkOption {
-        type = lib.types.str;
-        default = "672h"; # 28 days
-        example = "24h";
-        description = "The TTL for hosts in the network, in the form of a Go time.Duration";
-      };
-    };
-  };
-
-  config = {
-
-    warnings = [
-      "The clan.admin module is deprecated and will be removed on 2025-07-15.
-      Please migrate to user-maintained configuration or the new equivalent clan services
-      (https://docs.clan.lol/reference/clanServices)."
-    ];
-
-    services.data-mesher.initNetwork =
-      let
-        # for a given machine, read it's public key and remove any new lines
-        readHostKey =
-          machine:
-          let
-            path = "${config.clan.core.settings.directory}/vars/per-machine/${machine}/data-mesher-host-key/public_key/value";
-          in
-          builtins.elemAt (lib.splitString "\n" (builtins.readFile path)) 1;
-      in
-      {
-        enable = true;
-        keyPath = config.clan.core.vars.generators.data-mesher-network-key.files.private_key.path;
-
-        tld = cfg.network.tld;
-        hostTTL = cfg.network.hostTTL;
-
-        # admin and signer host public keys
-        signingKeys = builtins.map readHostKey (dmLib.machines config).bootstrap;
-      };
-  };
-}

clanModules/data-mesher/roles/peer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

clanModules/data-mesher/roles/signer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

clanModules/data-mesher/shared.nix

@@ -1,152 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.clan.data-mesher;
-  dmLib = import ./lib.nix lib;
-
-  # the default bootstrap nodes are any machines with the admin or signers role
-  # we iterate through those machines, determining an IP address for them based on their VPN
-  # currently only supports zerotier
-  defaultBootstrapNodes = builtins.foldl' (
-    urls: name:
-    let
-
-      ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
-
-    in
-    if builtins.pathExists ipPath then
-      let
-        ip = builtins.readFile ipPath;
-      in
-      urls ++ [ "[${ip}]:${builtins.toString cfg.network.port}" ]
-    else
-      urls
-  ) [ ] (dmLib.machines config).bootstrap;
-in
-{
-  options.clan.data-mesher = {
-
-    bootstrapNodes = lib.mkOption {
-      type = lib.types.nullOr (lib.types.listOf lib.types.str);
-      default = null;
-      description = ''
-        A list of bootstrap nodes that act as an initial gateway when joining
-        the cluster.
-      '';
-      example = [
-        "192.168.1.1:7946"
-        "192.168.1.2:7946"
-      ];
-    };
-
-    network = {
-
-      interface = lib.mkOption {
-        type = lib.types.str;
-        description = ''
-          The interface over which cluster communication should be performed.
-          All the ip addresses associate with this interface will be part of
-          our host claim, including both ipv4 and ipv6.
-
-          This should be set to an internal/VPN interface.
-        '';
-        example = "tailscale0";
-      };
-
-      port = lib.mkOption {
-        type = lib.types.port;
-        default = 7946;
-        description = ''
-          Port to listen on for cluster communication.
-        '';
-      };
-    };
-  };
-
-  config = {
-
-    services.data-mesher = {
-      enable = true;
-      openFirewall = true;
-
-      settings = {
-        log_level = "warn";
-        state_dir = "/var/lib/data-mesher";
-
-        # read network id from vars
-        network.id = config.clan.core.vars.generators.data-mesher-network-key.files.public_key.value;
-
-        host = {
-          names = [ config.networking.hostName ];
-          key_path = config.clan.core.vars.generators.data-mesher-host-key.files.private_key.path;
-        };
-
-        cluster = {
-          port = cfg.network.port;
-          join_interval = "30s";
-          push_pull_interval = "30s";
-
-          interface = cfg.network.interface;
-
-          bootstrap_nodes = if cfg.bootstrapNodes == null then defaultBootstrapNodes else cfg.bootstrapNodes;
-        };
-
-        http.port = 7331;
-        http.interface = "lo";
-      };
-    };
-
-    # Generate host key.
-    clan.core.vars.generators.data-mesher-host-key = {
-      files =
-        let
-          owner = config.users.users.data-mesher.name;
-        in
-        {
-          private_key = {
-            inherit owner;
-          };
-          public_key.secret = false;
-        };
-
-      runtimeInputs = [
-        config.services.data-mesher.package
-      ];
-
-      script = ''
-        data-mesher generate keypair \
-            --public-key-path "$out"/public_key \
-            --private-key-path "$out"/private_key
-      '';
-    };
-
-    clan.core.vars.generators.data-mesher-network-key = {
-      # generated once per clan
-      share = true;
-
-      files =
-        let
-          owner = config.users.users.data-mesher.name;
-        in
-        {
-          private_key = {
-            inherit owner;
-          };
-          public_key.secret = false;
-        };
-
-      runtimeInputs = [
-        config.services.data-mesher.package
-      ];
-
-      script = ''
-        data-mesher generate keypair \
-            --public-key-path "$out"/public_key \
-            --private-key-path "$out"/private_key
-      '';
-    };
-  };
-}

clanModules/deltachat/README.md

@@ -1,17 +0,0 @@
----
-description = "Email-based instant messaging for Desktop."
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
----
-
-!!! info
-    This module will automatically configure an email server on the machine for handling the e-mail messaging seamlessly.
-
-## Features
-
-- [x] **Email-based**: Uses any email account as its backend.
-- [x] **End-to-End Encryption**: Supports Autocrypt to automatically encrypt messages.
-- [x] **No Phone Number Required**: Uses your email address instead of a phone number.
-- [x] **Cross-Platform**: Available on desktop and mobile platforms.
-- [x] **Automatic Server Setup**: Includes your own DeltaChat server for enhanced control and privacy.
-- [ ] **Bake a cake**: This module cannot cake a bake.

clanModules/deltachat/default.nix

@@ -1,3 +0,0 @@
-{
-  imports = [ ./roles/default.nix ];
-}

clanModules/deltachat/roles/default.nix

@@ -1,153 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}:
-{
-  warnings = [
-    "The clan.deltachat module is deprecated and will be removed on 2025-07-15.
-      Please migrate to user-maintained configuration or the new equivalent clan services
-      (https://docs.clan.lol/reference/clanServices)."
-  ];
-
-  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
-  environment.systemPackages = [ pkgs.deltachat-desktop ];
-
-  services.maddy =
-    let
-      domain = "${config.clan.core.settings.machine.name}.local";
-    in
-    {
-      enable = true;
-      primaryDomain = domain;
-      config = ''
-        # Minimal configuration with TLS disabled, adapted from upstream example
-        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-        # Do not use this in unencrypted networks!
-
-        auth.pass_table local_authdb {
-          table sql_table {
-            driver sqlite3
-            dsn credentials.db
-            table_name passwords
-          }
-        }
-
-        storage.imapsql local_mailboxes {
-          driver sqlite3
-          dsn imapsql.db
-        }
-
-        table.chain local_rewrites {
-          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
-          optional_step static {
-            entry postmaster postmaster@$(primary_domain)
-          }
-          optional_step file /etc/maddy/aliases
-        }
-
-        msgpipeline local_routing {
-          destination postmaster $(local_domains) {
-            modify {
-              replace_rcpt &local_rewrites
-            }
-            deliver_to &local_mailboxes
-          }
-          default_destination {
-            reject 550 5.1.1 "User doesn't exist"
-          }
-        }
-
-        smtp tcp://[::]:25 {
-          limits {
-            all rate 20 1s
-            all concurrency 10
-          }
-          dmarc yes
-          check {
-            require_mx_record
-            dkim
-            spf
-          }
-          source $(local_domains) {
-            reject 501 5.1.8 "Use Submission for outgoing SMTP"
-          }
-          default_source {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-              reject 550 5.1.1 "User doesn't exist"
-            }
-          }
-        }
-
-        submission tcp://[::1]:587 {
-          limits {
-            all rate 50 1s
-          }
-          auth &local_authdb
-          source $(local_domains) {
-            check {
-                authorize_sender {
-                    prepare_email &local_rewrites
-                    user_to_email identity
-                }
-            }
-            destination postmaster $(local_domains) {
-                deliver_to &local_routing
-            }
-            default_destination {
-                modify {
-                    dkim $(primary_domain) $(local_domains) default
-                }
-                deliver_to &remote_queue
-            }
-          }
-          default_source {
-            reject 501 5.1.8 "Non-local sender domain"
-          }
-        }
-
-        target.remote outbound_delivery {
-          limits {
-            destination rate 20 1s
-            destination concurrency 10
-          }
-          mx_auth {
-            dane
-            mtasts {
-              cache fs
-              fs_dir mtasts_cache/
-            }
-            local_policy {
-                min_tls_level encrypted
-                min_mx_level none
-            }
-          }
-        }
-
-        target.queue remote_queue {
-          target &outbound_delivery
-          autogenerated_msg_domain $(primary_domain)
-          bounce {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
-            }
-          }
-        }
-
-        imap tcp://[::1]:143 {
-          auth &local_authdb
-          storage &local_mailboxes
-        }
-      '';
-      ensureAccounts = [ "user@${domain}" ];
-      ensureCredentials = {
-        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
-      };
-    };
-}

clanModules/disk-id/README.md

@@ -1,5 +0,0 @@
----
-description = "Generates a uuid for use in disk device naming"
-features = [ "inventory" ]
-categories = [ "System" ]
----

clanModules/disk-id/default.nix

@@ -1,6 +0,0 @@
-# Dont import this file
-# It is only here for backwards compatibility.
-# Dont author new modules with this file.
-{
-  imports = [ ./roles/default.nix ];
-}

clanModules/disk-id/roles/default.nix

@@ -1,36 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-
-{
-
-  config = {
-
-    warnings = [
-      ''
-        The clan.disk-id module is deprecated and will be removed on 2025-07-15.
-        For migration see: https://docs.clan.lol/guides/migrations/disk-id/
-
-        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-        !!! Please migrate. Otherwise you may not be able to boot your system after that date.  !!!
-        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-      ''
-    ];
-    clan.core.vars.generators.disk-id = {
-      files.diskId.secret = false;
-      runtimeInputs = [
-        pkgs.coreutils
-        pkgs.bash
-      ];
-      script = ''
-        uuid=$(bash ${./uuid4.sh})
-
-        # Remove the hyphens from the UUID
-        uuid_no_hyphens=$(echo -n "$uuid" | tr -d '-')
-
-        echo -n "$uuid_no_hyphens" > "$out/diskId"
-      '';
-    };
-  };
-}

clanModules/disk-id/roles/uuid4.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-# Read 16 bytes from /dev/urandom
-uuid=$(dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -An -tx1 | tr -d ' \n')
-
-# Break the UUID into pieces and apply the required modifications
-byte6=${uuid:12:2}
-byte8=${uuid:16:2}
-
-# Construct the correct version and variant
-hex_byte6=$(printf "%x" $((0x$byte6 & 0x0F | 0x40)))
-hex_byte8=$(printf "%x" $((0x$byte8 & 0x3F | 0x80)))
-
-# Rebuild the UUID with the correct fields
-uuid_v4="${uuid:0:12}${hex_byte6}${uuid:14:2}${hex_byte8}${uuid:18:14}"
-
-# Format the UUID correctly 8-4-4-4-12
-uuid_formatted="${uuid_v4:0:8}-${uuid_v4:8:4}-${uuid_v4:12:4}-${uuid_v4:16:4}-${uuid_v4:20:12}"
-
-echo -n "$uuid_formatted"

clanModules/dyndns/README.md

@@ -1,6 +0,0 @@
----
-description = "A dynamic DNS service to update domain IPs"
----
-
-To understand the possible options that can be set visit the documentation of [ddns-updater](https://github.com/qdm12/ddns-updater?tab=readme-ov-file#versioned-documentation)
-

clanModules/dyndns/default.nix

@@ -1,257 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  name = "dyndns";
-  cfg = config.clan.${name};
-
-  # We dedup secrets if they have the same provider + base domain
-  secret_id = opt: "${name}-${opt.provider}-${opt.domain}";
-  secret_path =
-    opt: config.clan.core.vars.generators."${secret_id opt}".files."${secret_id opt}".path;
-
-  # We check that a secret has not been set in extraSettings.
-  extraSettingsSafe =
-    opt:
-    if (builtins.hasAttr opt.secret_field_name opt.extraSettings) then
-      throw "Please do not set ${opt.secret_field_name} in extraSettings, it is automatically set by the dyndns module."
-    else
-      opt.extraSettings;
-  /*
-    We go from:
-    {home.example.com:{value:{domain:example.com,host:home, provider:namecheap}}}
-    To:
-    {settings: [{domain: example.com, host: home, provider: namecheap, password: dyndns-namecheap-example.com}]}
-  */
-  service_config = {
-    settings = builtins.catAttrs "value" (
-      builtins.attrValues (
-        lib.mapAttrs (_: opt: {
-          value =
-            (extraSettingsSafe opt)
-            // {
-              domain = opt.domain;
-              provider = opt.provider;
-            }
-            // {
-              "${opt.secret_field_name}" = secret_id opt;
-            };
-        }) cfg.settings
-      )
-    );
-  };
-
-  secret_generator = _: opt: {
-    name = secret_id opt;
-    value = {
-      share = true;
-      migrateFact = "${secret_id opt}";
-      prompts.${secret_id opt} = {
-        type = "hidden";
-        persist = true;
-      };
-    };
-  };
-in
-{
-  options.clan.${name} = {
-    server = {
-      enable = lib.mkEnableOption "dyndns webserver";
-      domain = lib.mkOption {
-        type = lib.types.str;
-        description = "Domain to serve the webservice on";
-      };
-      port = lib.mkOption {
-        type = lib.types.int;
-        default = 54805;
-        description = "Port to listen on";
-      };
-    };
-
-    period = lib.mkOption {
-      type = lib.types.int;
-      default = 5;
-      description = "Domain update period in minutes";
-    };
-
-    settings = lib.mkOption {
-      type = lib.types.attrsOf (
-        lib.types.submodule (
-          { ... }:
-          {
-            options = {
-              provider = lib.mkOption {
-                example = "namecheap";
-                type = lib.types.str;
-                description = "The dyndns provider to use";
-              };
-              domain = lib.mkOption {
-                type = lib.types.str;
-                example = "example.com";
-                description = "The top level domain to update.";
-              };
-              secret_field_name = lib.mkOption {
-                example = [
-                  "password"
-                  "api_key"
-                ];
-                type = lib.types.enum [
-                  "password"
-                  "token"
-                  "api_key"
-                  "secret_api_key"
-                ];
-                default = "password";
-                description = "The field name for the secret";
-              };
-              # TODO: Ideally we would create a gigantic list of all possible settings / types
-              # optimally we would have a way to generate the options from the source code
-              extraSettings = lib.mkOption {
-                type = lib.types.attrsOf lib.types.str;
-                default = { };
-                description = ''
-                  Extra settings for the provider.
-                  Provider specific settings: https://github.com/qdm12/ddns-updater#configuration
-                '';
-              };
-            };
-          }
-        )
-      );
-      default = [ ];
-      description = "Configuration for which domains to update";
-    };
-  };
-
-  imports = [
-    ../nginx
-  ];
-
-  config = lib.mkMerge [
-    (lib.mkIf (cfg.settings != { }) {
-      clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.settings;
-
-      users.groups.${name} = { };
-      users.users.${name} = {
-        group = name;
-        isSystemUser = true;
-        description = "User for ${name} service";
-        home = "/var/lib/${name}";
-        createHome = true;
-      };
-
-      services.nginx = lib.mkIf cfg.server.enable {
-        enable = true;
-        virtualHosts = {
-          "${cfg.server.domain}" = {
-            forceSSL = true;
-            enableACME = true;
-            locations."/" = {
-              proxyPass = "http://localhost:${toString cfg.server.port}";
-            };
-          };
-        };
-      };
-
-      systemd.services.${name} = {
-        path = [ ];
-        description = "Dynamic DNS updater";
-        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
-        environment = {
-          MYCONFIG = "${builtins.toJSON service_config}";
-          SERVER_ENABLED = if cfg.server.enable then "yes" else "no";
-          PERIOD = "${toString cfg.period}m";
-          LISTENING_ADDRESS = ":${toString cfg.server.port}";
-        };
-
-        serviceConfig =
-          let
-            pyscript =
-              pkgs.writers.writePython3Bin "generate_secret_config.py"
-                {
-                  libraries = [ ];
-                  doCheck = false;
-                }
-                ''
-                  import json
-                  from pathlib import Path
-                  import os
-
-                  cred_dir = Path(os.getenv("CREDENTIALS_DIRECTORY"))
-                  config_str = os.getenv("MYCONFIG")
-
-
-                  def get_credential(name):
-                      secret_p = cred_dir / name
-                      with open(secret_p, 'r') as f:
-                          return f.read().strip()
-
-
-                  config = json.loads(config_str)
-                  print(f"Config: {config}")
-                  for attrset in config["settings"]:
-                      if "password" in attrset:
-                          attrset['password'] = get_credential(attrset['password'])
-                      elif "token" in attrset:
-                          attrset['token'] = get_credential(attrset['token'])
-                      elif "secret_api_key" in attrset:
-                          attrset['secret_api_key'] = get_credential(attrset['secret_api_key'])
-                      elif "api_key" in attrset:
-                          attrset['api_key'] = get_credential(attrset['api_key'])
-                      else:
-                          raise ValueError(f"Missing secret field in {attrset}")
-
-                  # create directory data if it does not exist
-                  data_dir = Path('data')
-                  data_dir.mkdir(mode=0o770, exist_ok=True)
-
-                  # Create a temporary config file
-                  # with appropriate permissions
-                  tmp_config_path = data_dir / '.config.json'
-                  tmp_config_path.touch(mode=0o660, exist_ok=False)
-
-                  # Write the config with secrets back
-                  with open(tmp_config_path, 'w') as f:
-                      f.write(json.dumps(config, indent=4))
-
-                  # Move config into place
-                  config_path = data_dir / 'config.json'
-                  tmp_config_path.rename(config_path)
-
-                  # Set file permissions to read
-                  # and write only by the user and group
-                  for file in data_dir.iterdir():
-                      file.chmod(0o660)
-                '';
-          in
-          {
-            ExecStartPre = lib.getExe pyscript;
-            ExecStart = lib.getExe pkgs.ddns-updater;
-            LoadCredential = lib.mapAttrsToList (_: opt: "${secret_id opt}:${secret_path opt}") cfg.settings;
-            User = name;
-            Group = name;
-            NoNewPrivileges = true;
-            PrivateTmp = true;
-            ProtectSystem = "strict";
-            ReadOnlyPaths = "/";
-            PrivateDevices = "yes";
-            ProtectKernelModules = "yes";
-            ProtectKernelTunables = "yes";
-            WorkingDirectory = "/var/lib/${name}";
-            ReadWritePaths = [
-              "/proc/self"
-              "/var/lib/${name}"
-            ];
-
-            Restart = "always";
-            RestartSec = 60;
-          };
-      };
-    })
-  ];
-}

clanModules/ergochat/README.md

@@ -1,5 +0,0 @@
----
-description = "A modern IRC server"
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
----

clanModules/ergochat/default.nix

@@ -1,3 +0,0 @@
-{
-  imports = [ ./roles/default.nix ];
-}