machines: fix remote-program for darwin nix copy

MacOS doesn't come with a proper login shell for ssh and therefore doesn't have nix in $PATH as it doesn't source /etc/profile. This restores the remote-program parameter that was accidentally removed in commit cff5d61f26.
2025-06-17 13:02:15 +02:00
501 changed files with 17868 additions and 15132 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .hypothesis
 out.log
 .coverage.*
 qubeclan
 pkgs/repro-hook
 testdir
 democlan
@@ -19,6 +20,9 @@ nixos.qcow2
 # macOS stuff
 .DS_Store
 # dream2nix
 .dream2nix
 # python
 __pycache__
 .coverage
@@ -28,6 +32,13 @@ __pycache__
 .ruff_cache
 htmlcov
 # flatpak
 .flatpak-builder
 build
 build-dir
 repo
 .env
 # node
 node_modules
 dist
--- a/checks/backups/flake-module.nix
+++ b/checks/backups/flake-module.nix
@@ -22,7 +22,7 @@
        dependencies = [
          self
          pkgs.stdenv.drvPath
-          self.clan.clanInternals.machines.${pkgs.hostPlatform.system}.test-backup.config.system.clan.deployment.file
+          self.clanInternals.machines.${pkgs.hostPlatform.system}.test-backup.config.system.clan.deployment.file
        ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
      in
@@ -162,7 +162,7 @@
              ]
              ++
              # import the inventory generated nixosModules
-              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
+              self.clanInternals.inventoryClass.machines.test-backup.machineImports;
            clan.core.settings.directory = ./.;
          };
--- a/checks/borgbackup/default.nix
+++ b/checks/borgbackup/default.nix
@@ -8,7 +8,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/clan-core-for-checks.nix
+++ b/checks/clan-core-for-checks.nix
@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "28131afbbcd379a8ff04c79c66c670ef655ed889";
+  rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
-  sha256 = "1294cwjlnc341fl6zbggn4rgq8z33gqkcyggjfvk9cf7zdgygrf6";
+  sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
 }
--- a/checks/data-mesher/default.nix
+++ b/checks/data-mesher/default.nix
@@ -16,7 +16,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/dummy-inventory-test-from-flake/default.nix
+++ b/checks/dummy-inventory-test-from-flake/default.nix
@@ -9,7 +9,7 @@ nixosLib.runTest (
  { hostPkgs, config, ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/dummy-inventory-test/default.nix
+++ b/checks/dummy-inventory-test/default.nix
@@ -8,7 +8,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -9,7 +9,6 @@ in
 {
  imports = filter pathExists [
    ./backups/flake-module.nix
    ../nixosModules/clanCore/machine-id/tests/flake-module.nix
    ./devshell/flake-module.nix
    ./flash/flake-module.nix
    ./impure/flake-module.nix
@@ -37,25 +36,29 @@ in
            inherit (self) clanLib;
            clan-core = self;
          };
-          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+          nixosTests =
            lib.optionalAttrs (pkgs.stdenv.isLinux) {
-            # Base Tests
+              # Base Tests
-            secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+              secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
+              borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
-            wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
+              wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
-            # Container Tests
+              # Container Tests
-            container = self.clanLib.test.containerTest ./container nixosTestArgs;
+              container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+              zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
+              matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+              postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
            user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
            user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
-            dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
+              dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-            dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
+              dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
-            data-mesher = import ./data-mesher nixosTestArgs;
+              data-mesher = import ./data-mesher nixosTestArgs;
-          };
+            }
            // lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
              # for some reason this hangs in an odd place in CI, but it works on my machine ...
              # on aarch64-linux it works though
              mumble = import ./mumble nixosTestArgs;
            };
          packagesToBuild = lib.removeAttrs self'.packages [
            # exclude the check that checks that nothing depends on the repo root
@@ -83,7 +86,7 @@ in
                _n: m:
                let
                  schema =
-                    (self.clanLib.evalService {
+                    (self.clanLib.inventory.evalClanService {
                      modules = [ m ];
                      prefix = [
                        "checks"
@@ -109,9 +112,6 @@ in
            cp ${../flake.lock} $out/flake.lock
          '';
        };
      packages = lib.optionalAttrs (pkgs.stdenv.isLinux) {
        run-vm-test-offline = pkgs.callPackage ../pkgs/run-vm-test-offline { };
      };
      legacyPackages = {
        nixosTests =
          let
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -28,12 +28,6 @@
        ROOT=$(git rev-parse --show-toplevel)
        cd "$ROOT/pkgs/clan-cli"
        # Set up custom git configuration for tests
        export GIT_CONFIG_GLOBAL=$(mktemp)
        git config --file "$GIT_CONFIG_GLOBAL" user.name "Test User"
        git config --file "$GIT_CONFIG_GLOBAL" user.email "test@example.com"
        export GIT_CONFIG_SYSTEM=/dev/null
        # this disables dynamic dependency loading in clan-cli
        export CLAN_NO_DYNAMIC_DEPS=1
@@ -43,9 +37,6 @@
        jobs="$((jobs > 13 ? 13 : jobs))"
        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -n $jobs -m impure ./clan_cli $@"
        # Clean up temporary git config
        rm -f "$GIT_CONFIG_GLOBAL"
      '';
    };
 }
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -8,9 +8,9 @@ let
    { modulesPath, pkgs, ... }:
    let
      dependencies = [
-        self.clan.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
-        self.clan.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
-        self.clan.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
+        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
        pkgs.stdenv.drvPath
        pkgs.bash.drvPath
        pkgs.nixos-anywhere
--- a/checks/mumble/default.nix
+++ b/checks/mumble/default.nix
@@ -0,0 +1,132 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  lib,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  let
    machines = [
      "peer1"
      "peer2"
    ];
  in
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "mumble";
    defaults =
      { pkgs, modulesPath, ... }:
      {
        imports = [
          (modulesPath + "/../tests/common/x11.nix")
        ];
        clan.services.mumble.user = "alice";
        environment.systemPackages = [ pkgs.killall ];
      };
    clan = {
      directory = ./.;
      # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
      test.useContainers = false;
      inventory = {
        machines = lib.genAttrs machines (_: { });
        services = {
          mumble.default = {
            roles.server.machines = machines;
          };
        };
      };
    };
    enableOCR = true;
    testScript = ''
      import time
      import re
      def machine_has_text(machine: Machine, regex: str) -> bool:
          variants = machine.get_screen_text_variants()
          # for debugging
          # machine.screenshot(f"/tmp/{machine.name}.png")
          for text in variants:
              print(f"Expecting '{regex}' in '{text}'")
              if re.search(regex, text) is not None:
                  return True
          return False
      start_all()
      with subtest("Waiting for x"):
        peer1.wait_for_x()
        peer2.wait_for_x()
      with subtest("Waiting for murmur"):
        peer1.wait_for_unit("murmur.service")
        peer2.wait_for_unit("murmur.service")
      with subtest("Starting Mumble"):
        # starting mumble is blocking
        peer1.execute("mumble >&2 &")
        peer2.execute("mumble >&2 &")
      with subtest("Wait for Mumble"):
        peer1.wait_for_window(r"Mumble")
        peer2.wait_for_window(r"Mumble")
      with subtest("Wait for certificate creation"):
        peer1.wait_for_window(r"Mumble")
        peer2.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer1.send_chars("\n")
          peer1.send_chars("\n")
          peer2.send_chars("\n")
          peer2.send_chars("\n")
          if machine_has_text(peer1, r"Mumble Server Connect") and \
              machine_has_text(peer2, r"Mumble Server Connect"):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
      with subtest("Check validity of server certificates"):
        peer1.execute("killall .mumble-wrapped")
        peer1.sleep(1)
        peer1.execute("mumble mumble://peer2 >&2 &")
        peer1.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer1.send_chars("\n")
          peer1.send_chars("\n")
          if machine_has_text(peer1, "Connected."):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
        peer2.execute("killall .mumble-wrapped")
        peer2.sleep(1)
        peer2.execute("mumble mumble://peer1 >&2 &")
        peer2.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer2.send_chars("\n")
          peer2.send_chars("\n")
          if machine_has_text(peer2, "Connected."):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
    '';
  }
 )
--- a/checks/mumble/machines/peer1/facts/mumble-cert
+++ b/checks/mumble/machines/peer1/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/key.age
+++ b/checks/mumble/machines/peer1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/machines/peer1/peer_1_test_cert
+++ b/checks/mumble/machines/peer1/peer_1_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHTCCAaKgAwIBAgIIT2gZuvqVFP0wCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
 U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
 A1UEAxMJc3luY3RoaW5nMB4XDTIzMTIwNjAwMDAwMFoXDTQzMTIwMTAwMDAwMFow
 SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
 bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
 YgAEBAr1CsciwCa0vi7eC6xxuSGijY3txbjtsyFanec/fge4oJBD3rVpaLKFETb3
 TvHHsuvblzElcP483MEVq6FMUoxwuL9CzTtpJrRhtwSmAs8AHLFu8irVn8sZjgkL
 sXMho1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
 AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
 SM49BAMCA2kAMGYCMQDbrtLgfcyMMIkNQn+PJe9DHYAqj8C47LQcWuIY/nekhOu0
 aUfKctEAwyBtI60Y5zcCMQCEdgD/6CNBh7Qqq3z3CKPhlrpxHtCO5tNw17k0jfdH
 haCwJInHZvZgclHk4EtFpTw=
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/peer_1_test_key
+++ b/checks/mumble/machines/peer1/peer_1_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDA14Nqo17Xs/xRLGH2KLuyzjKp4eW9iWFobVNM93RZZbECT++W3XcQc
 cEc5WVtiPmWgBwYFK4EEACKhZANiAAQECvUKxyLAJrS+Lt4LrHG5IaKNje3FuO2z
 IVqd5z9+B7igkEPetWlosoURNvdO8cey69uXMSVw/jzcwRWroUxSjHC4v0LNO2km
 tGG3BKYCzwAcsW7yKtWfyxmOCQuxcyE=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/machines/peer2/facts/mumble-cert
+++ b/checks/mumble/machines/peer2/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_cert
+++ b/checks/mumble/machines/peer2/peer_2_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHjCCAaOgAwIBAgIJAKbMWefkf1rVMAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
 CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
 BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDYwMDAwMDBaFw00MzEyMDEwMDAwMDBa
 MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
 ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
 A2IABFZTMt4RfsfBue0va7QuNdjfXMI4HfZzJCEcG+b9MtV7FlDmwMKX5fgGykD9
 FBbC7yiza3+xCobdMb5bakz1qYJ7nUFCv1mwSDo2eNM+/XE+rJmlre8NwkwGmvzl
 h1uhyqNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
 BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
 hkjOPQQDAgNpADBmAjEAwzhsroN6R4/quWeXj6dO5gt5CfSTLkLee6vrcuIP5i1U
 rZvJ3OKQVmmGG6IWYe7iAjEAyuq3X2wznaqiw2YK3IDI4qVeYWpCUap0fwRNq7/x
 4dC4k+BOzHcuJOwNBIY/bEuK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_key
+++ b/checks/mumble/machines/peer2/peer_2_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDCXHGpvumKjjDRxB6SsjZOb7duw3w+rdlGQCJTIvRThLjD6zwjnyImi
 7c3PD5nWtLqgBwYFK4EEACKhZANiAARWUzLeEX7HwbntL2u0LjXY31zCOB32cyQh
 HBvm/TLVexZQ5sDCl+X4BspA/RQWwu8os2t/sQqG3TG+W2pM9amCe51BQr9ZsEg6
 NnjTPv1xPqyZpa3vDcJMBpr85Ydboco=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/peer_1/key.age
+++ b/checks/mumble/peer_1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/peer_1/peer_1_test_cert
+++ b/checks/mumble/peer_1/peer_1_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_1/peer_1_test_key
+++ b/checks/mumble/peer_1/peer_1_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCcdZEJvXJIeOK
 O5pF5XUFvUeJtCCiwfWvWS662bxcR/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS
 4zSGQoTEAVzqzVdi3a/gNvsdVLb+7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfd
 WV1Y5T1tuwc3G8ATrguQ33Uo5vvFvcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIh
 jMpRG/uZ3u7wtbyZ+WqjsjxZNfnYaMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2Zqh
 VSYXyDfpAWQFznwKGzD5mjtcyKymgnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4Kn
 ID30OQW7AgMBAAECggEAGVKn+/Iy+kG+l2cRvV6XseqnoWhjA69M5swviMgIfuAl
 Xx/boeI4mwoS+dJQKi/0zEbB1MB+gwIDB/0s/vs0vS4MQswBQG/skr+2TmiU+Hgb
 CF0dIYUZv5rAbScFTumx/mCCqxwc+1QIMzyLKqOYL203EFc92ZJGEVT4th321haZ
 8Wd+dllcYAb7BbEeBhCrTqRe9T3zt5reZgtZTquTF5hGm8EAyBp6rLjZK7dyZ9dd
 gyIsDbWgPC9vkRc6x/eANn70hgDbYOuoXwAP/qIFnWLL1Zzy8LKUyOsSgQ91S3S3
 Il4Lt6lEyU3+61MsCYss7jDoP/7REEjz5h6gfxlFSQKBgQD9u8nhHuwte4/d9VNU
 rhSBW9h8IJzwPif/eS8vh9VaS2SjR2dDCcHg6rGYKnexeEzUcx56aQMA+p3nRJwy
 Uwnx5BfEWs9FO6yPR8VEI0a2sBp+hoWKJX/Lvat+QCs6IFuGmlQpczD7/RYAkhG4
 mwyt/ymqzjukb9mFaeYIltOfPwKBgQDELnkH1ChTUH5u3HgDoelFbzR18okz6dxH
 urMbfZMAl8W5h2zAvHsAX5qxyHHankOUsiH2y3BrAgqQtTuIA2a5W7j+yHBkYiEZ
 EUNeI9YNA0KU+wwZpVVvRGUsRB5SUBo5LlcSYmX/V32f0oU5Np44i0vjl3Ju8esx
 2MLfj1A2hQKBgQDCxtZZZ0h8Pb8Z7wpSFfQNvXi5CLwQvFYuClQLk6VXVErkAJsn
 XiUjyGYeXnNVm/i2mcyKwXQZ20k90HBrPU2ED8mi5Ob5ya5Uqw6mmMHe2d7sw81d
 WB37RBWSrCXC0DYSZQQ4cYHn3sd2Fqtd4EBijV7qDLjCKU582OdKLqYzNwKBgH31
 UKQkJZgIkIThbPT4GewI0GgCRvFb76DmUGUQJTg2Oi86siq1WUwOFiabie5RuxZX
 oNLyH8W008/BbO2RMX1FVOvRCciJ8LJFkTl6TM6iDzfUUBqPOuFryoG3Yrh60btw
 81rMbqyZIgFhi0QGu2OWnC0Oadyt2tJwV/5t55R5AoGBAPspZttDmOzVkAJDSn9Z
 iByYt1KmwBQ6l7LpFg33a7ds9zWqW4+i6r0PzXvSewf/z69L0cAywSk5CaJJjDso
 dTlNMqwux01wd6V+nQGR871xnsOg+qzgJ565TJZelWgRmNRUooi4DMp5POJA33xp
 rqAISUfW0w2S+q7/5Lm0QiJE
 -----END PRIVATE KEY-----
--- a/checks/mumble/peer_2/peer_2_test_cert
+++ b/checks/mumble/peer_2/peer_2_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_2/peer_2_test_key
+++ b/checks/mumble/peer_2/peer_2_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfP6cZhCs9jOnW
 qyQP12vrOOxlBrWofYZFf9amUA24AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEv
 HujKyy8PgcEGP+pwmsfWNQMvU0Dzj3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU
 1l7fO/OXUlq5kyvIjln7Za4sUHunixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjG
 G+R6MccH8wwQwmLg5oVBkFEZrnREpnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f
 8TYGHqbeMQFCKwusnlWPRtrNdaIcgaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO
 0Bwx8fmRAgMBAAECggEACAkjOnNj5zA0IIP0RuRc6rqtmw9ynTTwUJN51lyVxKI8
 dQDMEq/S2En+J2VyS7z92/XtbgkBIFx83u7VWl5UWpj2j4UsJFB7IwD7zyiJT4D+
 +3cM/kX8Wx4XyQZbfbm47N0MXAgFCkn45hxHH0acLReXwmN9wxoDyl7AIjZRdwvG
 Qq0rnOnIc8kkkew7L6AiFwQS8b77eyzua3d6moKXN9hU/kfiJ6YUFG/WLe0pmQA1
 HbF27YghfeLnYUt50oDuX6jF6CzQhflchWVq/wn8/cxEpg/RMicWE8ulrTk7o27l
 JwCrHrhYEBsPuZO4mxX/DHrAMmhTeFjLaV5bQlz0PQKBgQDgRPSOEixYnKz9iPs/
 EDTlji5LA3Rm6TytRCNsjYY6Trw60KcvYqwyDUCiEjruvOQ9mqgBiQm1VHSalrG3
 RcbVfpEMouyZbEwmTjS8KdOi5x4Z6AX+4yWDN31jX3b8sktgbxV/HRdg3sA3q7MJ
 vExTUuoXg57W+FepIZ+XlhSoQwKBgQC1x6UMAlAeW45/yUUm/LFRcCgb/bdCQx+e
 hSb8w3jdvVoNWgx1j7RsjjFKaZUnseK3qQvVfCm4Qjvlz6MpKDxslaUYuR162Ku0
 e153z/xc7XRoXyPyPLdGZFlWii30jirB7ZqPdyz6mwlWwqdImNerbUqdFt9R8bId
 pYsyHB5zmwKBgBjYCq9iW/9E+/TqI8sMpI95fK9app5v4AThs3rnAqOa7Ucmrh6V
 s7Wnui06D8U6r54Tb+EbqTOpM3Gcl/tRg4FLEA5yTfuA/76Ok1D04Tj+mVsNVPyz
 dQhgMUe835WGusroA12df2V/x5NjNeYyMdJZMQ2ByyrNQAjAbMmCGq+5AoGBAIj8
 ERFysMOfxUvg9b7CkDFJrsAhOzew86P2vYGfIHchGTqUkG0LRTDFGrnzxNXsBGjY
 +DUB40Kajx7IkTETxC0jvA1ceq23l/VjPrZVQt0YiC+a+rCyNn7SYkyHxsfTVr9b
 ea0BZyDXMntyJrPbkjL6Ik8tDE9pLwuOU84ISJ5fAoGAZ2+Ams/VhdZj/wpRpMky
 K4jtS4nzbCmJzzTa6vdVV7Kjer5kFxSFFqMrS/FtJ/RxHeHvxdze9dfGu9jIdTKK
 vSzbyQdHFfZgRkmAKfcoN9u567z7Oc74AQ9UgFEGdEVFQUbfWOevmr8KIPt8nDQK
 J9HuVfILi1kH0jzDd/64TvA=
 -----END PRIVATE KEY-----
--- a/checks/mumble/sops/machines/peer1/key.json
+++ b/checks/mumble/sops/machines/peer1/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
    "type": "age"
  }
 ]
--- a/checks/mumble/sops/machines/peer2/key.json
+++ b/checks/mumble/sops/machines/peer2/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
    "type": "age"
  }
 ]
--- a/checks/mumble/sops/secrets/peer1-age.key/secret
+++ b/checks/mumble/sops/secrets/peer1-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:TfEsytctWPCLuo/icbicgRfy7O/txYCllTiLiUlusagGShZyXyIR46TNL9E4XWI2Lce9hIn8zczOdUWaEFPuXcvRMMMWILY3DzI=,iv:zDdq0rdYz/KIwKvIiu9MvKyX9v1pWYxZG3F/7KllBa0=,tag:mTPJGmJ+tKrgYaCZXJ37Nw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MmFpbUJuNzRnNGRlQXcy\naEhRanpHbjZpbFZxVkZ2TXFJWk8xYm9lYmlVCmVhRFdDZyt4SjJick1CdnZseWx1\nMGdvaTBYekdBeFUyaHEvTzNJVVM4TncKLS0tIG8rZ1kyTFJTRndQNFVXOC9OTTc5\nZHZGVW1FTzlLQ0RRcjNWeEpVWmVKMDgK7UDm509nexdHqG2xU8CBDZkRStjQIAAN\nDmOz5A8uWpIiyvU2LdOBcc/FQKHaXjB7OAmfT03nJccOeqSF2N3N3g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:26Z",
 		"mac": "ENC[AES256_GCM,data:5Qe20lbqERvSM5fDY9Orhrtv2U6zholh6uHMq0CqV1OOg+vVWSlqTqJrtz2rD/qQTUECRKzWUHB1D/kgLrJ33lRoEMqrhjmvBfxtDnNjLzoYITlLcYOm9qiv3gOqcrpdBKW10YyNlGP/+Q377Lfbo8tcZ8nmuaT8qA9PYr+AKcs=,iv:IIJEFAvoX9SY3jvkD0xVe1/L6iRPMyzmxeRmpGvZI0I=,tag:1D3BBUjj1suNeL+mVYDiKw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/sops/secrets/peer1-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer1-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/checks/mumble/sops/secrets/peer2-age.key/secret
+++ b/checks/mumble/sops/secrets/peer2-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:NI9y5OdFkBgHf+wfn+ISDL11nh/ud+1RV5SPC64TV4Hvg0w8GKkmjJI5uiGDGI1+FfWwnHWOFexavtM2ZJr/cWfhA6dGKvzrKJc=,iv:itiZFGsGEZD/SH42akh1CLCDbuZxMSj05quMNKwvKg4=,tag:v36FGDDHIuFaABHG9we6ag==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUVVJek9Ha2ljMkt4U2pi\nSmRRd2g2R0VXZGlySG5TT1E1czFpaWFyNlFjCmRJOThCQWlCNDZnRVRFVHpSTzBW\nOWZCUU5jK2dGQTloOEZMUFFVdk04cXMKLS0tIDVzSTdXRk1UZ3psd29kdnVUcitM\nbFlqb0srUGFCVUhlNzU1dUdTTUkwN0UKAIslz1WCMZWrE+aLPJjeM+wZSXMmwnqx\nyRZT5vVzCPWv2r8sbIjhi1rFbkfF+NXHkzNZD9NS4zddwsDsz5HO1g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:48Z",
 		"mac": "ENC[AES256_GCM,data:2iDDnVdLPWxYcjdZrDlTb8PzPVOPEZ06QXCFvnZ2gf8ioXPiSY69ZAHRHTGpqCEp5Ve7qTIELbNja2TGU0ONLIcIRWyzqgc4q+G3n2V5fYQURW114pzaK0Ct6r6yR9oZQy8H66uEYQafkyuN2R9++3w5G0LGj8UovPcYQqNEQVo=,iv:TkCAdIgjRpZpsnhhvTfMqGVD/IveFyobYa9SExFWcC4=,tag:4RLhumGqeLT15waqHT0mRg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/sops/secrets/peer2-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer2-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/nixosModules/clanCore/machine-id/tests/sops/users/admin/key.json
+++ b/nixosModules/clanCore/machine-id/tests/sops/users/admin/key.json
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
@@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDfzCCAmegAwIBAgIUH9AKYdV75FHHBcR4mgfTZB/7eEcwDQYJKoZIhvcNAQEL
 BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
 BgNVBAMMBXBlZXIxMB4XDTI1MDQxNjE2NDAzN1oXDTI1MDUxNjE2NDAzN1owaDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
 cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
 BXBlZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA80mo3OFSaW8F
 Ni/W7WZ70bJoGGFPFK17kiRgPu6+ghDiinmzlAQOt8A/u+egl4FsvT9Oz99TjCN1
 zkK3I74ItKmumpGKGPp92bpm62vQZa4g861xKqLlcbOwJwcfofwa8r4PhhjDhdXS
 k9vsgiwy0N5FEga79QbDEO/qwSvY+O8yKNG+lNXeOetymKvVbudL8A0je150vmpg
 oYfYjH57Oa7DpGaIrOpbZsmaBlYHD5dhfJbuX0Gxuq42gkfcBtxv3NbY0NoPVZFV
 jOvhVPyV9Xme/3JAQUSti+Fd2ZfJ+Ayl90ElA5wk25T1JBEEnMYQlQVBqPawX87C
 i1EtOysfxQIDAQABoyEwHzAdBgNVHQ4EFgQUFtjyWNCF1Yxd8ymIZ4kE9fXMY5Yw
 DQYJKoZIhvcNAQELBQADggEBAAHiQcWDvZjN2VTaWY2cQMYy3m8wkdoJTR20uV2z
 MpjY4KwCiMzTtsFe2LhiYMYFETwqHpG+B6ElOghh/+F8l96vQRbcVI9I3XTKs0G4
 +zdUtMOyB2XZumB4HBQa3PiXXrA4kAGJV88y5QC4UkZMw6SfwjW8OrtQ5Jim4vUB
 PZxY75ZIjw4JhknTqKNua7xehY4TBghRrGZAlD4eon7Yc5bIew6Gw5LHIoszOZgk
 9CFEo1XLN5z8aL9L+V8dh2DNNqF4KiXCRNgwqLmLoepL2Xptd90AOZsBI9mGxMP9
 YUPsnzcGqcat1x6Fi2Guw++ESDxUp6qKjMGAxPzSXje/TiM=
 -----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
@@ -0,0 +1 @@
 ../../../../../../sops/machines/peer1
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
@@ -0,0 +1,19 @@
 {
 	"data": "ENC[AES256_GCM,data:IyVffgpj8MSp2pKoic3+UMYBbeu6Fo/BGslSNQpNoURuulqSze7AZPXry/PnXEWAEvoqkfUURAq8kZdWxu5Go6N8YSkd6/sVOScw2Osa3v/qh9ysEPCuoIwYY1/h9IfUmzNM8Q3hgF4BXhb5D1F2cFQ0fZM8dQU1jn8J0DTfwXlR9ALgWRoCCAXHQxBBc1SYRMlnXbbCACfRxkJHGAtQbwwzsGo/as/Ng+YVUiXdQyLJUv3hwGax793pyX8YKQl+Bu1G3+qZJGlL3lkjL5T/7HIIs81YN9XgsT7G9kvMmR4tJWpHCHGHxU9aofSHSTxUX1lil7GUsR6xSefFEIgbZaQ27KUXwKrlZ8dQKJZIwCiUczkMtrdwBZlKkzqlD+Hi5yGSSUsIQ+lvjeR74UwPXOX/HtvGA+mEgcTSO48FCWmU7ymjvTXyoVf9ui75IZjRyHKfpM8WlFHS+lXCSEN+B6HHHMIEeo1nOpKk6e2qRd28oJHwzoqlms63YFEbPd4d2DTGNVAtO3nhXe4+5IqzvR1DZHoNQO7AiDDAJiz5DKPoOkq/u7FEBVewKQWgZyvt09vC0X+1kxqXeeOXmJILLuRngri5BKLS3YR3hgmKbN31G4KIQm3lJUoE6F0c0Opu5lAJZStwMQcwmflrXdlwYsuzMfc48wcWQYtKenuG+r5DzR0je6iwxaru3XWf/aqUnga700+rFMz5dUVOy8IlJYmpd2hdpjwriTcJyV4KwplWzdjhnb7csjrzgAiHJ5iF2MHzfVgVGje0pk6An2+iUEqoh+fmFRVlA9ZZ923Ksxl+iYRn+29Cde/JgdZu5EywDHHs3yHjfbMnFvoXuAOJ/2TX3cA95DjD2+OGvd78jKExF+Q9rda5IdU6kb93QKVf+OyOSNpTdQhKnJRusou5Q255PqoTguiJIMDoH00qGA2y5k/5q49wl9Xq5jNiU70fyaygoPOfxbghfIeIjT0z2/awaXoUW33jAqXylxY0gTTTNPZI7w4d6hRqixgU27dyCkdAQfN+bnCe6ExXSLczmZf8UfGegjRm4lyKOKgX/QLLgRwStB6BBHGn+a+8NrAH9DFgpof4fJ74LN7Vx5oQTIGbQTvSkjGy4VOez0ajmqjQI516XrBvFbLfAnYA1jGaR0ZRkD6ALISdwFhjlycAc2tAffv9F9WKsrVKWvCU3pqGV0OmWtk5chqWrfvrFY7tj0aVZUUHZBBynksiUx/8Tt5unS3OUap86FiPUknvh5lPEPZqrZc/TNiCN+8oLFAtkOXyEnFSJjZSOB/vLcd+lMkWhcGa+usvE1hGZEaiTOXsN9IOihjcZjcR2YYHR0LlkFxzzlN9ILllt7W1cgKApCovZVmtJuU3fCwjOocP1iBeAFNQfzgJ+6gMqXN8oufCrw7g4v8Y0hNjjEJEriufO+qLIg3nHivcgwy4Cp/fL9wof9UFsaKl2okbP66im7BuDcO/x8ZQ+lk9OjWPSHFJTAPScgiwPchwn74aaHiihjhocyWQ2uVzKn9JkBFkMcoUlAz7xwUFBW7AYvVS/dFQA0xF1l4aki7JdoK6L1JptEu1KpbQ2UHLoIp+W0jFB2MRnSDOEtUHMR9af/vHtgV4xoZoCCHDz/PAlK74C2wK20LO1FoQJdch2/IO6bGiAj832wrLKDp4T2VPooS/hqd6U0Jmvtvcv0vdKbewCDgbfMH3lcydwXl4eQh5lDE8Fm+HXo2Zt8lvqRexeqzyIvGy1P/ndx21uxuacTkp3yi2qTHrdy3IkGMIHTZtfQATRgbxMEpUwHyk2hr08RNqlitbHzgor2+Gn6J/DaLuzvfaFl4p5npjNJ5dGjQqjj5VEz/L16VDeBLL7b9BKorqb7LvZUlqVcCYBcd7S7mHUHT4GhlLaEb67PxA6eJbhdVtyB8o7sTE3tGY8OdBg0ClJB2cEJHS1SqQRS+GdIhuWwZS+Go7YCx9EnnqezMMuEK4lfB+LCGaVDj32XNVtaBhDvdxPuBN5QFgjbWMIOGFV8O3l9dTrlDDwYpmFANG0Wz0pjOzX4CL4LXxNSu9k2SSdPw4iKoe/7Rl3yxVsKhrLOQPW3M6Hc/vULNBMvZxRH32zPE4qKo9SD+h6rwBrC9JiwrWdLJQHtu6Yk8GT5agQNCVC1pogvHVvB7+15UdZ7yjyhUONGOfIHDB2peYame3gF0Nce3dbzqUUE5tNuD4FyKkYZbGNr9WDD9nX1i/7EboDnFh2x6pAU+MRl4oyW0dtHiiTnIR6bE=,iv:IZYhje9AgGRe0gQcodG/PQAaRBipBC/7F8qAkG35cxc=,tag:jpXpm1eghy/668gT0bmqMA==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MDdhSTZMbXlSdDVNVVZU\ndkFyVVI0eDhOUHZRU2FFalVNR3g5dUY5T25FCnl0aXpZRVpaR1hvdm5kSHplOE0x\nckloNFF3OVhNTnAxY2ZpZjNFV3plVXMKLS0tIG4yU0w2c1VGbDVCTUhYbjVrMXhr\nb0dpUnp2YUFWSERSRTVVK3g0WTNKWE0KpUfYS71F/1J1G38/ymd/+bWhABmze1GC\nehgSMymmVdsq+ZjHdJ1XcCyecsn/9aFcaZkEbASiLU8ecLNQOEGgRQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeXBUOU13M2VvZVNBNUZW\nMy9VV1dMV1FlQU9qekhZWitwb3JISTFwdENBCnB5ZHpNK29DRHBoZ2M4dEJ6UVpq\nWHFOM1lYS0ROQ2NpSTNUdkZqUkorWGsKLS0tIDhaalVJNE1oU0N3WUtodnlsQWla\nUTVmTnhPTHVCWXUyK1ZESGR1Ym5CMXcK3YqyKO/FTdxcxVy5zBGg+JCOWMBOxqd2\n9+FgUJaYaizGy+HLpP5jgtjgz7k504yqEQCo9aQ1CzbvNHom5tAu7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:41Z",
 		"mac": "ENC[AES256_GCM,data:R8fWg7Vwq2mnjbTTtyYuLWwrmB6TZYZVx9xPcO5NOvGAABNIxtAVSe9yTpV25OlJiXruTNhPHDxfjwDW8Nad47Sd9fV9QzH36uygT9DOaVrrOD/TH5ojvpCuognofuJ8YHgUsq+yhiQs0QKi5efUrtRVDcXXr8s/UazyuG3vYzk=,iv:eBpSr8GKvG51govZWtqTVMWsWZDctDQ2vVgMm/jq62U=,tag:Yth78awXPAPa/7J+WxTDug==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
@@ -0,0 +1 @@
 ../../../../../../sops/users/admin
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
@@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDfzCCAmegAwIBAgIUYuUk46fwZ4CBcJ40NWnT9VDIEPUwDQYJKoZIhvcNAQEL
 BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
 BgNVBAMMBXBlZXIyMB4XDTI1MDQxNjE2NDA1OVoXDTI1MDUxNjE2NDA1OVowaDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
 cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
 BXBlZXIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA45nKnn0r3HwU
 qqSRuOXbou8zpdf+5i+e1h7pmunXR7WPxPBP09t6i+99BO27GcID59zGMquabpNS
 dFhj+p+KZkqN+4sokZmyBU1civQqiwX2n5KtoaG0fU3gFFK6pfx3OQawQ6mJ50GU
 HhA2R3CuA0rXcssr6oPynj9z6pbaL7mKckOWE804xIWZuMEoWNdQEKmUmE5d1ioa
 edlblzwhqZSS+zAAeUvmb+YUEL6T54lCYYqPPnmwmiwfYFSBGu/SGyFtIijbCuIZ
 TJMDzzutx1/3Dsv2pOKC0uPb5qRcmdRePAzgBFSna4MNgfbpGHFkGPJgjiue0VIC
 qyedlpF5UQIDAQABoyEwHzAdBgNVHQ4EFgQUuIeLdxGVyhFbgFRtFbPIIJWw1R0w
 DQYJKoZIhvcNAQELBQADggEBAFj26XejazrXOfa67o8vGoZrR2TGXOLFWFeplO8B
 29AruG9poH+sInyxYo1RWAQLQMfDud/yGg73EeYylULbG1bBznKYLLHdvy4l6eXt
 SEVkEMruH0Kw93zt+NqvSO3bHCX+la1rjizyDcD4iu93xUg2uPSBmVpVpW/aeBCN
 3eF4FbBocUexmIWaygmMPY5yFY2tAf+OinBf4uSWcKEpFikIqAxQWRSDMWm8xFwY
 CG7rhfpwDauagpZtkjKkrrRedhdfGiXbxOVtYlBULuUMOggEI+ElpbD0UhyEYCsD
 XoJn7AOC0sYCGpj2F1ESwFX/5EhyciLjMuVwohFVcyWWg+Q=
 -----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
@@ -0,0 +1 @@
 ../../../../../../sops/machines/peer2
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
@@ -0,0 +1,19 @@
 {
 	"data": "ENC[AES256_GCM,data:LX0ZXli/xtlyI8JLDyQz2p69eKz3gMQLn/PwJh4GB1tgQ75Ei+zQyetnCKkzrm+xGDZjLgm3QXft8VyNqhxf/7a1konP9IHfZH1j1wn/1ELFyTR2IKQzIdsiilP67+nZeLFIS4wBfEMS4hGoOIVXIqohDYkryDkvoYqHOw2U5HVDf3GlqeaEfKM8zJMZgGUYAoLCJEEWmBSSYrT/jH5hVxVgd1qE+5JmhV1Uah7TWW2HX+XDpU4aeV3zQWyWZNTHDXtgnEUBb4nFsvWGrGUrB9A8FEoZFOC1jJj8NLU/aOZ8EvDkI0Us6nw8leQwwox9O9PY8MDAAlPVsTe5+vcP/svpu+P3Gor/MrJzsk1IKalIdUiSYFego3FyyQonfXdQs8oO+ufF4nkMo+BRPvXwPUGwHjyCVaL5nYtgnV4VCSBoGY612Tmc86ihJW4mUzA5ghjUTWwduDSfoWI5H0JO5TabJnMPkPcIBSms46lhCCNMSY8WvtqcGz1mUgLTjQ+fhHt4Ci/K+VCiQNjjFH5tEq6P4bhYnG1+U5rAFRIyXg+m2Z/JONKkSiVVs/0u6yzKFAji6/osqhLkFZCqpCuk2OhVtsn2Bg1ko7WjuQAZHEgh6WSmsK6nyDfGpLSdfBBRscevPA3QsE3tTwO8/i5pxaGIm7BxH6OJcbv3x/r7+8TX52orgtSO/ODiOn+ylRDUwbnTVqB8pkM6+moLDRmpmCK87a5CETfPJ/7u7bEAmcbAH5LsmBL5T8tqLpGOnCkj4ZozZ6sv8qAFxR3vmmWvpkCtJYKml9Hsqww0Laytgj76TO8xMuQSwRPgbkXRr6QaF+o1EwEW6fArb/wtsUUJSDBdv2K6UpyPwITSEQk2z0o3Cr6Y9luYlGXKmpegQWcjcBxUVWd06V21IFHTT/WM4joEBsliVAAlJBcyjYj3Sq9onxiXOHVgmNFzQpxTlSoaqVCuVLegHB8E5ipyrDtaw4gl6l3pNKdNCyILJtk226rOZpZZ/wBMs2FWUyosrlBe46oa7XynkCzPbItivxpZwqN5nPjOFQi/QXzN9i2iDCXZvoNnFKG0B/fSKb3Dho5cpqhhxUIu1AttcTj9YNx6lsw5ZGkdaLyomqIB4rRFVj9U98cY/lEP4Hgn2kl71bhloIu1R/1qxZXuk7KAC7QJ5Nk773Pb7oHVfWwaQxFmcTR2IEQm5SuXvyxWUVWpH9kuTgwhXPypJRuob3IJX2Nrm4kRKdL8U5HH/UWYhXTFcOMrbqY0b/iFAhxu/qQYvCVOSZrV43elCI70e0PGaIM9c+ifL7EZw+uHlJP6lWgtqqmbjR+K+7ZmXjVAq6KngRGetIlkjC60aMiFmqTZ1f1RADLQyEUHKbLT6YqePU698vHM+zTr+38HLOMxz80/EpC0L0qvdsMY9DXUIHow2/sffGFbWto5Jh2KcWQoSB2dMeQCOeZT45qaCwwE9ZG5sZJTWJvWgjsTegHDvlnv7LzlFOYyfWSr708v+twz/eI0Z1PmCZq8f6iN0T0fA7ncbPjp22ebg+YztDPEO1F+ThtvOrvz4ptVUr5Riywwf1aL6qGYUGZ/epOfaHosnf29l71e3xQD3Ry9DB7DEJXNGmrmF7AF1aEJXsvFSnqNa0A3pkP56cK+SfhEQbaFA7pJWqSnNqRuZR+60ItKQ/plimZRhPobKYb8bjJ0CyFtAf6fez1Q8XC/YohMNi3vZ1sdkmQ+O0CCV72sS7jRpSJOc6zG2KB4zL9JllxThNAXBvB+4rHoowG5ltCw2xm/eTQSdUivCkT67EocjS8RjucLfYvc2aH9+tLaIkwFUYsNKkd+JpNlmD6E6fp229YJ3908JrksYCRc//MQhaDMaig1Bc7JPTGqHlHZFtHhbrGIHPoRMLL6djRKXlPndQ/ZGKTca72oBNt4KXO2MQhTYtP08Zgt8E2lpjUhbWnNsyikuVju7UWi0ynT2RPNaRgffoXZtnDVsCYv1yhYnrfoqNOGZpR4GE/rwyQMw3/osNI91l7vKSGIhAQAPnTT77A5xWiVMb0VL4WzokZaWFWL9BGkSIMcbJNkZB1udwrNeqwU7N8WHwQKGuBSg1YOd9wE0A8GmNNuBo0Qjo4QCGs0Q/GAvrczppinbNkABSgW570/i+Ep7UOJ83Zcv7XhxoHdlsdmpweGIpOdjC4WMfYlNRwVJ2eg7qhvuFOzuvSZBMCmPpC/gkjYgD9FjsH1rzgxbcOvkkUzxHQImiYHxYd6h7ZqqGD7XINy1oSPJEaK,iv:zNaVGK5hNxziOoPTbwaUhUwBuFbCiGNrfVMpeMxL3JI=,tag:6v8Hf4Symd1T16MOEChtcA==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VGVjRkdJOGx3c05YM28y\nM3dCbkU4TXBHK1VVOFFkY3FQVk0rQVp0d1g0CnZPR3FtUGlCb2lKSVc1Z3VtM0JM\nV1ZtZ3NVVndvak43cStIRWZxWldKSncKLS0tIEdJVHFFTzdaNklLVHdURndGa3Qy\nc2lEZ1hER3dGL0FKNUZrSkxMOXMvOGsKHGJ44Ey6mR3rV6NPPmn/QTsyjL08wCzu\nkUdD0jgSMLwInX5R9Gh9+Zbc9NIfEgSzLr6up6UlgW/4iWvM4oFPRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHVweTFZenhZZzVDZ2ts\nTnNxNkZLWnVQRmpoa0ZldHpxdWt0Sy9jRVFFClExS2FMM3hiSlRQR2lmb25RTEo0\nRTRGdmxCaXJoeXdNaVU3cGRIRFlibWsKLS0tIFFzVFhCR2hSOStYNk5yNmc5UkZl\nTHdWSUZTZUIyUEp2OFR0SFpzMzFFd0EKlsRWNJjapPefXxyuUtFWlPs/UIC9V1N7\nF7Ek+TAKl11SwGGA2qla1yvnDOxkZvFg7gWsurZeEBH4PuPZ1OE/Yg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:41:03Z",
 		"mac": "ENC[AES256_GCM,data:1DcuXden9WAF3frVjOMgpt0nniqiGEAA4SubPLk86GODEaOXxZSVStX1rr0GCF0t0tR4O4jl4cnRvZHF9Zjj7smA5Wf8jPpbSCrZX4oBo/HP3UU+A78yxSrj4gmoeH4m/aaJv0co77Vwcm/HglE6Q89Oc9BUqE2e4FGVmDUZTws=,iv:OAa2hvuw6aUcp3qKkRpDeLMDcq9Kkn/Bc+86DzV5h5g=,tag:wVrs9oyfaCAv3gZxsxbMPg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
@@ -0,0 +1 @@
 ../../../../../../sops/users/admin
--- a/checks/mycelium/default.nix
+++ b/checks/mycelium/default.nix
@@ -8,7 +8,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/syncthing/default.nix
+++ b/checks/syncthing/default.nix
@@ -9,7 +9,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
--- a/checks/user-firewall/common.nix
+++ b/checks/user-firewall/common.nix
@@ -1,100 +0,0 @@
 # Shared configuration for user firewall tests
 { self, pkgs, ... }:
 {
  imports = [
    self.nixosModules.user-firewall
  ];
  networking.firewall.enable = true;
  # Configure the user firewall module
  # Test with default allowedInterfaces (which includes wg*)
  networking.user-firewall = {
    # Use defaults for allowedInterfaces to test that wg* is included by default
    exemptUsers = [
      "root"
      "alice"
    ];
  };
  # Create test users
  users.users = {
    alice = {
      isNormalUser = true;
      uid = 1001;
      initialPassword = "test";
    };
    bob = {
      isNormalUser = true;
      uid = 1002;
      initialPassword = "test";
    };
  };
  # Add tools for testing
  environment.systemPackages = with pkgs; [
    curl
    netcat
    iproute2
  ];
  # Add a local web server for testing
  services.nginx = {
    enable = true;
    virtualHosts = {
      "localhost" = {
        listen = [
          {
            addr = "127.0.0.1";
            port = 8080;
          }
        ];
        locations."/" = {
          return = "200 'test server response'";
          extraConfig = "add_header Content-Type text/plain;";
        };
      };
      "wg0-test" = {
        listen = [
          {
            addr = "10.100.0.2";
            port = 8081;
          }
          {
            addr = "[fd00::2]";
            port = 8081;
          }
        ];
        locations."/" = {
          return = "200 'wg0 interface test response'";
          extraConfig = "add_header Content-Type text/plain;";
        };
      };
    };
  };
  # Create a dummy interface to test allowed interface patterns
  systemd.services.setup-wg0-interface = {
    description = "Setup wg0 dummy interface";
    after = [ "network-pre.target" ];
    before = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      ${pkgs.iproute2}/bin/ip link add wg0 type dummy || true
      ${pkgs.iproute2}/bin/ip addr add 10.100.0.2/24 dev wg0 || true
      ${pkgs.iproute2}/bin/ip addr add fd00::2/64 dev wg0 || true
      ${pkgs.iproute2}/bin/ip link set wg0 up || true
    '';
  };
  # Make nginx wait for the wg0 interface
  systemd.services.nginx = {
    after = [ "setup-wg0-interface.service" ];
    requires = [ "setup-wg0-interface.service" ];
  };
 }
--- a/checks/user-firewall/iptables.nix
+++ b/checks/user-firewall/iptables.nix
@@ -1,82 +0,0 @@
 {
  name = "user-firewall-iptables";
  nodes = {
    router =
      { ... }:
      {
        imports = [ ./router.nix ];
      };
    machine =
      { ... }:
      {
        imports = [ ./common.nix ];
        # Force iptables backend
        networking.nftables.enable = false;
      };
  };
  testScript = ''
    start_all()
    router.wait_for_unit("multi-user.target")
    router.wait_for_unit("nginx.service")
    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("nginx.service")
    # Get router IPs (both IPv4 and IPv6)
    router_ip = router.succeed("ip -4 addr show eth1 | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}'").strip()
    router_ip6 = router.succeed("ip -6 addr show eth1 | grep -oP '(?<=inet6\\s)[0-9a-f:]+' | grep -v '^fe80' | head -1").strip()
    print(f"Router IPv4: {router_ip}")
    print(f"Router IPv6: {router_ip6}")
    # Test firewall restart
    machine.succeed("systemctl restart firewall")
    machine.wait_for_unit("firewall.service")
    # Verify rules are loaded
    machine.succeed("iptables -L user-firewall-output >&2")
    # Test alice (exempt user) - should succeed both locally and to router
    machine.wait_until_succeeds("runuser -u alice -- curl -s http://127.0.0.1:8080")
    machine.succeed(f"runuser -u alice -- curl -s http://{router_ip}")
    machine.succeed(f"runuser -u alice -- curl -s http://[{router_ip6}]")
    # Test bob (restricted user) - localhost should work, external should fail
    machine.succeed("runuser -u bob -- curl -s http://127.0.0.1:8080")
    # This should be blocked by firewall - IPv4
    result = machine.succeed(f"runuser -u bob -- curl -s --connect-timeout 2 http://{router_ip} 2>&1 || echo 'EXIT_CODE='$?")
    assert "EXIT_CODE=7" in result, f"Bob should be blocked from external IPv4 access (expected EXIT_CODE=7) but got: {result}"
    # This should be blocked by firewall - IPv6
    result6 = machine.succeed(f"runuser -u bob -- curl -s --connect-timeout 2 http://[{router_ip6}] 2>&1 || echo 'EXIT_CODE='$?")
    assert "EXIT_CODE=7" in result6, f"Bob should be blocked from external IPv6 access (expected EXIT_CODE=7) but got: {result6}"
    # Verify the rules are actually present for both IPv4 and IPv6
    rules4 = machine.succeed("iptables -L user-firewall-output -n -v")
    assert "REJECT" in rules4, "REJECT rule not found in iptables"
    rules6 = machine.succeed("ip6tables -L user-firewall-output -n -v")
    assert "REJECT" in rules6, "REJECT rule not found in ip6tables"
    # Wait for the dummy interface to be created
    machine.wait_for_unit("setup-wg0-interface.service")
    machine.wait_for_unit("nginx.service")
    machine.wait_for_open_port(8081, "10.100.0.2")
    # Check that wg0 interface exists
    machine.succeed("ip link show wg0")
    machine.succeed("ip addr show wg0")
    # The key test: users should be able to connect via wg0 interface
    # For alice (exempt user) - should work
    machine.succeed("runuser -u alice -- curl -s --interface wg0 http://10.100.0.2:8081/")
    machine.succeed("runuser -u alice -- curl -s --interface wg0 http://[fd00::2]:8081/")  # IPv6 test
    # For bob (restricted user) - should also work because wg* is in default allowedInterfaces
    machine.succeed("runuser -u bob -- curl -s --interface wg0 http://10.100.0.2:8081/")
    machine.succeed("runuser -u bob -- curl -s --interface wg0 http://[fd00::2]:8081/")  # IPv6 test
    # Verify that wg* interfaces are allowed in the firewall rules
    machine.succeed("iptables -L user-firewall-output -n -v | grep -E 'wg0|wg\\+' >&2")
  '';
 }
--- a/checks/user-firewall/nftables.nix
+++ b/checks/user-firewall/nftables.nix
@@ -1,77 +0,0 @@
 {
  name = "user-firewall-nftables";
  nodes = {
    router = {
      imports = [ ./router.nix ];
    };
    machine = {
      imports = [ ./common.nix ];
      # Force nftables backend
      networking.nftables.enable = true;
    };
  };
  testScript = ''
    start_all()
    router.wait_for_unit("multi-user.target")
    router.wait_for_unit("nginx.service")
    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("nginx.service")
    # Get router IPs (both IPv4 and IPv6)
    router_ip = router.succeed("ip -4 addr show eth1 | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}'").strip()
    router_ip6 = router.succeed("ip -6 addr show eth1 | grep -oP '(?<=inet6\\s)[0-9a-f:]+' | grep -v '^fe80' | head -1").strip()
    print(f"Router IPv4: {router_ip}")
    print(f"Router IPv6: {router_ip6}")
    # Test nftables restart
    machine.succeed("systemctl restart nftables")
    machine.wait_for_unit("nftables.service")
    # Verify rules are loaded
    machine.succeed("nft list table inet user-firewall >&2")
    # Test alice (exempt user) - should succeed both locally and to router
    machine.wait_until_succeeds("runuser -u alice -- curl -s http://127.0.0.1:8080")
    machine.succeed(f"runuser -u alice -- curl -s http://{router_ip}")
    machine.succeed(f"runuser -u alice -- curl -s http://[{router_ip6}]")
    # Test bob (restricted user) - localhost should work, external should fail
    machine.succeed("runuser -u bob -- curl -s http://127.0.0.1:8080")
    # This should be blocked by firewall - IPv4
    result = machine.succeed(f"runuser -u bob -- curl -s --connect-timeout 2 http://{router_ip} 2>&1 || echo 'EXIT_CODE='$?")
    assert "EXIT_CODE=7" in result, f"Bob should be blocked from external IPv4 access (expected EXIT_CODE=7) but got: {result}"
    # This should be blocked by firewall - IPv6
    result6 = machine.succeed(f"runuser -u bob -- curl -s --connect-timeout 2 http://[{router_ip6}] 2>&1 || echo 'EXIT_CODE='$?")
    assert "EXIT_CODE=7" in result6, f"Bob should be blocked from external IPv6 access (expected EXIT_CODE=7) but got: {result6}"
    # Verify the rules are actually present
    rules = machine.succeed("nft list table inet user-firewall")
    assert 'meta skuid 1002' in rules and 'reject' in rules, f"Reject rule for bob (uid 1002) not found in nftables. Actual rules:\n{rules}"
    assert "oifname" in rules, f"Interface rules not found in nftables. Actual rules:\n{rules}"
    # Wait for the dummy interface to be created
    machine.wait_for_unit("setup-wg0-interface.service")
    machine.wait_for_unit("nginx.service")
    machine.wait_for_open_port(8081, "10.100.0.2")
    # Check that wg0 interface exists
    machine.succeed("ip link show wg0")
    machine.succeed("ip addr show wg0")
    # The key test: users should be able to connect via wg0 interface
    # For alice (exempt user) - should work
    machine.succeed("runuser -u alice -- curl -s --interface wg0 http://10.100.0.2:8081/")
    machine.succeed("runuser -u alice -- curl -s --interface wg0 http://[fd00::2]:8081/")  # IPv6 test
    # For bob (restricted user) - should also work because wg* is in default allowedInterfaces
    machine.succeed("runuser -u bob -- curl -s --interface wg0 http://10.100.0.2:8081/")
    machine.succeed("runuser -u bob -- curl -s --interface wg0 http://[fd00::2]:8081/")  # IPv6 test
    # Verify that wg* interfaces are allowed in the nftables rules
    rules_with_wg = machine.succeed("nft list table inet user-firewall | grep -E 'oifname.*wg' >&2")
  '';
 }
--- a/checks/user-firewall/router.nix
+++ b/checks/user-firewall/router.nix
@@ -1,32 +0,0 @@
 # Shared router configuration for user firewall tests
 { ... }:
 {
  networking.firewall.enable = false;
  networking.useNetworkd = true;
  # Simple web server to test connectivity
  services.nginx = {
    enable = true;
    virtualHosts."router" = {
      listen = [
        {
          addr = "0.0.0.0";
          port = 80;
        }
        {
          addr = "[::]";
          port = 80;
        }
        {
          addr = "10.100.0.1";
          port = 80;
        }
      ];
      locations."/" = {
        return = "200 'router response'";
        extraConfig = "add_header Content-Type text/plain;";
      };
    };
  };
 }
--- a/clanModules/admin/roles/default.nix
+++ b/clanModules/admin/roles/default.nix
@@ -18,13 +18,6 @@
    ../../root-password
  ];
  config = {
    warnings = [
      "The clan.admin module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    users.users.root.openssh.authorizedKeys.keys = builtins.attrValues config.clan.admin.allowedKeys;
  };
 }
--- a/clanModules/auto-upgrade/roles/default.nix
+++ b/clanModules/auto-upgrade/roles/default.nix
@@ -13,15 +13,7 @@ in
      description = "Flake reference";
    };
  };
  config = {
    warnings = [
      "The clan.auto-upgrade module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    system.autoUpgrade = {
      inherit (cfg) flake;
      enable = true;
--- a/clanModules/borgbackup/roles/client.nix
+++ b/clanModules/borgbackup/roles/client.nix
@@ -90,12 +90,6 @@ in
  config = {
    warnings = [
      "The clan.borgbackup module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    # Destinations
    clan.borgbackup.destinations =
      let
--- a/clanModules/data-mesher/roles/admin.nix
+++ b/clanModules/data-mesher/roles/admin.nix
@@ -27,13 +27,6 @@ in
  };
  config = {
    warnings = [
      "The clan.admin module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    services.data-mesher.initNetwork =
      let
        # for a given machine, read it's public key and remove any new lines
--- a/clanModules/deltachat/roles/default.nix
+++ b/clanModules/deltachat/roles/default.nix
@@ -1,15 +1,5 @@
 { config, pkgs, ... }:
 {
  config,
  pkgs,
  ...
 }:
 {
  warnings = [
    "The clan.deltachat module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
  environment.systemPackages = [ pkgs.deltachat-desktop ];
--- a/clanModules/disk-id/roles/default.nix
+++ b/clanModules/disk-id/roles/default.nix
@@ -7,12 +7,6 @@
 {
  config = {
    warnings = [
      "The clan.disk-id module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    clan.core.vars.generators.disk-id = {
      files.diskId.secret = false;
      runtimeInputs = [
--- a/clanModules/ergochat/roles/default.nix
+++ b/clanModules/ergochat/roles/default.nix
@@ -1,11 +1,4 @@
 _: {
  warnings = [
    "The clan.ergochat module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  services.ergochat = {
    enable = true;
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -23,6 +23,7 @@ in
    iwd = ./iwd;
    localbackup = ./localbackup;
    localsend = ./localsend;
    machine-id = ./machine-id;
    matrix-synapse = ./matrix-synapse;
    moonlight = ./moonlight;
    mumble = ./mumble;
--- a/clanModules/garage/roles/default.nix
+++ b/clanModules/garage/roles/default.nix
@@ -1,12 +1,5 @@
 { config, pkgs, ... }:
 {
  warnings = [
    "The clan.ergochat module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  systemd.services.garage.serviceConfig = {
    LoadCredential = [
      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
--- a/clanModules/heisenbridge/roles/default.nix
+++ b/clanModules/heisenbridge/roles/default.nix
@@ -11,11 +11,6 @@
    ] "Importing the module will already enable the service.")
  ];
  config = {
    warnings = [
      "The clan.heisenbridge module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    services.heisenbridge = {
      enable = true;
      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
--- a/clanModules/iwd/roles/default.nix
+++ b/clanModules/iwd/roles/default.nix
@@ -81,7 +81,15 @@ in
    })
    {
      warnings = [
-        "The clan.iwd module is deprecated and will be removed on 2025-07-15. Please migrate to a user-maintained configuration or use the wifi service."
+        ''
          The clan module `iwd` is deprecated and replaced by the clan service `wifi`
          Please migrate your config to the new service (see: https://docs.clan.lol/reference/clanServices/wifi/)
          To keep passwords after migrating the config, use:
            clan vars get <your-machine> iwd.<network-name>/ssid | clan vars set <your-machine> wifi.<network-name>/network-name
          and:
            clan vars get <your-machine> iwd.<network-name>/password | clan vars set <your-machine> wifi.<network-name>/password
        ''
      ];
      # disable wpa supplicant
--- a/clanModules/localsend/roles/default.nix
+++ b/clanModules/localsend/roles/default.nix
@@ -38,12 +38,6 @@ in
    ] "Importing the module will already enable the service.")
  ];
  config = {
    warnings = [
      "The clan.localsend module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    clan.core.state.localsend.folders = [
      "/var/localsend"
    ];
--- a/clanModules/machine-id/README.md
+++ b/clanModules/machine-id/README.md
@@ -0,0 +1,4 @@
 ---
 description = "Sets the /etc/machine-id and exposes it as a nix option"
 features = [ "inventory" ]
 ---
--- a/clanModules/machine-id/default.nix
+++ b/clanModules/machine-id/default.nix
@@ -0,0 +1,6 @@
 # Dont import this file
 # It is only here for backwards compatibility.
 # Dont author new modules with this file.
 {
  imports = [ ./roles/default.nix ];
 }
--- a/clanModules/machine-id/roles/default.nix
+++ b/clanModules/machine-id/roles/default.nix
@@ -0,0 +1,45 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  var = config.clan.core.vars.generators.machine-id.files.machineId or { };
 in
 {
  config = lib.mkMerge [
    (lib.mkIf ((var.value or null) != null) {
      assertions = [
        {
          assertion = lib.stringLength var.value == 32;
          message = "machineId must be exactly 32 characters long.";
        }
      ];
      boot.kernelParams = [
        ''systemd.machine_id=${var.value}''
      ];
      environment.etc."machine-id" = {
        text = var.value;
      };
    })
    {
      clan.core.vars.generators.machine-id = {
        files.machineId.secret = false;
        runtimeInputs = [
          pkgs.coreutils
          pkgs.bash
        ];
        script = ''
          uuid=$(bash ${./uuid4.sh})
          # Remove the hyphens from the UUID
          uuid_no_hyphens=$(echo -n "$uuid" | tr -d '-')
          echo -n "$uuid_no_hyphens" > "$out/machineId"
        '';
      };
    }
  ];
 }
--- a/nixosModules/clanCore/machine-id/uuid4.sh
+++ b/nixosModules/clanCore/machine-id/uuid4.sh
--- a/clanModules/moonlight/default.nix
+++ b/clanModules/moonlight/default.nix
@@ -4,10 +4,6 @@ let
  defaultPort = 48011;
 in
 {
  warnings = [
    "The clan.moonlight module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
  ];
  hardware.opengl.enable = true;
  environment.systemPackages = [
    pkgs.moonlight-qt
--- a/clanModules/mumble/roles/server.nix
+++ b/clanModules/mumble/roles/server.nix
@@ -37,13 +37,6 @@ in
  };
  config = {
    warnings = [
      "The clan.mumble module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    services.murmur = {
      enable = true;
      logDays = -1;
--- a/clanModules/mycelium/roles/peer.nix
+++ b/clanModules/mycelium/roles/peer.nix
@@ -19,12 +19,6 @@
    };
  };
  config.warnings = [
    "The clan.mycelium module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  config.services.mycelium = {
    enable = true;
    addHostedPublicNodes = lib.mkDefault config.clan.mycelium.addHostedPublicNodes;
--- a/clanModules/packages/roles/default.nix
+++ b/clanModules/packages/roles/default.nix
@@ -12,12 +12,6 @@
    };
  };
  config = {
    warnings = [
      "The clan.packages module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    environment.systemPackages = map (
      pName: lib.getAttrFromPath (lib.splitString "." pName) pkgs
    ) config.clan.packages.packages;
--- a/clanModules/root-password/roles/default.nix
+++ b/clanModules/root-password/roles/default.nix
@@ -6,13 +6,6 @@
  ...
 }:
 {
  warnings = [
    "The clan.root-password module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  users.mutableUsers = false;
  users.users.root.hashedPasswordFile =
    config.clan.core.vars.generators.root-password.files.password-hash.path;
--- a/clanModules/sshd/roles/server.nix
+++ b/clanModules/sshd/roles/server.nix
@@ -17,13 +17,6 @@ in
    clan.sshd.hostKeys.rsa.enable = lib.mkEnableOption "Generate RSA host key";
  };
  config = {
    warnings = [
      "The clan.sshd module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
--- a/clanModules/state-version/roles/default.nix
+++ b/clanModules/state-version/roles/default.nix
@@ -3,13 +3,6 @@ let
  var = config.clan.core.vars.generators.state-version.files.version or { };
 in
 {
  warnings = [
    "The clan.state-version module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
  ];
  system.stateVersion = lib.mkDefault (lib.removeSuffix "\n" var.value);
  clan.core.vars.generators.state-version = {
--- a/clanModules/sunshine/default.nix
+++ b/clanModules/sunshine/default.nix
@@ -17,10 +17,6 @@ let
  listenPort = 48011;
 in
 {
  warnings = [
    "The clan.sunshine module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
  ];
  networking.firewall = {
    allowedTCPPorts = [
      47984
--- a/clanModules/syncthing/roles/peer.nix
+++ b/clanModules/syncthing/roles/peer.nix
@@ -11,7 +11,6 @@ in
  imports = [
    ../shared.nix
  ];
  clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
    if builtins.pathExists introducerId then
      builtins.readFile introducerId
--- a/clanModules/thelounge/default.nix
+++ b/clanModules/thelounge/default.nix
@@ -1,8 +1,4 @@
 _: {
  warnings = [
    "The clan.thelounge module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
  ];
  services.thelounge = {
    enable = true;
    public = true;
--- a/clanModules/user-password/roles/default.nix
+++ b/clanModules/user-password/roles/default.nix
@@ -26,13 +26,6 @@ in
  };
  config = {
    warnings = [
      "The clan.user-password module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    users.mutableUsers = false;
    users.users.${cfg.user} = {
      hashedPasswordFile = config.clan.core.vars.generators.user-password.files.user-password-hash.path;
--- a/clanModules/xfce/default.nix
+++ b/clanModules/xfce/default.nix
@@ -1,8 +1,4 @@
 {
  warnings = [
    "The clan.xfce module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
  ];
  services.xserver = {
    enable = true;
    desktopManager.xfce.enable = true;
--- a/clanModules/zerotier/roles/controller.nix
+++ b/clanModules/zerotier/roles/controller.nix
@@ -17,13 +17,6 @@ in
    ../shared.nix
  ];
  config = {
    warnings = [
      "The clan.zerotier module is deprecated and will be removed on 2025-07-15.
      Please migrate to user-maintained configuration or the new equivalent clan services
      (https://docs.clan.lol/reference/clanServices)."
    ];
    systemd.services.zerotier-inventory-autoaccept =
      let
        machines = uniqueStrings (roles.moon.machines ++ roles.controller.machines ++ roles.peer.machines);
--- a/clanModules/zt-tcp-relay/default.nix
+++ b/clanModules/zt-tcp-relay/default.nix
@@ -13,10 +13,6 @@
    };
  };
  config = {
    warnings = [
      "The clan.zt-tcp-relay module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
    ];
    networking.firewall.allowedTCPPorts = [ config.clan.zt-tcp-relay.port ];
    systemd.services.zt-tcp-relay = {
--- a/clanServices/admin/flake-module.nix
+++ b/clanServices/admin/flake-module.nix
@@ -1,18 +1,17 @@
-{ lib, ... }:
+{ lib, self, ... }:
 let
  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
-    admin = module;
+    admin = lib.modules.importApply ./default.nix { };
  };
  perSystem =
-    { ... }:
+    { pkgs, ... }:
    {
-      clan.nixosTests.admin = {
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        imports = [ ./tests/vm/default.nix ];
+        admin = import ./tests/vm/default.nix {
-
+          inherit pkgs;
-        clan.modules."@clan/admin" = module;
+          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/admin/tests/vm/default.nix
+++ b/clanServices/admin/tests/vm/default.nix
@@ -1,45 +1,62 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
 let
  public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
 in
-{
+nixosLib.runTest (
-  name = "admin";
+  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
-  clan = {
+    hostPkgs = pkgs;
    directory = ./.;
    inventory = {
-      machines.client = { };
+    name = "admin";
      machines.server = { };
-      instances = {
+    clan = {
-        ssh-test-one = {
+      directory = ./.;
-          module.name = "@clan/admin";
+      modules."@clan/admin" = ../../default.nix;
-          roles.default.machines."server".settings = {
+      inventory = {
-            allowedKeys.testkey = public-key;
+
        machines.client = { };
        machines.server = { };
        instances = {
          ssh-test-one = {
            module.name = "@clan/admin";
            roles.default.machines."server".settings = {
              allowedKeys.testkey = public-key;
            };
          };
        };
      };
    };
  };
-  nodes = {
+    nodes = {
-    client.environment.etc.private-test-key.source = ./private-test-key;
+      client.environment.etc.private-test-key.source = ./private-test-key;
-    server = {
+      server = {
-      services.openssh.enable = true;
+        services.openssh.enable = true;
      };
    };
  };
-  testScript = ''
+    testScript = ''
-    start_all()
+      start_all()
-    machines = [client, server]
+      machines = [client, server]
-    for m in machines:
+      for m in machines:
-        m.systemctl("start network-online.target")
+          m.systemctl("start network-online.target")
-    for m in machines:
+      for m in machines:
-        m.wait_for_unit("network-online.target")
+          m.wait_for_unit("network-online.target")
-    client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
+      client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
-  '';
+    '';
-}
+  }
 )
--- a/clanServices/auto-upgrade/default.nix
+++ b/clanServices/auto-upgrade/default.nix
@@ -0,0 +1,33 @@
 { ... }:
 {
  _class = "clan.service";
  manifest.name = "clan-core/auto-upgrade";
  manifest.description = "Automatic system upgrade for the Clan App";
  manifest.categories = [ "System" ];
  roles.default = {
    interface =
      { lib, ... }:
      {
        options.flake = lib.mkOption {
          type = lib.types.str;
          description = "Flake reference";
        };
      };
    perInstance =
      { settings, ... }:
      {
        nixosModule =
          { ... }:
          {
            system.autoUpgrade = {
              inherit (settings) flake;
              enable = true;
              dates = "02:00";
              randomizedDelaySec = "45min";
            };
          };
      };
  };
 }
--- a/clanServices/auto-upgrade/flake-module.nix
+++ b/clanServices/auto-upgrade/flake-module.nix
@@ -0,0 +1,6 @@
 { lib, ... }:
 {
  clan.modules = {
    auto-upgrade = lib.modules.importApply ./default.nix { };
  };
 }
--- a/clanServices/borgbackup/flake-module.nix
+++ b/clanServices/borgbackup/flake-module.nix
@@ -1,18 +1,17 @@
-{ lib, ... }:
+{ lib, self, ... }:
 let
  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
-    borgbackup = module;
+    borgbackup = lib.modules.importApply ./default.nix { };
  };
  perSystem =
-    { ... }:
+    { pkgs, ... }:
    {
-      clan.nixosTests.borgbackup = {
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        imports = [ ./tests/vm/default.nix ];
+        borgbackup = import ./tests/vm/default.nix {
-
+          inherit pkgs;
-        clan.modules."@clan/borgbackup" = module;
+          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/borgbackup/tests/vm/default.nix
+++ b/clanServices/borgbackup/tests/vm/default.nix
@@ -1,112 +1,118 @@
 {
  module,
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
-{
+nixosLib.runTest (
-  name = "borgbackup";
+  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
-  clan = {
+    hostPkgs = pkgs;
    directory = ./.;
    test.useContainers = true;
    inventory = {
-      machines.clientone = { };
+    name = "borgbackup";
      machines.serverone = { };
-      instances = {
+    clan = {
-        borgone = {
+      directory = ./.;
      test.useContainers = true;
      modules."@clan/borgbackup" = ../../default.nix;
      inventory = {
-          module.name = "@clan/borgbackup";
+        machines.clientone = { };
        machines.serverone = { };
-          roles.client.machines."clientone" = { };
+        instances = {
-          roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
+          borgone = {
            module.name = "@clan/borgbackup";
            roles.client.machines."clientone" = { };
            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
          };
        };
      };
    };
  };
-  nodes = {
+    nodes = {
    serverone = {
      services.openssh.enable = true;
      # Needed so PAM doesn't see the user as locked
      users.users.borg.password = "borg";
    };
    clientone =
      {
        config,
        pkgs,
        clan-core,
        ...
      }:
      let
        dependencies = [
          clan-core
          pkgs.stdenv.drvPath
        ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
      in
      {
      serverone = {
        services.openssh.enable = true;
-
+        # Needed so PAM doesn't see the user as locked
-        users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../../checks/assets/ssh/pubkey ];
+        users.users.borg.password = "borg";
        clan.core.networking.targetHost = config.networking.hostName;
        environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
        environment.etc.install-closure.source = "${closureInfo}/store-paths";
        nix.settings = {
          substituters = pkgs.lib.mkForce [ ];
          hashed-mirrors = null;
          connect-timeout = pkgs.lib.mkForce 3;
          flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
        };
        system.extraDependencies = dependencies;
        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
      };
-  };
+      clientone =
        { config, pkgs, ... }:
        let
          dependencies = [
            clan-core
            pkgs.stdenv.drvPath
          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-  testScript = ''
+        in
-    import json
+        {
    start_all()
-    machines = [clientone, serverone]
+          services.openssh.enable = true;
-    for m in machines:
+          users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../../checks/assets/ssh/pubkey ];
        m.systemctl("start network-online.target")
-    for m in machines:
+          clan.core.networking.targetHost = config.networking.hostName;
        m.wait_for_unit("network-online.target")
-    # dummy data
+          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
    clientone.succeed("mkdir -p /var/test-backups /var/test-service")
    clientone.succeed("echo testing > /var/test-backups/somefile")
-    clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../../../../checks/assets/ssh/privkey} /root/.ssh/id_ed25519")
+          environment.etc.install-closure.source = "${closureInfo}/store-paths";
-    clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
+          nix.settings = {
-    clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
+            substituters = pkgs.lib.mkForce [ ];
-    clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
+            hashed-mirrors = null;
            connect-timeout = pkgs.lib.mkForce 3;
            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
          };
          system.extraDependencies = dependencies;
-    # create
+          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-    clientone.succeed("borgbackup-create >&2")
+        };
    clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
-    # list
+    };
    backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
    out = clientone.succeed("borgbackup-list").strip()
    print(out)
    assert backup_id in out, f"backup {backup_id} not found in {out}"
-    # borgbackup restore
+    testScript = ''
-    clientone.succeed("rm -f /var/test-backups/somefile")
+      import json
-    clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
+      start_all()
-    assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
+
-  '';
+      machines = [clientone, serverone]
-}
+
      for m in machines:
          m.systemctl("start network-online.target")
      for m in machines:
          m.wait_for_unit("network-online.target")
      # dummy data
      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
      clientone.succeed("echo testing > /var/test-backups/somefile")
      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../../../../checks/assets/ssh/privkey} /root/.ssh/id_ed25519")
      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
      # create
      clientone.succeed("borgbackup-create >&2")
      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
      # list
      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
      out = clientone.succeed("borgbackup-list").strip()
      print(out)
      assert backup_id in out, f"backup {backup_id} not found in {out}"
      # borgbackup restore
      clientone.succeed("rm -f /var/test-backups/somefile")
      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
    '';
  }
 )
--- a/clanServices/deltachat/default.nix
+++ b/clanServices/deltachat/default.nix
@@ -0,0 +1,164 @@
 { ... }:
 {
  _class = "clan.service";
  manifest.name = "clan-core/deltachat";
  manifest.description = "Email-based instant messaging for Desktop";
  manifest.categories = [ "Social" ];
  roles.default = {
    interface =
      { ... }:
      {
        options = { };
      };
    perInstance =
      { settings, ... }:
      {
        nixosModule =
          { config, pkgs, ... }:
          {
            networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
            environment.systemPackages = [ pkgs.deltachat-desktop ];
            services.maddy =
              let
                domain = "${config.clan.core.settings.machine.name}.local";
              in
              {
                enable = true;
                primaryDomain = domain;
                config = ''
                  # Minimal configuration with TLS disabled, adapted from upstream example
                  # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
                  # Do not use this in unencrypted networks!
                  auth.pass_table local_authdb {
                    table sql_table {
                      driver sqlite3
                      dsn credentials.db
                      table_name passwords
                    }
                  }
                  storage.imapsql local_mailboxes {
                    driver sqlite3
                    dsn imapsql.db
                  }
                  table.chain local_rewrites {
                    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
                    optional_step static {
                      entry postmaster postmaster@$(primary_domain)
                    }
                    optional_step file /etc/maddy/aliases
                  }
                  msgpipeline local_routing {
                    destination postmaster $(local_domains) {
                      modify {
                        replace_rcpt &local_rewrites
                      }
                      deliver_to &local_mailboxes
                    }
                    default_destination {
                      reject 550 5.1.1 "User doesn't exist"
                    }
                  }
                  smtp tcp://[::]:25 {
                    limits {
                      all rate 20 1s
                      all concurrency 10
                    }
                    dmarc yes
                    check {
                      require_mx_record
                      dkim
                      spf
                    }
                    source $(local_domains) {
                      reject 501 5.1.8 "Use Submission for outgoing SMTP"
                    }
                    default_source {
                      destination postmaster $(local_domains) {
                        deliver_to &local_routing
                      }
                      default_destination {
                        reject 550 5.1.1 "User doesn't exist"
                      }
                    }
                  }
                  submission tcp://[::1]:587 {
                    limits {
                      all rate 50 1s
                    }
                    auth &local_authdb
                    source $(local_domains) {
                      check {
                          authorize_sender {
                              prepare_email &local_rewrites
                              user_to_email identity
                          }
                      }
                      destination postmaster $(local_domains) {
                          deliver_to &local_routing
                      }
                      default_destination {
                          modify {
                              dkim $(primary_domain) $(local_domains) default
                          }
                          deliver_to &remote_queue
                      }
                    }
                    default_source {
                      reject 501 5.1.8 "Non-local sender domain"
                    }
                  }
                  target.remote outbound_delivery {
                    limits {
                      destination rate 20 1s
                      destination concurrency 10
                    }
                    mx_auth {
                      dane
                      mtasts {
                        cache fs
                        fs_dir mtasts_cache/
                      }
                      local_policy {
                          min_tls_level encrypted
                          min_mx_level none
                      }
                    }
                  }
                  target.queue remote_queue {
                    target &outbound_delivery
                    autogenerated_msg_domain $(primary_domain)
                    bounce {
                      destination postmaster $(local_domains) {
                        deliver_to &local_routing
                      }
                      default_destination {
                          reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
                      }
                    }
                  }
                  imap tcp://[::1]:143 {
                    auth &local_authdb
                    storage &local_mailboxes
                  }
                '';
                ensureAccounts = [ "user@${domain}" ];
                ensureCredentials = {
                  "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
                };
              };
          };
      };
  };
 }
--- a/clanServices/deltachat/flake-module.nix
+++ b/clanServices/deltachat/flake-module.nix
@@ -0,0 +1,17 @@
 { lib, self, ... }:
 {
  clan.modules = {
    deltachat = lib.modules.importApply ./default.nix { };
  };
  perSystem =
    { pkgs, ... }:
    {
      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
        deltachat = import ./tests/vm/default.nix {
          inherit pkgs;
          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/deltachat/tests/vm/default.nix
+++ b/clanServices/deltachat/tests/vm/default.nix
@@ -0,0 +1,50 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "deltachat";
    clan = {
      directory = ./.;
      modules."@clan/deltachat" = ../../default.nix;
      inventory = {
        machines.server = { };
        instances = {
          deltachat-test = {
            module.name = "@clan/deltachat";
            roles.default.machines."server".settings = { };
          };
        };
      };
    };
    nodes = {
      server = { };
    };
    testScript = ''
      start_all()
      server.wait_for_unit("maddy")
      # imap
      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
      # smtp submission
      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
      # smtp
      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
    '';
  }
 )
--- a/clanServices/deltachat/tests/vm/sops/users/admin/key.json
+++ b/clanServices/deltachat/tests/vm/sops/users/admin/key.json
@@ -0,0 +1,4 @@
 {
  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
  "type": "age"
 }
--- a/clanServices/ergochat/default.nix
+++ b/clanServices/ergochat/default.nix
@@ -0,0 +1,36 @@
 { ... }:
 {
  _class = "clan.service";
  manifest.name = "clan-core/ergochat";
  manifest.description = "A modern IRC server";
  manifest.categories = [ "Social" ];
  roles.default = {
    interface =
      { ... }:
      {
        options = { };
      };
    perInstance =
      { settings, ... }:
      {
        nixosModule =
          { ... }:
          {
            services.ergochat = {
              enable = true;
              settings = {
                datastore = {
                  autoupgrade = true;
                  path = "/var/lib/ergo/ircd.db";
                };
              };
            };
            clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
          };
      };
  };
 }
--- a/clanServices/ergochat/flake-module.nix
+++ b/clanServices/ergochat/flake-module.nix
@@ -0,0 +1,17 @@
 { lib, self, ... }:
 {
  clan.modules = {
    ergochat = lib.modules.importApply ./default.nix { };
  };
  perSystem =
    { pkgs, ... }:
    {
      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
        ergochat = import ./tests/vm/default.nix {
          inherit pkgs;
          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/ergochat/tests/vm/default.nix
+++ b/clanServices/ergochat/tests/vm/default.nix
@@ -0,0 +1,51 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "ergochat";
    clan = {
      directory = ./.;
      modules."@clan/ergochat" = ../../default.nix;
      inventory = {
        machines.server = { };
        instances = {
          ergochat-test = {
            module.name = "@clan/ergochat";
            roles.default.machines."server".settings = { };
          };
        };
      };
    };
    nodes = {
      server = { };
    };
    testScript = ''
      start_all()
      server.wait_for_unit("ergochat")
      # Check that ergochat is running
      server.succeed("systemctl status ergochat")
      # Check that the data directory exists
      server.succeed("test -d /var/lib/ergo")
      # Check that the server is listening on the correct ports
      server.succeed("${pkgs.netcat}/bin/nc -z -v ::1 6667")
    '';
  }
 )
--- a/clanServices/ergochat/tests/vm/sops/users/admin/key.json
+++ b/clanServices/ergochat/tests/vm/sops/users/admin/key.json
@@ -0,0 +1,4 @@
 {
  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
  "type": "age"
 }
--- a/clanServices/garage/default.nix
+++ b/clanServices/garage/default.nix
@@ -8,15 +8,8 @@
  roles.default = {
    perInstance.nixosModule =
      { config, pkgs, ... }:
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        services.garage.enable = lib.mkDefault true;
        systemd.services.garage.serviceConfig = {
          LoadCredential = [
            "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
--- a/clanServices/garage/flake-module.nix
+++ b/clanServices/garage/flake-module.nix
@@ -1,19 +1,18 @@
-{ lib, ... }:
+{ lib, self, ... }:
 let
  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
-    garage = module;
+    garage = lib.modules.importApply ./default.nix { };
  };
  perSystem =
-    { ... }:
+    { pkgs, ... }:
    {
-      clan.nixosTests.garage = {
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        imports = [ ./tests/vm/default.nix ];
+        garage = import ./tests/vm/default.nix {
-
+          inherit pkgs;
-        clan.modules."@clan/garage" = module;
+          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/garage/tests/vm/default.nix
+++ b/clanServices/garage/tests/vm/default.nix
@@ -1,76 +1,87 @@
 {
  module,
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
-{
+nixosLib.runTest (
-  name = "garage";
+  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
-  clan = {
+    hostPkgs = pkgs;
    directory = ./.;
    inventory = {
      machines.server = { };
-      instances = {
+    name = "garage";
        garage-test = {
          module.name = "@clan/garage";
          roles.default.machines."server".settings = { };
        };
      };
    };
  };
-  nodes = {
+    clan = {
-    server = {
+      directory = ./.;
-      services.garage = {
+      modules."@clan/garage" = ../../default.nix;
-        enable = true;
+      inventory = {
-        package = pkgs.garage;
+        machines.server = { };
        settings = {
-          metadata_dir = "/var/lib/garage/meta";
+        instances = {
-          data_dir = "/var/lib/garage/data";
+          garage-test = {
-          db_engine = "sqlite";
+            module.name = "@clan/garage";
-
+            roles.default.machines."server".settings = { };
          replication_factor = 1;
          rpc_bind_addr = "127.0.0.1:3901";
          s3_api = {
            api_bind_addr = "127.0.0.1:3900";
            s3_region = "garage";
            root_domain = ".s3.garage";
          };
          s3_web = {
            bind_addr = "127.0.0.1:3902";
            root_domain = ".web.garage";
          };
          admin = {
            api_bind_addr = "127.0.0.1:3903";
          };
        };
      };
    };
  };
-  testScript = ''
+    nodes = {
-    start_all()
+      server = {
        services.garage = {
          enable = true;
          package = pkgs.garage;
          settings = {
-    server.wait_for_unit("network-online.target")
+            metadata_dir = "/var/lib/garage/meta";
-    server.wait_for_unit("garage")
+            data_dir = "/var/lib/garage/data";
            db_engine = "sqlite";
-    # Check that garage is running
+            replication_factor = 1;
    server.succeed("systemctl status garage")
-    # Check that the data directories exist
+            rpc_bind_addr = "127.0.0.1:3901";
    server.succeed("test -d /var/lib/garage/meta")
    server.succeed("test -d /var/lib/garage/data")
-    # Check that the ports are open to confirm that garage is running
+            s3_api = {
-    server.wait_until_succeeds("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3901")
+              api_bind_addr = "127.0.0.1:3900";
-    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3900")
+              s3_region = "garage";
-    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3902")
+              root_domain = ".s3.garage";
-    server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3903")
+            };
-  '';
+
-}
+            s3_web = {
              bind_addr = "127.0.0.1:3902";
              root_domain = ".web.garage";
            };
            admin = {
              api_bind_addr = "127.0.0.1:3903";
            };
          };
        };
      };
    };
    testScript = ''
      start_all()
      server.wait_for_unit("network-online.target")
      server.wait_for_unit("garage")
      # Check that garage is running
      server.succeed("systemctl status garage")
      # Check that the data directories exist
      server.succeed("test -d /var/lib/garage/meta")
      server.succeed("test -d /var/lib/garage/data")
      # Check that the ports are open to confirm that garage is running
      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3901")
      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3900")
      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3902")
      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 3903")
    '';
  }
 )
--- a/clanServices/heisenbridge/default.nix
+++ b/clanServices/heisenbridge/default.nix
@@ -0,0 +1,35 @@
 { ... }:
 {
  _class = "clan.service";
  manifest.name = "clan-core/heisenbridge";
  manifest.description = "A matrix bridge to communicate with IRC";
  manifest.categories = [ "Social" ];
  roles.default = {
    interface =
      { lib, ... }:
      {
        options.homeserver = lib.mkOption {
          type = lib.types.str;
          default = "http://localhost:8008";
          description = "URL of the Matrix homeserver";
        };
      };
    perInstance =
      { settings, ... }:
      {
        nixosModule = {
          services.heisenbridge = {
            enable = true;
            homeserver = settings.homeserver;
          };
          services.matrix-synapse.settings.app_service_config_files = [
            "/var/lib/heisenbridge/registration.yml"
          ];
        };
      };
  };
 }
--- a/clanServices/heisenbridge/flake-module.nix
+++ b/clanServices/heisenbridge/flake-module.nix
@@ -0,0 +1,17 @@
 { lib, self, ... }:
 {
  clan.modules = {
    heisenbridge = lib.modules.importApply ./default.nix { };
  };
  perSystem =
    { pkgs, ... }:
    {
      checks = lib.optionalAttrs (pkgs.stdenv.isLinux) {
        heisenbridge = import ./tests/vm/default.nix {
          inherit pkgs;
          clan-core = self;
          nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
        };
      };
    };
 }
--- a/clanServices/heisenbridge/tests/vm/default.nix
+++ b/clanServices/heisenbridge/tests/vm/default.nix
@@ -0,0 +1,65 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "heisenbridge";
    clan = {
      directory = ./.;
      modules."@clan/heisenbridge" = ../../default.nix;
      inventory = {
        machines.server = { };
        instances = {
          heisenbridge-test = {
            module.name = "@clan/heisenbridge";
            roles.default.machines."server".settings = {
              homeserver = "http://127.0.0.1:8008";
            };
          };
        };
      };
    };
    nodes = {
      server = {
        # Setup a minimal matrix-synapse to test with
        services.matrix-synapse = {
          enable = true;
          settings.server_name = "example.com";
          settings.database = {
            name = "sqlite3";
          };
        };
      };
    };
    testScript = ''
      start_all()
      server.wait_for_unit("matrix-synapse")
      server.wait_for_unit("heisenbridge")
      # Check that heisenbridge is running
      server.succeed("systemctl status heisenbridge")
      # Wait for the bridge to initialize
      server.wait_until_succeeds("journalctl -u heisenbridge | grep -q 'bridge is now running'")
      # Check that heisenbridge is listening on the default port
      server.succeed("${pkgs.netcat}/bin/nc -z -v 127.0.0.1 9898")
    '';
  }
 )
--- a/clanServices/heisenbridge/tests/vm/sops/users/admin/key.json
+++ b/clanServices/heisenbridge/tests/vm/sops/users/admin/key.json
@@ -0,0 +1,4 @@
 {
  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
  "type": "age"
 }
--- a/clanServices/hello-world/flake-module.nix
+++ b/clanServices/hello-world/flake-module.nix
@@ -14,7 +14,7 @@ in
    hello-world = module;
  };
  perSystem =
-    { ... }:
+    { pkgs, ... }:
    let
      # Module that contains the tests
      # This module adds:
@@ -41,10 +41,15 @@ in
        2. To run the test
        nix build .#checks.x86_64-linux.hello-service
      */
-      clan.nixosTests.hello-service = {
+      checks =
-        imports = [ ./tests/vm/default.nix ];
+        # Currently we don't support nixos-integration tests on darwin
-
+        lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        clan.modules.hello-service = module;
+          hello-service = import ./tests/vm/default.nix {
-      };
+            inherit module;
            inherit self inputs pkgs;
            nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
            clan-core = self;
          };
        };
    };
 }
--- a/clanServices/hello-world/tests/eval-tests.nix
+++ b/clanServices/hello-world/tests/eval-tests.nix
@@ -6,7 +6,7 @@
 let
  testFlake = clanLib.buildClan {
    # Point to the folder of the module
-    # TODO: make this optional
+    # TODO: make this optional in buildClan
    directory = ./..;
    # Create some test machines
@@ -44,7 +44,10 @@ in
  test_simple = {
    inherit testFlake;
-    expr = { };
+    expr = {
-    expected = { };
+    };
    expected = {
    };
  };
 }
--- a/clanServices/hello-world/tests/vm/default.nix
+++ b/clanServices/hello-world/tests/vm/default.nix
@@ -1,29 +1,44 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  module,
  ...
 }:
-{
+nixosLib.runTest (
-  name = "hello-service";
+  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
-  clan = {
+    hostPkgs = pkgs;
    directory = ./.;
    inventory = {
      machines.peer1 = { };
-      instances."test" = {
+    name = "hello-service";
-        module.name = "hello-service";
+
-        roles.peer.machines.peer1 = { };
+    clan = {
      directory = ./.;
      modules = {
        hello-service = module;
      };
      inventory = {
        machines.peer1 = { };
        instances."test" = {
          module.name = "hello-service";
          roles.peer.machines.peer1 = { };
        };
      };
    };
  };
-  testScript =
+    testScript =
-    { nodes, ... }:
+      { nodes, ... }:
-    ''
+      ''
-      start_all()
+        start_all()
-      # peer1 should have the 'hello' file
+        # peer1 should have the 'hello' file
-      value = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.hello.files.hello.path}")
+        value = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.hello.files.hello.path}")
-      assert value.strip() == "Hello world from peer1", value
+        assert value.strip() == "Hello world from peer1", value
-    '';
+      '';
-}
+  }
 )
--- a/clanServices/importer/README.md
+++ b/clanServices/importer/README.md
@@ -8,13 +8,13 @@ inventory.instances = {
  zone1 = {
    module.name = "@clan/importer";
-    roles.default.tags.zone1 = {};
+    roles.default.tags = [ "zone1" ];
    roles.default.extraModules = [ "modules/zone1.nix" ];
  };
  base = {
    module.name = "@clan/importer";
-    roles.default.tags.all = {};
+    roles.default.tags = [ "all" ];
    roles.default.extraModules = [ "modules/base.nix" ];
  };
--- a/clanServices/localsend/README.md
+++ b/clanServices/localsend/README.md
@@ -0,0 +1,17 @@
 LocalSend is a free, open-source alternative to AirDrop that allows you to
 securely share files and messages with nearby devices over your local network
 without needing an internet connection.
 ## Example Usage
 ```nix
 inventory.instances = {
  localsend = {
    module = {
      name = "localsend";
      input = "clan";
    };
    roles.default.machines.draper = { };
  };
 }
 ```
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX`